
Encrypt everywhere #28

Open. Wants to merge 28 commits into base: develop

Conversation

@aaroncarlucci (Owner) commented Nov 27, 2023

This PR features some drastic changes for #15 and #18 to serve a custom OCI image from ECR and configure nginx to serve encrypted traffic using a self-signed certificate.

This is still in rough PoC mode and there is a lot TODO:

  • Remove comments from trying various approaches
  • Test provisioning a brand new infrastructure stack
  • Implement 3musketeers tooling (Institute 3musketeers pattern for managing local application #29)
  • Don't build cert inside the Dockerfile -- store in AWS SSM Parameter Store and provision on container bootstrap entrypoint
  • Consider generating certificate in Terraform: https://registry.terraform.io/providers/hashicorp/tls/latest/docs
  • Reconsider a more best-practice solution to managing the deployed image_tag other than ECR-first infrastructure provisioning
  • Audit and test ECR attributes - is immutability practical? What about manually triggering runs which use the same Git SHA?

Closes #18 and #15
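As an added example (not code from this PR or the project), here is one way to do the last two TODO items together in Terraform: generate the self-signed certificate with the hashicorp/tls provider and publish it to SSM Parameter Store as SecureString values for the container entrypoint to fetch at boot. The parameter names, subject fields and provider pins are assumptions.

```hcl
terraform {
  required_providers {
    tls = { source = "hashicorp/tls" }
    aws = { source = "hashicorp/aws" }
  }
}

# Private key for the nginx task. It is generated into Terraform state, so the
# state backend must itself be encrypted and access-controlled.
resource "tls_private_key" "nginx" {
  algorithm = "RSA"
  rsa_bits  = 2048
}

# Self-signed leaf certificate. The ALB does not verify the certificate
# presented by an HTTPS target, so self-signed is sufficient for the
# ALB -> ECS hop; the public edge still uses an ACM certificate.
resource "tls_self_signed_cert" "nginx" {
  private_key_pem = tls_private_key.nginx.private_key_pem

  subject {
    common_name  = "nginx.internal" # assumed name
    organization = "example"        # assumed name
  }

  validity_period_hours = 24 * 90 # 90 days; rotate before expiry
  early_renewal_hours   = 24 * 14 # plan regenerates it two weeks early

  allowed_uses = [
    "key_encipherment",
    "digital_signature",
    "server_auth",
  ]
}

# Store both halves as SecureString parameters (encrypted with the account's
# default SSM KMS key) for the container entrypoint to read on startup.
resource "aws_ssm_parameter" "nginx_cert" {
  name  = "/hello-nginx/tls/cert" # assumed parameter name
  type  = "SecureString"
  value = tls_self_signed_cert.nginx.cert_pem
}

resource "aws_ssm_parameter" "nginx_key" {
  name  = "/hello-nginx/tls/key" # assumed parameter name
  type  = "SecureString"
  value = tls_private_key.nginx.private_key_pem
}
```

The ECS task role then needs ssm:GetParameter (and kms:Decrypt on the key used) scoped to these two parameter ARNs only, and the entrypoint should write the key to a root-owned, mode 0600 file before starting nginx.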

@aaroncarlucci (Owner, Author) commented:

Here are some resources for deployment by changing the image in the task definition using AWS GitHub Actions:

This approach is more "standard", but seems to assume that application and infrastructure deployments are decoupled. There is also the question of ignoring changes to the task definition in Terraform.

@aaroncarlucci (Owner, Author) commented:

Changed ECR repository to MUTABLE for now, as a practical solution.

@aaroncarlucci (Owner, Author) commented:

Also decided to stay with the ECR-first deployment strategy for now.

@aaroncarlucci force-pushed the feature/encrypt-everywhere--wild-workflow branch from 0578d6c to 956ba28 (October 2, 2024 19:36)
@aaroncarlucci force-pushed the feature/encrypt-everywhere--wild-workflow branch from 956ba28 to ce7fa15 (October 5, 2024 14:56)
@aaroncarlucci force-pushed the feature/encrypt-everywhere--wild-workflow branch from ce7fa15 to 4e6bacc (October 5, 2024 15:07)
Successfully merging this pull request may close these issues:

  • Customize "Hello World" NGINX container
  • Encrypt traffic between ALB and ECS application