Split S3 config into compose.s3.yml

compose.s3.yml

@@ -0,0 +1,33 @@
+---
+version: "3.8"
+
+services:
+  app:
+    environment: &s3-env
+      - S3_ENABLED=true
+      - AWS_ACCESS_KEY_ID
+      - AWS_SECRET_ACCESS_KEY_FILE=/run/secrets/aws_secret_access_key
+      - S3_BUCKET
+      - S3_REGION
+      - S3_PROTOCOL
+      - S3_HOSTNAME
+      - S3_ENDPOINT
+      - S3_SIGNATURE_VERSION
+      - S3_OVERRIDE_PATH_STYLE
+      - S3_OPEN_TIMEOUT
+      - S3_READ_TIMEOUT
+    secrets: &s3-secrets
+      - aws_secret_access_key
+
+  streaming:
+    environment: *s3-env
+    secrets: *s3-secrets
+
+  sidekiq:
+    environment: *s3-env
+    secrets: *s3-secrets
+
+secrets:
+  aws_secret_access_key:
+    name: ${STACK_NAME}_aws_secret_access_key_${SECRET_AWS_SECRET_ACCESS_KEY_VERSION}
+    external: true

compose.yml

@@ -37,8 +37,6 @@ services:
       - ALLOW_ACCESS_TO_HIDDEN_SERVICE
       - ALTERNATE_DOMAINS
       - AUTHORIZED_FETCH
-      - AWS_ACCESS_KEY_ID
-      - AWS_SECRET_ACCESS_KEY
       - CACHE_REDIS_HOST
       - CACHE_REDIS_NAMESPACE
       - CACHE_REDIS_PORT
@@ -102,16 +100,6 @@ services:
       - REDIS_NAMESPACE
       - REDIS_PORT
       - REDIS_URL
-      - S3_ENABLED
-      - S3_BUCKET
-      - S3_REGION
-      - S3_PROTOCOL
-      - S3_HOSTNAME
-      - S3_ENDPOINT
-      - S3_SIGNATURE_VERSION
-      - S3_OVERRIDE_PATH_STYLE
-      - S3_OPEN_TIMEOUT
-      - S3_READ_TIMEOUT
       - SAML_ACS_URL
       - SAML_ATTRIBUTES_STATEMENTS_EMAIL
       - SAML_ATTRIBUTES_STATEMENTS_FIRST_NAME

entrypoint.sh.tmpl

@@ -28,6 +28,7 @@ export DB_PASS=$(cat /run/secrets/db_password)
 # for sidekiq service bundle exec env var threading
 file_env "OTP_SECRET"
 file_env "SECRET_KEY_BASE"
+file_env "AWS_SECRET_ACCESS_KEY"
 
 {{ if eq (env "OIDC_ENABLED") "true" }}
 file_env "OIDC_CLIENT_SECRET"