diff --git a/data.tf b/data.tf
index b451124..7c8dc35 100644
--- a/data.tf
+++ b/data.tf
@@ -89,6 +89,6 @@ data "aws_iam_policy_document" "task_execution_role_policy" {
 "ecs:ExecuteCommand",
 "ecs:DescribeTasks"
 ]
- resources = ["${aws_ecs_task_definition.task.arn}:*"]
+ resources = [aws_ecs_task_definition.task.arn]
 }
 }
diff --git a/files/container_definition.json b/files/container_definition.json
index 8ead85c..f28a5d7 100644
--- a/files/container_definition.json
+++ b/files/container_definition.json
@@ -5,6 +5,7 @@
 "repositoryCredentials": {
 "credentialsParameter": "${docker_secret}"
 },
+ ${secrets}
 "memory": ${memory},
 "cpu": ${cpu},
 "essential": true,
@@ -27,7 +28,6 @@
 "volumesFrom": [],
 "logConfiguration": {
 "logDriver": "awslogs",
- ${secretsoptions}
 "options": {
 "awslogs-group": "${awslogs_group}",
 "awslogs-region": "${awslogs_region}",
diff --git a/locals.tf b/locals.tf
index 9c7dec0..bc2517b 100644
--- a/locals.tf
+++ b/locals.tf
@@ -18,7 +18,7 @@ locals {
 }
 }
- secrets = length(var.secrets) > 0 ? "\"secretOptions\": ${jsonencode(var.secrets)}," : ""
+ secrets = length(var.secrets) > 0 ? "\"secrets\": ${jsonencode(var.secrets)}," : ""
 container_def = templatefile("${path.module}/files/container_definition.json", {
@@ -40,7 +40,7 @@ locals {
 awslogs_region = data.aws_region.region.name
 awslogs_group = aws_cloudwatch_log_group.task.name
 awslogs_stream_prefix = var.service_identifier
- secretsoptions = local.secrets
+ secrets = local.secrets
 }
 )
 }
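Review bot: The new `resources = [aws_ecs_task_definition.task.arn]` scopes `ecs:ExecuteCommand` and `ecs:DescribeTasks` to a task-definition ARN, but as far as I know IAM evaluates those actions against task ARNs (and, for ExecuteCommand, cluster ARNs), so this statement probably matches nothing and ECS Exec would be denied rather than narrowed. If the intent is least privilege, something like `resources = ["arn:aws:ecs:<region>:<account-id>:task/<cluster-name>/*"]` (placeholders) keeps the grant limited to tasks in this service's cluster. The statement starts outside the hunk and the role it is attached to is not visible. The document name suggests the task execution role, which is worth confirming, since `ecs:ExecuteCommand` is normally needed by the principal that opens the session rather than by the role ECS uses to pull images and secrets.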
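Review bot: With `${secrets}` now at container level, each entry is injected as an environment variable of the container instead of being passed only to the log driver, so the values become readable by every process in the container and by anyone who can open an ECS Exec session to the task. That widens the exposure of whatever `var.secrets` references and makes the scope of the `ecs:ExecuteCommand` statement in data.tf matter more. The execution role also needs read access (`secretsmanager:GetSecretValue` or `ssm:GetParameters`, plus `kms:Decrypt` for customer-managed keys) limited to exactly the referenced ARNs. That policy is not visible in this diff, so please confirm it exists and is not a wildcard.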
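Review bot: The `secrets` local builds a JSON fragment by string concatenation and relies on `var.secrets` already having the ECS shape; nothing visible here checks that. I would document it above the line, e.g. `# var.secrets: list of { name, valueFrom }; valueFrom is an SSM parameter or Secrets Manager ARN, never the secret value itself`. If the variable block (outside this diff) has no type, declaring it as `list(object({ name = string, valueFrom = string }))` would catch malformed input. A plaintext value placed in `valueFrom` by mistake would end up in the task definition and in Terraform state. The `locals` block starts and ends outside the hunk.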