Isolate docker configuration per step

Patrick Robinson · yob · commit c4d93f28e0d2 · 2020-10-26T16:37:13.000+11:00
This avoids potential race condition that:
- Allow steps to use credential from other steps
- Causes steps to use incorrect credentials, if they are over-written by another step
diff --git a/packer/linux/conf/bin/bk-install-elastic-stack.sh b/packer/linux/conf/bin/bk-install-elastic-stack.sh
@@ -49,6 +49,8 @@ PLUGINS_ENABLED=()
 [[ $ECR_PLUGIN_ENABLED == "true" ]] && PLUGINS_ENABLED+=("ecr")
 [[ $DOCKER_LOGIN_PLUGIN_ENABLED == "true" ]] && PLUGINS_ENABLED+=("docker-login")
 
+[[ $ISOLATE_DOCKER_CONFIG == "true" ]] && DOCKER_CONFIG="export DOCKER_CONFIG=\$(mktemp -d)"
+
 # cfn-env is sourced by the environment hook in builds
 cat << EOF > /var/lib/buildkite-agent/cfn-env
 export DOCKER_VERSION=$DOCKER_VERSION
@@ -60,6 +62,7 @@ export AWS_DEFAULT_REGION=$AWS_REGION
 export AWS_REGION=$AWS_REGION
 export PLUGINS_ENABLED="${PLUGINS_ENABLED[*]-}"
 export BUILDKITE_ECR_POLICY=${BUILDKITE_ECR_POLICY:-none}
+${DOCKER_CONFIG:-""}
 EOF
 
 if [[ "${BUILDKITE_AGENT_RELEASE}" == "edge" ]] ; then
diff --git a/templates/aws-stack.yml b/templates/aws-stack.yml
@@ -74,6 +74,7 @@ Metadata:
         Parameters:
         - EnableDockerUserNamespaceRemap
         - EnableDockerExperimental
+        - IsolateDockerConfig
 
       - Label:
           default: Docker Registry Configuration
@@ -355,6 +356,14 @@ Parameters:
       - "false"
     Default: "false"
 
+  IsolateDockerConfig:
+    Type: String
+    Description: Isolates Docker Configuration per step
+    AllowedValues:
+      - "true"
+      - "false"
+    Default: "false"
+
   EnableCostAllocationTags:
     Type: String
     Description: Enables AWS Cost Allocation tags for all resources in the stack. See https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/cost-alloc-tags.html
@@ -864,6 +873,7 @@ Resources:
                   $Env:ECR_PLUGIN_ENABLED="${EnableECRPlugin}"
                   $Env:DOCKER_LOGIN_PLUGIN_ENABLED="${EnableDockerLoginPlugin}"
                   $Env:AWS_REGION="${AWS::Region}"
+                  $Env:ISOLATE_DOCKER_CONFIG="${IsolateDockerConfig}"
                   powershell -file C:\buildkite-agent\bin\bk-install-elastic-stack.ps1 >> C:\buildkite-agent\elastic-stack.log
                   </powershell>
                 - {
