Stabilize WPT Server Infrastructure (Bridge Networking, Port Alignment & State Migration) (#84)
* feat(security): run WPT server as unprivileged users and migrate state to GCS
Hardened the WPT server environment by removing root execution and sudo dependencies.
Migrated Terraform state to GCS and removed legacy Container VM agent overrides.
Infrastructure (Terraform):
- Created GCS bucket `gs://wpt-live-app-tfstate` with versioning for state storage.
- Switched instance templates to use a dedicated Service Account (`wpt-tot-app-sa`).
- Added IAM role `roles/storage.objectViewer` to the SA for certificate retrieval.
- Migrated local state to `gs://wpt-live-app-tfstate/terraform/state`.
- Retired legacy Container VM agent in favor of standard cloud-init.
Web Server (Docker/Supervisor):
- Created `wpt-server` (UID 1000) and `wpt-sync` (UID 1001) users.
- Granted `CAP_NET_BIND_SERVICE` to python3.10 to allow unprivileged binding to ports 80/443.
- Shifted all file paths and `git` operations into `/home/wpt-sync` instead of `/root`.
- Unified supervisord process execution without `sudo`.
* address feedback
* more tidy up
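A start-up self-check for the least-privilege posture the commit message describes (non-root `wpt-server`/`wpt-sync` users, with `CAP_NET_BIND_SERVICE` as the only capability python3 keeps). This is an added example, not code from the wpt.live repository; it reads the `Uid` and `CapEff` lines of `/proc/self/status`, and the two sample status texts are constructed.

```python
"""Verify that a server process runs as a non-root user with only the
capabilities it was granted (here CAP_NET_BIND_SERVICE for ports 80/443).
Added example, not wpt.live code. Reads /proc/self/status on Linux."""

# Capability bit numbers from <linux/capability.h>.
CAP_NET_BIND_SERVICE = 10


def parse_status(status_text: str) -> tuple[int, set[int]]:
    """Return (real uid, set of effective capability bits) from a
    /proc/<pid>/status text. CapEff is a hex bitmask; bit n == capability n."""
    uid = None
    caps = None
    for line in status_text.splitlines():
        if line.startswith("Uid:"):
            uid = int(line.split(":", 1)[1].split()[0])   # real uid is the first field
        elif line.startswith("CapEff:"):
            mask = int(line.split(":", 1)[1].strip(), 16)
            caps = {bit for bit in range(64) if (mask >> bit) & 1}
    if uid is None or caps is None:
        raise ValueError("Uid or CapEff line missing from status text")
    return uid, caps


def check_privilege_posture(status_text: str, allowed: set[int]) -> list[str]:
    """Return a list of violations; an empty list means the posture matches."""
    uid, caps = parse_status(status_text)
    problems = []
    if uid == 0:
        problems.append("process is running as root (uid 0)")
    extra = caps - allowed
    if extra:
        problems.append(f"unexpected effective capabilities: {sorted(extra)}")
    return problems


def self_check(allowed=frozenset({CAP_NET_BIND_SERVICE})) -> list[str]:
    """Check the current process (Linux only)."""
    with open("/proc/self/status") as f:
        return check_privilege_posture(f.read(), set(allowed))


# Constructed sample: python3 as uid 1000 with only CAP_NET_BIND_SERVICE (bit 10 -> 0x400).
SAMPLE_OK = "Name:\tpython3\nUid:\t1000\t1000\t1000\t1000\nCapEff:\t0000000000000400\n"
# Constructed sample: a root shell holding the full capability set (bits 0-40).
SAMPLE_ROOT = "Name:\tbash\nUid:\t0\t0\t0\t0\nCapEff:\t000001ffffffffff\n"

if __name__ == "__main__":
    print(check_privilege_posture(SAMPLE_OK, {CAP_NET_BIND_SERVICE}))    # []
    print(check_privilege_posture(SAMPLE_ROOT, {CAP_NET_BIND_SERVICE}))  # two violations
```

Wiring `self_check()` into the server's start-up path (and failing hard on a non-empty result) turns the hardening into an enforced invariant rather than a deployment assumption.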
infrastructure/web-platform-tests/compute.tf (78 additions & 63 deletions)
@@ -10,37 +10,46 @@
# More information about how it was used previously: https://github.com/web-platform-tests/wpt.live/blob/67dc5976ccce2e64483f2028a35659d4d6e58891/infrastructure/web-platform-tests/main.tf#L69-L137
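Review bot: the comment says "how it was used previously" without naming what "it" is; since the commit message records that the legacy Container VM agent was retired in favour of cloud-init, name it in the comment (e.g. `# The legacy Container VM agent was used previously; see: https://github.com/web-platform-tests/wpt.live/blob/67dc5976ccce2e64483f2028a35659d4d6e58891/infrastructure/web-platform-tests/main.tf#L69-L137`) so a reader of compute.tf does not have to consult the commit history.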