@Aashiq-J Aashiq-J commented Nov 14, 2025

Description

Add script to install binaries which are required by the scripts in the module.

Release required?

  • No release
  • Patch release (x.x.X)
  • Minor release (x.X.x)
  • Major release (X.x.x)
Release notes content

Run the pipeline

If the CI pipeline doesn't run when you create the PR, the PR requires a user with GitHub collaborators access to run the pipeline.

Run the CI pipeline when the PR is ready for review and you expect tests to pass. Add a comment to the PR with the following text:

/run pipeline

Checklist for reviewers

  • If relevant, a test for the change is included or updated with this PR.
  • If relevant, documentation for the change is included or updated with this PR.

For mergers

  • Use a conventional commit message to set the release level. Follow the guidelines.
  • Include information that users need to know about the PR in the commit message. The commit message becomes part of the GitHub release notes.
  • Use the Squash and merge option.

@Aashiq-J Aashiq-J requested a review from vkuma17 as a code owner November 14, 2025 09:20
@Aashiq-J
Member Author

/run pipeline

Contributor

@ocofaigh ocofaigh left a comment

Too much code duplication - let's sync up to see how we can handle here. Especially since this code would even be duplicated across multiple repos too. Perhaps time to leverage https://github.com/terraform-ibm-modules/common-bash-library

Contributor

@ocofaigh ocofaigh left a comment

Why do we have scripts/install-deps.sh and modules/kube-audit/scripts/install-deps.sh? We should only have 1 script that should be used by all the modules in this repo. If needed, update the script to support only installing certain binaries if required.

count = var.install_dependencies ? 1 : 0
# change trigger to run every time
triggers = {
build_number = timestamp()
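
Review bot: `build_number = timestamp()` in `triggers` produces a new value on every run, so this resource is replaced and reported as a change in every plan and apply, even when nothing else has changed. If the install only has to repeat when the script or the required versions change, key the trigger on a value derived from those instead (for example a hash of the install script); if it really must run each time, say why in the comment above `triggers` rather than only "change trigger to run every time".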

Contributor

I don't think we need this to trigger every time. It only needs to trigger if the null resource has to run again.

Member Author

I guess that's not possible; if we set triggers to other null_resource blocks, the install script will run after there is a change in the other null_resource block and not before.

Contributor

I think we should look into this. I don't like the fact we will always install as part of every plan. Perhaps there is some precondition or lifecycle feature we could leverage in Terraform?

# Optional custom URL prefix for all binaries
CUSTOM_KUBECTL_URL="${CUSTOM_KUBECTL_URL:-}"
CUSTOM_JQ_URL="${CUSTOM_JQ_URL:-}"
CUSTOM_OC_URL="${CUSTOM_OC_URL:-}"
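
Review bot: the comment on the first line says "Optional custom URL prefix for all binaries", but the lines below it define one variable per binary (`CUSTOM_KUBECTL_URL`, `CUSTOM_JQ_URL`, `CUSTOM_OC_URL`), so it is unclear whether each value is a shared prefix or a full download URL. Reword the comment to match what the script expects, and since these overrides change where executables are fetched from, document next to them what integrity check (if any) the script applies to a binary downloaded from an override URL.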

Contributor

This is not documented anywhere? We should probably list the environment variable overrides in the variable description.

Contributor

I would also rename them to:

  • CUSTOM_KUBECTL_URL -> KUBECTL_DOWNLOAD_URL
  • CUSTOM_JQ_URL -> JQ_DOWNLOAD_URL

Contributor

I'm just thinking that there might be authentication required for someone's custom URL, but I guess it's on them to make sure that's handled.

Member Author

I added the documentation to the main README

# Install: kubectl
#######################################

# renovate: datasource=github-releases depName=kubernetes/kubernetes

Contributor

You will need to add a custom renovate rule in renovate.json for this to work (copy the one in common-dev-assets).

@Aashiq-J
Member Author

@ocofaigh,
The kube-audit submodule can be used independently of the root module; that's why we have the install-binaries script in that submodule as well.

Contributor

@ocofaigh ocofaigh left a comment

@Aashiq-J We should not have to duplicate the script in the submodule. Can't we find syntax to reference it from the same location? Worst case, we could use a symlink, but I'm hoping we can use ../.. to maybe find it?

@Aashiq-J
Member Author

Aashiq-J commented Dec 1, 2025

@ocofaigh, ../.. usually gives an error in waypoint; that was why I was avoiding it. I'm just running a quick test to see if ../.. will work in waypoint.

@ocofaigh
Contributor

ocofaigh commented Dec 1, 2025

Can we look more into why this doesn't work? Perhaps set it up locally so we can play with it?

@Aashiq-J
Member Author

Aashiq-J commented Dec 2, 2025

/run pipeline

ocofaigh previously approved these changes Dec 2, 2025
@Aashiq-J
Member Author

Aashiq-J commented Dec 2, 2025

         2025/12/02 11:04:44 Terraform apply | Error: local-exec provisioner error
         2025/12/02 11:04:44 Terraform apply | 
         2025/12/02 11:04:44 Terraform apply |   with module.kube_audit[0].null_resource.set_audit_webhook,
         2025/12/02 11:04:44 Terraform apply |   on ../../modules/kube-audit/main.tf line 122, in resource "null_resource" "set_audit_webhook":
         2025/12/02 11:04:44 Terraform apply |  122:   provisioner "local-exec" {
         2025/12/02 11:04:44 Terraform apply | 
         2025/12/02 11:04:44 Terraform apply | Error running command '../../modules/kube-audit/scripts/set_webhook.sh jp-osa
         2025/12/02 11:04:44 Terraform apply | true default d4nbekfo0gsdui1npgu0 bcf50e9435d0407ca539741836c70bbb default
         2025/12/02 11:04:44 Terraform apply | /tmp': exit status 1. Output: hostname: armada-api-b848b867d-5jxqm
         2025/12/02 11:04:44 Terraform apply | x-region: jp-osa
         2025/12/02 11:04:44 Terraform apply | x-request-id: f2b4b0cb-f855-4d74-877c-0856e3f10940
         2025/12/02 11:04:44 Terraform apply | date: Tue, 02 Dec 2025 11:02:10 GMT
         2025/12/02 11:04:44 Terraform apply | content-length: 321
         2025/12/02 11:04:44 Terraform apply | cache-control: no-cache, no-store
         2025/12/02 11:04:44 Terraform apply | content-security-policy: default-src 'none'; script-src 'self'
         2025/12/02 11:04:44 Terraform apply | 'unsafe-inline' 'unsafe-eval'; connect-src 'self'; img-src 'self' data:;
         2025/12/02 11:04:44 Terraform apply | style-src 'self' 'unsafe-inline'; font-src 'self'
         2025/12/02 11:04:44 Terraform apply | expires: 0
         2025/12/02 11:04:44 Terraform apply | pragma: no-cache
         2025/12/02 11:04:44 Terraform apply | strict-transport-security: max-age=31536000; includeSubDomains
         2025/12/02 11:04:44 Terraform apply | x-content-type-options: nosniff
         2025/12/02 11:04:44 Terraform apply | x-frame-options: DENY
         2025/12/02 11:04:44 Terraform apply | x-permitted-cross-domain-policies: master-only
         2025/12/02 11:04:44 Terraform apply | x-xss-protection: 1; mode=block
         2025/12/02 11:04:44 Terraform apply | 
         2025/12/02 11:04:44 Terraform apply | {"incidentID":"f2b4b0cb-f855-ad74-877c-0856e3f10940","code":"A0003","description":"Your
         2025/12/02 11:04:44 Terraform apply | IAM token could not be verified. Run ibmcloud iam oauth-tokens to retrieve
         2025/12/02 11:04:44 Terraform apply | your access tokens, and use the IAM token for the Authorization
         2025/12/02 11:04:44 Terraform apply | header.","type":"Authentication","recoveryCLI":"Run 'ibmcloud login' to log
         2025/12/02 11:04:44 Terraform apply | in to IBM Cloud."}
         2025/12/02 11:04:44 Terraform apply | Sleeping for 30 secs..
         2025/12/02 11:04:44 Terraform apply | Webhook status: ERROR::
         2025/12/02 11:04:44 Terraform apply | v1/clusters/d4nbekfo0gsdui1npgu0/apiserverconfigs/auditwebhook FAILED
         2025/12/02 11:04:44 Terraform apply | HTTP/2 401 
         2025/12/02 11:04:44 Terraform apply | content-type: application/json; charset=utf-8
         2025/12/02 11:04:44 Terraform apply | x-carrier: prod-osa21-carrier100
         2025/12/02 11:04:44 Terraform apply | x-correlation-id: 13b1ba94-be58-43fa-bc35-c1d9dbef7ba2
         2025/12/02 11:04:44 Terraform apply | x-hostname: armada-api-b848b867d-v2wj7
         2025/12/02 11:04:44 Terraform apply | x-region: jp-osa
         2025/12/02 11:04:44 Terraform apply | x-request-id: 1a17f220-dc9d-45be-84bb-e6c301987757
         2025/12/02 11:04:44 Terraform apply | date: Tue, 02 Dec 2025 11:02:40 GMT
         2025/12/02 11:04:44 Terraform apply | content-length: 321

Still facing issues with the kube-audit script, which required a token; will revert the change for now and need to debug that issue further.

Issue: https://github.ibm.com/GoldenEye/issues/issues/16988

@Aashiq-J
Member Author

Aashiq-J commented Dec 2, 2025

/run pipeline

@ocofaigh
Contributor

ocofaigh commented Dec 2, 2025

@Aashiq-J can you please create an issue to investigate with the goal of adding back the provider data lookup to generate the access token?

@Aashiq-J
Member Author

Aashiq-J commented Dec 2, 2025

/run pipeline

@Aashiq-J
Member Author

Aashiq-J commented Dec 3, 2025

/run pipeline

@Aashiq-J
Member Author

Aashiq-J commented Dec 3, 2025

/run pipeline

@ocofaigh
Contributor

ocofaigh commented Dec 3, 2025

@Aashiq-J can you please leave comments on why tests are failing as they fail, so we know what kind of issues tests are hitting?

@Aashiq-J
Member Author

Aashiq-J commented Dec 3, 2025

/run pipeline

@Aashiq-J
Member Author

Aashiq-J commented Dec 3, 2025

last test failed due to this:


2025/12/03 04:58:11 Failed to execute script: exit status 1
Stderr: Looking up resource group ID for name: geretain-test-base-ocp-vpc
Found resource group ID: ed293fd4909f4bc69b1e85324b8c39db
FAIL	command-line-arguments	48.415s
FAIL
make: *** [Makefile:120: run-tests] Error 1

Not related to the code change.

@ocofaigh ocofaigh merged commit 7a7aad3 into main Dec 3, 2025
2 checks passed
@ocofaigh ocofaigh deleted the install-deps branch December 3, 2025 12:18
@terraform-ibm-modules-ops
Contributor

🎉 This PR is included in version 3.74.0 🎉

The release is available on:

Your semantic-release bot 📦🚀
