Remove secrets from docker-compose.override.yml

This commit removes secrets from docker-compose.override.yml in favour of storing these in 1Password and pulling them in at runtime via the use of a .env file. It includes a modified version of the script created by @Mhowell494 to make the .env file available at the time of running the app and to ensure that it is cleaned up after the app has exited.
ministryofjustice · Sep 26, 2024 · 98e2121 · 98e2121
1 parent 53cd030
commit 98e2121
Show file tree

Hide file tree

Showing 4 changed files with 60 additions and 5 deletions.
diff --git a/.gitignore b/.gitignore
@@ -39,3 +39,6 @@ out/
 .env
 gradle.properties
 pgdata/
+
+# Local environment variables for testing
+*.env
diff --git a/README.md b/README.md
@@ -28,11 +28,31 @@ This is a Java based Spring Boot Application which will be hosted on AWS Environ
 
 We're using [Gradle](https://gradle.org/) to build the application. This also includes plugins for generating IntelliJ configuration.
 
-### Decrypting docker-compose.override.yml
+### Obtaining environment variables for running locally
 
-The `docker-compose.override.yml` is encrypted using [git-crypt](https://github.com/AGWA/git-crypt).
+To run the app locally, you will need to download the appropriate environment variables from the team
+vault in 1Password. These environment variables are stored as a .env file, which docker-compose uses
+when starting up the service. If you don't see the team vault, speak to your tech lead to get access.
 
-To run the app locally you need to be able to decrypt this file.
+To begin with, make sure that you have the 1Password CLI installed:
+
+```sh
+op version
+```
+
+If the command is not found, [follow the steps on the 1Password developer docs to get the CLI set-up](https://developer.1password.com/docs/cli/get-started/).
+
+Once you're ready to run the application:
+
+```sh
+./startup-local.sh
+```
+
+### Decrypting values files
+
+The values YAML files are encrypted using [git-crypt](https://github.com/AGWA/git-crypt).
+
+To be able to view and/or edit these files, you will need to decrypt them first.
 
 You will first need to create a GPG key. See [Create a GPG Key](https://docs.publishing.service.gov.uk/manual/create-a-gpg-key.html) for details on how to do this with `GPGTools` (GUI) or `gpg` (command line).
 You can install either from a terminal or just download the UI version.
@@ -79,8 +99,7 @@ You will need to build the artifacts for the source code, using `gradle`.
 The apps should then startup cleanly if you run
 
 ```sh
-docker-compose build
-docker-compose up
+./startup-local.sh
 ```
 
 laa-crime-evidence application will be running on http://localhost:8088

diff --git a/crime-evidence/docker-compose.override.yml b/crime-evidence/docker-compose.override.yml
diff --git a/crime-evidence/start-local.sh b/crime-evidence/start-local.sh
@@ -0,0 +1,33 @@
+#!/bin/bash
+
+# Ensure the script stops if any command fails
+set -euo pipefail
+
+# Specify the vault and the document name in 1Password
+VAULT="LAA Crime Apps"
+DOCUMENT="EnvironmentVariables-EvidenceService-App"
+APP_ENV_FILE="./app.env"
+
+function remove_env_file()
+{
+    echo "Removing .env file"
+    rm -f "$APP_ENV_FILE"
+}
+
+trap remove_env_file EXIT
+
+echo "Signing into 1Password..."
+eval $(op signin --account ministryofjustice)
+
+echo "Fetching latest .env file from 1Password..."
+op document get "$DOCUMENT" --vault "$VAULT" --output "$APP_ENV_FILE" --force
+
+if [ ! -f "$APP_ENV_FILE" ]; then
+    echo "Failed to retrieve .env file from 1Password."
+    exit 1
+fi
+
+echo ".env file successfully retrieved."
+
+echo "Starting Docker containers..."
+docker-compose up --build
-Original file line number
+Diff line change
@@ Expand Up / @@ -39,3 +39,6 @@ out/ @@
     .env
     gradle.properties
     pgdata/
+    # Local environment variables for testing
+    *.env