Add ability to get the whole secret as a key-value pair

Exlabs · Aug 16, 2023 · b6b0ab5 · b6b0ab5
1 parent 6bfff9b
commit b6b0ab5
Show file tree

Hide file tree

Showing 4 changed files with 56 additions and 3 deletions.
diff --git a/README.md b/README.md
@@ -6,11 +6,12 @@ This module uses the recommended way of passing sensitive data from SecretManage
 
 ## Usage
 
+### Passing specific keys to ECS task definition
 ```hcl
 module "secrets" {
   source  = "exlabs/ecs-secrets-manager/aws"
   # We recommend pinning every module to a specific version
-  version = "1.0.0"
+  version = "1.1.0"
   name    = "data-pipeline-secrets"
 
   ecs_task_execution_roles = [
@@ -37,6 +38,39 @@ resource "aws_ecs_task_definition" "data_pipeline" {
 }
 ```
 
+### Passing the whole AWS Secret Manager secret to the ECS task as a single variable
+```hcl
+module "secrets" {
+  source  = "exlabs/ecs-secrets-manager/aws"
+  # We recommend pinning every module to a specific version
+  version = "1.1.0"
+  name    = "data-pipeline-secrets"
+
+  enable_secret_assigned_to_single_key = true
+
+  ecs_task_execution_roles = [
+    "ecs-task-execution-role1",
+    "ecs-task-execution-role2"
+  ]
+
+  # You can define your own key or leave it default then the key name is built based on the secret name
+  key_names = [
+    "YOUR_OWN_KEY"
+  ]
+}
+
+resource "aws_ecs_task_definition" "data_pipeline" {
+  #...
+
+  container_definitions = jsonencode([
+    {
+      secrets = module.secrets.ecs_secrets,
+      #...
+    }
+  ])
+}
+```
+
 After `terraform apply` you have to go to the AWS Console SecretsManager dashboard, select created secret and set values by creating a key-value pair for each defined key name.
 
 
@@ -77,10 +111,12 @@ No modules.
 | <a name="input_key_names"></a> [key\_names](#input\_key\_names) | Secret names that will be injected as env variables | `list(string)` | `[]` | yes |
 | <a name="input_name"></a> [name](#input\_name) | AWS SecretsManager secret name | `string` | n/a | yes |
 | <a name="input_description"></a> [description](#input\_description) | AWS SecretsManager secret description | `string` | n/a | no |
+| <a name="input_enable_secret_assigned_to_single_key"></a> [enable\_secret\_assigned\_to\_single\_key](#input\_enable\_secret\_assigned\_to\_single\_key) | Enables returning the whole secret as a single key-value pair | `string` | `false` | no |
 
 ## Outputs
 
 | Name | Description |
 |------|-------------|
 | <a name="output_ecs_secrets"></a> [ecs\_secrets](#output\_ecs\_secrets) | Secrets description to be injected in the ECS Container definition. |
+| <a name="output_secretsmanager_secret_arn"></a> [secretsmanager\_secret\_arn](#output\_secretsmanager\_secret\_arn) | AWS SecretsManager secret ARN |
 <!-- END_TF_DOCS -->
diff --git a/main.tf b/main.tf
@@ -34,9 +34,14 @@ resource "aws_iam_role_policy_attachment" "this" {
 }
 
 locals {
-  ecs_secrets = [
+  ecs_secrets = var.enable_secret_assigned_to_single_key ? [
+    {
+      name      = coalesce(one(var.key_names), upper(replace(replace(var.name,"/[^a-zA-Z\\d\\-_:]/","*"),"-","_")))
+      valueFrom = aws_secretsmanager_secret.this.arn
+    }
+  ] : [
     for key_name in var.key_names :{
-      name = key_name
+      name      = key_name
       valueFrom = "${aws_secretsmanager_secret.this.arn}:${key_name}::"
     }
   ]

diff --git a/outputs.tf b/outputs.tf
@@ -2,3 +2,8 @@ output "ecs_secrets" {
   value = local.ecs_secrets
   description = "Secrets description to be injected in the ECS Container definition."
 }
+
+output "secretsmanager_secret_arn" {
+  value = aws_secretsmanager_secret.this.arn
+  description = "AWS SecretsManager secret ARN"
+}
diff --git a/variables.tf b/variables.tf
@@ -23,3 +23,10 @@ variable "key_names" {
   nullable    = false
   default     = []
 }
+
+variable "enable_secret_assigned_to_single_key" {
+  description = "Enables returning the whole secret as a single key-value pair"
+  type        = bool
+  nullable    = false
+  default     = false
+}