From c9903aacb1e1a5f2ff35ac0c95a08c37c0cabaf7 Mon Sep 17 00:00:00 2001 From: Kazuma Watanabe Date: Mon, 23 Feb 2026 07:40:45 +0000 Subject: [PATCH 1/4] terraform: Add support for GitHub Attestations in TFLint installation --- src/terraform/devcontainer-feature.json | 5 ++ src/terraform/install.sh | 70 ++++++++++++++++++------- 2 files changed, 55 insertions(+), 20 deletions(-) diff --git a/src/terraform/devcontainer-feature.json b/src/terraform/devcontainer-feature.json index a72f18993..2fefba628 100644 --- a/src/terraform/devcontainer-feature.json +++ b/src/terraform/devcontainer-feature.json @@ -79,6 +79,11 @@ } } }, + "dependsOn": { + "ghcr.io/devcontainers/features/github-cli:1": { + "version": "latest" + } + }, "installsAfter": [ "ghcr.io/devcontainers/features/common-utils" ] diff --git a/src/terraform/install.sh b/src/terraform/install.sh index 999815a38..7f15e8c3e 100755 --- a/src/terraform/install.sh +++ b/src/terraform/install.sh @@ -460,6 +460,23 @@ install_tflint() { curl -sSL -o /tmp/tf-downloads/${TFLINT_FILENAME} https://github.com/terraform-linters/tflint/releases/download/v${TFLINT_VERSION}/${TFLINT_FILENAME} } +verify_tflint_attestations() { + local checksums=$1 + local checksums_sha256=$(sha256sum "$checksums" | cut -d " " -f 1) + + check_packages jq + + curl -L -f "https://api.github.com/repos/terraform-linters/tflint/attestations/sha256:${checksums_sha256}" > attestation.json + curl_exit_code=$? + if [ $curl_exit_code -ne 0 ]; then + echo "(*) Failed to fetch GitHub Attestations for tflint checksums" + return 1 + fi + + jq ".attestations[].bundle" attestation.json > bundle.jsonl + gh at verify "$checksums" -R terraform-linters/tflint -b bundle.jsonl +} + if [ "${TFLINT_VERSION}" != "none" ]; then echo "Downloading tflint..." TFLINT_FILENAME="tflint_linux_${architecture}.zip" @@ -475,31 +492,44 @@ if [ "${TFLINT_VERSION}" != "none" ]; then else curl -sSL -o tflint_checksums.txt https://github.com/terraform-linters/tflint/releases/download/v${TFLINT_VERSION}/checksums.txt + # Attempt GitHub Attestation verification (0.51.1+) set +e - curl -sSL -o checksums.txt.keyless.sig https://github.com/terraform-linters/tflint/releases/download/v${TFLINT_VERSION}/checksums.txt.keyless.sig + verify_tflint_attestations tflint_checksums.txt + verify_result=$? set -e - # Check that checksums.txt.keyless.sig exists and is not empty - if [ -s checksums.txt.keyless.sig ]; then - # Validate checksums with cosign - curl -sSL -o checksums.txt.pem https://github.com/terraform-linters/tflint/releases/download/v${TFLINT_VERSION}/checksums.txt.pem - ensure_cosign - cosign verify-blob \ - --certificate=/tmp/tf-downloads/checksums.txt.pem \ - --signature=/tmp/tf-downloads/checksums.txt.keyless.sig \ - --certificate-identity-regexp="^https://github.com/terraform-linters/tflint" \ - --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ - /tmp/tf-downloads/tflint_checksums.txt - # Ensure that checksums.txt has $TFLINT_FILENAME - grep ${TFLINT_FILENAME} /tmp/tf-downloads/tflint_checksums.txt - # Validate downloaded file + if [ $verify_result -eq 0 ]; then sha256sum --ignore-missing -c tflint_checksums.txt + echo "(*) tflint_checksums.txt verified successfully using GitHub Attestation." else - # Fallback to older, GPG-based verification (pre-0.47.0 of tflint) - curl -sSL -o tflint_checksums.txt.sig https://github.com/terraform-linters/tflint/releases/download/v${TFLINT_VERSION}/checksums.txt.sig - curl -sSL -o tflint_key "${TFLINT_GPG_KEY_URI}" - gpg -q --import tflint_key - gpg --verify tflint_checksums.txt.sig tflint_checksums.txt + # Fallback to cosign verification + echo "(*) GitHub Attestation verification failed or not supported for this version, falling back to Cosign verification..." + set +e + curl -sSL -o checksums.txt.keyless.sig https://github.com/terraform-linters/tflint/releases/download/v${TFLINT_VERSION}/checksums.txt.keyless.sig + set -e + + # Check that checksums.txt.keyless.sig exists and is not empty + if [ -s checksums.txt.keyless.sig ]; then + # Validate checksums with cosign + curl -sSL -o checksums.txt.pem https://github.com/terraform-linters/tflint/releases/download/v${TFLINT_VERSION}/checksums.txt.pem + ensure_cosign + cosign verify-blob \ + --certificate=/tmp/tf-downloads/checksums.txt.pem \ + --signature=/tmp/tf-downloads/checksums.txt.keyless.sig \ + --certificate-identity-regexp="^https://github.com/terraform-linters/tflint" \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + /tmp/tf-downloads/tflint_checksums.txt + # Ensure that checksums.txt has $TFLINT_FILENAME + grep ${TFLINT_FILENAME} /tmp/tf-downloads/tflint_checksums.txt + # Validate downloaded file + sha256sum --ignore-missing -c tflint_checksums.txt + else + # Fallback to older, GPG-based verification (pre-0.47.0 of tflint) + curl -sSL -o tflint_checksums.txt.sig https://github.com/terraform-linters/tflint/releases/download/v${TFLINT_VERSION}/checksums.txt.sig + curl -sSL -o tflint_key "${TFLINT_GPG_KEY_URI}" + gpg -q --import tflint_key + gpg --verify tflint_checksums.txt.sig tflint_checksums.txt + fi fi fi fi From 0b517007afe3cc8bf2d389c1b6a4e79e43b0b3c9 Mon Sep 17 00:00:00 2001 From: Kazuma Watanabe Date: Sat, 28 Feb 2026 08:32:23 +0000 Subject: [PATCH 2/4] terraform: Pin TFLint version in tflint_fallback_test --- test/terraform/scenarios.json | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/test/terraform/scenarios.json b/test/terraform/scenarios.json index 09bb0f598..9abea49c8 100644 --- a/test/terraform/scenarios.json +++ b/test/terraform/scenarios.json @@ -14,7 +14,7 @@ "installSentinel": true } } - }, + }, "install_in_ubuntu_noble": { "image": "mcr.microsoft.com/devcontainers/base:noble", "features": { @@ -91,7 +91,7 @@ "image": "mcr.microsoft.com/devcontainers/base:jammy", "features": { "terraform": { - "tflint": "latest" + "tflint": "0.50.0" } } }, @@ -122,4 +122,4 @@ } } } -} \ No newline at end of file +} From cc2ff1b9a09394997f7c8be8028e39422db8d208 Mon Sep 17 00:00:00 2001 From: Kazuma Watanabe Date: Sat, 28 Feb 2026 08:35:22 +0000 Subject: [PATCH 3/4] terraform: Bump version to 1.4.3 --- src/terraform/devcontainer-feature.