Give Meadow permission to load secrets

nulib · Nov 11, 2024 · 6127cb8 · 6127cb8
1 parent 9aa620f
commit 6127cb8
Show file tree

Hide file tree

Showing 4 changed files with 10 additions and 2 deletions.
diff --git a/app/lib/meadow/config/runtime.ex b/app/lib/meadow/config/runtime.ex
@@ -33,7 +33,7 @@ defmodule Meadow.Config.Runtime do
       port: get_secret(:ldap, ["port"]),
       user_dn: get_secret(:ldap, ["user_dn"]),
       password: get_secret(:ldap, ["password"]),
-      ssl: get_secret(:ldap, ["ssl"]) == "true"
+      ssl: get_secret(:ldap, ["ssl"], "true") == "true"
 
     config :hackney,
       max_connections: environment_int("HACKNEY_MAX_CONNECTIONS", 1000)

diff --git a/infrastructure/deploy/ecs.tf b/infrastructure/deploy/ecs.tf
@@ -46,7 +46,10 @@ data "aws_iam_policy_document" "meadow_role_permissions" {
     sid       = "secretsmanager"
     effect    = "Allow"
     actions   = ["secretsmanager:Get*"]
-    resources = ["arn:aws:secretsmanager:${var.aws_region}:${data.aws_caller_identity.current.id}:secret:config/meadow-*"]
+    resources = [
+      "arn:aws:secretsmanager:${var.aws_region}:${data.aws_caller_identity.current.id}:secret:config/meadow-*",
+      "arn:aws:secretsmanager:${var.aws_region}:${data.aws_caller_identity.current.id}:secret:${local.prefix}/*"
+    ]
   }
 
   statement {

diff --git a/infrastructure/deploy/ecs_services.tf b/infrastructure/deploy/ecs_services.tf
@@ -12,6 +12,7 @@ locals {
     meadow_urls                     = join(",", local.meadow_urls)
     region                          = var.aws_region
     secret_key_base                 = random_string.secret_key_base.result
+    secrets_path                    = local.prefix
   }
 }
 

diff --git a/infrastructure/deploy/task-definitions/meadow_app.json b/infrastructure/deploy/task-definitions/meadow_app.json
@@ -6,6 +6,10 @@
     "mountPoints": [],
     "essential": true,
     "environment": [
+      {
+        "name": "SECRETS_PATH",
+        "value": "${secrets_path}"
+      },
       {
         "name": "MEADOW_PROCESSES",
         "value": "${processes}"