You have taken ownership of an old legacy system, but it's not looking good. The legacy system builds a Docker image that serves a simple HTML page, and deploys it to a cloud account.
The page is served by a simple web server (Nginx, Httpd or similar) and is password protected with HTTP basic auth (an .htpasswd-style file).
The problem is that the contents of the Docker image, including the password, are all clearly visible in the repository. Anyone who has read access to the repo knows the password.
Your first task as the owner of the legacy system is to put proper secrets handling in place. Demonstrate a full deployment, with the secret injected, using Infrastructure as Code (IaC).
I took the sensitive data out of the repository and instead inject it as context into the Stack, e.g.

```shell
cdk deploy --context htpasswd=password
```

This works well with CI/CD pipelines, where a previous step can build the context before deploying, either from pipeline environment variables or by fetching the value from AWS SSM.
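Added example (TypeScript, not code from the legacy repository): the resolution and hashing step a stack can run on the context value before anything reaches the container, so the deployed image carries a hash rather than the password. Inside a CDK stack the context lookup is `this.node.tryGetContext("htpasswd")`; the environment-variable name and the `{SSHA}` choice are assumptions of this example.

```typescript
import { createHash, randomBytes, timingSafeEqual } from "crypto";

// Where the password comes from, in order of preference: the CDK context value
// (what `cdk deploy --context htpasswd=...` delivers; inside a stack it is read
// with this.node.tryGetContext("htpasswd")), then the pipeline environment.
// There is deliberately no default, so a misconfigured deploy fails early.
export function resolveHtpasswdSecret(
  contextValue: unknown,
  env: Record<string, string | undefined>,
  envName = "HTPASSWD_SECRET", // assumed variable name, not from the page
): string {
  const fromContext =
    typeof contextValue === "string" && contextValue.length > 0 ? contextValue : undefined;
  const candidate = fromContext ?? env[envName];
  if (!candidate) {
    throw new Error(`no htpasswd secret: pass --context htpasswd=<value> or set ${envName}`);
  }
  // A ':' or line break would corrupt the user:hash line format.
  if (/[:\r\n]/.test(candidate)) {
    throw new Error("htpasswd password must not contain ':' or line breaks");
  }
  return candidate;
}

// One .htpasswd line in the salted SHA-1 ({SSHA}) form that nginx accepts:
// base64(SHA1(password + salt) + salt). The image then carries only the hash.
export function htpasswdEntry(user: string, password: string, salt: Buffer = randomBytes(8)): string {
  const digest = createHash("sha1").update(password).update(salt).digest();
  return `${user}:{SSHA}${Buffer.concat([digest, salt]).toString("base64")}`;
}

// Check a password against an entry from htpasswdEntry (handy in a deploy smoke test).
export function verifyHtpasswdEntry(entry: string, password: string): boolean {
  const sep = entry.indexOf(":");
  if (sep < 0) return false;
  const hash = entry.slice(sep + 1);
  if (!hash.startsWith("{SSHA}")) return false;
  const raw = Buffer.from(hash.slice("{SSHA}".length), "base64");
  if (raw.length <= 20) return false; // 20-byte SHA-1 digest plus at least one salt byte
  const digest = raw.subarray(0, 20);
  const salt = raw.subarray(20);
  const candidate = createHash("sha1").update(password).update(salt).digest();
  return timingSafeEqual(candidate, digest);
}
```

A value typed on the command line is visible in shell history and process listings, so in a pipeline read it into the process from the environment variable or SSM rather than echoing it into the command, and keep it out of cdk.json and cdk.context.json, which are committed.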
I went with the AWS CDK in TypeScript for the following reasons:
- It's customizable and reusable
- Leverages full power of programming languages
- Is extendable through jsii for multi language support
- Testable through unit testing
There are some drawbacks, e.g. it is tied to the AWS Cloud, whereas other tools such as the Serverless Framework and Terraform are cloud-agnostic.