#!/usr/bin/env bash #------------------------------------------------------------------------------------------------------------- # Copyright (c) Microsoft Corporation. All rights reserved. # Licensed under the MIT License. See https://go.microsoft.com/fwlink/?linkid=2090316 for license information. #------------------------------------------------------------------------------------------------------------- # # Docs: https://github.com/microsoft/vscode-dev-containers/blob/main/script-library/docs/terraform.md # Maintainer: The VS Code and Codespaces Teams set -e # Clean up rm -rf /var/lib/apt/lists/* TERRAFORM_VERSION="${VERSION:-"latest"}" TFLINT_VERSION="${TFLINT:-"latest"}" TERRAGRUNT_VERSION="${TERRAGRUNT:-"latest"}" INSTALL_SENTINEL=${INSTALLSENTINEL:-false} INSTALL_TFSEC=${INSTALLTFSEC:-false} INSTALL_TERRAFORM_DOCS=${INSTALLTERRAFORMDOCS:-false} TERRAFORM_SHA256="${TERRAFORM_SHA256:-"automatic"}" TFLINT_SHA256="${TFLINT_SHA256:-"automatic"}" TERRAGRUNT_SHA256="${TERRAGRUNT_SHA256:-"automatic"}" SENTINEL_SHA256="${SENTINEL_SHA256:-"automatic"}" TFSEC_SHA256="${TFSEC_SHA256:-"automatic"}" TERRAFORM_DOCS_SHA256="${TERRAFORM_DOCS_SHA256:-"automatic"}" TERRAFORM_GPG_KEY="72D7468F" TFLINT_GPG_KEY_URI="https://raw.githubusercontent.com/terraform-linters/tflint/v0.46.1/8CE69160EB3F2FE9.key" KEYSERVER_PROXY="${HTTPPROXY:-"${HTTP_PROXY:-""}"}" architecture="$(uname -m)" case ${architecture} in x86_64) architecture="amd64";; aarch64 | armv8*) architecture="arm64";; aarch32 | armv7* | armvhf*) architecture="arm";; i?86) architecture="386";; *) echo "(!) Architecture ${architecture} unsupported"; exit 1 ;; esac if [ "$(id -u)" -ne 0 ]; then echo -e 'Script must be run as root. Use sudo, su, or add "USER root" to your Dockerfile before running this script.' exit 1 fi # Get the list of GPG key servers that are reachable get_gpg_key_servers() { declare -A keyservers_curl_map=( ["hkps://keyserver.ubuntu.com"]="https://keyserver.ubuntu.com" ["hkps://keys.openpgp.org"]="https://keys.openpgp.org" ["hkps://keyserver.pgp.com"]="https://keyserver.pgp.com" ) local curl_args="" local keyserver_reachable=false # Flag to indicate if any keyserver is reachable if [ ! -z "${KEYSERVER_PROXY}" ]; then curl_args="--proxy ${KEYSERVER_PROXY}" fi for keyserver in "${!keyservers_curl_map[@]}"; do local keyserver_curl_url="${keyservers_curl_map[${keyserver}]}" if curl -s ${curl_args} --max-time 5 ${keyserver_curl_url} > /dev/null; then echo "keyserver ${keyserver}" keyserver_reachable=true else echo "(*) Keyserver ${keyserver} is not reachable." >&2 fi done if ! $keyserver_reachable; then echo "(!) No keyserver is reachable." >&2 exit 1 fi } # Import the specified key in a variable name passed in as receive_gpg_keys() { local keys=${!1} local keyring_args="" if [ ! -z "$2" ]; then keyring_args="--no-default-keyring --keyring $2" fi if [ ! -z "${KEYSERVER_PROXY}" ]; then keyring_args="${keyring_args} --keyserver-options http-proxy=${KEYSERVER_PROXY}" fi # Install curl if ! type curl > /dev/null 2>&1; then check_packages curl fi # Use a temporary location for gpg keys to avoid