Merge pull request #1380 from aligent/feature/DO-1631_add_secretsmana…

…ger_support
aligent · May 27, 2024 · 26995d4 · 26995d4
2 parents c7384ab + 00f3725
commit 26995d4
Show file tree

Hide file tree

Showing 3 changed files with 35 additions and 10 deletions.
diff --git a/package-lock.json b/package-lock.json
diff --git a/packages/graphql-mesh-server/lib/fargate.ts b/packages/graphql-mesh-server/lib/fargate.ts
@@ -59,8 +59,20 @@ export interface MeshServiceProps {
   };
   /**
    * SSM values to pass through to the container as secrets
+   *
+   * @deprecated - Use secrets instead
    */
-  secrets?: { [key: string]: ssm.IStringParameter | ssm.IStringListParameter };
+  ssmSecrets?: {
+    [key: string]: ssm.IStringParameter | ssm.IStringListParameter;
+  };
+
+  /**
+   * ECS Secrets to pass through to the container as secrets
+   *
+   * The key values can be referenced from either SSM or Secrets manager
+   */
+  secrets?: { [key: string]: ecs.Secret };
+
   /**
    * Name of the WAF
    * Defaults to 'graphql-mesh-web-acl'
@@ -268,10 +280,10 @@ export class MeshService extends Construct {
     }
 
     // Construct secrets from provided ssm values
-    const secrets: { [key: string]: ecs.Secret } = {};
-    props.secrets = props.secrets || {};
-    for (const [key, ssm] of Object.entries(props.secrets)) {
-      secrets[key] = ecs.Secret.fromSsmParameter(ssm);
+    const ssmSecrets: { [key: string]: ecs.Secret } = {};
+    props.ssmSecrets = props.ssmSecrets || {};
+    for (const [key, ssm] of Object.entries(props.ssmSecrets)) {
+      ssmSecrets[key] = ecs.Secret.fromSsmParameter(ssm);
     }
 
     // Configure a custom log driver and group
@@ -295,7 +307,7 @@ export class MeshService extends Construct {
           image: ecs.ContainerImage.fromEcrRepository(this.repository),
           enableLogging: true, // default
           containerPort: 4000, // graphql mesh gateway port
-          secrets: secrets,
+          secrets: props.secrets ? props.secrets : ssmSecrets, // Prefer v2 secrets using secrets manager
           environment: environment,
           logDriver: logDriver,
           taskRole: new iam.Role(this, "MeshTaskRole", {

diff --git a/packages/graphql-mesh-server/lib/graphql-mesh-server.ts b/packages/graphql-mesh-server/lib/graphql-mesh-server.ts
@@ -19,6 +19,7 @@ import { LogGroup } from "aws-cdk-lib/aws-logs";
 import { Topic } from "aws-cdk-lib/aws-sns";
 import { Alarm } from "aws-cdk-lib/aws-cloudwatch";
 import { Maintenance } from "./maintenance";
+import { Secret } from "aws-cdk-lib/aws-ecs";
 
 export type MeshHostingProps = {
   /**
@@ -66,8 +67,20 @@ export type MeshHostingProps = {
   };
   /**
    * SSM values to pass through to the container as secrets
+   *
+   * @deprecated - Use secrets instead
    */
-  secrets?: { [key: string]: ssm.IStringParameter | ssm.IStringListParameter };
+  ssmSecrets?: {
+    [key: string]: ssm.IStringParameter | ssm.IStringListParameter;
+  };
+
+  /**
+   * ECS Secrets to pass through to the container as secrets
+   *
+   * The key values can be referenced from either SSM or Secrets manager
+   */
+  secrets?: { [key: string]: Secret };
+
   /**
    * Pass custom cpu scaling steps
    * Default value: