Question
Using Pulumi, how can I provision a Postgres database using Docker without exposing the postgres password?
Background
Currently, when inspecting the container’s environment variables, the postgres password is viewable.
Solution
The following Pulumi code can be used to provision a Postgres database using Docker without exposing the postgres password:
```typescript
import * as docker from '@pulumi/docker'
import * as pulumi from '@pulumi/pulumi'
import network from '../network'
import { Volume } from '../volumes'

const container_name = `${pulumi.getProject()}-postgres`
const postgresConfig = new pulumi.Config('postgres')

// requireSecret returns a secret Output, so Pulumi keeps the value encrypted
// and masks it in CLI output.
const password = postgresConfig.requireSecret('password')

// The container is created at the top level rather than inside apply(): it
// then shows up in `pulumi preview`, and the password reaches `envs` as a
// secret Output instead of an unwrapped plain string.
const postgres = new docker.Container(container_name, {
  name: container_name,
  image: 'postgres:latest',
  restart: 'always',
  ports: [
    {
      internal: 5432,
      external: 5432,
    },
  ],
  networksAdvanced: [
    {
      name: network.name,
    },
  ],
  volumes: [
    {
      volumeName: Volume.postgres,
      containerPath: '/var/lib/postgres/data',
    },
  ],
  healthcheck: {
    interval: '10s',
    retries: 10,
    // CMD-SHELL runs the check in the container's shell, which expands the
    // variables there (`$$` is Docker Compose escaping and is not needed here).
    tests: ['CMD-SHELL', 'pg_isready -U "$POSTGRES_USER" -d "$POSTGRES_DB"'],
    timeout: '2s',
  },
  envs: [
    `POSTGRES_DB=${postgresConfig.require('db')}`,
    `POSTGRES_USER=${postgresConfig.require('user')}`,
    // interpolate keeps the resulting string marked as a secret.
    pulumi.interpolate`POSTGRES_PASSWORD=${password}`,
  ],
})

export default postgres
```
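
The code above passes the password through `envs`, and Docker records container environment variables in the container's configuration. The following added example (not part of the original answer) is a check for the condition described under Background: it reads `docker inspect` JSON and reports variables that carry a credential inline. The name pattern and the sample data are constructed assumptions; `POSTGRES_PASSWORD_FILE` is the official postgres image's file-based alternative, which holds a path rather than the value.

```typescript
// Added example: audit `docker inspect` output for secrets passed inline as
// environment variables. Name patterns and sample data are constructed.
interface InspectedContainer {
  Name: string
  Config: { Env: string[] | null }
}

interface Finding {
  container: string
  variable: string
}

// Assumption: variable names containing these words hold credentials.
const SECRET_NAME = /(PASSWORD|PASSWD|SECRET|TOKEN|API_?KEY)/i

function findInlineSecrets(inspectJson: string): Finding[] {
  const containers = JSON.parse(inspectJson) as InspectedContainer[]
  const findings: Finding[] = []
  for (const c of containers) {
    for (const entry of c.Config.Env ?? []) {
      const eq = entry.indexOf('=')
      const name = eq === -1 ? entry : entry.slice(0, eq)
      const value = eq === -1 ? '' : entry.slice(eq + 1)
      // NAME_FILE variables hold a path to a mounted file, not the secret.
      if (/_FILE$/i.test(name)) continue
      if (SECRET_NAME.test(name) && value.length > 0) {
        // Report only the name so the audit output never repeats the value.
        findings.push({ container: c.Name.replace(/^\//, ''), variable: name })
      }
    }
  }
  return findings
}

// Constructed sample shaped like `docker inspect <container>` output.
const sampleInspect = JSON.stringify([
  {
    Name: '/demo-postgres',
    Config: { Env: ['POSTGRES_DB=app', 'POSTGRES_USER=app', 'POSTGRES_PASSWORD=constructed-value'] },
  },
  {
    Name: '/demo-postgres-file',
    Config: { Env: ['POSTGRES_DB=app', 'POSTGRES_PASSWORD_FILE=/run/secrets/postgres_password'] },
  },
])
```

Feed the function the output of `docker inspect <container>` for the provisioned container; an empty result means no matching variable carries its value inline.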