Support logConfiguration.secretOptions via ecs-params

[ahayworth]

Description of changes:

This PR enables ecs-cli to support the logConfiguration.secretOptions array as described in the ECS docs.

These parameters allow one to inject secrets into log config options, much the same as one may inject secrets into environment variables via the secrets array - eg, a splunk token. This PR configures these options under the container defs, like so:

version: 1
task_definition:
  services:
    foo:
      logging:
        secret_options:
          - name: super-secret
             value_from: 'arn::aws::blah'
...

To do so, this PR upgrades the aws sdk to 1.19.22 and re-generates mocks. Tests seem to pass, and I can confirm that I'm able to launch an ECS service with secrets parameters successfully injected into logging configuration.

---

Enter [N/A] in the box, if an item is not applicable to your change.

Testing

• Unit tests passed
• Integration tests passed
• Unit tests added for new functionality
• Listed manual checks and their outputs in the comments (example)
• Link to issue or PR for the integration tests:

Documentation

• Contacted our doc writer
• Updated our README

---

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

[efekarakus]

Awesome 🎉!
Thanks @ahayworth, we'll take a look at this PR soon and get back to you :)

[PettitWesley]

Secrets manager ARN is also supported

[ahayworth]

Indeed! 😄
f30c51f

[ahayworth]

Thanks for fixing the base branch @efekarakus :)

Manual Testing

New Functionality

Configuration

I tested with an in-house deployment, so I've redacted some parameters...

Parameters

# docker-compose.yaml
services:
  redacted-app:
    command: redacted-app
    environment:
      BOT_ENV: staging-ecs
      STATS_ADDR: localhost:8125
    healthcheck:
      interval: 5s
      retries: 5
      test: curl -f http://localhost:3000/_ping
      timeout: 2s
    image: redacted-ecr-repo-url:${SHA:?Deployment SHA is undefined!}
    logging:
      driver: splunk
      options:
        splunk-index: prod-sre
        splunk-sourcetype: sre
        splunk-url: redacted-splunk-url
        tag: '{{.ImageName}}/{{.Name}}/{{.ID}}'

# ecs-params.yaml
version: 1
run_params:
  network_configuration:
    awsvpc_configuration:
      assign_public_ip: DISABLED
      security_groups:
      - sg-12345
      subnets:
      - subnet-12345
task_definition:
  ecs_network_mode: awsvpc
  services:
    redacted-app:
      cpu_shares: 512
      essential: true
      healthcheck:
        start_period: 60s
      logging:
        secret_options:
        - name: splunk-token
          value_from: 'arn:aws:secretsmanager:12345...'
      mem_limit: 512
      secrets:
      - name: BOT_ID
        value_from: 'arn:aws:secretsmanager:123457849...'
  task_execution_role: arn:aws:blah
  task_size:
    cpu_limit: 2048
    mem_limit: 4096

Tests

Create and run a service with secret log params

INFO[0001] Using ECS task definition                     TaskDefinition="ecs-redacted-app:11"
INFO[0001] Updated the ECS service with a new task definition. Old containers will be stopped automatically, and replaced with new ones  desiredCount=1 force-deployment=true service=ecs-redacted-app
INFO[0002] Service redacted-app                                desiredCount=1 runningCount=1 serviceName=redacted-app
INFO[0002] ECS Service has reached a stable state        desiredCount=1 runningCount=1 serviceName=redacted-app

The friendly neighborhood splunk admin assures me that logs are flowing in (whereas before they most definitely were not), so I presume it to be working. 😄

[efekarakus]

Looks great! I also ran our integration tests against the change and it passes 😄