Prepare the Toolbox Image
Geodesic is a powerful Linux toolbox container designed to optimize DevOps workflows by providing essential dependencies for a DevOps toolchain, ensuring consistency and efficiency across development environments without additional software installation on your workstation. It can be extended and customized to fit specific needs by creating your own Dockerfile
based on Geodesic, allowing you to add your favorite tools and share the container with your team for a unified working environment.
Geodesic is similar in principle to devcontainers. However, being a container itself, Geodesic can run anywhere containers are supported—whether on your local workstation, remotely inside clusters, or on bastion hosts. Additionally, you can use Geodesic as the base image for a devcontainer.
Building the Toolbox Image
Build a Geodesic infrastructure container. This container that has all the tools like terraform and atmos for building infrastructure. It's built from the Dockerfile
and there are some predefined targets defined in the Makefile
to make this easy. Customize these for your organization. Here are examples of both for reference.
# https://github.com/cloudposse/geodesic/
ARG GEODESIC_VERSION=2.5.0
ARG GEODESIC_OS=debian
# https://github.com/cloudposse/atmos
ARG ATMOS_VERSION=1.63.0
# This should match the version set in stacks/catalog/spacelift.yaml
# This should match the version set in .github/workflows/auto-format.yaml
ARG TF_1_VERSION=1.4.5
FROM public.ecr.aws/cloudposse/geodesic:${GEODESIC_VERSION}-${GEODESIC_OS}
# Geodesic message of the Day
ENV MOTD_URL="https://geodesic.sh/motd"
# Some configuration options for Geodesic
ENV AWS_SAML2AWS_ENABLED=false
ENV AWS_VAULT_ENABLED=false
ENV AWS_VAULT_SERVER_ENABLED=false
ENV CHAMBER_KMS_KEY_ALIAS=aws/ssm
ENV GEODESIC_TF_PROMPT_ACTIVE=false
ENV DIRENV_ENABLED=false
# Enable advanced AWS assume role chaining for tools using AWS SDK
# https://docs.aws.amazon.com/sdk-for-go/api/aws/session/
ENV AWS_SDK_LOAD_CONFIG=1
ENV AWS_DEFAULT_REGION=us-east-1
ENV AWS_DEFAULT_SHORT_REGION=use1
ENV AWS_REGION_ABBREVIATION_TYPE=short
# Install specific versions of Terraform. Must match versions in Spacelift terraform_version_map
# in components/terraform/spacelift/default.auto.tfvars
ARG TF_1_VERSION
RUN apt-get update && apt-get install -y -u --allow-downgrades \
terraform-1="${TF_1_VERSION}-*" && \
update-alternatives --set terraform /usr/share/terraform/1/bin/terraform
ARG ATMOS_VERSION
RUN apt-get update && apt-get install -y --allow-downgrades \
atmos="${ATMOS_VERSION}-*" \
spacectl
# Install pluto - a CLI tool to help discover deprecated and removed apiVersions in Kubernetes
# https://pluto.docs.fairwinds.com/
# https://github.com/FairwindsOps/pluto
RUN apt-get update && apt-get install -y --allow-downgrades \
pluto
COPY rootfs/ /
ARG DOCKER_REPO
ARG TENANT="core"
ENV NAMESPACE=acme
# Format of Geodesic banner prompt
ENV BANNER=${NAMESPACE}
ENV DOCKER_IMAGE="${NAMESPACE}/infra"
ENV DOCKER_TAG="latest"
# Default AWS_PROFILE
ENV AWS_PROFILE=${NAMESPACE}-identity
# This sets the default AWS_CONFIG to be used after signing in with Leapp.
# Once logged in, this config file gives you access to all the other teams
# and roles (if you are authorized for access).
ENV AWS_CONFIG_FILE=/etc/aws-config/aws-config-teams
ENV ASSUME_ROLE_INTERACTIVE_QUERY=${NAMESPACE}${TENANT:+-$TENANT}-gbl-
WORKDIR /
# placeholder until example is created
The standard Makefile
includes a number of commands. In order to build the initial, complete Geodesic image, run the following:
make all
On future builds, use make run
to use the cached image.
We install a wrapper script with make all
to your chosen namespace. For example, simply enter for given namespace to start your Geodesic container once built:
acme
See the install
step of the Makefile
for more details.
Build the toolbox image locally before continuing.
Follow the toolbox image setup steps in the How-to Get Started guide. In short,
run make all
.
The container will have the given local home mapped, so you should be able to use aws normally inside it once you set a profile that has valid credentials. For instance, if I log in to the profile acme
with leapp, I can run aws --profile acme sts get-caller-identity
and get a response.
Once you've verified that the infra container has access to aws resources, we can move on to the next step.
What comes next?
With your repository set up, workstation configured and toolbox in hand, you're ready to get to work provisioning your infrastructure with Atmos and Terraform. The next step is to learn how to provision AWS accounts.
Next Step