A batteries-included container image for infrastructure work — OpenTofu, Terragrunt, kubectl, Helm, AWS CLI and more.
Use it in CI/CD pipelines or as a portable local dev shell.
Setting up kubectl, helm, aws-cli, terragrunt and friends on every laptop and CI runner is tedious and drifts over time. infratools packages a curated, version-pinned set of infra tools into a single OCI image you can pull from anywhere.
- Two flavors — a lightweight `-ci` image for pipelines, and a full local shell with zsh, krew, fzf, and dev ergonomics.
- Multi-arch — published for both `amd64` and `arm64`.
- Pinned versions — every tool version is declared in the `Dockerfile` and bumped through conventional commits.
| Architecture | Supported | Tested |
|---|---|---|
| `amd64` | ✅ | ✅ |
| `arm64` | ✅ | ✅ |
| Tool | Full image | CI image |
|---|---|---|
| `kubectl` | ✅ | ✅ |
| `helm` | ✅ | ✅ |
| `aws-cli` | ✅ | ✅ |
| `jq` / `curl` | ✅ | ✅ |
| `opentofu` | ✅ | — |
| `terragrunt` | ✅ | — |
| `tfenv` | ✅ | — |
| `krew` + `oidc-login` | ✅ | — |
| `kubectx` | ✅ | — |
| `git` / `vim` | ✅ | — |
| `zsh` + `oh-my-zsh` | ✅ | — |
| `fzf`, `bash`, `make` | ✅ | — |
| `pre-commit` | ✅ | — |
| `docker-cli` | ✅ | — |
| `openssh` (krb5) | ✅ | — |
Note
Exact pinned versions live in the Dockerfile under the ARG declarations.
Warning
Avoid using :latest in real workflows. Tool versions (OpenTofu, Terragrunt, kubectl, Helm…) change between releases and may break compatibility with your modules or state files.
Pin an explicit version from Docker Hub tags or GitHub releases — for example containerscrew/infratools:3.3.1. The :latest tags in the snippets below are shown for brevity only.
Mount your project directory and your local AWS / kube / SSH config so the container can act on your real environment:
```bash
docker run -it --rm \
  --name infratools \
  -h infratools \
  -v "$(pwd):/code" \
  -v "$HOME/.aws:/home/infratools/.aws" \
  -v "$HOME/.kube:/home/infratools/.kube" \
  -v "$HOME/.ssh:/home/infratools/.ssh" \
  -w /code \
  containerscrew/infratools:latest
```

Tip
For day-to-day local use, prefer the run-infratools.sh helper — it wires up these mounts (plus env-file and zsh history persistence) automatically.
Or use the image directly in a pipeline:
```yaml
deploy:
  image: containerscrew/infratools:latest-ci
  script:
    - kubectl version --client
    - helm version
    - aws --version
```

`containerscrew/infratools:<version>` — the complete toolbox for local development and rich pipelines. Includes OpenTofu, Terragrunt, zsh with oh-my-zsh, krew plugins, and the rest of the table above.
containerscrew/infratools:<version>-ci — a stripped-down image built from the same Dockerfile (--target ci). It ships only what most deploy jobs need: kubectl, helm, aws-cli, jq, curl. No terraform, no zsh, no dev tooling — smaller and faster to pull.
Both flavors are published from the same git tag.
For local use, copy run-infratools.sh into your repo (or your $PATH) and run it:
```bash
./run-infratools.sh
# Usage: run-infratools.sh [-i (info)] [-u (update)] [-a (attach or create)] [-v <host_path>:<container_path>]
```

Install it globally so you can reuse it from any repo:

```bash
sudo cp run-infratools.sh /usr/local/bin/
```

Mount additional files (e.g. credentials):

```bash
run-infratools.sh -a -v ~/.lacework.toml:/home/infratools/.lacework.toml
```

Persist environment variables across container runs — create a `.user/env` file in your project:

```bash
cd your-terraform-repo
mkdir -p .user
echo "FOO=BAR" >> .user/env
run-infratools.sh -a
echo "$FOO" # → BAR
```

Important
The helper persists zsh history in .zsh_container_history at the repo root and reads .user/env as an env file.
Add both to your .gitignore to keep them out of version control.
GitLab CI with the full image:
```yaml
stages:
  - deploy

infratools:
  image: containerscrew/infratools:latest
  stage: deploy
  script:
    - tofu init
    - tofu plan
```

GitLab CI with the slim CI image:

```yaml
deploy:
  image: containerscrew/infratools:latest-ci
  stage: deploy
  script:
    - kubectl apply -f manifests/
    - helm upgrade --install my-release ./chart
```

Tip
Pin to an explicit version (:3.3.1 / :3.3.1-ci) in production pipelines for reproducible builds.
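
One way to enforce this pinning advice in a repo, as an added example that is not part of the infratools project: a POSIX shell lint that lists every `containerscrew/infratools` reference without an explicit release tag. Treating a `@sha256:` digest as pinned goes beyond what this README asks for, and the function names and the sample pipeline are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the infratools repo): list floating image references.

# Succeeds for an explicit release tag (3.3.1, 3.3.1-ci, pre-3.0.0 style v2.9.0),
# optionally followed by a digest, or for a digest-only reference (assumption).
is_pinned_ref() {
  printf '%s\n' "$1" | grep -Eq \
    -e '^containerscrew/infratools:v?[0-9]+\.[0-9]+\.[0-9]+(-ci)?(@sha256:[0-9a-f]{64})?$' \
    -e '^containerscrew/infratools@sha256:[0-9a-f]{64}$'
}

# Prints "file:line: reference" for every floating reference in the given
# files. Returns 1 if at least one was printed, 0 otherwise.
find_unpinned_infratools() {
  found=0
  for file in "$@"; do
    # grep -no emits one "lineno:reference" record per match
    hits=$(grep -noE 'containerscrew/infratools(:[A-Za-z0-9._-]+)?(@sha256:[0-9a-f]+)?' "$file" || true)
    while IFS= read -r hit; do
      [ -n "$hit" ] || continue
      ref=${hit#*:}   # drop the "lineno:" prefix, keep the image reference
      if ! is_pinned_ref "$ref"; then
        printf '%s:%s: %s\n' "$file" "${hit%%:*}" "$ref"
        found=1
      fi
    done <<EOF
$hits
EOF
  done
  return "$found"
}

# Runs the lint over a constructed sample pipeline in a throwaway directory.
demo_unpinned_infratools() {
  dir=$(mktemp -d)
  cat > "$dir/.gitlab-ci.yml" <<'EOF'
deploy:
  image: containerscrew/infratools:latest-ci
plan:
  image: containerscrew/infratools:3.3.1
apply:
  image: containerscrew/infratools
EOF
  rc=0
  (cd "$dir" && find_unpinned_infratools .gitlab-ci.yml) || rc=$?
  rm -rf "$dir"
  return "$rc"
}

demo_unpinned_infratools || true
```

Run `find_unpinned_infratools .gitlab-ci.yml` as an early pipeline job or a pre-commit hook; its non-zero exit status fails the job when a floating tag slips in.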
Important
Since v2.9.0, terraform has been replaced by opentofu — a drop-in CLI replacement. terragrunt will auto-detect the tofu binary.
If you still need the classic terraform CLI, tfenv is included:
```bash
tfenv use 1.9.5
# Apple Silicon hosts wanting the amd64 binary:
TFENV_ARCH=amd64 tfenv use 1.9.5
# Point terragrunt explicitly at terraform:
terragrunt init --tf-path=/usr/local/bin/terraform
# or via env var:
export TG_TF_PATH=/usr/local/bin/terraform
terragrunt plan
```

When pulling modules from a private git server with a self-signed certificate, configure `~/.gitconfig`:
```ini
[http "https://gitlab.server.internal"]
    sslCAInfo = /path/to/your/certificate.crt
    sslVerify = true
```

Or, inside the container, skip TLS verification (use with care: `--global` turns off certificate checks for every HTTPS remote, not just this server):

```bash
git config --global http.sslVerify false
```

Build and run the full image locally:

```bash
make local-build-run
```

Build and run the CI image locally:

```bash
make ci-local-build-run
```

Scan the image with Trivy:

```bash
make trivy-scan
```

Releases are managed with cocogitto and conventional commits.
```bash
# Record commits
cog commit feat -a "add new tool X"
cog commit fix -a "update kubectl version"
# Bump and tag (updates CHANGELOG.md and creates the git tag)
cog bump --version 3.2.0
git push origin main --follow-tags
```

Pushing the tag triggers `release.yml`, which builds and publishes both flavors:

- `containerscrew/infratools:3.2.0` — full image
- `containerscrew/infratools:3.2.0-ci` — CI image
Note
Starting in 3.0.0, tags no longer carry the leading v (e.g. 3.2.0, not v3.2.0).
Starting in 3.0.0, CHANGELOG.md is generated from conventional commits via cocogitto.
infratools is distributed under the terms of the Apache 2.0 license.
