
ECS: TaskDefinition Container Secret property #3326

Closed
1 of 5 tasks
nmussy opened this issue Jul 17, 2019 · 3 comments
Labels
needs-triage This issue or PR still needs to be triaged.

Comments

@nmussy
Contributor

nmussy commented Jul 17, 2019

Note: for support questions, please first reference our documentation, then use Stackoverflow. This repository's issues are intended for feature requests and bug reports.

  • I'm submitting a ...

    • 🪲 bug report
    • 🚀 feature request
    • 📚 construct library gap
    • ☎️ security issue or vulnerability => Please see policy
    • ❓ support request => Please see note at the top of this template.
  • What is the current behavior?
    If the current behavior is a 🪲bug🪲: Please provide the steps to reproduce
    There is currently no practical way to securely pass SSM parameters or Secrets Manager secrets to an ECS task definition, due to the missing AWS::ECS::TaskDefinition ContainerDefinition Secret property.

  • What is the expected behavior (or behavior of feature suggested)?
    Add a secrets property or addSecrets method, to provide parameters and secrets to ECS tasks. Ideally, the secrets given would also be added to the container role policy.

  • What is the motivation / use case for changing the behavior or adding this feature?
    Securely and easily pass parameters and secrets to containers

  • Please tell us about your environment:

    • CDK CLI Version: 1.0.0
    • Module Version: 1.0.0
    • OS: all
    • Language: all
  • Other information (e.g. detailed explanation, stacktraces, related issues, suggestions how to fix, links for us to have context, e.g. associated pull-request, stackoverflow, gitter, etc.)

@nmussy nmussy added the needs-triage This issue or PR still needs to be triaged. label Jul 17, 2019
@nmussy nmussy changed the title ECS: TaskDefinition Secret property ECS: TaskDefinition Container Secret property Jul 17, 2019
@nmussy
Contributor Author

nmussy commented Jul 17, 2019

Here is a working override in the meantime, using an RDS instance secret as an example:

import { InstanceClass, InstanceSize, InstanceType } from '@aws-cdk/aws-ec2';
import { Repository } from '@aws-cdk/aws-ecr';
import { CfnTaskDefinition, Compatibility, ContainerImage, TaskDefinition } from '@aws-cdk/aws-ecs';
import { DatabaseInstance, DatabaseInstanceEngine } from '@aws-cdk/aws-rds';

// `vpc`, DATABASE_NAME and DATABASE_ADMIN are assumed to be defined in the enclosing stack.
const database = new DatabaseInstance(this, 'rds', {
    vpc,
    engine: DatabaseInstanceEngine.MYSQL,
    instanceClass: InstanceType.of(InstanceClass.BURSTABLE2, InstanceSize.MICRO),
    databaseName: DATABASE_NAME,
    masterUsername: DATABASE_ADMIN,
});
// Opens the database port to every IPv4 address; restrict this to the task's security group outside of a demo.
database.connections.allowDefaultPortFromAnyIpv4();

const taskDefinition = new TaskDefinition(this, 'task', {
    compatibility: Compatibility.EC2,
});

const container = taskDefinition.addContainer('container', {
    image: ContainerImage.fromEcrRepository(new Repository(this, 'ecr', {}), 'latest'),
});

{
    // The execution role (not the task role) is what ECS uses to fetch the secret at task start,
    // so it needs read access to the generated master credentials.
    database.secret && database.secret.grantRead(taskDefinition.obtainExecutionRole());

    // Escape hatch: reach the underlying CfnTaskDefinition and set the Secrets property
    // on the first container definition, which the L2 construct does not expose yet.
    const taskDefinitionResource = taskDefinition.node.findChild('Resource') as unknown as CfnTaskDefinition;
    taskDefinitionResource.addPropertyOverride('ContainerDefinitions.0.Secrets', [{
        Name: 'RDS_SECRET',
        ValueFrom: database.secret && database.secret.secretArn
    }]);
}
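The request above asks that secrets given to a container also be granted to the task role automatically, and the override relies on a matching grantRead on the execution role. As an added example (not from the issue or the CDK project), here is a small check over a synthesized CloudFormation template that reports every container secret whose ValueFrom ARN is not covered by an Allow statement on the execution role policy; the resource shapes and ARNs are constructed for illustration.

```typescript
// Added example: verify that each ECS container secret is readable by the execution role.
// Template fragments and ARNs below are constructed; they are not from the issue.
type Statement = { Effect: string; Action: string | string[]; Resource: string | string[] };
type Secret = { Name: string; ValueFrom: string };

// Action the execution role needs for each kind of ValueFrom ARN (assumed mapping).
const NEEDED: Record<string, string> = {
  ':secretsmanager:': 'secretsmanager:GetSecretValue',
  ':ssm:': 'ssm:GetParameters',
};

function asList(v: string | string[]): string[] { return Array.isArray(v) ? v : [v]; }

// Minimal IAM-style wildcard matching for Resource entries ("*" only).
function matches(pattern: string, arn: string): boolean {
  const parts = pattern.split('*').map(s => s.replace(/[.+?^${}()|[\]\\]/g, '\\$&'));
  return new RegExp('^' + parts.join('.*') + '$').test(arn);
}

function neededAction(arn: string): string | undefined {
  for (const key of Object.keys(NEEDED)) if (arn.includes(key)) return NEEDED[key];
  return undefined;  // unknown ARN type: treat as ungranted
}

// Returns the names of secrets the policy statements do not allow reading.
function ungrantedSecrets(containers: { Secrets?: Secret[] }[], statements: Statement[]): string[] {
  const missing: string[] = [];
  for (const c of containers) {
    for (const s of c.Secrets ?? []) {
      const action = neededAction(s.ValueFrom);
      const ok = action !== undefined && statements.some(st =>
        st.Effect === 'Allow' &&
        asList(st.Action).includes(action) &&
        asList(st.Resource).some(r => matches(r, s.ValueFrom)));
      if (!ok) missing.push(s.Name);
    }
  }
  return missing;
}

// Constructed sample: two secrets, but the policy only grants the Secrets Manager one.
const sampleContainers = [{ Secrets: [
  { Name: 'RDS_SECRET', ValueFrom: 'arn:aws:secretsmanager:us-east-1:111122223333:secret:rds-AbCdEf' },
  { Name: 'API_KEY', ValueFrom: 'arn:aws:ssm:us-east-1:111122223333:parameter/app/api-key' },
] }];
const samplePolicy: Statement[] = [
  { Effect: 'Allow', Action: ['secretsmanager:GetSecretValue', 'secretsmanager:DescribeSecret'],
    Resource: 'arn:aws:secretsmanager:us-east-1:111122223333:secret:rds-AbCdEf' },
];
```

Running `ungrantedSecrets(sampleContainers, samplePolicy)` flags `API_KEY`, which would otherwise only surface as a task start failure at deploy time.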

@CShigaki

CShigaki commented Jul 18, 2019

You can also use Secrets like this

import * as cdk from '@aws-cdk/core';

// L1 escape hatch: declare the task definition directly as a CloudFormation resource.
// The Secrets property of a container definition is a list of Name/ValueFrom pairs.
const taskDef = new cdk.CfnResource(this, 'TaskDef', {
  type: 'AWS::ECS::TaskDefinition',
  properties: {
    ...
    ContainerDefinitions : [
      {
        ...
        Secrets: [{
          Name: '',
          ValueFrom: 'secret-arn',
        }],
        ...
      },
    ],
    ...
  },
});

@nmussy
Contributor Author

nmussy commented Jul 19, 2019

Duplicate of #1478

@nmussy nmussy closed this as completed Jul 19, 2019