From 1b79bae69247f5a0f440a25e2f68e61c4b8b17d8 Mon Sep 17 00:00:00 2001
From: Ray Krishardi Layadi
Date: Mon, 2 Oct 2023 10:57:56 +1100
Subject: [PATCH] fix: secretsmanager valuefrom task definition (#68)

* fix: secretsmanager valuefrom task definition

* feat: add test and spec
---
 ecs-service.cfndsl.rb | 2 +-
 spec/secrets_spec.rb | 4 ++--
 tests/secrets.test.yaml | 3 +--
 3 files changed, 4 insertions(+), 5 deletions(-)

diff --git a/ecs-service.cfndsl.rb b/ecs-service.cfndsl.rb
index 5d51124..f28f559 100644
--- a/ecs-service.cfndsl.rb
+++ b/ecs-service.cfndsl.rb
@@ -203,7 +203,7 @@
 end
 if task['secrets'].key?('secretsmanager')
- secrets.push *task['secrets']['secretsmanager'].map {|k,v| { Name: k, ValueFrom: v.is_a?(String) && ! v.start_with?('arn') ? v : FnSub("arn:aws:secretsmanager:${AWS::Region}:${AWS::AccountId}:secret:#{v}") }}
+ secrets.push *task['secrets']['secretsmanager'].map {|k,v| { Name: k, ValueFrom: v.is_a?(String) && v.start_with?('arn') ? v : FnSub("arn:aws:secretsmanager:${AWS::Region}:${AWS::AccountId}:secret:#{v}") }}
 resources = task['secrets']['secretsmanager'].map {|k,v| v.is_a?(String) && v.start_with?('arn') ? "#{v}*" : FnSub("arn:aws:secretsmanager:${AWS::Region}:${AWS::AccountId}:secret:#{v}*") }
 secrets_policy['secretsmanager'] = {
 'action' => 'secretsmanager:GetSecretValue',
diff --git a/spec/secrets_spec.rb b/spec/secrets_spec.rb
index be1e2fa..ef7b5a1 100644
--- a/spec/secrets_spec.rb
+++ b/spec/secrets_spec.rb
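Review bot: The fixed ternary on the `+` line still stringifies any non-String value into the ARN: a Hash such as the `Ref: EnvironmentName` the old fixture used fails `v.is_a?(String)` and falls through to `FnSub("...secret:#{v}")`, producing the `secret:{"Ref"=>"EnvironmentName"}` text the old spec expectation recorded. The commit sidesteps that by changing the fixture rather than the code, so the same silent corruption remains for the next caller who passes a Hash; rejecting it up front with `raise ArgumentError, "secretsmanager secret #{k} must be a String name or ARN" unless v.is_a?(String)` inside the map block would surface the mistake at compile time. The ARN test is also duplicated between this line and the `resources` line two lines below, which is exactly how the stray `!` slipped into one copy; extracting it once, e.g. `sm_arn = ->(v) { v.is_a?(String) && v.start_with?('arn:') }` and using `sm_arn.(v)` in both places, keeps the `ValueFrom` and the IAM `Resource` from disagreeing again. Separately, the `resources` line grants `secretsmanager:GetSecretValue` on `secret:#{v}*`, a name-prefix wildcard that matches any secret whose name merely starts with `v` as well as the intended random-suffix variant; that is pre-existing, but now that name-form values are the common path a one-line comment saying the trailing `*` is for the Secrets Manager suffix would tell a reader why the wildcard is there. The enclosing `if task['secrets'].key?('secretsmanager')` block closes outside the hunk.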
@@ -71,7 +71,7 @@
 end
 it "to have property Policies" do
- expect(resource["Properties"]["Policies"]).to eq([{"PolicyName"=>"ssm-secrets", "PolicyDocument"=>{"Statement"=>[{"Sid"=>"ssmsecrets", "Action"=>"ssm:GetParameters", "Resource"=>[{"Fn::Sub"=>"arn:aws:ssm:${AWS::Region}:${AWS::AccountId}:parameter/nginx/${EnvironmentName}/api/key*"}, {"Fn::Sub"=>"arn:aws:ssm:${AWS::Region}:${AWS::AccountId}:parameter/nginx/${EnvironmentName}/api/secret*"}], "Effect"=>"Allow"}]}}, {"PolicyName"=>"secretsmanager", "PolicyDocument"=>{"Statement"=>[{"Sid"=>"secretsmanager", "Action"=>"secretsmanager:GetSecretValue", "Resource"=>[{"Fn::Sub"=>"arn:aws:secretsmanager:${AWS::Region}:${AWS::AccountId}:secret:/dont/use/accesskeys*"}, {"Fn::Sub"=>"arn:aws:secretsmanager:${AWS::Region}:${AWS::AccountId}:secret:{\"Ref\"=>\"EnvironmentName\"}*"}], "Effect"=>"Allow"}]}}])
+ expect(resource["Properties"]["Policies"]).to eq([{"PolicyName"=>"ssm-secrets", "PolicyDocument"=>{"Statement"=>[{"Sid"=>"ssmsecrets", "Action"=>"ssm:GetParameters", "Resource"=>[{"Fn::Sub"=>"arn:aws:ssm:${AWS::Region}:${AWS::AccountId}:parameter/nginx/${EnvironmentName}/api/key*"}, {"Fn::Sub"=>"arn:aws:ssm:${AWS::Region}:${AWS::AccountId}:parameter/nginx/${EnvironmentName}/api/secret*"}], "Effect"=>"Allow"}]}}, {"PolicyName"=>"secretsmanager", "PolicyDocument"=>{"Statement"=>[{"Sid"=>"secretsmanager", "Action"=>"secretsmanager:GetSecretValue", "Resource"=>[{"Fn::Sub"=>"arn:aws:secretsmanager:${AWS::Region}:${AWS::AccountId}:secret:/dont/use/accesskeys*"}, {"Fn::Sub"=>"arn:aws:secretsmanager:${AWS::Region}:${AWS::AccountId}:secret:${EnvironmentName}*"}], "Effect"=>"Allow"}]}}])
 end
 end
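Review bot: The rewritten expectation exercises only name-form `secretsmanager` values, so the branch the fix actually changed — an ARN-form value passed through `ValueFrom` untouched and granted as `"#{v}*"` in the policy — has no assertion, and the inverted condition could come back without this spec failing. Adding a third entry under `secretsmanager:` in `tests/secrets.test.yaml`, e.g. `ARNKEY: arn:aws:secretsmanager:ap-southeast-2:123456789012:secret:example-AbCdEf` (a constructed sample value), and asserting that literal string with a trailing `*` in the Resource list here, plus the bare string as its `ValueFrom` in the ContainerDefinitions expectation in the next hunk, would pin both arms of the ternary. The enclosing `context` block starts and ends outside the hunk.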
@@ -84,7 +84,7 @@
 end
 it "to have property ContainerDefinitions" do
- expect(resource["Properties"]["ContainerDefinitions"]).to eq([{"Name"=>"nginx", "Image"=>{"Fn::Join"=>["", ["nginx/", "nginx", ":", "latest"]]}, "LogConfiguration"=>{"LogDriver"=>"awslogs", "Options"=>{"awslogs-group"=>{"Ref"=>"LogGroup"}, "awslogs-region"=>{"Ref"=>"AWS::Region"}, "awslogs-stream-prefix"=>"nginx"}}, "Secrets"=>[{"Name"=>"API_KEY", "ValueFrom"=>{"Fn::Sub"=>"arn:aws:ssm:${AWS::Region}:${AWS::AccountId}:parameter/nginx/${EnvironmentName}/api/key"}}, {"Name"=>"API_SECRET", "ValueFrom"=>{"Fn::Sub"=>"arn:aws:ssm:${AWS::Region}:${AWS::AccountId}:parameter/nginx/${EnvironmentName}/api/secret"}}, {"Name"=>"ACCESSKEY", "ValueFrom"=>"/dont/use/accesskeys"}, {"Name"=>"SECRETKEY", "ValueFrom"=>{"Fn::Sub"=>"arn:aws:secretsmanager:${AWS::Region}:${AWS::AccountId}:secret:{\"Ref\"=>\"EnvironmentName\"}"}}]}])
+ expect(resource["Properties"]["ContainerDefinitions"]).to eq([{"Name"=>"nginx", "Image"=>{"Fn::Join"=>["", ["nginx/", "nginx", ":", "latest"]]}, "LogConfiguration"=>{"LogDriver"=>"awslogs", "Options"=>{"awslogs-group"=>{"Ref"=>"LogGroup"}, "awslogs-region"=>{"Ref"=>"AWS::Region"}, "awslogs-stream-prefix"=>"nginx"}}, "Secrets"=>[{"Name"=>"API_KEY", "ValueFrom"=>{"Fn::Sub"=>"arn:aws:ssm:${AWS::Region}:${AWS::AccountId}:parameter/nginx/${EnvironmentName}/api/key"}}, {"Name"=>"API_SECRET", "ValueFrom"=>{"Fn::Sub"=>"arn:aws:ssm:${AWS::Region}:${AWS::AccountId}:parameter/nginx/${EnvironmentName}/api/secret"}}, {"Name"=>"ACCESSKEY", "ValueFrom"=>{"Fn::Sub"=>"arn:aws:secretsmanager:${AWS::Region}:${AWS::AccountId}:secret:/dont/use/accesskeys"}}, {"Name"=>"SECRETKEY", "ValueFrom"=>{"Fn::Sub"=>"arn:aws:secretsmanager:${AWS::Region}:${AWS::AccountId}:secret:${EnvironmentName}"}}]}])
 end
 it "to have property TaskRoleArn" do
diff --git a/tests/secrets.test.yaml b/tests/secrets.test.yaml
index 787af22..51643f0 100644
--- a/tests/secrets.test.yaml
+++ b/tests/secrets.test.yaml
@@ -13,8 +13,7 @@ task_definition:
 API_SECRET: /nginx/${EnvironmentName}/api/secret
 secretsmanager:
 ACCESSKEY: /dont/use/accesskeys
- SECRETKEY:
- Ref: EnvironmentName
+ SECRETKEY: ${EnvironmentName}
 targetgroup: