Amazonlinux 2023 (#710)

* Switch to Amazon Linux 2023

Author: thomasleplus

.github/pull_request_template.md

@@ -7,7 +7,7 @@ Please check the boxes below to confirm that you have followed the
 required guidelines for contributions:
 
 - [ ] If this pull request includes code changes, they were all properly tested. Automated tests were also included where possible.
-- [ ] If applicagle, this pull request includes the relevant documentation for this change.
+- [ ] If applicable, this pull request includes the relevant documentation for this change.
 - [ ] If this pull request is related to an existing issue, you can use the same description below but in any case include a [link](https://docs.github.com/en/issues/tracking-your-work-with-issues/using-issues/linking-a-pull-request-to-an-issue) like `Fixes #ISSUE_NUMBER.` or `Closese #ISSUE_NUMBER.`.
 - [ ] All the commits in this pull request were squashed into a single commit. That commit is [signed](https://docs.github.com/en/authentication/managing-commit-signature-verification).
 

.github/workflows/docker-build-push.yml

@@ -76,8 +76,8 @@ jobs:
         run: |
           # shellcheck disable=SC2086
           VERSION="$(\grep ${IMAGE}/Dockerfile -e '^FROM' | \head -n 1 | \sed -e 's/@.*$//; s/^.*://;')"
-          if [[ "${VERSION}" =~ ^[0-9]+\.[0-9]+\.[0-9]+$ ]] ; then
-            \echo "VERSION=${VERSION}" >> "${GITHUB_ENV}"
+          if [[ "${VERSION}" =~ ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\-minimal$ ]] ; then
+            \echo "VERSION=${VERSION/[0-9][0-9]*-minimal/}" >> "${GITHUB_ENV}"
           fi
       - name: Check if release already exists
         if: env.VERSION != ''

README.md

@@ -12,19 +12,17 @@ Docker container to run the AWS CLI and related tools (cfn-policy-validator, jq,
 
 ## Rational
 
-This image is based on the official
-[amazon/aws-cli](https://hub.docker.com/r/amazon/aws-cli) image. The
-main difference is that default entrypoint of the official image is
-`aws` because it is the only command that this image is meant to run.
-On the other hand, this image's default entrypoint is a shell (`bash`)
+This image is based on the latest official
+[public.ecr.aws/amazonlinux/amazonlinux](https://gallery.ecr.aws/amazonlinux/amazonlinux)
+image. This image's default entrypoint is a shell (`bash`)
 in which you can run not only `aws` but also other commands typically
 useful when building a more advanced CI/CD pipeline. For example this
 image includes the `jq` utility often very useful to process the
 output of the `aws` command. The tool `cfn-policy-validator` is also
 included to run IAM policies from a CloudFormation template through
 IAM Access Analyzer checks.
 
-Another significant difference with the official image is that this
+Another significant difference with the official AWS images is that this
 image is not running using the `root` user. Running as `root` should
 not be necessary for CI/CD activities and it is considered a security
 risk.

aws-cli/Dockerfile

@@ -1,4 +1,4 @@
-FROM amazon/aws-cli:2.27.36@sha256:0228db71362505ad9e8ad73b5da53a9d287ddc80424f1c92b1b0e5dedb9e4c70
+FROM public.ecr.aws/amazonlinux/amazonlinux:2023.7.20250609.0-minimal@sha256:c278930b7f4d5b703962bbcfb7a0ac4c6dc6c318ee02dd8123005d68cd94df17
 
 HEALTHCHECK NONE
 
@@ -8,42 +8,26 @@ ARG USER_ID=1000
 
 SHELL ["/bin/bash", "-euo", "pipefail", "-c"]
 
-# Upgrade python to 3.8 (best we can do with Amazon Linux 2)
-RUN yum remove python3 \
-    && amazon-linux-extras install python3.8 \
-    && ln -s /usr/bin/python3.8 /usr/bin/python3
-
-RUN yum update -y \
-    && yum install -y --setopt=skip_missing_names_on_install=False \
-    bash-4.2.46-34.amzn2 \
-    curl-8.3.0-1.amzn2.0.8 \
-    git-2.47.1-1.amzn2.0.2 \
-    libxml2-2.9.1-6.amzn2.5.16 \
-    jq-1.5-1.amzn2.0.2 \
-    make-3.82-24.amzn2 \
-    python3-pip-20.2.2-1.amzn2.0.10 \
-    tar-1.26-35.amzn2.0.4 \
-    unzip-6.0-57.amzn2.0.1 \
-    zip-3.0-11.amzn2.0.2 \
+RUN dnf upgrade -y \
+    && dnf install -y \
+    awscli-2-2.23.11-1.amzn2023.0.1 \
+    curl-minimal \
+    git-2.47.1-1.amzn2023.0.3 \
+    gzip-1.12-1.amzn2023.0.1 \
+    libxml2-2.10.4-1.amzn2023.0.10 \
+    jq-1.7.1-49.amzn2023.0.2 \
+    make-1:4.3-5.amzn2023.0.2 \
+    python3-3.9.22-1.amzn2023.0.1 \
+    tar-2:1.34-1.amzn2023.0.4 \
+    unzip-6.0-57.amzn2023.0.2 \
+    zip-3.0-28.amzn2023.0.2 \
     && IFS=$'\n\t' \
-    && if yum list updates | grep -q -e '^Updated Packages' ; then \
-       yum list updates ; \
+    && if dnf upgrade -y | grep -v -e '^Nothing to do.' ; then \
        exit 1 ; \
     fi \
-    && yum clean all \
+    && dnf clean all \
     && rm -rf /var/cache/yum
 
-# @TL FIXME: cfn-policy-validator version is held back by Python 3.8.
-# @TL FIXME: --break-system-packages not supported until Python 3.11.
-RUN pip3 install --no-cache-dir --upgrade \
-    cfn-policy-validator==0.0.29 \
-    && IFS=$'\n\t' \
-    && msg="$(pip3 list --outdated | grep -i -e '^cfn-policy-validator ' || true)" \
-    && if [ -n "${msg}" ]; then \
-       >&2 echo "ERROR: outdated: ${msg}" ; \
-       exit 1 ; \
-    fi
-
 RUN chmod 777 /opt \
     && adduser --home-dir "${USER_HOME}" --uid "${USER_ID}" "${USER_NAME}"
 
@@ -53,6 +37,16 @@ ENV HOME="${USER_HOME}"
 
 WORKDIR /opt
 
+# @TL FIXME: --break-system-packages not supported until Python 3.11.
+RUN pip3 install --no-cache-dir --upgrade \
+    cfn-policy-validator==0.0.36 \
+    && IFS=$'\n\t' \
+    && msg="$(pip3 list --outdated | grep -i -e '^cfn-policy-validator ' || true)" \
+    && if [ -n "${msg}" ]; then \
+       >&2 echo "ERROR: outdated: ${msg}" ; \
+       exit 1 ; \
+    fi
+
 CMD ["/bin/bash"]
 
 ENTRYPOINT []