Page MenuHomePhabricator
Differential D12823

[terraform] Avoid including Terraform state and secrets in keyserver Docker images
ClosedPublic
Actions

Authored by ashoat on Jul 20 2024, 7:09 PM.
Tags
None
Referenced Files
Unknown Object (File)
Wed, Sep 4, 2:22 AM
Unknown Object (File)
Sat, Aug 31, 2:03 PM
Unknown Object (File)
Fri, Aug 30, 6:14 PM
Unknown Object (File)
Fri, Aug 30, 11:01 AM
Unknown Object (File)
Thu, Aug 29, 12:08 AM
Unknown Object (File)
Wed, Aug 28, 11:26 PM
Unknown Object (File)
Wed, Aug 28, 8:47 PM
Unknown Object (File)
Wed, Aug 28, 8:28 PM
View All 41 Files
Subscribers
tomek

Details

Reviewers
will
bartek
varun
Commits
rCOMMf1d9ec893762: [terraform] Avoid including Terraform state and secrets in keyserver Docker…
Summary

This addresses part 1 of ENG-8869.

Test Plan
  1. Docker build: docker build --build-arg HOST_GID=20 --build-arg HOST_UID=501 --build-arg COMM_JSONCONFIG_secrets_alchemy='{"key":"<secret>"}' --build-arg COMM_JSONCONFIG_secrets_walletconnect='{"key":"<secret>"}' --build-arg COMM_JSONCONFIG_secrets_neynar='{"key":"<secret>"}' --build-arg COMM_JSONCONFIG_secrets_geoip_license='{"key":"<secret>"}' --platform linux/arm64 -f keyserver/Dockerfile -t commapp/keyserver:sometag .
  2. Open the build: docker run -it commapp/keyserver:sometag bash
  3. Search for passwords via cd .. && (grep -R password_string . | grep -v node_modules)

Diff Detail

Repository
rCOMM Comm
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Event Timeline

ashoat created this revision.Jul 20 2024, 7:09 PM
Herald added a subscriber: tomek. · View Herald TranscriptJul 20 2024, 7:10 PM
ashoat edited the test plan for this revision. (Show Details)Jul 20 2024, 7:10 PM
ashoat added inline comments.
.dockerignore
46–49 ↗(On Diff #42589)

Should we consider excluding all *.env, *.env.*, *.tfstate, and *.tfvars files in the entire repo? Seems safer than excluding them piecemeal like this, but I'm not sure if there might be any unintended effects

Harbormaster completed remote builds in B30542: Diff 42589.Jul 20 2024, 7:27 PM
ashoat requested review of this revision.Jul 20 2024, 7:27 PM
bartek accepted this revision.Jul 22 2024, 1:42 AM
bartek added inline comments.
.dockerignore
46–49 ↗(On Diff #42589)

A problematic place might be CommTest CI, which builds docker images for each service and then uses Terraform to set up resources on localstack.

This revision is now accepted and ready to land.Jul 22 2024, 1:42 AM
ashoat added inline comments.Jul 22 2024, 9:25 AM
.dockerignore
46–49 ↗(On Diff #42589)

Sounds like that would be easy to detect – I'll try it and we'll see if the CI fails

ashoat updated this revision to Diff 42638.Jul 22 2024, 10:31 AM

Try ignoring all *.tfstate and *.tfvars files

Harbormaster completed remote builds in B30574: Diff 42638.Jul 22 2024, 10:47 AM
ashoat requested review of this revision.Jul 22 2024, 10:49 AM

Looks like CommTest passes – would love to get another accept from either reviewer before landing, to confirm that this new strategy seems safe

ashoat added a reviewer: varun.Jul 22 2024, 10:49 AM
varun accepted this revision.Jul 22 2024, 10:57 AM
This revision is now accepted and ready to land.Jul 22 2024, 10:57 AM
Closed by commit rCOMMf1d9ec893762: [terraform] Avoid including Terraform state and secrets in keyserver Docker… (authored by ashoat). · Explain WhyJul 22 2024, 1:55 PM
This revision was automatically updated to reflect the committed changes.
ashoat added a commit: rCOMMf1d9ec893762: [terraform] Avoid including Terraform state and secrets in keyserver Docker….
will mentioned this in D12849: [terraform] Avoid including Terraform *.tfstate.backup in keyserver docker images.Jul 22 2024, 5:56 PM
will mentioned this in rCOMM139ef005b33b: [terraform] Avoid including Terraform *.tfstate.backup in keyserver docker….Jul 22 2024, 6:13 PM

Revision Contents
Changeset List

PathSize
3 lines

Diff 42646

View Options

.dockerignore

Loading...