polluting image export GNUPGHOME="/tmp/tmp-gnupg" mkdir -p ${GNUPGHOME} chmod 700 ${GNUPGHOME} echo -e "disable-ipv6\n$(get_gpg_key_servers)" > ${GNUPGHOME}/dirmngr.conf # GPG key download sometimes fails for some reason and retrying fixes it. local retry_count=0 local gpg_ok="false" set +e until [ "${gpg_ok}" = "true" ] || [ "${retry_count}" -eq "5" ]; do echo "(*) Downloading GPG key..." ( echo "${keys}" | xargs -n 1 gpg -q ${keyring_args} --recv-keys) 2>&1 && gpg_ok="true" if [ "${gpg_ok}" != "true" ]; then echo "(*) Failed getting key, retrying in 10s..." (( retry_count++ )) sleep 10s fi done # If all attempts fail, try getting the keyserver IP address and explicitly passing it to gpg if [ "${gpg_ok}" = "false" ]; then retry_count=0; echo "(*) Resolving GPG keyserver IP address..." local keyserver_ip_address=$( dig +short keyserver.ubuntu.com | head -n1 ) echo "(*) GPG keyserver IP address $keyserver_ip_address" until [ "${gpg_ok}" = "true" ] || [ "${retry_count}" -eq "3" ]; do echo "(*) Downloading GPG key..." ( echo "${keys}" | xargs -n 1 gpg -q ${keyring_args} --recv-keys --keyserver ${keyserver_ip_address}) 2>&1 && gpg_ok="true" if [ "${gpg_ok}" != "true" ]; then echo "(*) Failed getting key, retrying in 10s..." (( retry_count++ )) sleep 10s fi done fi set -e if [ "${gpg_ok}" = "false" ]; then echo "(!) Failed to get gpg key." exit 1 fi } # Figure out correct version of a three part version number is not passed find_version_from_git_tags() { local variable_name=$1 local requested_version=${!variable_name} if [ "${requested_version}" = "none" ]; then return; fi local repository=$2 local prefix=${3:-"tags/v"} local separator=${4:-"."} local last_part_optional=${5:-"false"} if [ "$(echo "${requested_version}" | grep -o "." | wc -l)" != "2" ]; then local escaped_separator=${separator//./\\.} local last_part if [ "${last_part_optional}" = "true" ]; then last_part="(${escaped_separator}[0-9]+)?" else last_part="${escaped_separator}[0-9]+" fi local regex="${prefix}\\K[0-9]+${escaped_separator}[0-9]+${last_part}$" local version_list="$(git ls-remote --tags ${repository} | grep -oP "${regex}" | tr -d ' ' | tr "${separator}" "." | sort -rV)" if [ "${requested_version}" = "latest" ] || [ "${requested_version}" = "current" ] || [ "${requested_version}" = "lts" ]; then declare -g ${variable_name}="$(echo "${version_list}" | head -n 1)" else set +e declare -g ${variable_name}="$(echo "${version_list}" | grep -E -m 1 "^${requested_version//./\\.}([\\.\\s]|$)")" set -e fi fi if [ -z "${!variable_name}" ] || ! echo "${version_list}" | grep "^${!variable_name//./\\.}$" > /dev/null 2>&1; then echo -e "Invalid ${variable_name} value: ${requested_version}\nValid values:\n${version_list}" >&2 exit 1 fi echo "${variable_name}=${!variable_name}" } # Use semver logic to decrement a version number then look for the closest match find_prev_version_from_git_tags() { local variable_name=$1 local current_version=${!variable_name} local repository=$2 # Normally a "v" is used before the version number, but support alternate cases local prefix=${3:-"tags/v"} # Some repositories use "_" instead of "." for version number part separation, support that local separator=${4:-"."