Encrypt everywhere #28
base: develop
Conversation
Here are some resources for deployment by changing the image in the task definition using AWS Github actions:
This approach is more "standard", but seems to assume that application and infrastructure deployments are decoupled. There is also the question of ignoring changes to the task definition in Terraform.
Changed ECR repository to MUTABLE for now, as a practical solution.
Also decided to stay with the ECR-first deployment strategy for now.
* Dockerfile serving nginx on 443 and generating self-signed SSL certificate
* Placeholder Hello World HTML page
* Nginx config for SSL only
0578d6c to 956ba28
* Generate SSL certificate and key in Terraform
* Store certificate and key in secure SSM parameters
* Modify Dockerfile to utilize entrypoint.sh script and install SSL cert/key on bootstrap
* IAM role policy to grant the hello-world task access to the SSL SSM parameters
…yment with Amazon workflows
Make ECR repository MUTABLE for now
956ba28 to ce7fa15
ce7fa15 to 4e6bacc
This PR features some drastic changes for #15 and #18 to serve a custom OCI image from ECR and configure nginx to serve encrypted traffic using a self-signed certificate. This is still in rough PoC mode and there is a lot TODO:

* Remove comments from trying various approaches
* Test provisioning a brand new infrastructure stack
* Don't build cert inside the Dockerfile -- store in AWS SSM Parameter Store and provision on container bootstrap entrypoint
* Consider generating certificate in Terraform: https://registry.terraform.io/providers/hashicorp/tls/latest/docs
* image_tag other than ECR-first infrastructure provisioning
* Audit and test ECR attributes - is immutability practical? What about manually triggering runs which use the same Git SHA?

Closes #18 and #15
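One way to wire up the certificate-in-Terraform, SecureString-in-SSM and task-role-policy steps described in the commit message and the TODO list above, as an added example rather than this PR's own Terraform; the resource names, parameter paths, the hostname and the existing task role `aws_iam_role.hello_world_task` are assumptions:

```hcl
# Added example: generate the self-signed certificate in Terraform, keep the
# PEMs in SecureString SSM parameters, and let only the task role read them.
# Resource names, parameter paths and aws_iam_role.hello_world_task are assumed.

resource "tls_private_key" "hello_world" {
  algorithm = "RSA"
  rsa_bits  = 2048
}

resource "tls_self_signed_cert" "hello_world" {
  private_key_pem = tls_private_key.hello_world.private_key_pem

  subject {
    common_name  = "hello-world.internal" # assumed hostname
    organization = "Example Org"
  }

  validity_period_hours = 8760 # one year; Terraform re-issues ~30 days before expiry
  early_renewal_hours   = 720
  allowed_uses          = ["key_encipherment", "digital_signature", "server_auth"]
}

# SecureString parameters are encrypted at rest with the account's default SSM KMS key.
resource "aws_ssm_parameter" "ssl_cert" {
  name  = "/hello-world/ssl/cert.pem"
  type  = "SecureString"
  value = tls_self_signed_cert.hello_world.cert_pem
}

resource "aws_ssm_parameter" "ssl_key" {
  name  = "/hello-world/ssl/key.pem"
  type  = "SecureString"
  value = tls_private_key.hello_world.private_key_pem
}

# Least privilege: the task role may read exactly these two parameters, not the whole namespace.
data "aws_iam_policy_document" "ssl_params" {
  statement {
    actions   = ["ssm:GetParameter", "ssm:GetParameters"]
    resources = [aws_ssm_parameter.ssl_cert.arn, aws_ssm_parameter.ssl_key.arn]
  }
}

resource "aws_iam_role_policy" "hello_world_ssl" {
  name   = "hello-world-ssl-params"
  role   = aws_iam_role.hello_world_task.id # existing ECS task role (assumed)
  policy = data.aws_iam_policy_document.ssl_params.json
}
```

The private key also lands in Terraform state, so the state backend needs the same access controls as the parameters themselves. The container entrypoint then fetches both values with `aws ssm get-parameter --with-decryption` before starting nginx.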