Showing posts with label bicep. Show all posts
Showing posts with label bicep. Show all posts

It turns out, it's not difficult to remove all passwords from our Docker Compose files

I used to hardcode my password in my demos and code samples. I know it's not a good practice, but it's just for demo purposes, it cannot be that dramatic, right? I know there are proper ways to manage sensitive information, but this is only temporary! And it must be complicated to remove all the passwords from a deployment... It turns out, IT IS NOT difficult at all, and that will prevent serious threats.

In this post, I will share how to remove all passwords from a docker-compose file using environment variables. It's quick to setup and easy to remember. For production deployment, it's better to use secrets, because environment variables will be visible in logs. That said, for demos and debugging and testing, it's nice to see those values. The code will be available on GitHub. This deployment was used for my talks during Azure Developers .NET Days: Auto-Generate and Host Data API Builder on Azure Static Web Apps and The most minimal API code of all... none

The Before Picture

For this deployment, I used a docker-compose file to deploy an SQL Server in a first container and Data API Builder (DAB) in a second one. When the database container starts, I run a script to create the database tables and populate them.

services:

  dab:
    image: "mcr.microsoft.com/azure-databases/data-api-builder:latest"
    container_name: trekapi
    restart: on-failure
    volumes:
      - "./startrek.json:/App/dab-config.json"
    ports:
      - "5000:5000"
    depends_on:
      - sqlDatabase

  sqlDatabase:
    image: mcr.microsoft.com/mssql/server
    container_name: trekdb
    hostname: sqltrek
    environment:
      ACCEPT_EULA: "Y"
      MSSQL_SA_PASSWORD: "1rootP@ssword"
    ports:
      - "1433:1433"
    volumes:
      - ./startrek.sql:/startrek.sql
    entrypoint:
      - /bin/bash
      - -c
      - |
        /opt/mssql/bin/sqlservr & sleep 30
        /opt/mssql-tools/bin/sqlcmd -U sa -P "1rootP@ssword" -d master -i /startrek.sql
        sleep infinity

As we can see, the password is in clear text twice, in the configuration of the database container and in the parameter for sqlcmd when populating the database. Same thing for the DAB configuration file. Here the data-source node where the password is in clear text in the connection string.

"data-source": {
 	"database-type": "mssql",
	"connection-string": "Server=localhost;Database=trek;User ID=sa;Password=myPassword!;",
	"options": {
		"set-session-context": false
	}
}

First Pass: Environment Variables

The easiest password instance to remove was in the sqlcmd command. When defining the container, an environment variable was used... Why not use it! To refer to an environment variable in a docker-compose file, you use the syntax $$VAR_NAME. I used the name of the environment variable MSSQL_SA_PASSWORD to replace the hardcoded password.

/opt/mssql-tools/bin/sqlcmd -U sa -P $$MSSQL_SA_PASSWORD -d master -i /startrek.sql

Second Pass: .env File

That's great but the value is still hardcoded when we assign the environment variable. Here comes the environment file. They are text files that holds the values in key-value paired style. The file is not committed to the repository, and it's used to store sensitive information. The file is read by the docker-compose and the values are injected. Here is the final docker-compose file:

services:

  dab:
    image: "mcr.microsoft.com/azure-databases/data-api-builder:latest"
    container_name: trekapi
    restart: on-failure
    env_file:
      - .env
    environment:
      MY_CONN_STRING: "Server=host.docker.internal;Initial Catalog=trek;User ID=sa;Password=${SA_PWD};TrustServerCertificate=True"
    volumes:
      - "./startrek.json:/App/dab-config.json"
    ports:
      - "5000:5000"
    depends_on:
      - sqlDatabase

  sqlDatabase:
    image: mcr.microsoft.com/mssql/server
    container_name: trekdb
    hostname: sqltrek
    environment:
      ACCEPT_EULA: "Y"
      MSSQL_SA_PASSWORD: ${SA_PWD}
    env_file:
      - .env
    ports:
      - "1433:1433"
    volumes:
      - ./startrek.sql:/startrek.sql
    entrypoint:
      - /bin/bash
      - -c
      - |
        /opt/mssql/bin/sqlservr & sleep 30
        /opt/mssql-tools/bin/sqlcmd -U sa -P $$MSSQL_SA_PASSWORD -d master -i /startrek.sql
        sleep infinity

Note the env_file directive in the services definition. The file .env is the name of the file used. The ${SA_PWD} tells docker compose to look for SA_PWD in the .env file. Here is what the file looks like:

SA_PWD=This!s@very$trongP@ssw0rd

Conclusion

Simple and quick. There are no reasons to still have the password in clear text in the docker compose files anymore. Even for a quick demo! Of course for a production deployment there are stronger ways to manage sensitive information, but for a demo it's perfect and it's secure.

During Microsoft Build Keynote on day 2, Julia Liuson and John Lambert talked about how trade actors are not only looking for the big fishes, but also looking at simple demos and old pieces of code, looking for passwords, keys and sensitive information.

