chore: bump dependencies

app/Dockerfile

@@ -1,58 +1,43 @@
 # syntax=docker/dockerfile:1
-ARG ATLANTIS_BASE_VERSION=2023.03.30
-# The runatlantis/atlantis-base is created by docker-base/Dockerfile.
-FROM ghcr.io/runatlantis/atlantis-base:${ATLANTIS_BASE_VERSION} AS base
+
+ARG ATLANTIS_VERSION=v0.27.2
+
+FROM ghcr.io/runatlantis/atlantis:${ATLANTIS_VERSION} AS base
 
 # Default tool versions installed in that image
-ARG ATLANTIS_VERSION=v0.23.3
-ARG ASDF_VERSION=v0.11.3
-ARG K8S_VERSION=1.25.5
-ARG HELM_VERSION=3.11.2
-ARG TF_VERSION=1.4.2
-ARG TG_VERSION=0.45.0
-ARG TG_ATLANTIS_VERSION=1.16.0
-ARG CONFTEST_VERSION=v0.35.0
-ARG GLAB_VERSION=1.26.0
-ARG GOJQ_VERSION=0.12.13
-ARG YQ_VERSION=4.9.8
-ARG AZURE_CLI_VERSION=2.46.0
-ARG CHECKOV_VERSION=2.1.244
-ARG INFRACOST_VERSION=v0.10.18
-ARG TFLINT_VERSION=0.45.0
-ARG TERRAFORM_DOCS_VERSION=0.16.0
 
-RUN set -ex && \
-    apk update && \
-    apk add bash py3-pip curl && \
-    apk add --virtual=build gcc libffi-dev musl-dev openssl-dev python3-dev cargo make curl unzip aws-cli
+ARG ASDF_VERSION=v0.14.0
+ARG K8S_VERSION=1.30.0
+ARG HELM_VERSION=3.14.4
+ARG TF_VERSION=1.5.7
+ARG TG_VERSION=0.55.13
+ARG TG_ATLANTIS_VERSION=1.17.4
+ARG CONFTEST_VERSION=0.50.0
+ARG GLAB_VERSION=1.30.0
+ARG GOJQ_VERSION=0.12.14
+ARG YQ_VERSION=4.42.1
+ARG AZURE_CLI_VERSION=2.58.0
+ARG AWS_CLI_VERSION=2.13.25-r0
+ARG CHECKOV_VERSION=3.2.74
+ARG INFRACOST_VERSION=0.10.35
+ARG TFLINT_VERSION=0.50.3
+ARG TERRAFORM_DOCS_VERSION=0.17.0
+
+USER root
 
-###
-### Install Checkov
-###
 RUN set -ex && \
-    pip install --upgrade pip && \
-    pip install --upgrade setuptools && \
-    pip install checkov==${CHECKOV_VERSION}
-
-# Download and install Infracost
-RUN curl -LOs https://github.com/infracost/infracost/releases/download/${INFRACOST_VERSION}/infracost-linux-amd64.tar.gz && \
-    tar xzf infracost-linux-amd64.tar.gz && \
-    mv infracost-linux-amd64 /usr/bin/infracost && \
-    chmod a+x /usr/bin/infracost && \
-    rm -rf infracost-linux-amd64*
-
-###
-### Ensure Azure cli version is present and validated
-###
-RUN set -eux \
-    && pip install azure-cli==${AZURE_CLI_VERSION} \
-    && az --version
-
-# Download and install Atlantis
-RUN curl -LOs https://github.com/runatlantis/atlantis/releases/download/${ATLANTIS_VERSION}/atlantis_linux_amd64.zip && \
-    unzip atlantis_linux_amd64.zip -d /usr/bin && \
-    chmod a+x /usr/bin/atlantis && \
-    rm atlantis_linux_amd64.zip
+    apk update && \
+    apk add py3-pip curl aws-cli=${AWS_CLI_VERSION} && \
+    apk add --virtual=build gcc libffi-dev musl-dev openssl-dev python3-dev cargo make unzip && \
+    pip install --upgrade pip --break-system-packages && \
+    pip install --upgrade setuptools --break-system-packages && \
+    ###
+    ### Ensure Azure cli version is present and validated
+    ### with --break-system-packages due to https://peps.python.org/pep-0668/
+    pip install azure-cli==${AZURE_CLI_VERSION} --break-system-packages && \
+    az --version && \
+    ### cleanup build dependencies
+    apk del build
 
 # Download and install terragrunt-atlantis-config
 RUN curl -LOs https://github.com/transcend-io/terragrunt-atlantis-config/releases/download/v${TG_ATLANTIS_VERSION}/terragrunt-atlantis-config_${TG_ATLANTIS_VERSION}_linux_amd64.tar.gz && \
@@ -61,16 +46,22 @@ RUN curl -LOs https://github.com/transcend-io/terragrunt-atlantis-config/release
     chmod a+x /usr/bin/terragrunt-atlantis-config && \
     rm -rf terragrunt-atlantis-config_${TG_ATLANTIS_VERSION}_linux_amd64*
 
