Merge pull request #2829 from DFE-Digital/use-non-root-user

vipin-dfe · web-flow · commit 6d1236028ac0 · 2025-08-11T11:48:55.000+01:00
Use non-root user
diff --git a/Dockerfile b/Dockerfile
@@ -79,6 +79,9 @@ RUN apk add --update --no-cache tzdata && \
     cp /usr/share/zoneinfo/Europe/London /etc/localtime && \
     echo "Europe/London" > /etc/timezone
 
+# Create non-root user and group
+RUN addgroup -S appgroup -g 20001 && adduser -S appuser -G appgroup -u 10001
+
 # Upgrade ssl, crypto and curl libraries to latest version
 RUN apk upgrade --no-cache openssl libssl3 libcrypto3 curl expat
 
@@ -97,5 +100,10 @@ RUN apk add font-terminus font-bitstream-100dpi font-bitstream-75dpi font-bitstr
 COPY --from=builder /app /app
 COPY --from=builder /usr/local/bundle/ /usr/local/bundle/
 
+RUN chown -R appuser:appgroup /app/tmp /app/log
+
+# Use non-root user
+USER 10001
+
 CMD bundle exec rails db:migrate:ignore_concurrent_migration_exceptions && \
     bundle exec rails server -b 0.0.0.0
diff --git a/terraform/application/application.tf b/terraform/application/application.tf
@@ -52,9 +52,10 @@ module "web_application" {
   kubernetes_config_map_name = module.application_configuration.kubernetes_config_map_name
   kubernetes_secret_name     = module.application_configuration.kubernetes_secret_name
 
-  docker_image = var.docker_image
-  replicas     = var.app_replicas
-  enable_logit = var.enable_logit
+  docker_image    = var.docker_image
+  replicas        = var.app_replicas
+  enable_logit    = var.enable_logit
+  run_as_non_root = var.run_as_non_root
 }
 
 module "worker_application" {
@@ -76,6 +77,7 @@ module "worker_application" {
   command       = ["bundle", "exec", "sidekiq", "-C", "./config/sidekiq.yml"]
   probe_command = ["pgrep", "-f", "sidekiq"]
 
-  enable_logit   = var.enable_logit
-  enable_gcp_wif = var.bigquery_federated_auth ? true : null
+  enable_logit    = var.enable_logit
+  enable_gcp_wif  = var.bigquery_federated_auth ? true : null
+  run_as_non_root = var.run_as_non_root
 }
diff --git a/terraform/application/variables.tf b/terraform/application/variables.tf
@@ -91,6 +91,12 @@ variable "bigquery_federated_auth" {
   description = "Configure environment variable to let dfe-analytics use federated authentication"
 }
 
+variable "run_as_non_root" {
+  type        = bool
+  default     = true
+  description = "Whether to enforce that containers must run as non-root user"
+}
+
 locals {
   environment_variables = yamldecode(file("${path.module}/config/${var.app_environment}/variables.yml"))
 }

Original file line number	Diff line number	Diff line change
`@@ -91,6 +91,12 @@ variable "bigquery_federated_auth" {`
`91`	`91`	`description = "Configure environment variable to let dfe-analytics use federated authentication"`
`92`	`92`	`}`
`93`	`93`
	`94`	`+variable "run_as_non_root" {`
	`95`	`+ type = bool`
	`96`	`+ default = true`
	`97`	`+ description = "Whether to enforce that containers must run as non-root user"`
	`98`	`+}`
	`99`	`+`
`94`	`100`	`locals {`
`95`	`101`	`environment_variables = yamldecode(file("${path.module}/config/${var.app_environment}/variables.yml"))`
`96`	`102`	`}`