From 4d61bf52212e2324c815cffd0d6a066d958583e0 Mon Sep 17 00:00:00 2001
From: Shahe Islam
Date: Mon, 25 Aug 2025 14:51:34 +0100
Subject: [PATCH] Configure containers to run as non-root user for ITHC security compliance
This change addresses ITHC security recommendations that containers should:
- Not run as root user
- Not run with GID <= 10000
- Not run with UID <= 10000
Changes:
- Dockerfile: Create appuser/appgroup with UID/GID 10001 and set USER 10001
- terraform/application/application.tf: Add run_as_user, run_as_group, and run_as_non_root settings to web_application module
- terraform/application/variables.tf: Add run_as_non_root variable with default value of true
These changes ensure containers run securely on AKS hosts following best practices. The Terraform configuration will be fully functional once terraform-modules PR #158 is promoted to stable.
Testing requirements:
- Verify application starts without errors
- Confirm no issues with worker processes (if applicable)
- Full dev testing required to ensure no runtime permission issues
---
 Dockerfile | 10 ++++++++++
 terraform/application/application.tf | 4 ++++
 terraform/application/variables.tf | 5 +++++
 3 files changed, 19 insertions(+)
diff --git a/Dockerfile b/Dockerfile
index d5301ac4..f5cdb53e 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,3 +1,13 @@
 FROM nginxinc/nginx-unprivileged:1.27.5-alpine3.21
+# Switch to root to create the user
+USER root
+
+# Create app user and group with UID/GID 10001 as per ITHC security requirements
+RUN addgroup -g 10001 -S appgroup && adduser -u 10001 -S appuser -G appgroup
+
+# COPY the build files - the base image already handles proper ownership
 COPY ./build/ /usr/share/nginx/html
+
+# Run as non-root user with UID > 10000 as per ITHC security requirements
+USER 10001
diff --git a/terraform/application/application.tf b/terraform/application/application.tf
index 2e3a8c4f..564bcb30 100644
--- a/terraform/application/application.tf
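Review bot: The comment above `COPY` is inaccurate and nothing in this hunk grants UID/GID 10001 write access to any path: `COPY` without `--chown` creates root-owned files, and the base image presumably prepares its runtime directories for its own default user, not for the new one. Root-owned, read-only content is the safer outcome for static files, so I would keep the ownership and reword the comment to `# COPY creates root-owned files; UID 10001 only needs read access`. Confirm that nginx and the image's entrypoint start cleanly as 10001, and if a path has to be writable add a targeted `chown 10001:10001 <path>` while still `USER root`. `USER 10001:10001` on the last line would also pin the group instead of relying on the passwd lookup.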
+++ b/terraform/application/application.tf
@@ -34,4 +34,8 @@ module "web_application" {
 replicas = var.replicas
 docker_image = var.docker_image
+
+ run_as_user = "10001"
+ run_as_group = "10001"
+ run_as_non_root = var.run_as_non_root
 }
diff --git a/terraform/application/variables.tf b/terraform/application/variables.tf
index 22c7e480..7ddad61e 100644
--- a/terraform/application/variables.tf
+++ b/terraform/application/variables.tf
@@ -51,6 +51,11 @@ variable "enable_monitoring" {
 description = "Enable monitoring and alerting"
 }
+variable "run_as_non_root" {
+ default = true
+ description = "Run containers as non-root user for security compliance"
+}
+
 locals {
 postgres_ssl_mode = var.enable_postgres_ssl ? "require" : "disable"
 }
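Review bot: `run_as_user` and `run_as_group` repeat the literal 10001 from the Dockerfile with nothing tying the two together, while `run_as_non_root` just below them can be overridden through a variable. If the image's UID changes and this block does not, the pod would presumably start under an ID the image was never prepared for. I would add `# Must match the UID/GID created in the Dockerfile (USER 10001)` above the two lines and consider writing `run_as_non_root = true` directly, so the control cannot be switched off per environment. Per the commit description these arguments depend on a module release that is not yet stable, so confirm the pinned module version accepts them before merging. The `module "web_application"` block starts outside the hunk.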
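Review bot: `run_as_non_root` is declared without a `type`, so whatever value a tfvars file or `-var` supplies is accepted and handed to the module unchecked; add `type = bool` next to the `default` line. Because the flag is a compliance control, the description should also say what disabling it means, for example `description = "Enforce non-root containers (ITHC requirement); set to false only with a documented exception"`.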