fix: convert sam/build-python to python:alpine (#868)

scottschreckengaust · krokoko · web-flow · commit c486aaf03ebd · 2025-07-18T23:52:17.000Z
* fix: convert sam/build-python to python:alpine

Signed-off-by: Scott Schreckengaust &lt;scottschreckengaust@users.noreply.github.com&gt;

* fix: terraform-mcp-server

Signed-off-by: Scott Schreckengaust &lt;scottschreckengaust@users.noreply.github.com&gt;

* fix: optimizing

Signed-off-by: Scott Schreckengaust &lt;scottschreckengaust@users.noreply.github.com&gt;

---------

Signed-off-by: Scott Schreckengaust &lt;scottschreckengaust@users.noreply.github.com&gt;
Co-authored-by: Alain Krok &lt;alkrok@amazon.com&gt;
diff --git a/src/aws-diagram-mcp-server/Dockerfile b/src/aws-diagram-mcp-server/Dockerfile
@@ -13,7 +13,7 @@
 # limitations under the License.
 
 # dependabot should continue to update this to the latest hash.
-FROM public.ecr.aws/sam/build-python3.12@sha256:e76d50b20fa10ee101886cb62962aaf87a5cd1d737af48e1b8395a05f3a7c52f AS uv
+FROM public.ecr.aws/docker/library/python:3.12-slim-bookworm@sha256:4600f71648e110b005bf7bca92dbb335e549e6b27f2e83fceee5e11b3e1a4d01 AS uv
 
 # Install the project into `/app`
 WORKDIR /app
@@ -48,24 +48,26 @@ COPY . /app
 RUN --mount=type=cache,target=/root/.cache/uv \
     uv sync --python 3.12 --frozen --no-dev --no-editable
 
-# Make the directory just in case it doesn't exist
-RUN mkdir -p /root/.local
+# # Make the directory just in case it doesn't exist
+# RUN mkdir -p /root/.local
 
-FROM public.ecr.aws/sam/build-python3.12@sha256:e76d50b20fa10ee101886cb62962aaf87a5cd1d737af48e1b8395a05f3a7c52f
+FROM public.ecr.aws/docker/library/python:3.12-slim-bookworm@sha256:4600f71648e110b005bf7bca92dbb335e549e6b27f2e83fceee5e11b3e1a4d01
 
 # Place executables in the environment at the front of the path and include other binaries
 ENV PATH="/app/.venv/bin:$PATH:/usr/sbin" \
     PYTHONUNBUFFERED=1
 
 # Add non-root user and ability to change directory into /root
-RUN dnf update -y && \
-    dnf install -y graphviz && \
-    dnf clean all -y && \
-    rm -rf /var/cache/dnf && \
-    groupadd --force --system app
+RUN apt-get update -y && \
+    apt-get install -y graphviz && \
+    apt-get clean -y && \
+    apt-get autoremove -y && \
+    groupadd --force --system app && \
+    useradd app -g app -d /app && \
+    chmod o+x /root
 
 # Copy application artifacts from build stage
-COPY --from=uv --chown=app:app /root/.local /root/.local
+# COPY --from=uv --chown=app:app /root/.local /root/.local
 COPY --from=uv --chown=app:app /app/.venv /app/.venv
 
 # Get healthcheck script
diff --git a/src/s3-tables-mcp-server/Dockerfile b/src/s3-tables-mcp-server/Dockerfile
@@ -13,7 +13,7 @@
 # limitations under the License.
 
 # dependabot should continue to update this to the latest hash.
-FROM public.ecr.aws/sam/build-python3.13@sha256:0c274ddd44e1d80e4dab3a70c25fe29508f612a045cba7d27840461c12eee86d AS uv
+FROM public.ecr.aws/docker/library/python:3.13-slim-bookworm@sha256:6544e0e002b40ae0f59bc3618b07c1e48064c4faed3a15ae2fbd2e8f663e8283 AS uv
 
 # Install the project into `/app`
 WORKDIR /app
@@ -48,10 +48,10 @@ COPY . /app
 RUN --mount=type=cache,target=/root/.cache/uv \
     uv sync --python 3.13 --frozen --no-dev --no-editable
 
-# Make the directory just in case it doesn't exist
-RUN mkdir -p /root/.local
+# # Make the directory just in case it doesn't exist
+# RUN mkdir -p /root/.local
 
-FROM public.ecr.aws/sam/build-python3.13@sha256:0c274ddd44e1d80e4dab3a70c25fe29508f612a045cba7d27840461c12eee86d
+FROM public.ecr.aws/docker/library/python:3.13-slim-bookworm@sha256:6544e0e002b40ae0f59bc3618b07c1e48064c4faed3a15ae2fbd2e8f663e8283
 
 # Place executables in the environment at the front of the path and include other binaries
 ENV PATH="/app/.venv/bin:$PATH:/usr/sbin" \
@@ -63,7 +63,7 @@ RUN groupadd --force --system app && \
     chmod o+x /root
 
 # Copy application artifacts from build stage
-COPY --from=uv --chown=app:app /root/.local /root/.local
+# COPY --from=uv --chown=app:app /root/.local /root/.local
 COPY --from=uv --chown=app:app /app/.venv /app/.venv
 
 # Get healthcheck script
diff --git a/src/terraform-mcp-server/Dockerfile b/src/terraform-mcp-server/Dockerfile
@@ -13,7 +13,7 @@
 # limitations under the License.
 
 # dependabot should continue to update this to the latest hash.
-FROM public.ecr.aws/sam/build-python3.13@sha256:0c274ddd44e1d80e4dab3a70c25fe29508f612a045cba7d27840461c12eee86d AS uv
+FROM public.ecr.aws/docker/library/python:3.13-slim-bookworm@sha256:6544e0e002b40ae0f59bc3618b07c1e48064c4faed3a15ae2fbd2e8f663e8283 AS uv
 
 # Install the project into `/app`
 WORKDIR /app
@@ -42,28 +42,39 @@ RUN --mount=type=cache,target=/root/.cache/uv \
     pip install --require-hashes --requirement uv-requirements.txt --no-cache-dir && \
     uv sync --python 3.13 --frozen --no-install-project --no-dev --no-editable
 
-# Then, add the rest of the project source code and install it
+    # Then, add the rest of the project source code and install it
 # Installing separately from its dependencies allows optimal layer caching
 COPY . /app
 RUN --mount=type=cache,target=/root/.cache/uv \
     uv sync --python 3.13 --frozen --no-dev --no-editable
 
 # Make the directory just in case it doesn't exist
-RUN mkdir -p /root/.local
-
-FROM public.ecr.aws/sam/build-python3.13@sha256:0c274ddd44e1d80e4dab3a70c25fe29508f612a045cba7d27840461c12eee86d
+# RUN mkdir -p /root/.local
 
+FROM public.ecr.aws/docker/library/python:3.13-slim-bookworm@sha256:6544e0e002b40ae0f59bc3618b07c1e48064c4faed3a15ae2fbd2e8f663e8283
+ARG TERRAFORM_VERSION="1.12.2"
 # Place executables in the environment at the front of the path and include other binaries
-ENV PATH="/app/.venv/bin:$PATH:/usr/sbin" \
-    PYTHONUNBUFFERED=1
+ENV PATH="/app/.venv/bin:$PATH:/usr/sbin"
+
+RUN echo $TERRAFORM_VERSION
 
+# Install lsof for the healthcheck
+# Install other tools as needed for the MCP server
 # Add non-root user and ability to change directory into /root
-RUN groupadd --force --system app && \
+RUN out=$(mktemp) && \
+    apt-get update -y && \
+    apt-get install -y wget unzip procps && \
+    (wget -nv -O$out wget "https://releases.hashicorp.com/terraform/${TERRAFORM_VERSION}/terraform_${TERRAFORM_VERSION}_linux_$(dpkg --print-architecture).zip" || echo "Getting Network Error 4 ? $?" ) && \
+    unzip "$out" -d /usr/local/bin/ && \
+    chmod +x /usr/local/bin/terraform && \
+    apt-get clean -y && \
+    apt-get autoremove -y && \
+    groupadd --force --system app && \
     useradd app -g app -d /app && \
     chmod o+x /root
 
-# Copy application artifacts from build stage
-COPY --from=uv --chown=app:app /root/.local /root/.local
+# Get the project from the uv layer
+# COPY --from=uv --chown=app:app /root/.local /root/.local
 COPY --from=uv --chown=app:app /app/.venv /app/.venv
 
 # Get healthcheck script