-# Download and install asdf, create .profile and source asdf inside
-RUN gosu atlantis bash -l -c " \
-    git clone --quiet https://github.com/asdf-vm/asdf.git /home/atlantis/.asdf --branch ${ASDF_VERSION} && \
-    echo '. /home/atlantis/.asdf/asdf.sh' >> /home/atlantis/.profile && \
-    chown atlantis.atlantis /home/atlantis/.profile && \
-    chmod u+rw /home/atlantis/.profile"
+# Download and install asdf
+USER atlantis
+
+RUN git clone --quiet https://github.com/asdf-vm/asdf.git $HOME/.asdf --branch ${ASDF_VERSION}
+
+ENV PATH=$PATH:/home/atlantis/.asdf/bin:/home/atlantis/.asdf/shims
+
+# Create .profile and source asdf inside
+# ASDF_DIR is not automatically detected for sh
+RUN echo 'export ASDF_DIR=$HOME/.asdf' >> $HOME/.profile && \
+    echo '. $HOME/.asdf/asdf.sh' >> $HOME/.profile && \
+    chown $USER.root $HOME/.profile && \
+    chmod u+rw $HOME/.profile
 
 # Install all needed plugins
-RUN gosu atlantis bash -l -c " \
-    asdf plugin-add kubectl && \
+RUN asdf plugin-add kubectl && \
     asdf plugin-add helm && \
     asdf plugin-add terragrunt && \
     asdf plugin-add terraform && \
@@ -79,11 +70,12 @@ RUN gosu atlantis bash -l -c " \
     asdf plugin-add gojq && \
     asdf plugin-add tflint && \
     asdf plugin-add terraform-docs && \
-    asdf plugin-add yq"
+    asdf plugin-add yq && \
+    asdf plugin-add checkov && \
+    asdf plugin-add infracost
+
 # Install default versions and define them globally
-RUN gosu atlantis bash -l -c " \
-    cd /home/atlantis/ && \
-    asdf install kubectl ${K8S_VERSION} && \
+RUN asdf install kubectl ${K8S_VERSION} && \
     asdf install helm ${HELM_VERSION} && \
     asdf install terraform ${TF_VERSION} && \
     asdf install terragrunt ${TG_VERSION} && \
@@ -93,6 +85,8 @@ RUN gosu atlantis bash -l -c " \
     asdf install tflint ${TFLINT_VERSION} && \
     asdf install terraform-docs ${TERRAFORM_DOCS_VERSION} && \
     asdf install yq ${YQ_VERSION} && \
+    asdf install checkov ${CHECKOV_VERSION} && \
+    asdf install infracost ${INFRACOST_VERSION} && \
     asdf global kubectl ${K8S_VERSION} && \
     asdf global helm ${HELM_VERSION} && \
     asdf global terraform ${TF_VERSION} && \
@@ -102,32 +96,39 @@ RUN gosu atlantis bash -l -c " \
     asdf global gojq ${GOJQ_VERSION} && \
     asdf global tflint ${TFLINT_VERSION} && \
     asdf global terraform-docs ${TERRAFORM_DOCS_VERSION} && \
-    asdf global yq ${YQ_VERSION}"
+    asdf global yq ${YQ_VERSION} && \
+    asdf global checkov ${CHECKOV_VERSION} && \
+    asdf global infracost ${INFRACOST_VERSION}
+
+# Additional cleanup for non default terraform versions, pip cache, tmp
+RUN pip cache purge
+
+USER root
+
+RUN rm -f /usr/local/bin/terraform* && \
+    pip cache purge && \
+    rm -rf /tmp/*
 
-# Additional cleanup
-RUN rm -rf /tmp/*
 # Add 'alias' `jq` to `gojq`
-RUN echo -e '#!/bin/bash \nexec gojq "$@"' > /usr/local/bin/jq && chmod +x /usr/local/bin/jq
+RUN echo -e '#!/bin/sh \nexec gojq "$@"' > /usr/local/bin/jq && chmod +x /usr/local/bin/jq
 
-# Set atlantis login shell to bash
-RUN sed -i s#atlantis:/sbin/nologin#atlantis:/bin/bash#g /etc/passwd
+# Set atlantis login shell to sh
+RUN sed -i s#atlantis:/sbin/nologin#atlantis:/bin/sh#g /etc/passwd
 
-COPY docker-entrypoint.sh /usr/local/bin/docker-entrypoint.sh
 COPY check-gitlab-approvals.sh /usr/local/bin/check-gitlab-approvals.sh
 COPY pull-gitlab-variables.sh /usr/local/bin/pull-gitlab-variables.sh
 
-RUN chmod a+x /usr/local/bin/docker-entrypoint.sh && \
-    chmod a+x /usr/local/bin/check-gitlab-approvals.sh && \
+RUN chmod a+x /usr/local/bin/check-gitlab-approvals.sh && \
     chmod a+x /usr/local/bin/pull-gitlab-variables.sh
 
 USER atlantis
 # Add GitHub and GitLab to known keys file for safe SSH connections
-RUN mkdir -p /home/atlantis/.ssh && \
-    chmod 0700 /home/atlantis/.ssh && \
-    touch /home/atlantis/.ssh/known_hosts && \
-    chmod 0600 /home/atlantis/.ssh/known_hosts && \
-    ssh-keyscan -H github.com >> /home/atlantis/.ssh/known_hosts && \
-    ssh-keyscan -H gitlab.com >> /home/atlantis/.ssh/known_hosts
+RUN mkdir -p $HOME/.ssh && \
+    chmod 0700 $HOME/.ssh && \
+    touch $HOME/.ssh/known_hosts && \
+    chmod 0600 $HOME/.ssh/known_hosts && \
+    ssh-keyscan -H github.com >> $HOME/.ssh/known_hosts && \
+    ssh-keyscan -H gitlab.com >> $HOME/.ssh/known_hosts
 
 ENTRYPOINT ["docker-entrypoint.sh"]
 CMD ["server"]