Alpine on HabibiOpshttps://habibiops.com/tags/alpine/Recent content in Alpine on HabibiOpsHugo -- gohugo.ioen-usSun, 11 Jan 2026 00:00:00 +0000Terraform Container Image for CI/CD Pipelineshttps://habibiops.com/p/terraform-container-image-for-cicd-pipelines/Sun, 11 Jan 2026 00:00:00 +0000https://habibiops.com/p/terraform-container-image-for-cicd-pipelines/<h2 id="introduction">Introduction </h2><p>Terraform is a great tool for managing infrastructure and can be integrated with CI/CD pipelines for automated deployments. In order to achieve idempotency and avoid unexpected changes from version updates, terraform should be run in a container image and be pinned to a specific version.</p> <p>In addition to having a pinned terraform version inside the container image, it can be a wise choice to also include a pinned version of the main provider being used for your infrastructure. For example, if you are using AWS, you can pin the terraform aws provider to your specific version.</p> <h2 id="terraform-and-provider-version-pinning">Terraform and Provider Version Pinning </h2><p>Your terraform configuration file should include the terraform and provider versions you want to use. For example:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-terraform" data-lang="terraform"><span class="line"><span class="cl"><span class="nx">terraform</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nx">required_version</span> <span class="o">=</span> <span class="s2">&#34;1.12.0&#34;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="nx">required_providers</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nx">aws</span> <span class="o">=</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nx">source</span> <span class="o">=</span> <span class="s2">&#34;hashicorp/aws&#34;</span> </span></span><span class="line"><span class="cl"> <span class="nx">version</span> <span class="o">=</span> <span class="s2">&#34;6.5.0&#34;</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"><span class="p">}</span> </span></span></code></pre></td></tr></table> </div> </div><p>I place the above in a separate file called <code>versions.tf</code> and include it in any directory used by terraform.</p> <h2 id="terraform-container-image">Terraform Container Image </h2><p>The main characteristics of a good terraform container image are:</p> <ul> <li>small size: use Alpine Linux as a base image</li> <li>pinned terraform version</li> <li>pinned provider versions</li> <li>arguments to specify the terraform and provider versions</li> <li>environment variables reflecting the used versions</li> </ul> <p>This <a class="link" href="https://www.hashicorp.com/de/blog/installing-hashicorp-tools-in-alpine-linux-containers" target="_blank" rel="noopener" >link</a> provides an example on how to install terraform on Alpine Linux. Here is an example Dockerfile for our terraform container image:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-dockerfile" data-lang="dockerfile"><span class="line"><span class="cl"><span class="k">FROM</span><span class="w"> </span><span class="s">alpine:3.22.0</span><span class="err"> </span></span></span><span class="line"><span class="cl"><span class="err"> </span></span></span><span class="line"><span class="cl"><span class="k">ARG</span> <span class="nv">TERRAFORM_VERSION</span><span class="o">=</span><span class="s2">&#34;1.12.0&#34;</span><span class="err"> </span></span></span><span class="line"><span class="cl"><span class="k">ARG</span> <span class="nv">TERRAFORM_AWS_PROVIDER_VERSION</span><span class="o">=</span><span class="s2">&#34;6.5.0&#34;</span><span class="err"> </span></span></span><span class="line"><span class="cl"><span class="err"> </span></span></span><span class="line"><span class="cl"><span class="k">ENV</span> <span class="nv">TF_IN_AUTOMATION</span><span class="o">=</span><span class="nb">true</span> </span></span><span class="line"><span class="cl"><span class="k">ENV</span> <span class="nv">TF_INPUT</span><span class="o">=</span><span class="nb">false</span> </span></span><span class="line"><span class="cl"><span class="k">ENV</span> <span class="nv">TERRAFORM_VERSION</span><span class="o">=</span><span class="s2">&#34;</span><span class="si">${</span><span class="nv">TERRAFORM_VERSION</span><span class="si">}</span><span class="s2">&#34;</span><span class="err"> </span></span></span><span class="line"><span class="cl"><span class="k">ENV</span> <span class="nv">TERRAFORM_AWS_PROVIDER_VERSION</span><span class="o">=</span><span class="s2">&#34;</span><span