Sre 1854 refactor payments api task def to load secrets directly from…

… ssm or secrets manager (#35) * Add secretOptions to the container def
FitnessKeeper · Nov 29, 2023 · 1c84032 · 1c84032
1 parent a94ea1f
commit 1c84032
Show file tree

Hide file tree

Showing 4 changed files with 27 additions and 2 deletions.
diff --git a/data.tf b/data.tf
@@ -74,7 +74,13 @@ data "aws_iam_policy_document" "task_execution_role_policy" {
   statement {
     effect    = "Allow"
     actions   = ["secretsmanager:GetSecretValue"]
-    resources = ["${var.docker_secret}"]
+    resources = concat([var.docker_secret], var.secret_arns)
+  }
+
+  statement {
+    effect    = "Allow"
+    actions   = ["kms:Decrypt"]
+    resources = [var.encryption_key]
   }
 
   statement {
@@ -83,6 +89,6 @@ data "aws_iam_policy_document" "task_execution_role_policy" {
       "ecs:ExecuteCommand",
       "ecs:DescribeTasks"
     ]
-    resources = [aws_ecs_task_definition.task.arn]
+    resources = ["${aws_ecs_task_definition.task.arn}:*"]
   }
 }
diff --git a/files/container_definition.json b/files/container_definition.json
@@ -27,6 +27,7 @@
     "volumesFrom": [],
     "logConfiguration": {
         "logDriver": "awslogs",
+        ${secretsoptions}
         "options": {
            "awslogs-group": "${awslogs_group}",
            "awslogs-region": "${awslogs_region}",

diff --git a/locals.tf b/locals.tf
@@ -18,6 +18,8 @@ locals {
     }
   }
 
+  secrets = length(var.secrets) > 0 ? "\"secretOptions\": ${jsonencode(var.secrets)}," : ""
+
   container_def = templatefile("${path.module}/files/container_definition.json",
     {
       service_identifier    = var.service_identifier
@@ -38,6 +40,7 @@ locals {
       awslogs_region        = data.aws_region.region.name
       awslogs_group         = aws_cloudwatch_log_group.task.name
       awslogs_stream_prefix = var.service_identifier
+      secretsoptions        = local.secrets
     }
   )
 }
diff --git a/variables.tf b/variables.tf
@@ -314,3 +314,18 @@ variable "entrypoint" {
   description = "The entry point that's passed to the container. Use [ \"sleep\", \"60\" ], when enabling exec command"
   default     = ""
 }
+
+variable "secrets" {
+  description = "Secrets to be passed to the container environment"
+  default     = ""
+}
+
+variable "secret_arns" {
+  description = "Arn of the secrets that are passed to the container environment"
+  default     = null
+}
+
+variable "encryption_key" {
+  description = "Kms key to decrypt secrets"
+  default     = null
+}