Configuration¶
Dockerfile Build Arguments¶
Tool versions are defined as ARG variables at the top of the Dockerfile. Override them at build time to customize the image.
Builder Stage Arguments¶
| Argument | Description | Default |
|---|---|---|
| TERRAFORM_VERSION | Terraform version | 1.14.4 |
| TERRAGRUNT_VERSION | Terragrunt version | 0.99.1 |
| TFDOCS_VERSION | terraform-docs version | 0.21.0 |
| TFLINT_VERSION | TFLint version | 0.61.0 |
| TRIVY_VERSION | Trivy version | 0.69.1 |
| EKSCTL_VERSION | eksctl version | 0.222.0 |
Runtime Stage Arguments¶
| Argument | Description | Default |
|---|---|---|
| CHECKOV_VERSION | Checkov version | 3.2.497 |
| PRE_COMMIT_VERSION | pre-commit version | 4.5.1 |
User Arguments¶
| Argument | Description | Default |
|---|---|---|
| USERNAME | Non-root user name | tf-user |
| USER_UID | User UID | 1000 |
| USER_GID | User GID | 1000 |
Building with Custom Versions¶
Override one or more tool versions with `--build-arg`; for example, to override three at once:

```bash
docker build \
  --build-arg TERRAFORM_VERSION=1.14.0 \
  --build-arg TERRAGRUNT_VERSION=0.98.0 \
  --build-arg CHECKOV_VERSION=3.2.400 \
  -t terraform-toolkit:custom .
```
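A pinned version is only useful if the image actually contains it. The script below is an added example (not a file shipped with the toolkit): it rejects build arguments that are not a plain X.Y.Z version before they are interpolated into download URLs inside the Dockerfile, builds the image, and then runs each tool inside the image and compares the version it reports with the value that was pinned. The image tag, the assumption that the image has no ENTRYPOINT that would swallow the command, and the sample banners used in the comments are assumptions.

```bash
#!/bin/sh
# Added example, not part of the toolkit's own files: build with pinned
# versions, then verify that every tool in the image reports that version.
# Assumes the image has no ENTRYPOINT and that the tag below is free to use.
set -eu

IMAGE="${IMAGE:-terraform-toolkit:custom}"   # assumed tag

# Versions to pin (the Dockerfile defaults from the tables above).
TERRAFORM_VERSION="${TERRAFORM_VERSION:-1.14.4}"
TERRAGRUNT_VERSION="${TERRAGRUNT_VERSION:-0.99.1}"
TFLINT_VERSION="${TFLINT_VERSION:-0.61.0}"
TRIVY_VERSION="${TRIVY_VERSION:-0.69.1}"
CHECKOV_VERSION="${CHECKOV_VERSION:-3.2.497}"

# Accept only a bare X.Y.Z version. Build args end up inside download URLs and
# pip specifiers in the Dockerfile, so anything else is refused before
# `docker build` ever sees it (no "latest", no "v" prefix, no shell metacharacters).
is_semver() {
  printf '%s' "$1" | grep -Eq '^[0-9]+\.[0-9]+\.[0-9]+$'
}

# Compare the first X.Y.Z found in a tool's version banner with the pinned value.
# Works for constructed banners such as "Terraform v1.14.4", "TFLint version 0.61.0"
# or "Version: 0.69.1"; an empty or error banner never matches.
version_matches() {
  expected="$1"
  banner="$2"
  actual=$(printf '%s\n' "$banner" | grep -oE '[0-9]+\.[0-9]+\.[0-9]+' | head -n 1)
  [ "$actual" = "$expected" ]
}

build_image() {
  for v in "$TERRAFORM_VERSION" "$TERRAGRUNT_VERSION" "$TFLINT_VERSION" \
           "$TRIVY_VERSION" "$CHECKOV_VERSION"; do
    is_semver "$v" || { echo "refusing to build: '$v' is not a plain X.Y.Z version" >&2; return 1; }
  done
  docker build \
    --build-arg TERRAFORM_VERSION="$TERRAFORM_VERSION" \
    --build-arg TERRAGRUNT_VERSION="$TERRAGRUNT_VERSION" \
    --build-arg TFLINT_VERSION="$TFLINT_VERSION" \
    --build-arg TRIVY_VERSION="$TRIVY_VERSION" \
    --build-arg CHECKOV_VERSION="$CHECKOV_VERSION" \
    -t "$IMAGE" .
}

# check <label> <expected> <command...>: run the tool inside the image and compare.
check() {
  label="$1"; expected="$2"; shift 2
  banner=$(docker run --rm "$IMAGE" "$@" 2>&1 || true)
  if version_matches "$expected" "$banner"; then
    echo "ok   $label $expected"
  else
    echo "FAIL $label: expected $expected, got: $banner" >&2
    return 1
  fi
}

verify_image() {
  rc=0
  check terraform  "$TERRAFORM_VERSION"  terraform version    || rc=1
  check terragrunt "$TERRAGRUNT_VERSION" terragrunt --version || rc=1
  check tflint     "$TFLINT_VERSION"     tflint --version     || rc=1
  check trivy      "$TRIVY_VERSION"      trivy --version      || rc=1
  check checkov    "$CHECKOV_VERSION"    checkov --version    || rc=1
  return "$rc"
}

# Build and verify only when invoked as: sh build-and-verify.sh run
if [ "${1:-}" = "run" ]; then
  build_image
  verify_image
fi
```

The version extraction deliberately takes only the first X.Y.Z in the banner, so a mismatch (for example a fallback download of a different release) or a missing binary fails the check instead of passing silently.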
Image Size Breakdown¶
The optimized image is approximately 1.61 GB (27% smaller than the original 2.21 GB).
| Component | Size | Notes |
|---|---|---|
| Checkov (Python) | ~236 MB | Infrastructure security scanning |
| AWS CLI | ~231 MB | AWS command line interface |
| Trivy | ~148 MB | Container and Terraform security scanner |
| eksctl | ~136 MB | Kubernetes cluster management |
| System packages | ~100 MB | Minimal: git, Python, bash, curl, unzip |
| Terraform | 87 MB | Core tool |
| Terragrunt | 67 MB | Terraform wrapper |
| TFLint | 47 MB | Terraform linter |
| terraform-docs | 16 MB | Documentation generator |
Optimization Techniques¶
- Multi-stage build - an Alpine builder stage downloads the binaries; the Ubuntu runtime stage provides glibc compatibility
- `--no-install-recommends` - APT packages are installed without their recommended packages
- `--no-cache-dir` - pip installations do not keep a cache of downloaded packages
- Python cleanup - removes `__pycache__`, `.pyc` files, and test directories
- No sudo - the sudo package is not included (~40 MB saved; it also removes a privilege-escalation path from the non-root user)
- Combined RUN layers - fewer Docker layers reduce overhead
Multi-Architecture Support¶
The image supports both linux/amd64 and linux/arm64 architectures. The build process automatically detects the target architecture and downloads the correct binaries.
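The following Dockerfile is an added illustration of the optimization techniques and the multi-architecture selection described above; it is not the toolkit's own Dockerfile. It shows the Alpine builder and Ubuntu runtime stages, `--no-install-recommends`, `--no-cache-dir`, the Python cleanup, a non-root user without sudo, and `TARGETARCH`-based selection of the release asset. Only Terraform and Checkov are installed to keep it short. The base image tags, the checksum verification step and the use of BuildKit's automatic `TARGETARCH` argument are assumptions.

```dockerfile
# syntax=docker/dockerfile:1
# Added illustration, not the toolkit's own Dockerfile.

ARG TERRAFORM_VERSION=1.14.4
ARG CHECKOV_VERSION=3.2.497
ARG USERNAME=tf-user
ARG USER_UID=1000
ARG USER_GID=1000

# ---- builder: small Alpine stage that only fetches and unpacks binaries ----
FROM alpine:3.20 AS builder
ARG TERRAFORM_VERSION
# TARGETARCH is set automatically by BuildKit (amd64 or arm64) and picks the
# release asset for the platform being built; no manual detection is needed.
ARG TARGETARCH
RUN apk add --no-cache curl unzip
WORKDIR /tmp/tf
# Download the archive and HashiCorp's SHA256SUMS list, verify the archive
# against the list (assumed addition), then unpack. A tampered or truncated
# download fails the build here instead of ending up in the image.
RUN curl -fsSLO "https://releases.hashicorp.com/terraform/${TERRAFORM_VERSION}/terraform_${TERRAFORM_VERSION}_linux_${TARGETARCH}.zip" \
 && curl -fsSLO "https://releases.hashicorp.com/terraform/${TERRAFORM_VERSION}/terraform_${TERRAFORM_VERSION}_SHA256SUMS" \
 && grep " terraform_${TERRAFORM_VERSION}_linux_${TARGETARCH}.zip$" "terraform_${TERRAFORM_VERSION}_SHA256SUMS" | sha256sum -c - \
 && unzip -q "terraform_${TERRAFORM_VERSION}_linux_${TARGETARCH}.zip" -d /out \
 && chmod 0755 /out/terraform

# ---- runtime: Ubuntu for glibc compatibility, kept minimal ----
# ubuntu:22.04 is assumed; note that ubuntu:24.04 ships a user with UID 1000,
# which would collide with the USER_UID default below.
FROM ubuntu:22.04
ARG CHECKOV_VERSION
ARG USERNAME
ARG USER_UID
ARG USER_GID

# One RUN layer: install only what is needed, skip recommended packages, and
# drop the APT lists in the same layer so they are never committed.
RUN apt-get update \
 && apt-get install -y --no-install-recommends \
      git python3 python3-pip bash curl unzip ca-certificates \
 && rm -rf /var/lib/apt/lists/*

# pip without a wheel cache, then strip bytecode and bundled test suites.
RUN pip3 install --no-cache-dir "checkov==${CHECKOV_VERSION}" \
 && find /usr/local/lib/python3* -type d -name __pycache__ -prune -exec rm -rf {} + \
 && find /usr/local/lib/python3* -name '*.pyc' -delete \
 && find /usr/local/lib/python3* -type d \( -name tests -o -name test \) -prune -exec rm -rf {} +

COPY --from=builder /out/terraform /usr/local/bin/terraform

# Non-root user; sudo is deliberately not installed, so nothing in the image
# can escalate from this account.
RUN groupadd --gid "${USER_GID}" "${USERNAME}" \
 && useradd --uid "${USER_UID}" --gid "${USER_GID}" -m -s /bin/bash "${USERNAME}"
USER ${USERNAME}
WORKDIR /workspace
```

Build both architectures from this file with `docker buildx build --platform linux/amd64,linux/arm64 -t terraform-toolkit:multiarch .`; BuildKit sets `TARGETARCH` separately for each platform, so the builder stage fetches the matching archive and checks it against the same SHA256SUMS list.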