Managing configuration from the command line is not enough. Applications need a way to pull environment-specific configuration at start-up in order to run.
This example uses S3 with KMS encryption as the configuration store, but it works with any supported storage solution.
- Add a `docker-entrypoint.sh` script to the repo.
- Replace `./app` in the script with the correct application executable.

  ```sh
  exec ./my-application
  ```
- When using secrets injection, add `-i` to the pull command in the script to inject secrets from Secrets Manager. Quote the variables so an unset value cannot be word-split away.

  ```sh
  cstore pull -le -t "$CONFIG_ENV" -v "$CONFIG_VER" -i
  ```
- Use the `ENTRYPOINT` instruction in place of the `CMD` instruction in the Dockerfile to run the shell script.

  ```dockerfile
  ENTRYPOINT ["./docker-entrypoint.sh"]
  ```
- Update the `Dockerfile` to install cStore for Linux (or the appropriate OS), adding execute permissions. Pin the release version as shown, pick the build that matches your base image's architecture, and pass `-f` so curl fails on an HTTP error instead of saving the error page as the binary.

  ```dockerfile
  RUN curl -fL -o /usr/local/bin/cstore https://github.com/turnerlabs/cstore/releases/download/v3.8.3-alpha/cstore_linux_386 && chmod +x /usr/local/bin/cstore
  ```
- Update the `docker-compose.yml` file to specify which environment config should be pulled by the `docker-entrypoint.sh` script.

  ```yaml
  environment:
    CONFIG_ENV: dev
    CONFIG_VER: v1.0.0 # optional
    AWS_REGION: us-east-1
  ```
- In the same folder as the `Dockerfile`, use cStore to push the `.env` or `.json` files to an AWS S3 bucket with a `dev` tag. Check the resulting `cstore.yml` file into the repo.
- Set up the S3 bucket and KMS key with policies that allow the AWS container role access. If the key policy delegates permission management to IAM (the default key policy does), the container role also needs `kms:Decrypt` on that key, or it will be able to list the objects but not read them.
- Set up the AWS container role policy to allow S3 bucket access.
  ```hcl
  variable "account_id" {}
  variable "config_context" {}
  variable "aws_s3_bucket_arn" {}

  data "aws_iam_policy_document" "app_policy" {
    # Read access to the encrypted config objects in the bucket.
    statement {
      effect = "Allow"
      actions = [
        "s3:Get*",
      ]
      resources = [
        "${var.aws_s3_bucket_arn}/*",
      ]
    }

    # Required when injecting AWS Secrets Manager secrets (cstore pull -i).
    # Scoped to the secrets under this application's config context only.
    statement {
      effect = "Allow"
      actions = [
        "secretsmanager:GetSecretValue",
      ]
      resources = [
        "arn:aws:secretsmanager:us-east-1:${var.account_id}:secret:${var.config_context}/*",
      ]
    }
  }
  ```
- Deploy the container.
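The steps above show the entrypoint only in fragments. The following is a complete `docker-entrypoint.sh` written as an added example for this page; it is not the cStore project's own script. It keeps the `pull -le -t ... -v ...` invocation and the `exec ./my-application` hand-off from the steps above, and assumes that `-le` makes cStore print shell `export` statements (so the script must `eval` them) rather than write files. The `INJECT_SECRETS` switch and the `build_pull_args` helper are this example's own names, not cStore variables. Because `CONFIG_VER` is optional, the helper only adds `-v` when a version is set: passing `-v` with an empty value would make it swallow the next flag.

```sh
#!/bin/sh
# docker-entrypoint.sh (added example, not the cStore project's own script)
# Pulls the environment's config with cStore, exports it into the
# process environment, then hands off to the application.
set -eu

# Build the argument list for `cstore pull` from the container environment.
# Tags and versions contain no whitespace, so a space-separated line is safe.
build_pull_args() {
  if [ -z "${CONFIG_ENV:-}" ]; then
    echo "docker-entrypoint.sh: CONFIG_ENV must be set (e.g. dev)" >&2
    return 1
  fi
  args="pull -le -t $CONFIG_ENV"
  # CONFIG_VER is optional; an empty -v would swallow the next flag, so only
  # pass it when a version is actually set (unset means "latest" to cStore).
  if [ -n "${CONFIG_VER:-}" ]; then
    args="$args -v $CONFIG_VER"
  fi
  # INJECT_SECRETS is an assumed switch (not a cStore variable) that adds -i
  # so values stored in Secrets Manager are injected at pull time.
  if [ "${INJECT_SECRETS:-false}" = "true" ]; then
    args="$args -i"
  fi
  printf '%s\n' "$args"
}

main() {
  pull_args=$(build_pull_args)
  # Assumes `-le` makes cStore print shell `export` statements. Capturing
  # them first (instead of eval "$(cstore ...)") lets set -e abort the
  # container when the pull fails, rather than starting the app unconfigured.
  # shellcheck disable=SC2086  # intentional word splitting of the flag list
  exports=$(cstore $pull_args)
  eval "$exports"
  # Replace the shell with the application so it becomes PID 1 and receives
  # the container's signals directly.
  exec ./my-application
}

# Run the entrypoint flow only when invoked as the script itself; this lets
# the file be sourced to exercise build_pull_args without calling cstore.
case "$0" in
  *docker-entrypoint.sh) main "$@" ;;
esac
```

With the compose environment from the steps above (`CONFIG_ENV: dev`, `CONFIG_VER: v1.0.0`) the script runs `cstore pull -le -t dev -v v1.0.0`; with `CONFIG_VER` omitted it runs `cstore pull -le -t dev`, and a container started without `CONFIG_ENV` exits immediately instead of pulling an unintended environment.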