diff --git a/skeleton/aws/modules/ecs/main.tf b/skeleton/aws/modules/ecs/main.tf index 03ef4944..7d7aea9c 100644 --- a/skeleton/aws/modules/ecs/main.tf +++ b/skeleton/aws/modules/ecs/main.tf @@ -25,6 +25,7 @@ locals { aws_cloudwatch_log_group_name = var.aws_cloudwatch_log_group_name environment_variables = setunion(local.environment_variables, var.environment_variables) + secrets_variables = var.secrets_variables } container_definitions = templatefile("${path.module}/service.json.tftpl", merge(local.container_vars, var.aws_parameter_store)) @@ -37,7 +38,7 @@ locals { Action = [ "ssm:GetParameters" ], - Resource = "*" + Resource = var.parameter_store_arns } ] } diff --git a/skeleton/aws/modules/ecs/service.json.tftpl b/skeleton/aws/modules/ecs/service.json.tftpl index e9cc5803..3122af56 100644 --- a/skeleton/aws/modules/ecs/service.json.tftpl +++ b/skeleton/aws/modules/ecs/service.json.tftpl @@ -21,8 +21,7 @@ } }, "environment": ${jsonencode(environment_variables)}, - "secrets": [ - ], + "secrets": ${jsonencode(secrets_variables)}, "ulimits": [ { "name": "nofile", diff --git a/skeleton/aws/modules/ecs/variables.tf b/skeleton/aws/modules/ecs/variables.tf index c80e3e86..0964b200 100644 --- a/skeleton/aws/modules/ecs/variables.tf +++ b/skeleton/aws/modules/ecs/variables.tf @@ -77,11 +77,6 @@ variable "aws_cloudwatch_log_group_name" { type = string } -variable "aws_parameter_store" { - description = "AWS parameter store" - type = map(any) -} - variable "environment_variables" { description = "List of [{name = \"\", value = \"\"}] pairs of environment variables" type = set(object({ @@ -89,3 +84,13 @@ variable "environment_variables" { value = string })) } + +variable "secrets_variables" { + description = "List of [{name = \"\", valueFrom = \"\"}] pairs of secret variables" + type = list(any) +} + +variable "parameter_store_arns" { + description = "The ARNs of the SSM Parameter Store parameters" + type = list(string) +} 
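Review bot: The context line `container_definitions = templatefile("${path.module}/service.json.tftpl", merge(local.container_vars, var.aws_parameter_store))` still references `var.aws_parameter_store`, but `variable "aws_parameter_store"` is deleted from ecs/variables.tf in this same change, so the module will fail with a reference to an undeclared input variable. Since `secrets_variables` is now carried inside `local.container_vars`, the merge is no longer needed: `container_definitions = templatefile("${path.module}/service.json.tftpl", local.container_vars)`. The enclosing `locals` block starts outside the hunk.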
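Review bot: Narrowing `Resource` from `"*"` to `var.parameter_store_arns` is the right least-privilege change, but IAM rejects a statement whose `Resource` is an empty list, and the SSM module's `secrets` input defaults to `{}`, so a stack with no secrets would presumably fail at policy creation; either guard the statement with `length(var.parameter_store_arns) > 0` or require a non-empty list via a `validation` block on the variable. Note also that `ssm:GetParameters` alone suffices only for `String` parameters or `SecureString` values under the AWS-managed key; if the parameters are moved to `SecureString` with a customer-managed KMS key (which a database URL and app secret warrant), the task execution role additionally needs `kms:Decrypt` on that key. The policy document continues outside the hunk.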
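Review bot: `secrets_variables` is typed `list(any)`, which lets a malformed entry (a missing `valueFrom`, or a plaintext `value` key slipped in by mistake) reach the task definition unchecked, where ECS only rejects it at registration time. Tightening it to `type = list(object({ name = string, valueFrom = string }))` validates the shape at plan time and documents the contract the `"secrets"` array in service.json.tftpl expects. The description could also say where the ARNs are expected to come from, e.g. `description = "List of {name, valueFrom} pairs; valueFrom is an SSM Parameter Store ARN exposed by the ssm module"`.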
diff --git a/skeleton/aws/modules/ssm/main.tf b/skeleton/aws/modules/ssm/main.tf index 26cda0e3..faf0ba90 100644 --- a/skeleton/aws/modules/ssm/main.tf +++ b/skeleton/aws/modules/ssm/main.tf @@ -1,11 +1,23 @@ -resource "aws_ssm_parameter" "secret_key_base" { - name = "/${var.namespace}/SECRET_KEY_BASE" +resource "aws_ssm_parameter" "secret_parameters" { + for_each = var.secrets + + name = "/${var.namespace}/${each.key}" type = "String" - value = var.secret_key_base + value = each.value } -resource "aws_ssm_parameter" "database_url" { - name = "/${var.namespace}/DATABASE_URL" - type = "String" - value = "postgresql://${var.rds_username}:${var.rds_password}@${var.rds_endpoint}/${var.rds_database_name}" +locals { + # Create a list of parameter store ARNs for granting access to ECS task execution role + parameter_store_arns = [for parameter in aws_ssm_parameter.secret_parameters : parameter.arn] + + # Get secret names array + secret_names = keys(var.secrets) + + # Create a map {secret_name: secret_arn} using zipmap function for iteration + secret_arns = zipmap(local.secret_names, local.parameter_store_arns) + + # Create the formatted secrets for ECS task definition + secrets_variables = [for secret_key, secret_arn in local.secrets_name_arn_map : + tomap({ "name" = upper(secret_key), "valueFrom" = secret_arn }) + ] } diff --git a/skeleton/aws/modules/ssm/outputs.tf b/skeleton/aws/modules/ssm/outputs.tf index a727b022..83a17941 100644 --- a/skeleton/aws/modules/ssm/outputs.tf +++ b/skeleton/aws/modules/ssm/outputs.tf 
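Review bot: `type = "String"` in the new `secret_parameters` resource stores every value of `var.secrets` unencrypted in Parameter Store, and the caller added in this change puts a database URL embedding the RDS password and `secret_key_base` there; it should be `type = "SecureString"` (optionally with `key_id` pointing at a customer-managed KMS key, in which case the ECS task execution role also needs `kms:Decrypt`). Separately, `secrets_variables` iterates `local.secrets_name_arn_map`, which is never declared — the map built two lines above is named `secret_arns` — so `terraform plan` will fail on an undeclared local. Building that map directly from the `for_each` instances also avoids relying on `keys()` and the resource collection sorting identically. Rewritten lines below.
```hcl
resource "aws_ssm_parameter" "secret_parameters" {
  # … unchanged: for_each, name, value …
  type = "SecureString"
}

locals {
  # … unchanged: parameter_store_arns …

  # {secret_name: secret_arn}, keyed by the same key as var.secrets
  secret_arns = { for key, parameter in aws_ssm_parameter.secret_parameters : key => parameter.arn }

  # "secrets" entries for the ECS task definition
  secrets_variables = [for secret_key, secret_arn in local.secret_arns :
    tomap({ "name" = upper(secret_key), "valueFrom" = secret_arn })
  ]
}
```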
@@ -1,8 +1,9 @@ -output "parameter_store" { - description = "ARNs of the parameters" +output "secrets_variables" { + description = "The formatted secrets for ECS task definition" + value = local.secrets_variables +} - value = { - secret_base_ssm_arn = aws_ssm_parameter.secret_key_base.arn - database_url_ssm_arn = aws_ssm_parameter.database_url.arn - } +output "parameter_store_arns" { + description = "List of parameter store ARNs for granting access to ECS task execution role" + value = local.parameter_store_arns } diff --git a/skeleton/aws/modules/ssm/variables.tf b/skeleton/aws/modules/ssm/variables.tf index 5acba861..1a81ce9a 100644 --- a/skeleton/aws/modules/ssm/variables.tf +++ b/skeleton/aws/modules/ssm/variables.tf @@ -3,27 +3,8 @@ variable "namespace" { type = string } -variable "secret_key_base" { - description = "The Secret key base for the application" - type = string -} - -variable "rds_username" { - description = "The DB username for building DB URL" - type = string -} - -variable "rds_password" { - description = "The DB password for building DB URL" - type = string -} - -variable "rds_endpoint" { - description = "The DB endpoint for building DB URL" - type = string -} - -variable "rds_database_name" { - description = "The DB name for building DB URL" - type = string +variable "secrets" { + description = "Map of secrets to keep in AWS SSM Parameter Store" + type = map(string) + default = {} } diff --git a/src/templates/aws/addons/ssm.ts b/src/templates/aws/addons/ssm.ts index bc7ed9db..bb750338 100644 --- a/src/templates/aws/addons/ssm.ts +++ b/src/templates/aws/addons/ssm.ts @@ -20,6 +20,11 @@ const ssmModuleContent = dedent` rds_password = var.rds_password rds_database_name = var.rds_database_name rds_endpoint = module.rds.db_endpoint + + secrets = { + database_url = "postgres://\${var.rds_username}:\${var.rds_password}@\${module.rds.db_endpoint}/\${var.rds_database_name}" + secret_key_base = var.secret_key_base + } } \n`;
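Review bot: The new `secrets` variable is declared without `sensitive = true`, so the values passed through it — the caller in this change supplies a database URL embedding the RDS password and `secret_key_base` — are printed in clear text in `terraform plan`/`apply` output and CI logs; add `sensitive = true` to the block. This hunk also removes `rds_username`, `rds_password`, `rds_endpoint` and `rds_database_name`, yet the generator in src/templates/aws/addons/ssm.ts (visible in the context of the last hunk) still emits those arguments to the module alongside the new `secrets` map, which Terraform will reject as unsupported arguments; those lines should be dropped from the template. The URL scheme there also changed from `postgresql://` to `postgres://`; libpq accepts both, but confirm the application's driver does.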