[terraform] Avoid including Terraform state and secrets in keyserver Docker images
ClosedPublic
Actions

Authored by ashoat on Jul 20 2024, 7:09 PM.

Details

Reviewers

Commits

Summary

This addresses part 1 of ENG-8869.

Test Plan

Docker build: docker build --build-arg HOST_GID=20 --build-arg HOST_UID=501 --build-arg COMM_JSONCONFIG_secrets_alchemy='{"key":"<secret>"}' --build-arg COMM_JSONCONFIG_secrets_walletconnect='{"key":"<secret>"}' --build-arg COMM_JSONCONFIG_secrets_neynar='{"key":"<secret>"}' --build-arg COMM_JSONCONFIG_secrets_geoip_license='{"key":"<secret>"}' --platform linux/arm64 -f keyserver/Dockerfile -t commapp/keyserver:sometag .
Open the build: docker run -it commapp/keyserver:sometag bash
Search for passwords via cd .. && (grep -R password_string . | grep -v node_modules)

Repository

rCOMM Comm

Branch

ashoat/dockerignore

Lint

No Lint Coverage

Unit

No Test Coverage

ashoat edited the test plan for this revision. (Show Details)Jul 20 2024, 7:10 PM

ashoat added inline comments.

.dockerignore
46–49 ↗	(On Diff #42589)	Should we consider excluding all `.env`, `.env.`, `.tfstate`, and `*.tfvars` files in the entire repo? Seems safer than excluding them piecemeal like this, but I'm not sure if there might be any unintended effects

ashoat requested review of this revision.Jul 20 2024, 7:27 PM

bartek added inline comments.

.dockerignore
46–49 ↗	(On Diff #42589)	A problematic place might be CommTest CI, which builds docker images for each service and then uses Terraform to set up resources on localstack.