From c3a11e30822e12c387f8d1213b5aa053024eca0e Mon Sep 17 00:00:00 2001
From: Ash Davies <3853061+DrizzlyOwl@users.noreply.github.com>
Date: Fri, 15 Nov 2024 13:41:28 +0000
Subject: [PATCH] Switch to Azure Linux base image
* Reduces the overall final image size by using Azure Linux
* Offers maximum compatibility with Azure infrastructure
* Uses arbitrary user instead of 'root'
* Use the default non-privileged port 8080
---
Dockerfile | 35 +++++++++++++++--------------
terraform/README.md | 1 +
terraform/container-apps-hosting.tf | 1 +
terraform/locals.tf | 1 +
terraform/variables.tf | 6 +++++
5 files changed, 27 insertions(+), 17 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index f1b9b75a1b..a72edf37a2 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,26 +1,27 @@
-# Stage 1
-ARG ASPNET_IMAGE_TAG=8.0-bookworm-slim
-FROM mcr.microsoft.com/dotnet/sdk:8.0 AS build
-WORKDIR /build
+# Set the major version of dotnet
+ARG DOTNET_VERSION=8.0
-ENV DEBIAN_FRONTEND=noninteractive
+# Stage 1 - Build the app using the dotnet SDK
+FROM "mcr.microsoft.com/dotnet/sdk:${DOTNET_VERSION}-azurelinux3.0" AS build
+WORKDIR /build
COPY ./Dfe.Academies.External.Web/ ./Dfe.Academies.External.Web/
+COPY ./script/web-docker-entrypoint.sh /app/docker-entrypoint.sh
+# Mount GitHub Token as a Docker secret so that NuGet Feed can be accessed
RUN --mount=type=secret,id=github_token dotnet nuget add source --username USERNAME --password $(cat /run/secrets/github_token) --store-password-in-clear-text --name github "https://nuget.pkg.github.com/DFE-Digital/index.json"
-RUN dotnet restore Dfe.Academies.External.Web
-RUN dotnet build Dfe.Academies.External.Web --no-restore
-RUN dotnet publish Dfe.Academies.External.Web -c Release -o /app --no-restore
-COPY ./script/web-docker-entrypoint.sh /app/docker-entrypoint.sh
+# Restore, build and publish the dotnet solution
+RUN ["dotnet", "restore", "Dfe.Academies.External.Web"]
+RUN ["dotnet", "build", "Dfe.Academies.External.Web", "--no-restore"]
+RUN ["dotnet", "publish", "Dfe.Academies.External.Web", "--no-restore", "-c", "Release", "-o", "/app"]
-# Stage 2
-ARG ASPNET_IMAGE_TAG
-FROM "mcr.microsoft.com/dotnet/aspnet:${ASPNET_IMAGE_TAG}" AS final
-LABEL org.opencontainers.image.source=https://github.com/DFE-Digital/Dfe.Academies.External
+# Stage 2 - Build a runtime environment
+FROM "mcr.microsoft.com/dotnet/aspnet:${DOTNET_VERSION}-azurelinux3.0" AS final
+WORKDIR /app
+LABEL org.opencontainers.image.source="https://github.com/DFE-Digital/Dfe.Academies.External"
COPY --from=build /app /app
-WORKDIR /app
-RUN chmod +x ./docker-entrypoint.sh
-ENV ASPNETCORE_HTTP_PORTS=80
-EXPOSE 80/tcp
+RUN ["chmod", "+x", "./docker-entrypoint.sh"]
+
+USER $APP_UID
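Review bot: Removing `EXPOSE 80/tcp` without a replacement leaves the final stage advertising no port at all, even though the commit message says the image now listens on 8080; add `EXPOSE 8080/tcp` next to `USER $APP_UID`, and consider an explicit `ENV ASPNETCORE_HTTP_PORTS=8080` rather than relying on whatever default the aspnet base image ships. The separate `RUN ["chmod", "+x", "./docker-entrypoint.sh"]` layer in the final stage can be dropped by setting the mode at copy time in the build stage, `COPY --chmod=0755 ./script/web-docker-entrypoint.sh /app/docker-entrypoint.sh`, which survives `COPY --from=build`. The unchanged `RUN --mount=type=secret,id=github_token ...` line persists the token in clear text into the build stage's NuGet config (and exposes it on the command line) so that the later, unmounted `dotnet restore` can use it; registering the source, running `dotnet restore` and removing the source inside one `RUN --mount=type=secret` step would keep the token out of cached build-stage layers. The ENTRYPOINT/CMD is not visible in this hunk (the header counts 27 new lines but fewer are shown), so it is assumed to follow the `USER` switch.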
diff --git a/terraform/README.md b/terraform/README.md
index bf568a4c00..349339d713 100644
--- a/terraform/README.md
+++ b/terraform/README.md
@@ -171,6 +171,7 @@ No resources.
| [container\_command](#input\_container\_command) | Container command | `list(any)` | n/a | yes |
| [container\_max\_replicas](#input\_container\_max\_replicas) | Container max replicas | `number` | `2` | no |
| [container\_min\_replicas](#input\_container\_min\_replicas) | Container min replicas | `number` | `1` | no |
+| [container\_port](#input\_container\_port) | Container port | `number` | `8080` | no |
| [container\_scale\_http\_concurrency](#input\_container\_scale\_http\_concurrency) | When the number of concurrent HTTP requests exceeds this value, then another replica is added. Replicas continue to add to the pool up to the max-replicas amount. | `number` | `10` | no |
| [container\_secret\_environment\_variables](#input\_container\_secret\_environment\_variables) | Container secret environment variables | `map(string)` | n/a | yes |
| [create\_container\_app\_blob\_storage\_sas](#input\_create\_container\_app\_blob\_storage\_sas) | Generate a SAS connection string that is exposed to your App as an environment variable so that it can connect to the Storage Account | `bool` | `false` | no |
diff --git a/terraform/container-apps-hosting.tf b/terraform/container-apps-hosting.tf
index 5ef1db9c85..9e23b3a1be 100644
--- a/terraform/container-apps-hosting.tf
+++ b/terraform/container-apps-hosting.tf
@@ -20,6 +20,7 @@ module "azure_container_apps_hosting" {
container_min_replicas = local.container_min_replicas
container_max_replicas = local.container_max_replicas
container_scale_http_concurrency = local.container_scale_http_concurrency
+ container_port = local.container_port
enable_health_insights_api = local.enable_health_insights_api
health_insights_api_cors_origins = local.health_insights_api_cors_origins
diff --git a/terraform/locals.tf b/terraform/locals.tf
index 50d4aac33f..ad9f1723d9 100644
--- a/terraform/locals.tf
+++ b/terraform/locals.tf
@@ -15,6 +15,7 @@ locals {
container_secret_environment_variables = var.container_secret_environment_variables
container_min_replicas = var.container_min_replicas
container_max_replicas = var.container_max_replicas
+ container_port = var.container_port
enable_cdn_frontdoor = var.enable_cdn_frontdoor
enable_event_hub = var.enable_event_hub
enable_logstash_consumer = var.enable_logstash_consumer
diff --git a/terraform/variables.tf b/terraform/variables.tf
index 971d30f173..270491492c 100644
--- a/terraform/variables.tf
+++ b/terraform/variables.tf
@@ -417,3 +417,9 @@ variable "cdn_frontdoor_vdp_destination_hostname" {
type = string
default = "vdp.security.education.gov.uk"
}
+
+variable "container_port" {
+ description = "Container port"
+ type = number
+ default = 8080
+}
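Review bot: The new variable's description, `"Container port"`, does not say what the value has to agree with; with the Dockerfile in this patch now relying on the base image's default listening port, someone changing this default would not know it must match the port the app binds inside the container. Suggest `description = "Port the container listens on; must match ASPNETCORE_HTTP_PORTS in the image (8080 by default in the .NET 8 base image)"`. A `validation` block constraining the value to 1-65535 would also catch typos before the plan reaches Container Apps.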