} # Some tools release versions that omit the last digit (e.g. go) local last_part_optional=${5:-"false"} # Some repositories may have tags that include a suffix (e.g. actions/node-versions) local version_suffix_regex=$6 # Try one break fix version number less if we get a failure. Use "set +e" since "set -e" can cause failures in valid scenarios. set +e major="$(echo "${current_version}" | grep -oE '^[0-9]+' || echo '')" minor="$(echo "${current_version}" | grep -oP '^[0-9]+\.\K[0-9]+' || echo '')" breakfix="$(echo "${current_version}" | grep -oP '^[0-9]+\.[0-9]+\.\K[0-9]+' 2>/dev/null || echo '')" if [ "${minor}" = "0" ] && [ "${breakfix}" = "0" ]; then ((major=major-1)) declare -g ${variable_name}="${major}" # Look for latest version from previous major release find_version_from_git_tags "${variable_name}" "${repository}" "${prefix}" "${separator}" "${last_part_optional}" # Handle situations like Go's odd version pattern where "0" releases omit the last part elif [ "${breakfix}" = "" ] || [ "${breakfix}" = "0" ]; then ((minor=minor-1)) declare -g ${variable_name}="${major}.${minor}" # Look for latest version from previous minor release find_version_from_git_tags "${variable_name}" "${repository}" "${prefix}" "${separator}" "${last_part_optional}" else ((breakfix=breakfix-1)) if [ "${breakfix}" = "0" ] && [ "${last_part_optional}" = "true" ]; then declare -g ${variable_name}="${major}.${minor}" else declare -g ${variable_name}="${major}.${minor}.${breakfix}" fi fi set -e } find_sentinel_version_from_url() { local variable_name=$1 local requested_version=${!variable_name} if [ "${requested_version}" = "none" ]; then return; fi local repository=$2 if [ "$(echo "${requested_version}" | grep -o "." | wc -l)" != "2" ]; then local prefix='sentinel_' local regex="${prefix}\d.\d{2}.\d(?:-\w*)?" local version_list="$(wget -q $2 -O - | grep -oP ${regex} | tr -d ${prefix} | sort -rV)" if [ "${requested_version}" = "latest" ] || [ "${requested_version}" = "current" ] || [ "${requested_version}" = "lts" ]; then declare -g ${variable_name}="$(echo "${version_list}" | head -n 1)" else set +e declare -g ${variable_name}="$(echo "${version_list}" | grep -E -m 1 "^${requested_version//./\\.}([\\.\\s]|$)")" set -e fi fi if [ -z "${!variable_name}" ] || ! echo "${version_list}" | grep "^${!variable_name//./\\.}$" >/dev/null 2>&1; then echo -e "Invalid ${variable_name} value: ${requested_version}\nValid values:\n${version_list}" >&2 exit 1 fi echo "${variable_name}=${!variable_name}" } apt_get_update() { if [ "$(find /var/lib/apt/lists/* | wc -l)" = "0" ]; then echo "Running apt-get update..." apt-get update -y fi } # Checks if packages are installed and installs them if not check_packages() { if ! dpkg -s "$@" > /dev/null 2>&1; then apt_get_update apt-get -y install --no-install-recommends "$@" fi } # Function to fetch the version released prior to the latest version get_previous_version() { local url=$1 local repo_url=$2 local variable_name=$3 prev_version=${!variable_name} output=$(curl -s "$repo_url"); # install jq check_packages jq message=$(echo "$output" | jq -r '.message') if [[ $message == "API rate limit exceeded"* ]]; then echo -e "\nAn attempt to find latest version using GitHub Api Failed... \nReason: ${message}" echo -e "\nAttempting to find latest version using GitHub tags." find_prev_version_from_git_tags prev_version "$url" "tags/v" declare -g ${variable_name}="${prev_version}" else echo -e "\nAttempting to find latest version using GitHub Api." version=$(echo "$output" | jq -r '.tag_name') declare -g ${variable_name}="${version#v}" fi echo "${variable_name}=${!variable_name}" } get_github_api_repo_url() { local url=$1 echo "${url/https:\/\/github.com/https:\/\/api.github.com\/repos}/releases/latest" } install_previous_version() { given_version=$1 requested_version=${!given_version} local URL=$2 INSTALLER_FN=$3 local REPO_URL=$(get_github_api_repo_url "$URL") local PKG_NAME=$(get_pkg_name "${given_version}") echo -e "\n(!) Failed to fetch the latest artifacts for ${PKG_NAME} v${requested_version}..." get_previous_version "$URL" "$REPO_URL" requested_version echo -e "\nAttempting to install ${requested_version}" declare -g ${given_version}="${requested_version#v}" $INSTALLER_FN "${!given_version}" echo "${given_version}=${!given_version}" } install_cosign() { COSIGN_VERSION=$1 local URL=$2 cosign_filename="/tmp/cosign_${COSIGN_VERSION}_${architecture}.deb" cosign_url="https://github.com/sigstore/cosign/releases/latest/download/cosign_${COSIGN_VERSION}_${architecture}.deb" curl -L "${cosign_url}" -o $cosign_filename if grep -q "Not Found" "$cosign_filename"; then echo -e "\n(!) Failed to fetch the latest artifacts for cosign v${COSIGN_VERSION}..." REPO_URL=$(get_github_api_repo_url "$URL") get_previous_version "$URL" "$REPO_URL" COSIGN_VERSION echo -e "\nAttempting to install ${COSIGN_VERSION}" cosign_filename="/tmp/cosign_${COSIGN_VERSION}_${architecture}.deb" cosign_url="https://github.com/sigstore/cosign/releases/latest/download/cosign_${COSIGN_VERSION}_${architecture}.deb" curl -L "${cosign_url}" -o $cosign_filename fi dpkg -i $cosign_filename rm $cosign_filename echo "Installation of cosign succeeded with ${COSIGN_VERSION}." } # Install 'cosign' for validating signatures # https://docs.sigstore.dev/cosign/overview/ ensure_cosign() { check_packages curl ca-certificates gnupg2 if ! type cosign > /dev/null 2>&1; then echo "Installing cosign..." COSIGN_VERSION="latest" cosign_url='https://github.com/sigstore/cosign' find_version_from_git_tags COSIGN_VERSION "${cosign_url}" install_cosign "${COSIGN_VERSION}" "${cosign_url}" fi if ! type cosign > /dev/null 2>&1; then echo "(!) Failed to install cosign." exit 1 fi cosign version } # Ensure apt is in non-interactive to avoid prompts export DEBIAN_FRONTEND=noninteractive # Install dependencies if missing check_packages curl ca-certificates gnupg2 dirmngr coreutils unzip dnsutils if ! type git > /dev/null 2>&1; then check_packages git fi terraform_url='https://github.com/hashicorp/terraform' tflint_url='https://github.com/terraform-linters/tflint' terragrunt_url='https://github.com/gruntwork-io/terragrunt' # Verify