fix(apprunner-alpha): env vars and secrets can't solely be added via .add*() methods

packages/@aws-cdk/aws-apprunner/lib/service.ts

@@ -1137,7 +1137,7 @@ export class Service extends cdk.Resource {
   }
 
   private renderEnvironmentVariables(): EnvironmentVariable[] | undefined {
-    if (Object.keys(this.environmentVariables).length > 0) {
+    if (Object.keys(this.environmentVariables).length + this.variables.length > 0) {
       for (const [key, value] of Object.entries(this.environmentVariables)) {
         if (key.startsWith('AWSAPPRUNNER')) {
           throw new Error(`Environment variable key ${key} with a prefix of AWSAPPRUNNER is not allowed`);
@@ -1151,7 +1151,7 @@ export class Service extends cdk.Resource {
   }
 
   private renderEnvironmentSecrets(): EnvironmentSecret[] | undefined {
-    if (Object.keys(this.environmentSecrets).length > 0 && this.instanceRole) {
+    if (Object.keys(this.environmentSecrets).length + this.secrets.length > 0 && this.instanceRole) {
       for (const [key, value] of Object.entries(this.environmentSecrets)) {
         if (key.startsWith('AWSAPPRUNNER')) {
           throw new Error(`Environment secret key ${key} with a prefix of AWSAPPRUNNER is not allowed`);

packages/@aws-cdk/aws-apprunner/test/service.test.ts

@@ -391,6 +391,68 @@ test('custom environment secrets and start commands are allowed for imageConfigu
   });
 });
 
+
+test('custom environment variables and secrets can be added without first defining them in props', () => {
+  // GIVEN
+  const app = new cdk.App();
+  const stack = new cdk.Stack(app, 'demo-stack');
+  // WHEN
+  const secret = new secretsmanager.Secret(stack, 'Secret');
+  const service = new apprunner.Service(stack, 'DemoService', {
+    source: apprunner.Source.fromEcrPublic({
+      imageConfiguration: {
+        startCommand: '/root/start-command.sh',
+      },
+      imageIdentifier: 'public.ecr.aws/aws-containers/hello-app-runner:latest',
+    }),
+  });
+
+  service.addEnvironmentVariable('TEST_ENVIRONMENT_VARIABLE', 'test environment variable value');
+  service.addSecret('LATER_SECRET', apprunner.Secret.fromSecretsManager(secret, 'field'));
+
+  // THEN
+  // we should have the service
+  Template.fromStack(stack).hasResourceProperties('AWS::AppRunner::Service', {
+    SourceConfiguration: {
+      AuthenticationConfiguration: {},
+      ImageRepository: {
+        ImageConfiguration: {
+          RuntimeEnvironmentVariables: [
+            {
+              Name: 'TEST_ENVIRONMENT_VARIABLE',
+              Value: 'test environment variable value',
+            },
+          ],
+          RuntimeEnvironmentSecrets: [
+            {
+              Name: 'LATER_SECRET',
+              Value: {
+                'Fn::Join': [
+                  '',
+                  [
+                    {
+                      Ref: 'SecretA720EF05',
+                    },
+                    ':field::',
+                  ],
+                ],
+              },
+            },
+          ],
+          StartCommand: '/root/start-command.sh',
+        },
+        ImageIdentifier: 'public.ecr.aws/aws-containers/hello-app-runner:latest',
+        ImageRepositoryType: 'ECR_PUBLIC',
+      },
+    },
+    NetworkConfiguration: {
+      EgressConfiguration: {
+        EgressType: 'DEFAULT',
+      },
+    },
+  });
+});
+
 test('create a service from existing ECR repository(image repository type: ECR)', () => {
   // GIVEN
   const app = new cdk.App();