GoogleCloudPlatform
ENV output when generating Dockerfile
The ruby-generate-dockerfile container is used by Google App Engine to deploy Ruby/Rails applications. The last thing it does after generating the Dockerfile for the Ruby/Rails application is output the entire generated Dockerfile.
I can see how this step would be helpful in debugging as you could see how the container is being configured. But this means any ENV variables are also outputted to the Cloudbuild log files. Since ENV variables often contain sensitive credentials this seem unwise.
At the most simple level might be a flag that someone can use to indicate if they want the Dockerfile to output for debugging. By default don't output but with a certain flag that can be given to the GAE deploy command (and therefore passed onto this generator) you get the best of both worlds. Secure by default but debugging output can be enabled.
Another option might be filter the values of all ENV variables from the Dockerfile output. This removes the complexity of a config option and 99% of the generated Dockerfile can be seen but the part that might contain sensitive data would just have something like:
Step #7 - "default_service": Step #0: ENV RAILS_ENV="XXXXXXXX" \
Step #7 - "default_service": Step #0: RAILS_MASTER_KEY="XXXXXXXX" \
Step #7 - "default_service": Step #0: DATABASE_HOST="XXXXXXXX" \
Step #7 - "default_service": Step #0: DATABASE_USER="XXXXXXXXX" \
Step #7 - "default_service": Step #0: DATABASE_PASSWORD="XXXXXXXX"
As you can see this might over-reach some. The RAILS_ENV env variable is not sensitive. But the others become protected.
It just seems a shame that we have nice components like the Secrets Manager to store these secrets securely, CloudBuild can pull these secrets out via the 'avaliableSecrets' so we can pass it onto gcloud app deploy only to have all that effort undone by the stock build process.
