Merge pull request #7 from theonestack/secrets

fixes secrets and makes it compatible with how the ecs-service component also handles secrets while keep backward compt
theonestack · Mar 6, 2020 · c8390db · c8390db
2 parents d3cd95e + 27380cc
commit c8390db
Show file tree

Hide file tree

Showing 2 changed files with 37 additions and 9 deletions.
diff --git a/ecs-task.cfndsl.rb b/ecs-task.cfndsl.rb
@@ -18,7 +18,7 @@
       RetentionInDays "#{log_retention}"
     }
 
-    definitions, task_volumes, secrets = Array.new(3){[]}
+    definitions, task_volumes, secrets, secrets_policy = Array.new(4){[]}
 
     task_definition = external_parameters.fetch(:task_definition, {})
     task_definition.each do |task_name, task|
@@ -125,8 +125,31 @@
       task_def.merge!({WorkingDirectory: task['working_dir'] }) if task.key?('working_dir')
 
       if task.key?('secrets')
-        secrets.push(*task['secrets'].values)
-        task_def.merge!({Secrets: task['secrets'].map {|k,v| { Name: k, ValueFrom: v }} })
+
+        if task['secrets'].key?('ssm')
+          secrets.push *task['secrets']['ssm'].map {|k,v| { Name: k, ValueFrom: v.is_a?(String) && v.start_with?('/') ? FnSub("arn:aws:ssm:${AWS::Region}:${AWS::AccountId}:parameter#{v}") : v }}
+          resources = task['secrets']['ssm'].map {|k,v| v.is_a?(String) && v.start_with?('/') ? FnSub("arn:aws:ssm:${AWS::Region}:${AWS::AccountId}:parameter#{v}") : v }
+          secrets_policy.push iam_policy_allow('ssm-secrets','ssm:GetParameters', resources)
+          task['secrets'].reject! { |k| k == 'ssm' }
+        end
+
+        if task['secrets'].key?('secretsmanager')
+          secrets.push *task['secrets']['secretsmanager'].map {|k,v| { Name: k, ValueFrom: v.is_a?(String) && v.start_with?('/') ? FnSub("arn:aws:secretsmanager:${AWS::Region}:${AWS::AccountId}:secret:#{v}") : v }}
+          resources = task['secrets']['secretsmanager'].map {|k,v| v.is_a?(String) && v.start_with?('/') ? FnSub("arn:aws:secretsmanager:${AWS::Region}:${AWS::AccountId}:secret:#{v}-*") : v }
+          secrets_policy.push iam_policy_allow('secretsmanager','secretsmanager:GetSecretValue', resources)
+          task['secrets'].reject! { |k| k == 'secretsmanager' }
+        end
+
+        unless task['secrets'].empty?
+          secrets.push *task['secrets'].map {|k,v| { Name: k, ValueFrom: v.is_a?(String) && v.start_with?('/') ? FnSub("arn:aws:ssm:${AWS::Region}:${AWS::AccountId}:parameter#{v}") : v }}
+          resources = task['secrets'].map {|k,v| v.is_a?(String) && v.start_with?('/') ? FnSub("arn:aws:ssm:${AWS::Region}:${AWS::AccountId}:parameter#{v}") : v }
+          secrets_policy.push iam_policy_allow('ssm-secrets','ssm:GetParameters', resources)
+        end
+
+        if secrets.any?
+          task_def.merge!({Secrets: secrets})
+        end
+
       end
 
       definitions << task_def
@@ -175,15 +198,12 @@
       end
 
       IAM_Role('ExecutionRole') do
-        AssumeRolePolicyDocument service_role_assume_policy('ecs-tasks')
+        AssumeRolePolicyDocument service_role_assume_policy(['ecs-tasks', 'ssm'])
         Path '/'
         ManagedPolicyArns ["arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy"]
-
-        if secrets.any?
-          resources = secrets.map {|secret| FnSub("arn:aws:ssm:${AWS::Region}:${AWS::AccountId}:parameter#{secret}")}
-          Policies [iam_policy_allow('ssm-secrets',%(ssm:GetParameters),secrets)]
+        if secrets_policy.any?
+          Policies secrets_policy
         end
-
       end
     end
 

diff --git a/tests/secrets.test.yaml b/tests/secrets.test.yaml
@@ -11,6 +11,14 @@ task_definition:
     secrets:
       API_KEY: /nginx/${EnvironmentName}/api/key
       API_SECRET: /nginx/${EnvironmentName}/api/secret
+      ssm:
+        APP_KEY: /nginx/${EnvironmentName}/app/key
+        APP_SECRET: /nginx/${EnvironmentName}/app/secret
+      secretsmanager:
+        ACCESSKEY: /dont/use/accesskeys
+        SECRETKEY:
+          Ref: EnvironmentName
+
 
 targetgroup:
   name: nginx