From 205a8826534433e4f06b14277b01c6fb2cee295f Mon Sep 17 00:00:00 2001
From: Nick Sellen
Date: Wed, 19 Jul 2023 19:23:11 +0100
Subject: [PATCH] Split S3 config into compose.s3.yml
---
 compose.s3.yml | 33 +++++++++++++++++++++++++++++++++
 compose.yml | 12 ------------
 entrypoint.sh.tmpl | 1 +
 3 files changed, 34 insertions(+), 12 deletions(-)
 create mode 100644 compose.s3.yml
diff --git a/compose.s3.yml b/compose.s3.yml
new file mode 100644
index 0000000..67b2143
--- /dev/null
+++ b/compose.s3.yml
@@ -0,0 +1,33 @@
+---
+version: "3.8"
+
+services:
+ app:
+ environment: &s3-env
+ - S3_ENABLED=true
+ - AWS_ACCESS_KEY_ID
+ - AWS_SECRET_ACCESS_KEY_FILE=/run/secrets/aws_secret_access_key
+ - S3_BUCKET
+ - S3_REGION
+ - S3_PROTOCOL
+ - S3_HOSTNAME
+ - S3_ENDPOINT
+ - S3_SIGNATURE_VERSION
+ - S3_OVERRIDE_PATH_STYLE
+ - S3_OPEN_TIMEOUT
+ - S3_READ_TIMEOUT
+ secrets: &s3-secrets
+ - aws_secret_access_key
+
+ streaming:
+ environment: *s3-env
+ secrets: *s3-secrets
+
+ sidekiq:
+ environment: *s3-env
+ secrets: *s3-secrets
+
+secrets:
+ aws_secret_access_key:
+ name: ${STACK_NAME}_aws_secret_access_key_${SECRET_AWS_SECRET_ACCESS_KEY_VERSION}
+ external: true
diff --git a/compose.yml b/compose.yml
index 6a9e1f3..784d961 100644
--- a/compose.yml
+++ b/compose.yml
@@ -37,8 +37,6 @@ services:
 - ALLOW_ACCESS_TO_HIDDEN_SERVICE
 - ALTERNATE_DOMAINS
 - AUTHORIZED_FETCH
- - AWS_ACCESS_KEY_ID
- - AWS_SECRET_ACCESS_KEY
 - CACHE_REDIS_HOST
 - CACHE_REDIS_NAMESPACE
 - CACHE_REDIS_PORT
@@ -102,16 +100,6 @@ services:
 - REDIS_NAMESPACE
 - REDIS_PORT
 - REDIS_URL
- - S3_ENABLED
- - S3_BUCKET
- - S3_REGION
- - S3_PROTOCOL
- - S3_HOSTNAME
- - S3_ENDPOINT
- - S3_SIGNATURE_VERSION
- - S3_OVERRIDE_PATH_STYLE
- - S3_OPEN_TIMEOUT
- - S3_READ_TIMEOUT
 - SAML_ACS_URL
 - SAML_ATTRIBUTES_STATEMENTS_EMAIL
 - SAML_ATTRIBUTES_STATEMENTS_FIRST_NAME
diff --git a/entrypoint.sh.tmpl b/entrypoint.sh.tmpl
index 57b8ff0..87cc55f 100644
--- a/entrypoint.sh.tmpl
+++ b/entrypoint.sh.tmpl
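Review bot: In compose.s3.yml the `aws_secret_access_key` secret and the whole `*s3-env` list are attached to `streaming` as well as `app` and `sidekiq`; Mastodon's streaming service normally has no need for object-storage credentials (worth confirming for this recipe), so dropping the `streaming:` entry would keep the key out of one more container. Separately, the diffstat shows no change to an env sample or README, so nothing tells operators about the new `SECRET_AWS_SECRET_ACCESS_KEY_VERSION` variable or that compose.s3.yml must be added to their compose file list; a header comment in the new file such as `# S3 media storage: include this file and create the aws_secret_access_key secret first` would cover it. Deployments that previously passed `AWS_SECRET_ACCESS_KEY` as a plain environment variable may also want to rotate that key when moving it into the secret.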
@@ -28,6 +28,7 @@ export DB_PASS=$(cat /run/secrets/db_password) # for sidekiq service bundle exec env var threading file_env "OTP_SECRET" file_env "SECRET_KEY_BASE" +file_env "AWS_SECRET_ACCESS_KEY" {{ if eq (env "OIDC_ENABLED") "true" }} file_env "OIDC_CLIENT_SECRET"
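Review bot: The added `file_env "AWS_SECRET_ACCESS_KEY"` runs on every deployment, while `AWS_SECRET_ACCESS_KEY_FILE` and the mounted secret exist only when compose.s3.yml is included. `file_env` is defined outside this hunk, so its behaviour when neither the variable nor its `_FILE` form is set is not visible here; if it follows the common pattern of exporting an empty default, non-S3 deployments would end up with an empty `AWS_SECRET_ACCESS_KEY` in the process environment. Guarding the call the same way as the OIDC secret just below would avoid that: `{{ if eq (env "S3_ENABLED") "true" }}`, `file_env "AWS_SECRET_ACCESS_KEY"`, `{{ end }}`.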