From a2939bdf246b6c271340ab794e78ca0f3ca28c08 Mon Sep 17 00:00:00 2001
From: Noah Paige
Date: Thu, 11 Jan 2024 18:48:09 -0500
Subject: [PATCH 1/7] Resolve volume mounts local data.all
---
 docker-compose.yaml | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/docker-compose.yaml b/docker-compose.yaml
index 9495269ab..86223e578 100644
--- a/docker-compose.yaml
+++ b/docker-compose.yaml
@@ -21,7 +21,8 @@ services:
 AWS_DEFAULT_REGION: "${AWS_DEFAULT_REGION:-eu-west-1}"
 volumes:
 - ./backend/dataall:/dataall
- - $HOME/.aws/credentials:/root/.aws/credentials:ro
+ - $HOME/.aws/credentials:/home/cuser/.aws/credentials:ro
+ - $HOME/.aws/config:/home/cuser/.aws/config
 - ./config.json:/config.json
 restart: on-failure:60
@@ -45,7 +46,7 @@ services:
 email_sender_id: "noreply@someawsdomain"
 volumes:
 - ./backend/dataall:/dataall
- - $HOME/.aws/credentials:/root/.aws/credentials:ro
+ - $HOME/.aws/credentials:/home/cuser/.aws/credentials:ro
 - ./config.json:/config.json
 depends_on:
 - db
From 3d23ba9ec73f35f576c4ac280276a719db675d40 Mon Sep 17 00:00:00 2001
From: Noah Paige
Date: Thu, 11 Jan 2024 18:49:02 -0500
Subject: [PATCH 2/7] Resolve dev Dockerfile elasticsearch
---
 compose/elasticsearch/Dockerfile | 10 ----------
 1 file changed, 10 deletions(-)
diff --git a/compose/elasticsearch/Dockerfile b/compose/elasticsearch/Dockerfile
index 9c3e818f6..8d470a342 100644
--- a/compose/elasticsearch/Dockerfile
+++ b/compose/elasticsearch/Dockerfile
@@ -4,15 +4,5 @@ ARG ELK_VERSION
 # https://www.docker.elastic.co/
 FROM docker.elastic.co/elasticsearch/elasticsearch:${ELK_VERSION}
-ARG CONTAINER_USER=cuser
-ARG CONTAINER_USER_GROUP=cuser
-
-RUN groupadd -r ${CONTAINER_USER_GROUP} && useradd -r -g ${CONTAINER_USER_GROUP} ${CONTAINER_USER}
-RUN chown -R ${CONTAINER_USER}:root /usr/share/elasticsearch
-RUN chown -R ${CONTAINER_USER}:root /tmp
-USER ${CONTAINER_USER}
-
-
-
 # Add your elasticsearch plugins setup here
 # Example: RUN elasticsearch-plugin install analysis-icu
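Review bot: The new `$HOME/.aws/config` mount in the first hunk is writable while the credentials mount right above it is `:ro`, so the container can modify the host's AWS config file; the backend entrypoint shown later in this series (`aws configure set region ...` in the docker-compose hunk of patch 5) writes exactly that file. If that write is intended, record it with a comment above the mount, e.g. `# mounted writable on purpose: the entrypoint's 'aws configure set region' updates it`; otherwise append `:ro` to match the credentials line. The second hunk (`@@ -45,7 +46,7 @@`) gives that service the credentials mount only, so a profile whose region or role settings live in config will resolve in one service but not the other; mounting config there too (read-only) keeps them consistent. Both services also hardcode `/home/cuser`, which silently stops matching if the `CONTAINER_USER` build arg is ever overridden.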
From d2a86613b354da3666ae390091c87d63a56b83b4 Mon Sep 17 00:00:00 2001
From: Noah Paige
Date: Thu, 11 Jan 2024 18:49:32 -0500
Subject: [PATCH 3/7] Resolve dev Dockerfile db and upgrade postgres
---
 compose/postgres/Dockerfile | 11 +---------
 1 file changed, 1 insertion(+), 10 deletions(-)
diff --git a/compose/postgres/Dockerfile b/compose/postgres/Dockerfile
index 54aff0e9b..cb61fc5f9 100644
--- a/compose/postgres/Dockerfile
+++ b/compose/postgres/Dockerfile
@@ -1,10 +1 @@
-FROM postgres:10
-
-ARG CONTAINER_USER=cuser
-ARG CONTAINER_USER_GROUP=cuser
-
-RUN groupadd -r ${CONTAINER_USER_GROUP} && useradd -r -g ${CONTAINER_USER_GROUP} ${CONTAINER_USER}
-RUN chown -R ${CONTAINER_USER}:root /var/lib/
-RUN chown -R ${CONTAINER_USER}:root /var/run/
-RUN chown -R ${CONTAINER_USER}:root /tmp
-USER ${CONTAINER_USER}
+FROM postgres:13.12
From 3a610c75c0b15b20a350f0640738e0c29f2fca41 Mon Sep 17 00:00:00 2001
From: Noah Paige
Date: Fri, 12 Jan 2024 13:53:55 -0500
Subject: [PATCH 4/7] Resolve docker file ECS issues vpc facing deploy
---
 compose/elasticsearch/Dockerfile | 1 +
 compose/postgres/Dockerfile | 1 +
 frontend/docker/prod/Dockerfile | 36 +++++++++++++++----------------
 frontend/docker/prod/nginx.config | 2 +-
 4 files changed, 20 insertions(+), 20 deletions(-)
diff --git a/compose/elasticsearch/Dockerfile b/compose/elasticsearch/Dockerfile
index 8d470a342..d07352efd 100644
--- a/compose/elasticsearch/Dockerfile
+++ b/compose/elasticsearch/Dockerfile
@@ -1,3 +1,4 @@
+#checkov:skip=CKV_DOCKER_3: Dockerfile only used for local data.all - no need to check user created
 ARG ELK_VERSION
diff --git a/compose/postgres/Dockerfile b/compose/postgres/Dockerfile
index cb61fc5f9..c5cc7d86e 100644
--- a/compose/postgres/Dockerfile
+++ b/compose/postgres/Dockerfile
@@ -1 +1,2 @@
+#checkov:skip=CKV_DOCKER_3: Dockerfile only used for local data.all - no need to check user created
 FROM postgres:13.12
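Review bot: The bump from `postgres:10` to `postgres:13.12` is a major-version upgrade, and a PostgreSQL 13 server will not start on a data directory initialised by 10; if the `db` service persists its data in a volume (not visible in this hunk), existing local databases have to be recreated or migrated with pg_upgrade. That deserves a comment above the new FROM line, e.g. `# Major upgrade from 10: recreate the local db volume (13 cannot open a 10 data directory)`. Dropping the custom `cuser` setup looks acceptable because the official image's entrypoint steps down to its own `postgres` user when started as root, and a one-line comment saying so would keep a later reviewer from re-adding a USER directive.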
diff --git a/frontend/docker/prod/Dockerfile b/frontend/docker/prod/Dockerfile
index 8fa71ebd2..66ceadd01 100644
--- a/frontend/docker/prod/Dockerfile
+++ b/frontend/docker/prod/Dockerfile
@@ -21,28 +21,26 @@ RUN dnf upgrade -y;\
 # Installing libraries
 RUN dnf install -y tar gzip openssl nginx-$NGINX_VERSION
-
-
 RUN groupadd -r ${CONTAINER_USER_GROUP} && useradd -m -r -g ${CONTAINER_USER_GROUP} ${CONTAINER_USER}
-RUN mkdir -p /var/cache/nginx && chown -R ${CONTAINER_USER}:root /var/cache/nginx && \
- mkdir -p /var/log/nginx && chown -R ${CONTAINER_USER}:root /var/log/nginx && \
- mkdir -p /var/lib/nginx && chown -R ${CONTAINER_USER}:root /var/lib/nginx && \
- touch /run/nginx.pid && chown -R ${CONTAINER_USER}:root /run/nginx.pid && \
+RUN mkdir -p /var/cache/nginx /var/log/nginx /var/lib/nginx /var/run/nginx /var/www/html && \
+ chown -R ${CONTAINER_USER}:${CONTAINER_USER_GROUP} /var/cache/nginx /var/log/nginx /var/lib/nginx /var/run/nginx /var/www/html && \
+ touch /run/nginx.pid && chown -R ${CONTAINER_USER}:${CONTAINER_USER_GROUP} /run/nginx.pid && \
 mkdir -p /etc/nginx/templates /etc/nginx/ssl/certs && \
- chown -R ${CONTAINER_USER}:root /etc/nginx
+ chown -R ${CONTAINER_USER}:${CONTAINER_USER_GROUP} /etc/nginx
+# Install necessary packages and grant permissions
+RUN setcap 'cap_net_bind_service=+ep' /usr/sbin/nginx
+WORKDIR /app
-RUN chown -R ${CONTAINER_USER}:root /usr/local
-RUN chown -R ${CONTAINER_USER}:root /etc/nginx
-RUN chown -R ${CONTAINER_USER}:root /usr/share/nginx
-RUN chown -R ${CONTAINER_USER}:root /tmp
-RUN chown -R ${CONTAINER_USER}:root /app
-USER ${CONTAINER_USER}
-
+RUN chown -R ${CONTAINER_USER}:${CONTAINER_USER_GROUP} /usr/local
+RUN chown -R ${CONTAINER_USER}:${CONTAINER_USER_GROUP} /etc/nginx
+RUN chown -R ${CONTAINER_USER}:${CONTAINER_USER_GROUP} /usr/share/nginx
+RUN chown -R ${CONTAINER_USER}:${CONTAINER_USER_GROUP} /tmp
+RUN chown -R ${CONTAINER_USER}:${CONTAINER_USER_GROUP} /app
-WORKDIR /app
+USER ${CONTAINER_USER}
 RUN touch ~/.bashrc
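Review bot: After this rewrite the runtime user owns `/etc/nginx`, `/usr/local` and `/usr/share/nginx` (the block of `RUN chown -R` lines just before the `USER` switch), so the account nginx serves traffic under can rewrite its own configuration, the served tree and anything installed under /usr/local; least privilege would keep those root-owned and limit ownership to what nginx writes at runtime (`/var/cache/nginx`, `/var/log/nginx`, `/var/lib/nginx`, `/run/nginx.pid`) plus `/app`. The later `RUN sed -i ... /etc/nginx/nginx.conf` (outside this hunk) runs as that user, so if it stays it needs write access to that one file; moving the sed above `USER` would remove the need to chown `/etc/nginx` at all. `/etc/nginx` is also chowned twice in this hunk, at the end of the combined `RUN mkdir ...` and again in the standalone `RUN chown -R ${CONTAINER_USER}:${CONTAINER_USER_GROUP} /etc/nginx`, and every recursive chown in its own RUN copies the tree into a new layer, so the duplicate should go. The comment `# Install necessary packages and grant permissions` above `setcap` does not describe it; `# nginx runs as ${CONTAINER_USER}: grant the file capability to bind ports below 1024 without root` says why it is there. The enclosing file continues both before and after this hunk.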
@@ -53,14 +51,14 @@ RUN echo '. ~/.nvm/nvm.sh' >> ~/.bashrc
 RUN . ~/.nvm/nvm.sh && npm install -g npm@9 yarn
-COPY --chown=${CONTAINER_USER}:root ./frontend/package.json ./frontend/yarn.lock ./
-COPY --chown=${CONTAINER_USER}:root ./config.json /
+COPY --chown=${CONTAINER_USER}:${CONTAINER_USER_GROUP} ./frontend/package.json ./frontend/yarn.lock ./
+COPY --chown=${CONTAINER_USER}:${CONTAINER_USER_GROUP} ./config.json /
 RUN . ~/.nvm/nvm.sh && yarn install
 ENV PATH="./node_modules/.bin:$PATH"
-COPY --chown=${CONTAINER_USER}:root ./frontend/docker/prod/nginx.config /etc/nginx/nginx.template
+COPY --chown=${CONTAINER_USER}:${CONTAINER_USER_GROUP} ./frontend/docker/prod/nginx.config /etc/nginx/nginx.template
 ENV SERVERNAME=$DOMAIN
@@ -77,7 +75,7 @@ RUN sed -i 's/user nginx;/#user nginx;/g' /etc/nginx/nginx.conf
 RUN cat /etc/nginx/nginx.conf
-COPY --chown=${CONTAINER_USER}:root ./frontend ./
+COPY --chown=${CONTAINER_USER}:${CONTAINER_USER_GROUP} ./frontend ./
 RUN . ~/.nvm/nvm.sh && yarn build
diff --git a/frontend/docker/prod/nginx.config b/frontend/docker/prod/nginx.config
index 500db0d7e..61f241ed0 100644
--- a/frontend/docker/prod/nginx.config
+++ b/frontend/docker/prod/nginx.config
@@ -1,4 +1,4 @@
-user nginx;
+user cuser cuser;
 worker_processes auto;
 error_log /var/log/nginx/error.log;
 pid /run/nginx.pid;
From d638fbe427783b794b4d1d8fd0b184011c2c1472 Mon Sep 17 00:00:00 2001
From: Noah Paige
Date: Tue, 6 Feb 2024 13:35:28 -0500
Subject: [PATCH 5/7] Add Commands to fix permissions to access aws creds file
---
 backend/docker/dev/Dockerfile | 4 ++--
 docker-compose.yaml | 4 ++++
 2 files changed, 6 insertions(+), 2 deletions(-)
diff --git a/backend/docker/dev/Dockerfile b/backend/docker/dev/Dockerfile
index 51dccc05f..6c7d3719a 100644
--- a/backend/docker/dev/Dockerfile
+++ b/backend/docker/dev/Dockerfile
@@ -5,7 +5,7 @@ ARG NVM_VERSION=v0.37.2
 ARG PYTHON_VERSION=python3.9
 ARG CONTAINER_USER=cuser
 ARG CONTAINER_USER_GROUP=cuser
-
+ARG CONTAINER_UID
 # Clean cache
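Review bot: `user cuser cuser;` only takes effect when the nginx master process starts as root, and the frontend Dockerfile in this series switches to `USER ${CONTAINER_USER}` before the container ever runs, so nginx will ignore the directive (it warns about this at startup); the same Dockerfile already comments out the equivalent `user nginx;` line in `/etc/nginx/nginx.conf` with sed. Replacing the line with `# no user directive: nginx starts as the non-root container user, so it would be ignored` keeps this template consistent with that step. The hardcoded `cuser` also duplicates the `CONTAINER_USER` build arg, so overriding the arg would leave the template naming a user that does not exist in the image.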
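Review bot: `ARG CONTAINER_UID` has no default, and the useradd hunk of this patch (`@@ -20,7 +20,7 @@` in backend/docker/dev/Dockerfile) interpolates it as `-u ${CONTAINER_UID}`; when the arg is not supplied — a plain `docker build` of this Dockerfile, or the compose hunks' `CONTAINER_UID: ${UID}` when `UID` is not exported into compose's environment (in most shells it is a shell variable, not an exported one) — the command collapses to `useradd -m -r -u -g cuser cuser`, which presumably fails with `-g` read as an invalid user ID. Give the arg a default, `ARG CONTAINER_UID=1000`, and write `CONTAINER_UID: ${UID:-1000}` in both docker-compose hunks so the fallback is explicit rather than a broken build. A comment above the ARG, `# host uid for the container user so bind-mounted ~/.aws files stay readable`, would record why the uid is passed in at all.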
@@ -20,7 +20,7 @@ RUN dnf -y install -y \
 RUN dnf install $PYTHON_VERSION
 RUN dnf -y install python3-pip python3-devel git
-RUN groupadd -r ${CONTAINER_USER_GROUP} && useradd -m -r -g ${CONTAINER_USER_GROUP} ${CONTAINER_USER}
+RUN groupadd -r ${CONTAINER_USER_GROUP} && useradd -m -r -u ${CONTAINER_UID} -g ${CONTAINER_USER_GROUP} ${CONTAINER_USER}
 RUN useradd -m app
 RUN chown -R ${CONTAINER_USER}:root /usr/local
 RUN chown -R ${CONTAINER_USER}:root /tmp
diff --git a/docker-compose.yaml b/docker-compose.yaml
index 86223e578..6b10cfeac 100644
--- a/docker-compose.yaml
+++ b/docker-compose.yaml
@@ -5,6 +5,8 @@ services:
 build:
 context: ./backend
 dockerfile: docker/dev/Dockerfile
+ args:
+ CONTAINER_UID: ${UID}
 entrypoint: /bin/bash -c 'aws configure set region "eu-west-1" &&. ~/.nvm/nvm.sh && uvicorn cdkproxymain:app --host 0.0.0.0 --port 2805 --reload'
 expose:
 - 2805
@@ -33,6 +35,8 @@ services:
 build:
 context: ./backend
 dockerfile: docker/dev/Dockerfile
+ args:
+ CONTAINER_UID: ${UID}
 entrypoint: /bin/bash -c "../build/wait-for-it.sh elasticsearch:9200 -t 30 && python3.9 local_graphql_server.py"
 expose:
 - 5000
From 83cc02597b41cb0e3f4ad857409449614a3cadb2 Mon Sep 17 00:00:00 2001
From: Noah Paige
Date: Wed, 7 Feb 2024 08:50:21 -0500
Subject: [PATCH 6/7] change group owner command vpc facing frontend
---
 frontend/docker/prod/Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/frontend/docker/prod/Dockerfile b/frontend/docker/prod/Dockerfile
index f31e024c3..14ebca130 100644
--- a/frontend/docker/prod/Dockerfile
+++ b/frontend/docker/prod/Dockerfile
@@ -54,7 +54,7 @@ RUN . ~/.nvm/nvm.sh && npm install -g npm@9 yarn
 COPY --chown=${CONTAINER_USER}:${CONTAINER_USER_GROUP} ./frontend/package.json ./frontend/yarn.lock ./
 COPY --chown=${CONTAINER_USER}:${CONTAINER_USER_GROUP} ./config.json /
 # Copy vesion.json to docker root, because app scripts read it from ".."
-COPY --chown=${CONTAINER_USER}:root ./version.json /
+COPY --chown=${CONTAINER_USER}:${CONTAINER_USER_GROUP} ./version.json /
 RUN . ~/.nvm/nvm.sh && yarn install
From 197373ff89b3b45a4976207dc76ee6dc57b55ab8 Mon Sep 17 00:00:00 2001
From: Noah Paige
Date: Wed, 7 Feb 2024 09:11:05 -0500
Subject: [PATCH 7/7] remove checkov exceptions, handled in baseline and gh workflow
---
 compose/elasticsearch/Dockerfile | 1 -
 compose/postgres/Dockerfile | 1 -
 2 files changed, 2 deletions(-)
diff --git a/compose/elasticsearch/Dockerfile b/compose/elasticsearch/Dockerfile
index d07352efd..8d470a342 100644
--- a/compose/elasticsearch/Dockerfile
+++ b/compose/elasticsearch/Dockerfile
@@ -1,4 +1,3 @@
-#checkov:skip=CKV_DOCKER_3: Dockerfile only used for local data.all - no need to check user created
 ARG ELK_VERSION
diff --git a/compose/postgres/Dockerfile b/compose/postgres/Dockerfile
index c5cc7d86e..cb61fc5f9 100644
--- a/compose/postgres/Dockerfile
+++ b/compose/postgres/Dockerfile
@@ -1,2 +1 @@
-#checkov:skip=CKV_DOCKER_3: Dockerfile only used for local data.all - no need to check user created
 FROM postgres:13.12