class="si">${</span><span class="nv">TERRAFORM_AWS_PROVIDER_VERSION</span><span class="si">}</span><span class="s2">&#34;</span><span class="err"> </span></span></span><span class="line"><span class="cl"><span class="err"> </span></span></span><span class="line"><span class="cl"><span class="k">RUN</span> apk add --update --no-cache <span class="se">\ </span></span></span><span class="line"><span class="cl"> aws-cli <span class="se">\ </span></span></span><span class="line"><span class="cl"> curl <span class="se">\ </span></span></span><span class="line"><span class="cl"> git <span class="se">\ </span></span></span><span class="line"><span class="cl"> unzip<span class="err"> </span></span></span><span class="line"><span class="cl"><span class="err"> </span></span></span><span class="line"><span class="cl"><span class="c"># terraform</span><span class="err"> </span></span></span><span class="line"><span class="cl"><span class="k">RUN</span> curl -o tf.zip <span class="s2">&#34;https://releases.hashicorp.com/terraform/</span><span class="si">${</span><span class="nv">TERRAFORM_VERSION</span><span class="si">}</span><span class="s2">/terraform_</span><span class="si">${</span><span class="nv">TERRAFORM_VERSION</span><span class="si">}</span><span class="s2">_linux_amd64.zip&#34;</span> <span class="se">\ </span></span></span><span class="line"><span class="cl"> <span class="o">&amp;&amp;</span> unzip tf.zip -d /usr/local/bin/ <span class="se">\ </span></span></span><span class="line"><span class="cl"> <span class="o">&amp;&amp;</span> rm tf.zip<span class="err"> </span></span></span><span class="line"><span class="cl"><span class="err"> </span></span></span><span class="line"><span class="cl"><span class="c"># terraform hashicorp/aws provider</span><span class="err"> </span></span></span><span class="line"><span class="cl"><span class="k">RUN</span> mkdir -p <span class="s2">&#34;/root/.terraform.d/plugins/registry.terraform.io/hashicorp/aws/</span><span class="si">${</span><span class="nv">TERRAFORM_AWS_PROVIDER_VERSION</span><span class="si">}</span><span class="s2">/linux_amd64&#34;</span> <span class="se">\ </span></span></span><span class="line"><span class="cl"> <span class="o">&amp;&amp;</span> curl -o tf_aws.zip <span class="s2">&#34;https://releases.hashicorp.com/terraform-provider-aws/</span><span class="si">${</span><span class="nv">TERRAFORM_AWS_PROVIDER_VERSION</span><span class="si">}</span><span class="s2">/terraform-provider-aws_</span><span class="si">${</span><span class="nv">TERRAFORM_AWS_PROVIDER_VERSION</span><span class="si">}</span><span class="s2">_linux_amd64.zip&#34;</span> <span class="se">\ </span></span></span><span class="line"><span class="cl"> <span class="o">&amp;&amp;</span> unzip tf_aws.zip -d <span class="s2">&#34;/root/.terraform.d/plugins/registry.terraform.io/hashicorp/aws/</span><span class="si">${</span><span class="nv">TERRAFORM_AWS_PROVIDER_VERSION</span><span class="si">}</span><span class="s2">/linux_amd64/&#34;</span> <span class="se">\ </span></span></span><span class="line"><span class="cl"> <span class="o">&amp;&amp;</span> rm tf_aws.zip<span class="err"> </span></span></span></code></pre></td></tr></table> </div> </div><p>Some advantages of having a pinned terraform and provider versions are:</p> <ul> <li>The pipeline runs will be guaranteed to run in a reproducible manner</li> <li><code>terraform init</code> will not download the latest provider version and will fail in case someone tries to use a different version in the pipeline</li> <li>The pipeline runs will be faster since the provider will not need to be downloaded every time on <code>terraform init</code></li> </ul> <h2 id="image-tagging">Image Tagging </h2><p>There are different ways to tag a container image. Some prefer to use the git commit hash as the tag, while others prefer to use semantic versioning. In this case, I prefer to use the explicit terraform and provider versions as the tag.</p> <p>The image is therefore tagged accordingly: <code>$IMAGE:$TERRAFORM_VERSION-$TERRAFORM_AWS_PROVIDER_VERSION</code>. For example, an image with terraform version <code>1.12.0</code> installed and aws provider version <code>6.5.0</code> would have the tag <code>1.12.0-6.5.0</code>.</p> <h2 id="conclusion">Conclusion </h2><p>This post summarized the best practices for creating terraform container images to be used in CI/CD pipelines.</p> <p>A sequel post will cover how to configure pipeline builds and deployments using the above container image.</p>