add new env vars to repo and docker build
alexeh committed Sep 21, 2024
1 parent e0afebe commit 77e59e1
Showing 4 changed files with 36 additions and 9 deletions.
8 changes: 6 additions & 2 deletions .github/workflows/deploy.yml
Expand Up @@ -130,8 +130,12 @@ jobs:
DB_NAME=${{ secrets.DB_NAME }}
DB_USERNAME=${{ secrets.DB_USERNAME }}
DB_PASSWORD=${{ secrets.DB_PASSWORD }}
JWT_SECRET=${{ secrets.JWT_SECRET }}
JWT_EXPIRES_IN=${{ vars.JWT_EXPIRES_IN }}
ACCESS_TOKEN_SECRET=${{ secrets.ACCESS_TOKEN_SECRET }}
ACCESS_TOKEN_SECRET=${{ vars.ACCESS_TOKEN_SECRET }}
RESET_PASSWORD_TOKEN_SECRET=${{ secrets.ACCESS_TOKEN_SECRET }}
RESET_PASSWORD_TOKEN_EXPIRES_IN=${{ secrets.RESET_PASSWORD_TOKEN_EXPIRES_IN }}
EMAIL_CONFIRMATION_TOKEN_SECRET=${{ secrets.EMAIL_CONFIRMATION_TOKEN_SECRET }}
EMAIL_CONFIRMATION_TOKEN_EXPIRES_IN=${{ secrets.EMAIL_CONFIRMATION_TOKEN_EXPIRES_IN }}
AWS_SES_ACCESS_KEY_ID=${{ secrets.AWS_SES_ACCESS_KEY_ID }}
AWS_SES_ACCESS_KEY_SECRET=${{ secrets.AWS_SES_ACCESS_KEY_SECRET }}
AWS_SES_DOMAIN=${{ secrets.AWS_SES_DOMAIN }}
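Review bot: two of the added lines in this hunk point at the wrong source. `ACCESS_TOKEN_SECRET=${{ vars.ACCESS_TOKEN_SECRET }}` repeats the key set on the line above, and since the later assignment typically wins in an env file, the signing secret would be read from a non-secret repository variable (or be empty if no such variable exists); by analogy with the removed `JWT_EXPIRES_IN=${{ vars.JWT_EXPIRES_IN }}` this line was presumably meant to be `ACCESS_TOKEN_EXPIRES_IN=${{ vars.ACCESS_TOKEN_EXPIRES_IN }}`. `RESET_PASSWORD_TOKEN_SECRET=${{ secrets.ACCESS_TOKEN_SECRET }}` reuses the access-token key for password-reset tokens, so unless the verifier also checks a token-type claim, a token minted for one purpose verifies under the other's key; it should read `secrets.RESET_PASSWORD_TOKEN_SECRET`. The two `*_EXPIRES_IN` values are also pulled from `secrets` while the expiry they replace came from `vars`; a lifetime is not sensitive, and keeping it in `vars` leaves it readable in job logs instead of masked.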
16 changes: 12 additions & 4 deletions api/Dockerfile
Expand Up @@ -5,8 +5,12 @@ ARG DB_PORT
ARG DB_NAME
ARG DB_USERNAME
ARG DB_PASSWORD
Check warning on line 7 in api/Dockerfile (GitHub Actions / Build API image and push to Amazon ECR): Sensitive data should not be used in the ARG or ENV commands. SecretsUsedInArgOrEnv: Do not use ARG or ENV instructions for sensitive data (ARG "DB_PASSWORD"). More info: https://docs.docker.com/go/dockerfile/rule/secrets-used-in-arg-or-env/
ARG JWT_SECRET
ARG JWT_EXPIRES_IN
ARG ACCESS_TOKEN_SECRET
Check warning on line 8 in api/Dockerfile (GitHub Actions / Build API image and push to Amazon ECR): Sensitive data should not be used in the ARG or ENV commands. SecretsUsedInArgOrEnv: Do not use ARG or ENV instructions for sensitive data (ARG "ACCESS_TOKEN_SECRET"). More info: https://docs.docker.com/go/dockerfile/rule/secrets-used-in-arg-or-env/
ARG ACCESS_TOKEN_EXPIRES_IN
Check warning on line 9 in api/Dockerfile (GitHub Actions / Build API image and push to Amazon ECR): Sensitive data should not be used in the ARG or ENV commands. SecretsUsedInArgOrEnv: Do not use ARG or ENV instructions for sensitive data (ARG "ACCESS_TOKEN_EXPIRES_IN"). More info: https://docs.docker.com/go/dockerfile/rule/secrets-used-in-arg-or-env/
ARG RESET_PASSWORD_TOKEN_SECRET
ARG RESET_PASSWORD_TOKEN_EXPIRES_IN
ARG EMAIL_CONFIRMATION_TOKEN_SECRET
Check warning on line 12 in api/Dockerfile (GitHub Actions / Build API image and push to Amazon ECR): Sensitive data should not be used in the ARG or ENV commands. SecretsUsedInArgOrEnv: Do not use ARG or ENV instructions for sensitive data (ARG "EMAIL_CONFIRMATION_TOKEN_SECRET"). More info: https://docs.docker.com/go/dockerfile/rule/secrets-used-in-arg-or-env/
ARG EMAIL_CONFIRMATION_TOKEN_EXPIRES_IN
ARG AWS_SES_ACCESS_KEY_ID
ARG AWS_SES_ACCESS_KEY_SECRET
Check warning on line 15 in api/Dockerfile (GitHub Actions / Build API image and push to Amazon ECR): Sensitive data should not be used in the ARG or ENV commands. SecretsUsedInArgOrEnv: Do not use ARG or ENV instructions for sensitive data (ARG "AWS_SES_ACCESS_KEY_SECRET"). More info: https://docs.docker.com/go/dockerfile/rule/secrets-used-in-arg-or-env/
ARG AWS_SES_DOMAIN
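Review bot: every `ARG *_SECRET` added in this hunk is flagged by the build's own SecretsUsedInArgOrEnv check, and the warning deserves action rather than suppression: a build argument consumed by later instructions is recorded in the image's history, and the matching `ENV` lines below it put the same values into the image configuration, so the token-signing secrets and the SES key travel with every image pushed to ECR. The Terraform change in this same commit already assembles these values into a `locals` map for the environment, so if that map is what the running service reads, the secret ARG/ENV pairs can be removed from the Dockerfile entirely and the values supplied only at runtime; if a value is truly needed during the build, `RUN --mount=type=secret` exposes it to a single step without persisting it. The `*_EXPIRES_IN` arguments carry no secret and trip the rule only because of the word TOKEN in their names.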
Expand All @@ -17,8 +21,12 @@ ENV DB_PORT $DB_PORT
ENV DB_NAME $DB_NAME
ENV DB_USERNAME $DB_USERNAME
ENV DB_PASSWORD $DB_PASSWORD
Check warning on line 23 in api/Dockerfile (GitHub Actions / Build API image and push to Amazon ECR): Sensitive data should not be used in the ARG or ENV commands. SecretsUsedInArgOrEnv: Do not use ARG or ENV instructions for sensitive data (ENV "DB_PASSWORD"). More info: https://docs.docker.com/go/dockerfile/rule/secrets-used-in-arg-or-env/
ENV JWT_SECRET $JWT_SECRET
ENV JWT_EXPIRES_IN $JWT_EXPIRES_IN
ENV ACCESS_TOKEN_SECRET $ACCESS_TOKEN_SECRET
ENV ACCESS_TOKEN_SECRET $ACCESS_TOKEN_EXPIRES_IN
Check warning on line 25 in api/Dockerfile (GitHub Actions / Build API image and push to Amazon ECR): Sensitive data should not be used in the ARG or ENV commands. SecretsUsedInArgOrEnv: Do not use ARG or ENV instructions for sensitive data (ENV "ACCESS_TOKEN_SECRET"). More info: https://docs.docker.com/go/dockerfile/rule/secrets-used-in-arg-or-env/
ENV RESET_PASSWORD_TOKEN_SECRET $RESET_PASSWORD_TOKEN_SECRET
Check warning on line 26 in api/Dockerfile (GitHub Actions / Build API image and push to Amazon ECR): Legacy key/value format with whitespace separator should not be used. LegacyKeyValueFormat: "ENV key=value" should be used instead of legacy "ENV key value" format. More info: https://docs.docker.com/go/dockerfile/rule/legacy-key-value-format/
Check warning on line 26 in api/Dockerfile (GitHub Actions / Build API image and push to Amazon ECR): Sensitive data should not be used in the ARG or ENV commands. SecretsUsedInArgOrEnv: Do not use ARG or ENV instructions for sensitive data (ENV "RESET_PASSWORD_TOKEN_SECRET"). More info: https://docs.docker.com/go/dockerfile/rule/secrets-used-in-arg-or-env/
ENV RESET_PASSWORD_TOKEN_EXPIRES_IN $RESET_PASSWORD_TOKEN_EXPIRES_IN
ENV EMAIL_CONFIRMATION_TOKEN_SECRET $EMAIL_CONFIRMATION_TOKEN_SECRET
ENV EMAIL_CONFIRMATION_TOKEN_EXPIRES_IN $EMAIL_CONFIRMATION_TOKEN_EXPIRES_IN
ENV AWS_SES_ACCESS_KEY_ID $AWS_SES_ACCESS_KEY_ID
ENV AWS_SES_ACCESS_KEY_SECRET $AWS_SES_ACCESS_KEY_SECRET
Check warning on line 31 in api/Dockerfile (GitHub Actions / Build API image and push to Amazon ECR): Sensitive data should not be used in the ARG or ENV commands. SecretsUsedInArgOrEnv: Do not use ARG or ENV instructions for sensitive data (ENV "AWS_SES_ACCESS_KEY_SECRET"). More info: https://docs.docker.com/go/dockerfile/rule/secrets-used-in-arg-or-env/
ENV AWS_SES_DOMAIN $AWS_SES_DOMAIN
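Review bot: `ENV ACCESS_TOKEN_SECRET $ACCESS_TOKEN_EXPIRES_IN` assigns the expiry value to the secret variable and overwrites the `ENV ACCESS_TOKEN_SECRET $ACCESS_TOKEN_SECRET` set on the line above, so whatever is passed as the lifetime becomes the access-token signing secret and `ACCESS_TOKEN_EXPIRES_IN` is never exported at all; the line should read `ENV ACCESS_TOKEN_EXPIRES_IN $ACCESS_TOKEN_EXPIRES_IN`. This is the same duplicated-key slip as in the deploy.yml hunk, which suggests checking the `.env` produced by the workflow against the Dockerfile once both are fixed. While these lines are being touched, the LegacyKeyValueFormat warning applies to every `ENV` in the hunk: `ENV ACCESS_TOKEN_EXPIRES_IN=$ACCESS_TOKEN_EXPIRES_IN` is the supported form.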
2 changes: 1 addition & 1 deletion infrastructure/main.tf
Expand Up @@ -119,7 +119,7 @@ module "dev" {
elasticbeanstalk_iam_service_linked_role_name = aws_iam_service_linked_role.elasticbeanstalk.name
cname_prefix = "blue-carbon-cost-tool-dev-environment"
rds_instance_class = "db.t3.micro"
rds_engine_version = "15.5"
rds_engine_version = "15.7"
rds_backup_retention_period = 3
repo_name = var.project_name
github_owner = var.github_owner
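Review bot: the `rds_engine_version` bump from "15.5" to "15.7" is unrelated to the commit message ("add new env vars") and is the only change in this commit that touches a stateful resource; a minor engine upgrade on RDS is applied with an instance restart, so it belongs in its own commit with a note on whether it lands immediately or in the maintenance window.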
19 changes: 17 additions & 2 deletions infrastructure/modules/env/api_env_vars.tf
@@ -1,5 +1,15 @@
resource "random_password" "access_token_secret" {
length = 32
special = true
override_special = "!#%&*()-_=+[]{}<>:?"
}

resource "random_password" "jwt_secret" {
resource "random_password" "reset_password_token_secret" {
length = 32
special = true
override_special = "!#%&*()-_=+[]{}<>:?"
}
resource "random_password" "email_confirmation_token_secret" {
length = 32
special = true
override_special = "!#%&*()-_=+[]{}<>:?"
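Review bot: renaming `random_password.jwt_secret` to `random_password.reset_password_token_secret` makes Terraform destroy the old resource and create a new one, and `access_token_secret` is new as well, so every token signed under the previous secret stops verifying on the next apply and all sessions are logged out. For a key split like this that is probably intended, but the commit message should say so; if the old value is meant to live on as the reset-password secret, a `moved { from = random_password.jwt_secret  to = random_password.reset_password_token_secret }` block keeps it without recreation. Style: the `email_confirmation_token_secret` block is missing the blank line that separates the first two resources.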
Expand All @@ -16,7 +26,12 @@ locals {
DB_PASSWORD = module.postgresql.password
DB_USERNAME = module.postgresql.username
DB_PORT = module.postgresql.port
JWT_SECRET = random_password.jwt_secret.result
ACCESS_TOKEN_SECRET = random_password.access_token_secret.result
ACCESS_TOKEN_EXPIRES_IN = "24h"
RESET_PASSWORD_TOKEN_SECRET = random_password.reset_password_token_secret.result
RESET_PASSWORD_TOKEN_EXPIRES_IN = "24h"
EMAIL_CONFIRMATION_TOKEN_SECRET = random_password.email_confirmation_token_secret.result
EMAIL_CONFIRMATION_TOKEN_EXPIRES_IN = "24h"
AWS_SES_ACCESS_KEY_ID = aws_iam_access_key.email_user_access_key.id
AWS_SES_ACCESS_KEY_SECRET = aws_iam_access_key.email_user_access_key.secret
AWS_SES_DOMAIN = module.email.mail_from_domain
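Review bot: all three lifetimes are hard-coded to "24h" in this map, while the workflow hunk reads `ACCESS_TOKEN_EXPIRES_IN` from repository `vars` and the other two from `secrets`, so the same setting now has two sources of truth that can drift; pick one and delete the other. Separately, 24h is generous for the password-reset and email-confirmation tokens, which are single-use by nature; a reset token that expires within an hour narrows the window in which a leaked or forwarded reset link can still be used, and the confirmation token can be similarly short if the email can be resent.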
0 comments on commit 77e59e1