Skip to content

Exlabs/terraform-aws-ecs-secrets-manager

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

8 Commits
.gitignore
.gitignore
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
main.tf
main.tf
 
 
outputs.tf
outputs.tf
 
 
variables.tf
variables.tf
 
 
versions.tf
versions.tf
 
 

Repository files navigation

terraform-aws-ecs-secrets-manager

Terraform module to create a SecretManager secret and generate secrets definition to be injected in the ECS Container definition.

This module uses the recommended way of passing sensitive data from SecretManager to ECS Task without hardcoding any sensitive values in the ECS Container definition.

Usage

Passing specific keys to ECS task definition

module "secrets" {
  source  = "exlabs/ecs-secrets-manager/aws"
  # We recommend pinning every module to a specific version
  version = "1.1.0"
  name    = "data-pipeline-secrets"

  ecs_task_execution_roles = [
    "ecs-task-execution-role1",
    "ecs-task-execution-role2"
  ]

  key_names = [
    "STRIPE_PUBLIC_KEY",
    "STRIPE_SECRET_KEY",
    "STRIPE_WEBHOOK_SECRET"
  ]
}

resource "aws_ecs_task_definition" "data_pipeline" {
  #...

  container_definitions = jsonencode([
    {
      secrets = module.secrets.ecs_secrets,
      #...
    }
  ])
}

Passing the whole AWS Secret Manager secret to the ECS task as a single variable

module "secrets" {
  source  = "exlabs/ecs-secrets-manager/aws"
  # We recommend pinning every module to a specific version
  version = "1.1.0"
  name    = "data-pipeline-secrets"

  enable_secret_assigned_to_single_key = true

  ecs_task_execution_roles = [
    "ecs-task-execution-role1",
    "ecs-task-execution-role2"
  ]

  # You can define your own key or leave it default then the key name is built based on the secret name
  key_names = [
    "YOUR_OWN_KEY"
  ]
}

resource "aws_ecs_task_definition" "data_pipeline" {
  #...

  container_definitions = jsonencode([
    {
      secrets = module.secrets.ecs_secrets,
      #...
    }
  ])
}

After terraform apply you have to go to the AWS Console SecretsManager dashboard, select created secret and set values by creating a key-value pair for each defined key name.

Requirements

Name Version
terraform >= 0.13.0
aws >= 3.30.0
random >= 3.5.0

Providers

Name Version
aws >= 3.30.0
random >= 3.5.0

Modules

No modules.

Resources

Name Type
aws_iam_policy.this resource
random_id.policy_suffix resource
aws_iam_role_policy_attachment.this resource
aws_secretsmanager_secret.this resource

Inputs

Name Description Type Default Required
ecs_task_execution_roles ECS task execution role names list(string) [] yes
key_names Secret names that will be injected as env variables list(string) [] yes
name AWS SecretsManager secret name string n/a yes
description AWS SecretsManager secret description string n/a no
enable_secret_assigned_to_single_key Enables returning the whole secret as a single key-value pair string false no

Outputs

Name Description
ecs_secrets Secrets description to be injected in the ECS Container definition.
secretsmanager_secret_arn AWS SecretsManager secret ARN

About

No description, website, or topics provided.

Resources

Readme

License

Apache-2.0 license
Activity
Custom properties

Stars

5 stars

Watchers

2 watching

Forks

2 forks
Report repository

Releases 3

v1.1 (16.08.2023) Latest
Aug 16, 2023
+ 2 releases

Packages

No packages published

Contributors 2

  •  
  •  

Languages