requested version is available, convert latest find_version_from_git_tags TERRAFORM_VERSION "$terraform_url" find_version_from_git_tags TFLINT_VERSION "$tflint_url" find_version_from_git_tags TERRAGRUNT_VERSION "$terragrunt_url" install_terraform() { local TERRAFORM_VERSION=$1 terraform_filename="terraform_${TERRAFORM_VERSION}_linux_${architecture}.zip" curl -sSL -o ${terraform_filename} "https://releases.hashicorp.com/terraform/${TERRAFORM_VERSION}/${terraform_filename}" } mkdir -p /tmp/tf-downloads cd /tmp/tf-downloads # Install Terraform, tflint, Terragrunt echo "Downloading terraform..." terraform_filename="terraform_${TERRAFORM_VERSION}_linux_${architecture}.zip" install_terraform "$TERRAFORM_VERSION" if grep -q "The specified key does not exist." "${terraform_filename}"; then install_previous_version TERRAFORM_VERSION $terraform_url "install_terraform" terraform_filename="terraform_${TERRAFORM_VERSION}_linux_${architecture}.zip" fi if [ "${TERRAFORM_SHA256}" != "dev-mode" ]; then if [ "${TERRAFORM_SHA256}" = "automatic" ]; then receive_gpg_keys TERRAFORM_GPG_KEY curl -sSL -o terraform_SHA256SUMS https://releases.hashicorp.com/terraform/${TERRAFORM_VERSION}/terraform_${TERRAFORM_VERSION}_SHA256SUMS curl -sSL -o terraform_SHA256SUMS.sig https://releases.hashicorp.com/terraform/${TERRAFORM_VERSION}/terraform_${TERRAFORM_VERSION}_SHA256SUMS.${TERRAFORM_GPG_KEY}.sig gpg --verify terraform_SHA256SUMS.sig terraform_SHA256SUMS else echo "${TERRAFORM_SHA256} *${terraform_filename}" > terraform_SHA256SUMS fi sha256sum --ignore-missing -c terraform_SHA256SUMS fi unzip ${terraform_filename} mv -f terraform /usr/local/bin/ install_tflint() { TFLINT_VERSION=$1 curl -sSL -o /tmp/tf-downloads/${TFLINT_FILENAME} https://github.com/terraform-linters/tflint/releases/download/v${TFLINT_VERSION}/${TFLINT_FILENAME} } if [ "${TFLINT_VERSION}" != "none" ]; then echo "Downloading tflint..." TFLINT_FILENAME="tflint_linux_${architecture}.zip" install_tflint "$TFLINT_VERSION" if grep -q "Not Found" "/tmp/tf-downloads/${TFLINT_FILENAME}"; then install_previous_version TFLINT_VERSION "$tflint_url" "install_tflint" fi if [ "${TFLINT_SHA256}" != "dev-mode" ]; then if [ "${TFLINT_SHA256}" != "automatic" ]; then echo "${TFLINT_SHA256} *${TFLINT_FILENAME}" > tflint_checksums.txt sha256sum --ignore-missing -c tflint_checksums.txt else curl -sSL -o tflint_checksums.txt https://github.com/terraform-linters/tflint/releases/download/v${TFLINT_VERSION}/checksums.txt set +e curl -sSL -o checksums.txt.keyless.sig https://github.com/terraform-linters/tflint/releases/download/v${TFLINT_VERSION}/checksums.txt.keyless.sig set -e # Check that checksums.txt.keyless.sig exists and is not empty if [ -s checksums.txt.keyless.sig ]; then # Validate checksums with cosign curl -sSL -o checksums.txt.pem https://github.com/terraform-linters/tflint/releases/download/v${TFLINT_VERSION}/checksums.txt.pem ensure_cosign cosign verify-blob \ --certificate=/tmp/tf-downloads/checksums.txt.pem \ --signature=/tmp/tf-downloads/checksums.txt.keyless.sig \ --certificate-identity-regexp="^https://github.com/terraform-linters/tflint" \ --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ /tmp/tf-downloads/tflint_checksums.txt # Ensure that checksums.txt has $TFLINT_FILENAME grep ${TFLINT_FILENAME} /tmp/tf-downloads/tflint_checksums.txt # Validate downloaded file sha256sum --ignore-missing -c tflint_checksums.txt else # Fallback to older, GPG-based verification (pre-0.47.0 of tflint) curl -sSL -o tflint_checksums.txt.sig https://github.com/terraform-linters/tflint/releases/download/v${TFLINT_VERSION}/checksums.txt.sig curl -sSL -o tflint_key "${TFLINT_GPG_KEY_URI}" gpg -q --import tflint_key gpg --verify tflint_checksums.txt.sig tflint_checksums.txt fi fi fi unzip /tmp/tf-downloads/${TFLINT_FILENAME} mv -f tflint /usr/local/bin/ fi install_terragrunt() { TERRAGRUNT_VERSION=$1 curl -sSL -o /tmp/tf-downloads/${terragrunt_filename} https://github.com/gruntwork-io/terragrunt/releases/download/v${TERRAGRUNT_VERSION}/${terragrunt_filename} } if [ "${TERRAGRUNT_VERSION}" != "none" ]; then echo "Downloading Terragrunt..." terragrunt_filename="terragrunt_linux_${architecture}" install_terragrunt "$TERRAGRUNT_VERSION" output=$(cat "/tmp/tf-downloads/${terragrunt_filename}") if [[ $output == "Not Found" ]]; then install_previous_version TERRAGRUNT_VERSION $terragrunt_url "install_terragrunt" fi if [ "${TERRAGRUNT_SHA256}" != "dev-mode" ]; then if [ "${TERRAGRUNT_SHA256}" = "automatic" ]; then curl -sSL -o terragrunt_SHA256SUMS https://github.com/gruntwork-io/terragrunt/releases/download/v${TERRAGRUNT_VERSION}/SHA256SUMS else echo "${TERRAGRUNT_SHA256} *${terragrunt_filename}" > terragrunt_SHA256SUMS fi sha256sum --ignore-missing -c terragrunt_SHA256SUMS fi chmod a+x /tmp/tf-downloads/${terragrunt_filename} mv -f /tmp/tf-downloads/${terragrunt_filename} /usr/local/bin/terragrunt fi if [ "${INSTALL_SENTINEL}" = "true" ]; then SENTINEL_VERSION="latest" sentinel_releases_url='https://releases.hashicorp.com/sentinel' find_sentinel_version_from_url SENTINEL_VERSION ${sentinel_releases_url} sentinel_filename="sentinel_${SENTINEL_VERSION}_linux_${architecture}.zip" echo "(*) Downloading Sentinel... ${sentinel_filename}" curl -sSL -o /tmp/tf-downloads/${sentinel_filename} ${sentinel_releases_url}/${SENTINEL_VERSION}/${sentinel_filename} if [ "${SENTINEL_SHA256}" != "dev-mode" ]; then if [ "${SENTINEL_SHA256}" = "automatic" ]; then receive_gpg_keys TERRAFORM_GPG_KEY curl -sSL -o sentinel_checksums.txt ${sentinel_releases_url}/${SENTINEL_VERSION}/sentinel_${SENTINEL_VERSION}_SHA256SUMS curl -sSL -o sentinel_checksums.txt.sig ${sentinel_releases_url}/${SENTINEL_VERSION}/sentinel_${SENTINEL_VERSION}_SHA256SUMS.