Adds a Dockerfile that creates a terragrunt image

[lorengordon]

Related to #1655

Summary by CodeRabbit

• New Features

  • Added automated building and verification of a Docker container for the application, triggered on new version tags.
  • Introduced a Dockerfile to package the application as a container image.

• Chores

  • Updated CI workflows to include container build and version verification steps.

[lorengordon]

fwiw, demonstrating it builds...

$ docker build -t gruntworkio/terragrunt -f Dockerfile .
[+] Building 153.1s (13/13) FINISHED
 => [internal] load build definition from Dockerfile
=> => transferring dockerfile: 353B
=> [internal] load .dockerignore
=> => transferring context: 2B
=> [internal] load metadata for docker.io/library/alpine:latest
=> [internal] load metadata for docker.io/library/golang:1.16.3-alpine
=> CACHED [stage-1 1/2] FROM docker.io/library/alpine:latest@sha256:69e70a79f2d41ab5d637de98c1e0b055206ba40a8145e7bddb55ccc04e13cf8f
=> CACHED [builder 1/5] FROM docker.io/library/golang:1.16.3-alpine@sha256:49c07aa83790aca732250c2258b5912659df31b6bfa2ab428661bc66833769e1
=> [internal] load build context
=> => transferring context: 109.75kB
=> [builder 2/5] RUN apk add --update --no-cache make git
=> [builder 3/5] WORKDIR /go/src/terragrunt
=> [builder 4/5] COPY . .
=> [builder 5/5] RUN make build
=> [stage-1 2/2] COPY --from=builder /go/src/terragrunt/terragrunt /usr/local/bin/
=> exporting to image
=> => exporting layers
=> => writing image sha256:a68cc54158c9f9ac6409a860bf5de127f04951b52569ed1a890c4f92b663e2cb
=> => naming to docker.io/gruntworkio/terragrunt

and runs:

$ docker run --rm gruntworkio/terragrunt
DESCRIPTION:
   terragrunt - Terragrunt is a thin wrapper for Terraform that provides extra tools for working with multiple
   Terraform modules, remote state, and locking. For documentation, see https://github.com/gruntwork-io/terragrunt/.

USAGE:
   terragrunt <COMMAND>
...
VERSION:
   v0.29.2-2-g67173f167cae-dirty

AUTHOR(S):
   Gruntwork <www.gruntwork.io>

[brikis98]

Thanks for the PR!

I could configure a Docker Hub build as you mentioned here, but there are a few gotchas:

1. How do we set the version number in the binary? See my comment in the PR itself.
2. How do we test the Dockerfile before merging/releasing? I'd rather not merge something and later find out the Docker Hub build failed.
3. Docker Hub has introduced a bunch of limits recently, and seems to be heading in the direction of adding still more. Terragrunt might be popular enough to trip this limits... Not sure how many people use it via Docker though.

[brikis98]

This will end up with an empty version number in the binary. It needs to be set via:

-ldflags "-X main.VERSION=<VERSION>"

But it's not clear what version number we'd be able to use?

[lorengordon]

The version is not empty! That's one reason I used the make build target. The version is determined by the command git describe --tags --abbrev=12 --dirty --broken. When the checkout matches a git tag, the value is just the git tag. When the checkout is not a tag, you get the last tag plus a git ref marker.

If you go with the dockerhub build service, dockerhub clones the repo and has all the tags, so this evaluates correctly. I'd expect any other container build service would also.

$ git describe --tags --abbrev=12 --dirty --broken
v0.29.2-2-gc90d385e21b8
$ git tag v0.29.3-testing
$ git describe --tags --abbrev=12 --dirty --broken
v0.29.3-testing

[lorengordon]

For example:

$ docker run --rm gruntworkio/terragrunt --version
terragrunt version v0.29.2-3-gdbe93918437f-dirty

[brikis98]

NIT: couldn't this be scratch? I think a standalone Go binary doesn't need anything else...

[lorengordon]

Perhaps? Using alpine:latest and the multistage build, it's only a 40MB image. Might be over-optimizing... I'll give it a shot though.

[lorengordon]

The scratch base image worked, just needed to use CGO_ENABLED=0. Image size is 34MB.

$ docker run --rm gruntworkio/terragrunt --version
terragrunt version v0.29.2-4-g4deae14c6db3-dirty

[lorengordon]

How do we set the version number in the binary? See my comment in the PR itself.

I addressed that inline. The version is being set!

How do we test the Dockerfile before merging/releasing? I'd rather not merge something and later find out the Docker Hub build failed.

What I usually do is build the image in CI and then run the container, exercising some suite of tests. How thorough I want to be with the image generally depends on how confident I am in the unit tests or integration tests I run more directly. Sometimes I just will run the container passing a basic flag, like --version, to ensure the binary did build and can be executed.

Docker Hub has introduced a bunch of limits recently, and seems to be heading in the direction of adding still more. Terragrunt might be popular enough to trip this limits... Not sure how many people use it via Docker though.

I haven't seen any DockerHub limits on building or pushing images for public projects. There are rate limits on users pulling images, and it is the user's responsibility to login to dockerhub to avoid the rate limit.

There is also a plan to expire images that have not been used in 6 months, for accounts on the free tier. That seems pretty reasonable, though. If the image is being used, it remains available. If it's not used for 6 months, it seems likely it is not needed (and a user in desperate need could build it themselves at that point).

[lorengordon]

@brikis98 I added a step to the circle-ci config to build the container as an example of how to validate the docker build in CI, but I have no ability to run it, of course. I also have never used circle-ci, so I may have guessed wrong about how to do this! 😬

What I usually do is build the image in CI and then run the container, exercising some suite of tests. How thorough I want to be with the image generally depends on how confident I am in the unit tests or integration tests I run more directly. Sometimes I just will run the container passing a basic flag, like --version, to ensure the binary did build and can be executed.

[angeloskaltsikis]

Hey folks,
We are thinking of using Terragrunt as a Kubernetes Cronjob (to get alerts for Drift like mentioned in this discussion).
As a result, we are going to prefer if we could utilize any official Terragrunt Docker image.
@brikis98 Do you have any other concerns or this could proceed? 🙏🏽

[Matthew-Beckett]

Following on from @angeloskaltsikis's question, what is blocking progression on this PR? I am happy to pick up getting this merged into branch so that alpine/terragrunt at Dockerhub with over 10 million downloads can be deprecated.

[github-actions]

This pull request has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for submitting this pull request.

[coderabbitai]

Walkthrough

This update introduces a Dockerfile for building and packaging the "terragrunt" Go application as a statically linked binary in a minimal container. Alongside, the CircleCI configuration is updated with a new build_container job. This job builds the Docker image, verifies the application version inside the container, and is integrated into the build-and-test workflow to run after tests, but only on version tags. No existing jobs or deployment steps are changed.

Changes

File(s)	Change Summary
.circleci/config.yml	Added a build_container job to build and verify a Docker container; integrated into workflow.
Dockerfile	Introduced a multi-stage Dockerfile to build and package the "terragrunt" Go app as a container.

Sequence Diagram(s)

sequenceDiagram
    participant Dev as Developer
    participant CI as CircleCI
    participant Docker as Docker Engine
    participant Container as terragrunt Container

    Dev->>CI: Push tag (vX.Y.Z)
    CI->>CI: Run unit_test & integration_test
    CI->>Docker: Build Docker image (terragrunt-test)
    Docker->>Container: Run container (output terragrunt version)
    Container-->>Docker: Return version string
    Docker-->>CI: Pass/fail based on version check

Loading

Poem

In a Dockerfile, a Go app takes flight,
CircleCI builds it—checks version is right.
On tagged commits, the workflow will run,
Testing and building, all neatly done.
Now terragrunt sails in a container so light,
Ready for action, day or night!
🚢✨

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Generate unit testing code for this file.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai generate unit testing code for this file.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and generate unit testing code.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai generate docstrings to generate docstrings for this PR.
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (5)

Dockerfile (4)

1-5: Great use of multistage build—but consider future‐proofing the Go version.
Pinning to golang:1.16.3-alpine works today, but Go 1.16 is in maintenance mode and may miss out on performance/security updates. You could introduce a build ARG like ARG GO_VERSION=1.16.3 and use FROM golang:${GO_VERSION}-alpine as builder. That makes bumping easier later without editing the Dockerfile directly.

---

9-11: Nice layer caching for Go modules.
Separating go.mod/go.sum and go mod download is spot on for faster rebuilds when source changes but deps don’t. One tiny nit: consider using go mod verify after download to ensure module integrity.

---

13-15: Solid build step—but lock down your build environment.
You’ve got CGO_ENABLED=0 make build, which yields a static binary. To guarantee it always targets amd64 Linux, you might also set GOOS=linux GOARCH=amd64 (unless your Makefile already does). Example:

-RUN CGO_ENABLED=0 make build
+RUN CGO_ENABLED=0 GOOS=linux GOARCH=amd64 make build

That way there’s no surprise if someone builds on a different host arch.

---

19-23: Scratch final image—impressively tiny!
Using scratch ensures minimal attack surface. One thought: since it runs as root by default, you might add a non‐root user in the builder and USER in the final stage (though static binaries typically don’t need passwd entries). Also, consider a simple HEALTHCHECK to validate the binary still responds over time.

.circleci/config.yml (1)

70-75: Version check looks solid!
Using git describe --tags and grepping the container’s output is an effective smoke test. One tweak: wrap $vtag_maybe_extra in quotes in the grep to avoid globbing surprises if the tag has special characters. E.g.:

- docker run --rm terragrunt-test --version | grep $vtag_maybe_extra
+ docker run --rm terragrunt-test --version | grep -F -- "$vtag_maybe_extra"

This guards against regex interpolation and makes the grep intention obvious.

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 9362e01 and ba94dd4.

📒 Files selected for processing (2)

• .circleci/config.yml (2 hunks)
• Dockerfile (1 hunks)

🔇 Additional comments (2)

.circleci/config.yml (2)

63-69: Good start on a build_container job—don’t forget publishing.
You build the terragrunt-test image locally, but there’s no docker push. If you rely on Docker Hub Automated Builds or another registry, that’s fine. Otherwise, add a push step or document how the image will be published.

---

111-119: Workflow integration is clear—just verify ordering.
You’ve wired build_container to run after tests, parallel to build. Confirm that you’re happy if a container‐build failure doesn’t block deploy. If you’d like to gate deployments on a working container too, consider adding build_container as a requirement for deploy.