fix: [#277] remove public MySQL port exposure for security

src/infrastructure/templating/docker_compose/template/renderer/docker_compose.rs

@@ -301,10 +301,10 @@ mod tests {
             "Volume should use local driver"
         );
 
-        // Verify port mapping
+        // Verify port is NOT exposed (security fix: https://github.com/torrust/torrust-tracker-deployer/issues/277)
         assert!(
-            content.contains("3306:3306"),
-            "Should expose MySQL port 3306"
+            !content.contains("3306:3306"),
+            "MySQL port 3306 should NOT be exposed externally for security"
         );
     }
 

templates/docker-compose/docker-compose.yml.tera

@@ -176,8 +176,11 @@ services:
 {%- for network in mysql.networks %}
       - {{ network }}
 {%- endfor %}
-    ports:
-      - "3306:3306"
+    # SECURITY: MySQL port is NOT exposed to the host/external network.
+    # - Only the tracker container can access MySQL via Docker's internal database_network
+    # - The healthcheck runs inside the container, so no external port is needed
+    # - This prevents unauthorized external access to the database
+    # See: https://github.com/torrust/torrust-tracker-deployer/issues/277
     volumes:
       - mysql_data:/var/lib/mysql
     command: --mysql-native-password=ON