anarthal / servertech-chat

Chat app using Boost and C++
https://anarthal.github.io/servertech-chat/
Boost Software License 1.0

Redis and MySQL hardening #45

Open anarthal opened 1 year ago

anarthal commented 1 year ago

We're currently running Redis without authentication, and MySQL with a blank root password (which almost equals no authentication). This is not terrible because these two services are never exposed outside of the Docker network (so an attacker must gain access to the server host to do anything), but it's not good practice.

MySQL root should have a strong password, and there should be a dedicated user with minimum privilege that's used in the webserver. We can create such a user as part of a migration (see #11), and the password can be transmitted using AWS SSM. This requires the EC2 instance to call the AWS API though - so the CloudFormation scripts need to have IAM access to create a role for the EC2 instances.

RoyBellingan commented 1 year ago

This sounds quite complex imho, and super bound to the AWS system, why not put them in a config file like... anyone else as a first step?

anarthal commented 1 year ago

How do you place the password in the config file? Something we wanted is making deployments really easy for users (this is what we have right now: https://anarthal.github.io/servertech-chat/03-fork-modify-deploy.html).

RoyBellingan commented 1 year ago

Maybe this can just be an optional step after all? Suggested but not required, as it looks like it can not be easily automated. (And maybe automatic is out of the scope of the project after all.)

So if you want you can put those additional passwords (we can provide a script to create the 2 users for mysql), and later use GitHub secrets to write such a file?
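The MySQL part of what anarthal proposes (strong root password, dedicated least-privilege user created by a migration) and the "script to create the users" RoyBellingan suggests both come down to the same handful of statements. The following is an added example and not the servertech-chat project's own migration; the schema name `servertech_chat`, the account name `chat_app` and the `<..._PLACEHOLDER>` passwords are assumptions, to be substituted at deploy time from whatever secret store is chosen (SSM, a GitHub secret, a config file), never committed.

```sql
-- Added example: MySQL 8 hardening migration (hypothetical names, see lead-in).
-- Runs once, as root, from the migration runner; the webserver never uses root.

-- Current state described in the issue, shown only for contrast (do not run):
-- ALTER USER 'root'@'localhost' IDENTIFIED BY '';

-- 1. Give root a strong password; keep it bound to local connections only.
ALTER USER 'root'@'localhost' IDENTIFIED BY '<ROOT_PASSWORD_PLACEHOLDER>';

-- 2. Drop the anonymous accounts some MySQL images ship with.
DROP USER IF EXISTS ''@'localhost';
DROP USER IF EXISTS ''@'%';

-- 3. Dedicated application account. '%' is tolerable only because the
--    database is reachable solely from the Docker network; if the compose
--    network gives the webserver a stable hostname, use that instead of '%'.
CREATE USER IF NOT EXISTS 'chat_app'@'%' IDENTIFIED BY '<APP_PASSWORD_PLACEHOLDER>';

-- 4. Data-manipulation rights on the chat schema only: no DDL, no GRANT OPTION,
--    nothing on mysql.* or other schemas.
GRANT SELECT, INSERT, UPDATE, DELETE ON servertech_chat.* TO 'chat_app'@'%';

-- 5. Cap what a leaked application credential can do to the server.
ALTER USER 'chat_app'@'%' WITH MAX_USER_CONNECTIONS 50;

-- Checks to run afterwards:
-- SHOW GRANTS FOR 'chat_app'@'%';   -- expect only the single DML grant above
-- SELECT user, host FROM mysql.user WHERE authentication_string = '';  -- expect no rows
```

Because the application account has no DDL rights, schema migrations (the #11 mechanism) still have to run under root or a separate migration account; only the webserver's connection string switches to `chat_app`. The same split applies to Redis: the server gets a password in its configuration and the webserver is the only client holding it, so a compromise of the web process alone does not yield the database superuser.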