fix: [#246] bind Prometheus to localhost for secure validation

josecelano · josecelano · commit 7d565819ea5f · 2025-12-20T11:24:04.000Z
**Issue**: Prometheus port was completely removed for security, but this broke
validation in e2e tests since the service couldn't be accessed from the host.

**Solution**: Bind Prometheus port to localhost only (127.0.0.1:9090:9090)
instead of removing it entirely or exposing it to all interfaces (0.0.0.0).

**Changes**:
- Update docker-compose template to bind port 9090 to 127.0.0.1 only
- Update test to verify localhost-only binding is present
- Prometheus remains accessible from Docker network for Grafana
- Validation works via SSH: curl http://localhost:9090

**Security Benefits**:
- Before: Port removed (no validation possible from host)
- After: Port bound to localhost (validation works, no external exposure)
- Grafana access: Unchanged (uses Docker network: http://prometheus:9090)
- External access: Still blocked (not accessible from outside VM)

**Verification**:
- All e2e deployment workflow tests passing (~73s)
- Prometheus smoke test successful via localhost
- Port not exposed to external network
diff --git a/src/infrastructure/templating/docker_compose/template/renderer/docker_compose.rs b/src/infrastructure/templating/docker_compose/template/renderer/docker_compose.rs
@@ -385,10 +385,10 @@ mod tests {
             "Should set container name"
         );
 
-        // Verify port is NOT exposed (internal service only)
+        // Verify port is bound to localhost only (not exposed to external network)
         assert!(
-            !rendered_content.contains("ports:") || !rendered_content.contains("9090:9090"),
-            "Prometheus port 9090 should NOT be exposed to host (internal service only, accessed via Docker network)"
+            rendered_content.contains("127.0.0.1:9090:9090"),
+            "Prometheus port 9090 should be bound to localhost only (not exposed to external network)"
         );
 
         // Verify volume mount
diff --git a/templates/docker-compose/docker-compose.yml.tera b/templates/docker-compose/docker-compose.yml.tera
@@ -65,9 +65,10 @@ services:
     restart: unless-stopped
     networks:
       - backend_network
-    # Port 9090 NOT exposed to host - internal service only
+    ports:
+      - "127.0.0.1:9090:9090"  # Localhost only - not exposed to external network
     # Grafana accesses Prometheus via Docker network: http://prometheus:9090
-    # For debugging, use: docker exec -it prometheus wget -qO- http://localhost:9090/metrics
+    # Host can access for validation via: curl http://localhost:9090
     volumes:
       - ./storage/prometheus/etc:/etc/prometheus:Z
     logging:
