diff --git a/ecs-task.cfndsl.rb b/ecs-task.cfndsl.rb index 8322aa0..44a2a49 100644 --- a/ecs-task.cfndsl.rb +++ b/ecs-task.cfndsl.rb @@ -18,7 +18,7 @@ RetentionInDays "#{log_retention}" } - definitions, task_volumes, secrets = Array.new(3){[]} + definitions, task_volumes, secrets, secrets_policy = Array.new(4){[]} task_definition = external_parameters.fetch(:task_definition, {}) task_definition.each do |task_name, task| @@ -125,8 +125,31 @@ task_def.merge!({WorkingDirectory: task['working_dir'] }) if task.key?('working_dir') if task.key?('secrets') - secrets.push(*task['secrets'].values) - task_def.merge!({Secrets: task['secrets'].map {|k,v| { Name: k, ValueFrom: v }} }) + + if task['secrets'].key?('ssm') + secrets.push *task['secrets']['ssm'].map {|k,v| { Name: k, ValueFrom: v.is_a?(String) && v.start_with?('/') ? FnSub("arn:aws:ssm:${AWS::Region}:${AWS::AccountId}:parameter#{v}") : v }} + resources = task['secrets']['ssm'].map {|k,v| v.is_a?(String) && v.start_with?('/') ? FnSub("arn:aws:ssm:${AWS::Region}:${AWS::AccountId}:parameter#{v}") : v } + secrets_policy.push iam_policy_allow('ssm-secrets','ssm:GetParameters', resources) + task['secrets'].reject! { |k| k == 'ssm' } + end + + if task['secrets'].key?('secretsmanager') + secrets.push *task['secrets']['secretsmanager'].map {|k,v| { Name: k, ValueFrom: v.is_a?(String) && v.start_with?('/') ? FnSub("arn:aws:secretsmanager:${AWS::Region}:${AWS::AccountId}:secret:#{v}") : v }} + resources = task['secrets']['secretsmanager'].map {|k,v| v.is_a?(String) && v.start_with?('/') ? FnSub("arn:aws:secretsmanager:${AWS::Region}:${AWS::AccountId}:secret:#{v}-*") : v } + secrets_policy.push iam_policy_allow('secretsmanager','secretsmanager:GetSecretValue', resources) + task['secrets'].reject! { |k| k == 'secretsmanager' } + end + + unless task['secrets'].empty? + secrets.push *task['secrets'].map {|k,v| { Name: k, ValueFrom: v.is_a?(String) && v.start_with?('/') ? FnSub("arn:aws:ssm:${AWS::Region}:${AWS::AccountId}:parameter#{v}") : v }} + resources = task['secrets'].map {|k,v| v.is_a?(String) && v.start_with?('/') ? FnSub("arn:aws:ssm:${AWS::Region}:${AWS::AccountId}:parameter#{v}") : v } + secrets_policy.push iam_policy_allow('ssm-secrets','ssm:GetParameters', resources) + end + + if secrets.any? + task_def.merge!({Secrets: secrets}) + end + end definitions << task_def @@ -175,15 +198,12 @@ end IAM_Role('ExecutionRole') do - AssumeRolePolicyDocument service_role_assume_policy('ecs-tasks') + AssumeRolePolicyDocument service_role_assume_policy(['ecs-tasks', 'ssm']) Path '/' ManagedPolicyArns ["arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy"] - - if secrets.any? - resources = secrets.map {|secret| FnSub("arn:aws:ssm:${AWS::Region}:${AWS::AccountId}:parameter#{secret}")} - Policies [iam_policy_allow('ssm-secrets',%(ssm:GetParameters),secrets)] + if secrets_policy.any? + Policies secrets_policy end - end end diff --git a/tests/secrets.test.yaml b/tests/secrets.test.yaml index b73a122..82b0b93 100644 --- a/tests/secrets.test.yaml +++ b/tests/secrets.test.yaml @@ -11,6 +11,14 @@ task_definition: secrets: API_KEY: /nginx/${EnvironmentName}/api/key API_SECRET: /nginx/${EnvironmentName}/api/secret + ssm: + APP_KEY: /nginx/${EnvironmentName}/app/key + APP_SECRET: /nginx/${EnvironmentName}/app/secret + secretsmanager: + ACCESSKEY: /dont/use/accesskeys + SECRETKEY: + Ref: EnvironmentName + targetgroup: name: nginx