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/terraform/devcontainer-feature.json b/src/terraform/devcontainer-feature.json index 2fefba628..176ba205c 100644 --- a/src/terraform/devcontainer-feature.json +++ b/src/terraform/devcontainer-feature.json @@ -1,6 +1,6 @@ { "id": "terraform", - "version": "1.4.2", + "version": "1.4.3", "name": "Terraform, tflint, and TFGrunt", "documentationURL": "https://github.com/devcontainers/features/tree/main/src/terraform", "description": "Installs the Terraform CLI and optionally TFLint and Terragrunt. Auto-detects latest version and installs needed dependencies.", From a4e7fa6e86e8be1344288f602fda18b53d95d204 Mon Sep 17 00:00:00 2001 From: Kazuma Watanabe Date: Sat, 14 Mar 2026 17:05:02 +0000 Subject: [PATCH 4/4] terraform: Update tflint_fallback_test for the latest version --- test/terraform/scenarios.json | 2 +- test/terraform/tflint_fallback_test.sh | 85 +++++++++++++++++--------- 2 files changed, 57 insertions(+), 30 deletions(-) diff --git a/test/terraform/scenarios.json b/test/terraform/scenarios.json index 9abea49c8..fab18de1e 100644 --- a/test/terraform/scenarios.json +++ b/test/terraform/scenarios.json @@ -91,7 +91,7 @@ "image": "mcr.microsoft.com/devcontainers/base:jammy", "features": { "terraform": { - "tflint": "0.50.0" + "tflint": "latest" } } }, diff --git a/test/terraform/tflint_fallback_test.sh b/test/terraform/tflint_fallback_test.sh index 5619ff4fb..33b75f3b0 100644 --- a/test/terraform/tflint_fallback_test.sh +++ b/test/terraform/tflint_fallback_test.sh @@ -22,7 +22,6 @@ keyserver hkps://keys.openpgp.org keyserver hkps://keyserver.pgp.com" check "tflint version as installed by feature" tflint --version -check "cosign version as installed by feature" cosign version architecture="$(uname -m)" case ${architecture} in @@ -221,14 +220,31 @@ install_tflint() { curl -sSL -o /tmp/tf-downloads/${TFLINT_FILENAME} https://github.com/terraform-linters/tflint/releases/download/v${TFLINT_VERSION}/${TFLINT_FILENAME} } +verify_tflint_attestations() { + local checksums=$1 + local checksums_sha256=$(sha256sum "$checksums" | cut -d " " -f 1) -try_install_dummy_tflint_cosign_version() { + check_packages jq + + curl -L -f "https://api.github.com/repos/terraform-linters/tflint/attestations/sha256:${checksums_sha256}" > attestation.json + curl_exit_code=$? + if [ $curl_exit_code -ne 0 ]; then + echo "(*) Failed to fetch GitHub Attestations for tflint checksums" + return 1 + fi + + jq ".attestations[].bundle" attestation.json > bundle.jsonl + gh at verify "$checksums" -R terraform-linters/tflint -b bundle.jsonl +} + + +try_install_dummy_tflint_version() { mode=$1 tflint_url='https://github.com/terraform-linters/tflint' mkdir -p /tmp/tf-downloads cd /tmp/tf-downloads echo -e "\nTrying to install dummy tflint version..." - TFLINT_VERSION="0.50.XYZ" + TFLINT_VERSION="0.60.XYZ" echo "Downloading tflint...v${TFLINT_VERSION}" TFLINT_FILENAME="tflint_linux_${architecture}.zip" install_tflint "$TFLINT_VERSION" @@ -237,37 +253,50 @@ try_install_dummy_tflint_cosign_version() { fi if [ "${TFLINT_SHA256}" != "dev-mode" ]; then - if [ "${TFLINT_SHA256}" != "automatic" ]; then + if [ "${TFLINT_SHA256}" != "automatic" ]; then echo "${TFLINT_SHA256} *${TFLINT_FILENAME}" > tflint_checksums.txt sha256sum --ignore-missing -c tflint_checksums.txt else curl -sSL -o tflint_checksums.txt https://github.com/terraform-linters/tflint/releases/download/v${TFLINT_VERSION}/checksums.txt + # Attempt GitHub Attestation verification (0.51.1+) set +e - curl -sSL -o checksums.txt.keyless.sig https://github.com/terraform-linters/tflint/releases/download/v${TFLINT_VERSION}/checksums.txt.keyless.sig + verify_tflint_attestations tflint_checksums.txt + verify_result=$? set -e - - # Check that checksums.txt.keyless.sig exists