Reading Notes #594

It is time to share new reading notes. It is a habit I started a long time ago where I share a list of all the articles, blog posts, and books that catch my interest during the week.

If you think you may have interesting content, share it!

Cloud

Programming

AI

Databases

~Frank

Reading Notes #551

Thumb's up from Frank on a kayak

It is time to share new reading notes. It is a habit I started a long time ago where I share a list of all the articles, blog posts, and books that catch my interest during the week. 

If you think you may have interesting content, share it!

Cloud

Programming

Podcast

Miscellaneous


~frank

Reading Notes #545

It is time to share new reading notes. It is a habit I started a long time ago where I share a list of all the articles, blog posts, and books that catch my interest during the week. 

If you think you may have interesting content, share it!


Cloud

Programming


~ frank


Reading Notes #532


Good Monday, time to share my reading notes. Those are a curated list of all the articles, blog posts, podcast episodes, and books that caught my interest during the week and that I found interesting. It's a mix of the actuality and what I consumed.

If you think you may have interesting content, share it!

Cloud

Programming

Miscellaneous

~frank

Reading Notes #529


Good Monday (standard time for many :) ),
It's time to share new ReadingNotes. Here is a list of all the articles, podcasts, and blog posts, that catch my interest during the week. 

If you think you may have interesting content, share it!

Cloud

Programming

Miscellaneous


~frank

Reading Notes #520

A turtle on a rock in the middle of the water


Good Monday, Already time to share new reading notes. Here is a list of all the articles, and blog posts that catch my interest during the week. 

If you think you may have interesting content, share it!

 

Suggestion of the week

  • How Cloudflare Broke My Build and How I Fixed It (Giorgi Dalakishvili) - Wow! That was a hard one. Like searching for a needle in a haystack. Those stories are incredibly useful as they teach how to investigate issues. Thank you so much for sharing it.

Cloud

Programming

Podcasts

Miscellaneous


~frank

Reading Notes #513


Good Monday, it's time to share new readingnotes. Here is a list of all the articles, and blog posts, that catch my interest during the week. 

If you think you may have interesting content, share it!

The suggestion of the week

Cloud

Programming

Miscellaneous


~frank


Reading Notes #503


It's Monday, time to share my reading notes. Those are a curated list of all the articles, blog posts, podcast episodes, and books that catch my interest during the week and that I found interesting. It's a mix of the actuality and what I consumed.

If you think you may have interesting content, share it!

Cloud

Programming


~Frank


Reading Notes #501


Another Monday, another Reading Notes. 😀

It's been five hundred weeks, this is more than nine years! Who knew I will keep doing that for so long... 

If you are new around here, welcome, The Reading Notes are a curated list of all the articles, blog posts, podcast episodes, and books that catch my interest during the week and that I found interesting. It's a mix of the actuality and what I consumed.

If you think you may have interesting content, share it!

Cloud

Programming

Miscellaneous

Miscellaneous


~Frank


Reading Notes #495


Good Monday, 
Already time to share new reading notes. It is a habit I started a long time ago where I share a list of all the articles, blog posts, podcast episodes, and books that catch my interest during the week. 


Suggestion of the week

  • Include diagrams in your Markdown files with Mermaid (Martin Woodward, Adam Biagianti) - This is very interesting. For a simple little diagram, we can now do that in text in the same document... Looking forward to trying it. Mermaid is also supported in Azure DevOps

Cloud

Programming

Book



Author: Matthew McConaughey

This autobiography is funny, light, interesting, and even weird at some moments. But you know what? I liked it. I totally kept some quotes, as I found them good. I partially read it and listen to it. The audio version is done by Matthew and it's nice to hear him telling us his story.




~frank

 

Reading Notes #472


Cloud

Programming

Podcasts

Miscellaneous


~frank


Reading Notes #469

Every Monday, I share my "reading notes". Those are a curated list of all the articles, blog posts, podcast episodes, and books that catch my interest during the week and that I found interesting. It's a mix of the actuality and what I consumed. 


You think you may have interesting content, share it!

Cloud

Programming

Books

cover of Think Again: The Power of Knowing What You Don't Know

Think Again: The Power of Knowing What You Don't Know
 

Author: Adam M. Grant
- I really like this book. It validates that it's okay to rethink decisions, to change your mind. The goal is to have (and keep) an open mindset. It seems easier than it is, of course. I heard amazing comments about this author, so it's probably not the last one I will read from him.





Miscellaneous


~ Frank


Reading Notes #468

Every Monday, I share my "reading notes". Those are a curated list of all the articles, blog posts, podcast episodes, and books that catch my interest during the week and that I found interesting. It's a mix of the actuality and what I consumed.

You think you may have interesting content, share it!


Cloud

Programming

Miscellaneous


~Frank


Reading Notes #442


Cloud

Programming