[AWS Terraform] Unable to use stock image without Master Key #78
Comments
👋 Thanks for the feedback, and you're absolutely right. The container up on Docker Hub cannot be directly used as is. We have no plans at this time to change how the image is packaged. However, I've added some documentation on how to deploy the Portal container. One option that doesn't involve building another image is to mount a volume during scheduling that contains your own encrypted credentials file (assuming your container scheduler supports this). Then set the
@Ginja, thank you for your reply and documentation updates. We have deployed our Server and Web Portal in AWS ECS. Since they are containers, unlike an OS running in EC2 instances where we can create a mount point, could you also provide information or direction on how to mount a volume on ECS, please? Thanks!
What should be the content of
When we deploy the portal to AWS, it creates an ECS task definition, with the Docker image from the public Docker repo, and a version based on the latest SHA from the master branch of the CovidShield GitHub repo.
When Rails starts, one of the first things that happens is that a file /config/credentials.yml.enc gets read and is decrypted using a master key. That key is usually passed in the environment variables from variables.auto.tfvars or from secrets, etc.
The problem, as I see it (as non-Shopify members), is that when we use the stock CovidShield portal image, the /config/credentials.yml.enc is baked into the image. However, we do not seem to have the key required to decrypt it.
If we want to use our own credentials, then we would need to roll our own image, unless we can inject them at runtime.
Workaround:
Request:
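The decryption step described in the issue above, as an added example that is not part of the original thread or the CovidShield project's code: a pre-deployment check that a master key actually opens a given credentials.yml.enc, so a mismatch is caught before the container is scheduled. It assumes the Rails EncryptedFile layout (AES-128-GCM, base64 `data--iv--tag`, a 32-hex-character key, Marshal-serialized contents); the function names, key and file contents are constructed for the example.

```ruby
require "openssl"
require "base64"

CIPHER = "aes-128-gcm" # assumption: cipher used for Rails encrypted credentials

# Builds a constructed credentials file in the "data--iv--tag" layout so the
# check below has something to run against; real files come from
# `rails credentials:edit`.
def encrypt_credentials(plaintext, hex_key)
  cipher = OpenSSL::Cipher.new(CIPHER).encrypt
  cipher.key = [hex_key].pack("H*")
  iv = cipher.random_iv
  cipher.auth_data = ""
  data = cipher.update(Marshal.dump(plaintext)) + cipher.final
  [data, iv, cipher.auth_tag].map { |part| Base64.strict_encode64(part) }.join("--")
end

# Returns the decrypted YAML text, or nil when the key does not match the file
# (wrong key, malformed key, or a file that is not in the expected layout).
def decrypt_credentials(blob, hex_key)
  return nil unless hex_key.to_s.match?(/\A\h{32}\z/) # 16-byte key, hex-encoded
  parts = blob.strip.split("--")
  return nil unless parts.size == 3
  data, iv, tag = parts.map { |part| Base64.strict_decode64(part) }
  cipher = OpenSSL::Cipher.new(CIPHER).decrypt
  cipher.key = [hex_key].pack("H*")
  cipher.iv = iv
  cipher.auth_tag = tag
  cipher.auth_data = ""
  # cipher.final raises unless the GCM tag verifies, so Marshal.load only
  # ever sees data that was produced by the holder of this key.
  Marshal.load(cipher.update(data) + cipher.final)
rescue OpenSSL::Cipher::CipherError, ArgumentError
  nil
end

# Constructed sample values, not taken from any real deployment.
SAMPLE_KEY  = "00112233445566778899aabbccddeeff"
WRONG_KEY   = "ffeeddccbbaa99887766554433221100"
SAMPLE_FILE = encrypt_credentials("secret_key_base: constructed-value\n", SAMPLE_KEY)

if __FILE__ == $PROGRAM_NAME
  { "matching key" => SAMPLE_KEY, "other key" => WRONG_KEY }.each do |label, key|
    status = decrypt_credentials(SAMPLE_FILE, key) ? "decrypts" : "does NOT decrypt"
    puts "#{label}: credentials file #{status}"
  end
end
```
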