and is not empty - if [ -s checksums.txt.keyless.sig ]; then - # Validate checksums with cosign - curl -sSL -o checksums.txt.pem https://github.com/terraform-linters/tflint/releases/download/v${TFLINT_VERSION}/checksums.txt.pem - ensure_cosign $mode - cosign verify-blob \ - --certificate=/tmp/tf-downloads/checksums.txt.pem \ - --signature=/tmp/tf-downloads/checksums.txt.keyless.sig \ - --certificate-identity-regexp="^https://github.com/terraform-linters/tflint" \ - --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ - /tmp/tf-downloads/tflint_checksums.txt - # Ensure that checksums.txt has $TFLINT_FILENAME - grep ${TFLINT_FILENAME} /tmp/tf-downloads/tflint_checksums.txt - # Validate downloaded file + + if [ $verify_result -eq 0 ]; then sha256sum --ignore-missing -c tflint_checksums.txt + echo "(*) tflint_checksums.txt verified successfully using GitHub Attestation." else - # Fallback to older, GPG-based verification (pre-0.47.0 of tflint) - curl -sSL -o tflint_checksums.txt.sig https://github.com/terraform-linters/tflint/releases/download/v${TFLINT_VERSION}/checksums.txt.sig - curl -sSL -o tflint_key "${TFLINT_GPG_KEY_URI}" - gpg -q --import tflint_key - gpg --verify tflint_checksums.txt.sig tflint_checksums.txt + # Fallback to cosign verification + echo "(*) GitHub Attestation verification failed or not supported for this version, falling back to Cosign verification..." + set +e + curl -sSL -o checksums.txt.keyless.sig https://github.com/terraform-linters/tflint/releases/download/v${TFLINT_VERSION}/checksums.txt.keyless.sig + set -e + + # Check that checksums.txt.keyless.sig exists and is not empty + if [ -s checksums.txt.keyless.sig ]; then + # Validate checksums with cosign + curl -sSL -o checksums.txt.pem https://github.com/terraform-linters/tflint/releases/download/v${TFLINT_VERSION}/checksums.txt.pem + ensure_cosign $mode + cosign verify-blob \ + --certificate=/tmp/tf-downloads/checksums.txt.pem \ + --signature=/tmp/tf-downloads/checksums.txt.keyless.sig \ + --certificate-identity-regexp="^https://github.com/terraform-linters/tflint" \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + /tmp/tf-downloads/tflint_checksums.txt + # Ensure that checksums.txt has $TFLINT_FILENAME + grep ${TFLINT_FILENAME} /tmp/tf-downloads/tflint_checksums.txt + # Validate downloaded file + sha256sum --ignore-missing -c tflint_checksums.txt + else + # Fallback to older, GPG-based verification (pre-0.47.0 of tflint) + curl -sSL -o tflint_checksums.txt.sig https://github.com/terraform-linters/tflint/releases/download/v${TFLINT_VERSION}/checksums.txt.sig + curl -sSL -o tflint_key "${TFLINT_GPG_KEY_URI}" + gpg -q --import tflint_key + gpg --verify tflint_checksums.txt.sig tflint_checksums.txt + fi fi fi fi @@ -276,12 +305,10 @@ try_install_dummy_tflint_cosign_version() { sudo mv -f tflint /usr/local/bin/ } -try_install_dummy_tflint_cosign_version "mode1" +try_install_dummy_tflint_version "mode1" check "tflint version as installed when mode=1" tflint --version -check "cosign version as installed when mode=1" cosign version -try_install_dummy_tflint_cosign_version "mode2" +try_install_dummy_tflint_version "mode2" check "tflint version as installed when mode=2" tflint --version -check "cosign version as installed when mode=2" cosign version \ No newline at end of file