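---
# Prowler scan -> findings -> remediation pipeline.
#
# All three services share ./output (scan results) and the prowler-net bridge:
#   prowler    -> one-shot scan, writes CSV findings to ./output
#   consumer   -> polls ./output and loads findings into SQLite
#   remediator -> polls the action queue and (dry-run by default) applies fixes
#
# Secrets: AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY are interpolated from the
# invoking shell or the project .env (keep .env out of version control); the
# remediator additionally mounts the host's ~/.aws read-only.
version: '3.8'

services:
  # Prowler scanner — a one-shot process: runs a single scan and exits.
  prowler:
    # TODO(review): `latest` is a mutable tag; pin a release tag or an @sha256
    # digest so the image that receives the AWS credentials cannot change
    # underneath a redeploy.
    image: toniblyx/prowler:latest
    volumes:
      - ./output:/output
      - ./config:/config:ro
    environment:
      - AWS_ACCESS_KEY_ID=${AWS_ACCESS_KEY_ID}
      - AWS_SECRET_ACCESS_KEY=${AWS_SECRET_ACCESS_KEY}
      - AWS_DEFAULT_REGION=us-east-1
    command: >-
      aws
      --output-formats csv
      --output-directory /output
      --config-file /config/prowler-config.yaml
    # A one-shot scan must not be restarted by Compose: `unless-stopped` would
    # re-run it back-to-back forever (a continuous stream of API calls against
    # the account, not "once per scheduled interval"). Trigger each run from an
    # external scheduler instead, e.g. `docker compose run --rm prowler` from
    # cron or a systemd timer. `no` must stay quoted (bare `no` is a YAML bool).
    restart: "no"
    security_opt:
      - no-new-privileges:true
    networks:
      - prowler-net
    mem_limit: 4096m
    cpus: 2

  # Findings consumer — polls ./output every 30s and loads findings into SQLite.
  consumer:
    build:
      context: ./consumer
      dockerfile: Dockerfile
    volumes:
      - ./output:/output
      # Source bind-mounted read-write. NOTE(review): if the SQLite DB does not
      # live under /app, mount this `:ro` — the same tree is executed by the
      # remediator, which holds AWS credentials, so a compromised consumer could
      # otherwise rewrite code that runs with those credentials.
      - ./consumer:/app
    env_file:
      - .env
    restart: unless-stopped
    depends_on:
      - prowler
    security_opt:
      - no-new-privileges:true
    networks:
      - prowler-net
    # --dry-run is deliberate here; it is the safe default for the base file.
    command: python prowler_consumer.py --daemon --poll-interval 30 --dry-run

  # Remediation daemon — drains the action queue and applies fixes.
  remediator:
    build:
      context: ./consumer
      dockerfile: Dockerfile
    volumes:
      # Host credentials, read-only. Every profile in ~/.aws is visible to this
      # container; give it a dedicated least-privilege profile (selected via
      # AWS_PROFILE in .env) rather than the operator's default identity.
      - ~/.aws:/root/.aws:ro
      # See the consumer service for the read-only caveat on this mount.
      - ./consumer:/app
    env_file:
      - .env
    restart: unless-stopped
    depends_on:
      - consumer
    security_opt:
      - no-new-privileges:true
    networks:
      - prowler-net
    # Default: dry-run mode — nothing is changed in the account. Enable writes
    # with the --apply flag in a production override file
    # (docker-compose.override.yml), never in this base file.
    command: python /app/remediation_service/remediation_daemon.py --dry-run --poll-interval 60

networks:
  prowler-net:
    driver: bridge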