${TERRAFORM_GPG_KEY}.sig gpg --verify sentinel_checksums.txt.sig sentinel_checksums.txt # Verify the SHASUM matches the archive shasum -a 256 --ignore-missing -c sentinel_checksums.txt else echo "${SENTINEL_SHA256} *${SENTINEL_FILENAME}" >sentinel_checksums.txt fi sha256sum --ignore-missing -c sentinel_checksums.txt fi unzip /tmp/tf-downloads/${sentinel_filename} chmod a+x /tmp/tf-downloads/sentinel mv -f /tmp/tf-downloads/sentinel /usr/local/bin/sentinel fi install_tfsec() { local TFSEC_VERSION=$1 tfsec_filename="tfsec_${TFSEC_VERSION}_linux_${architecture}.tar.gz" curl -sSL -o /tmp/tf-downloads/${tfsec_filename} https://github.com/aquasecurity/tfsec/releases/download/v${TFSEC_VERSION}/${tfsec_filename} } if [ "${INSTALL_TFSEC}" = "true" ]; then TFSEC_VERSION="latest" tfsec_url='https://github.com/aquasecurity/tfsec' find_version_from_git_tags TFSEC_VERSION $tfsec_url tfsec_filename="tfsec_${TFSEC_VERSION}_linux_${architecture}.tar.gz" echo "(*) Downloading TFSec... ${tfsec_filename}" install_tfsec "$TFSEC_VERSION" if grep -q "Not Found" "/tmp/tf-downloads/${tfsec_filename}"; then install_previous_version TFSEC_VERSION $tfsec_url "install_tfsec" tfsec_filename="tfsec_${TFSEC_VERSION}_linux_${architecture}.tar.gz" fi if [ "${TFSEC_SHA256}" != "dev-mode" ]; then if [ "${TFSEC_SHA256}" = "automatic" ]; then curl -sSL -o tfsec_SHA256SUMS https://github.com/aquasecurity/tfsec/releases/download/v${TFSEC_VERSION}/tfsec_${TFSEC_VERSION}_checksums.txt else echo "${TFSEC_SHA256} *${tfsec_filename}" > tfsec_SHA256SUMS fi sha256sum --ignore-missing -c tfsec_SHA256SUMS fi mkdir -p /tmp/tf-downloads/tfsec tar -xzf /tmp/tf-downloads/${tfsec_filename} -C /tmp/tf-downloads/tfsec chmod a+x /tmp/tf-downloads/tfsec/tfsec mv -f /tmp/tf-downloads/tfsec/tfsec /usr/local/bin/tfsec fi install_terraform_docs() { local TERRAFORM_DOCS_VERSION=$1 tfdocs_filename="terraform-docs-v${TERRAFORM_DOCS_VERSION}-linux-${architecture}.tar.gz" curl -sSL -o /tmp/tf-downloads/${tfdocs_filename} https://github.com/terraform-docs/terraform-docs/releases/download/v${TERRAFORM_DOCS_VERSION}/${tfdocs_filename} } if [ "${INSTALL_TERRAFORM_DOCS}" = "true" ]; then TERRAFORM_DOCS_VERSION="latest" terraform_docs_url='https://github.com/terraform-docs/terraform-docs' find_version_from_git_tags TERRAFORM_DOCS_VERSION $terraform_docs_url tfdocs_filename="terraform-docs-v${TERRAFORM_DOCS_VERSION}-linux-${architecture}.tar.gz" echo "(*) Downloading Terraform docs... ${tfdocs_filename}" install_terraform_docs "$TERRAFORM_DOCS_VERSION" if grep -q "Not Found" "/tmp/tf-downloads/${tfdocs_filename}"; then install_previous_version TERRAFORM_DOCS_VERSION $terraform_docs_url "install_terraform_docs" tfdocs_filename="terraform-docs-v${TERRAFORM_DOCS_VERSION}-linux-${architecture}.tar.gz" fi if [ "${TERRAFORM_DOCS_SHA256}" != "dev-mode" ]; then if [ "${TERRAFORM_DOCS_SHA256}" = "automatic" ]; then curl -sSL -o tfdocs_SHA256SUMS https://github.com/terraform-docs/terraform-docs/releases/download/v${TERRAFORM_DOCS_VERSION}/terraform-docs-v${TERRAFORM_DOCS_VERSION}.sha256sum else echo "${TERRAFORM_DOCS_SHA256} *${tfsec_filename}" > tfdocs_SHA256SUMS fi sha256sum --ignore-missing -c tfdocs_SHA256SUMS fi mkdir -p /tmp/tf-downloads/tfdocs tar -xzf /tmp/tf-downloads/${tfdocs_filename} -C /tmp/tf-downloads/tfdocs chmod a+x /tmp/tf-downloads/tfdocs/terraform-docs mv -f /tmp/tf-downloads/tfdocs/terraform-docs /usr/local/bin/terraform-docs fi rm -rf /tmp/tf-downloads ${GNUPGHOME} # Clean up rm -rf /var/lib/apt/lists/* echo "Done!"