AWS SSM as a valueFrom for task in Terraform not working

Time:09-21

I am defining a task in AWS which I already have working using the aws_ecs_task_definition module. I am setting up some environment variables using the environment var in the Terraform module, but some of them will be provided through AWS SSM. The normal creation without AWS SSM is:

environment : [
  {
    name : "user",
    value : "name"
  },
],

This works like a charm.

Then I tried:

environment : [
  {
    name : "user",
    valueFrom : "my_env_var_name_in_ssm"
  },
],

But it doesn't work. When I go to the UI of the task definition, the ENV variable is not there, nor in the UI's JSON definition.

Then I tried to create them in the UI and the task works perfectly, and I saw that when you set up valueFrom, the ENV variable is created under the secrets section of the JSON definition. So I tried to replicate it in Terraform such as:

secrets : [
  {
    name : "user",
    valueFrom : "my_env_var_name_in_ssm"
  },
],

But it doesn't work either. The task definition JSON is:

{
  "ipcMode": null,
  "executionRoleArn": "arn",
  "containerDefinitions": [
    {
      "dnsSearchDomains": null,
      "environmentFiles": null,
      "logConfiguration": null,
      "entryPoint": null,
      "portMappings": [
        {
          "hostPort": 8080,
          "protocol": "tcp",
          "containerPort": 8080
        },
        {
          "hostPort": 8793,
          "protocol": "tcp",
          "containerPort": 8793
        }
      ],
      "command": null,
      "linuxParameters": null,
      "cpu": 7,
      "environment": [
        {
          "name": "name",
          "value": "harcoded"
        }
      ],
      "resourceRequirements": null,
      "ulimits": null,
      "dnsServers": null,
      "mountPoints": [],
      "workingDirectory": null,
      "secrets": null,
      "dockerSecurityOptions": null,
      "memory": null,
      "memoryReservation": 128,
      "volumesFrom": [],
      "stopTimeout": null,
      "image": "image_arn",
      "startTimeout": null,
      "firelensConfiguration": null,
      "dependsOn": null,
      "disableNetworking": null,
      "interactive": null,
      "healthCheck": null,
      "essential": true,
      "links": null,
      "hostname": null,
      "extraHosts": null,
      "pseudoTerminal": null,
      "user": null,
      "readonlyRootFilesystem": null,
      "dockerLabels": null,
      "systemControls": null,
      "privileged": null,
      "name": "my-name"
    }
  ],
  "placementConstraints": [],
  "memory": null,
  "taskRoleArn": "arn",
  "compatibilities": [
    "EC2"
  ],
  "taskDefinitionArn": "arn",
  "family": "family-name",
  "requiresAttributes": [
    {
      "targetId": null,
      "targetType": null,
      "value": null,
      "name": "com.amazonaws.ecs.capability.ecr-auth"
    },
    {
      "targetId": null,
      "targetType": null,
      "value": null,
      "name": "com.amazonaws.ecs.capability.docker-remote-api.1.21"
    },
    {
      "targetId": null,
      "targetType": null,
      "value": null,
      "name": "com.amazonaws.ecs.capability.task-iam-role"
    },
    {
      "targetId": null,
      "targetType": null,
      "value": null,
      "name": "ecs.capability.execution-role-ecr-pull"
    },
    {
      "targetId": null,
      "targetType": null,
      "value": null,
      "name": "com.amazonaws.ecs.capability.docker-remote-api.1.18"
    },
    {
      "targetId": null,
      "targetType": null,
      "value": null,
      "name": "ecs.capability.task-eni"
    }
  ],
  "pidMode": null,
  "requiresCompatibilities": [],
  "networkMode": "awsvpc",
  "cpu": null,
  "revision": 2,
  "status": "ACTIVE",
  "inferenceAccelerators": null,
  "proxyConfiguration": null,
  "volumes": []
}

As you can see, the JSON returns "secrets": null when Terraform runs a container_definitions like this:

container_definitions = jsonencode(
  [
    {
      name = aws_ecs_cluster.cluster.name,
      image = "${var.image_url}:latest",
      cpu = 7,
      dnsSearchDomains = null,
      network_configuration = "awsvpc",
      entryPoint = null,
      portMappings = [
        {
          hostPort = 8080,
          protocol = "tcp",
          containerPort = 8080
        },
        {
          hostPort = 8793,
          protocol = "tcp",
          containerPort = 8793
        }
      ],
      command : null,
      linuxParameters : null,
      environment : [
        {
          name : "name",
          value : "harcoded"
        },
      ],
      secrets : [
        {
          name : "parameter-name",
          valueFrom : "arn:aws:ssm:eu-west-2:111111111:parameter/my_env_var_name_in_ssm"
        },
      ],
      resourceRequirements : null,
      ulimits : null,
      dnsServers : null,
      mountPoints : null,
      workingDirectory : null,
      secrets : null,
      dockerSecurityOptions : null,
      memoryReservation : 128,
      volumesFrom : [],
      stopTimeout : null,
      startTimeout : null,
      firelensConfiguration : null,
      dependsOn : null,
      disableNetworking : null,
      interactive : null,
      healthCheck: null
      essential : true,
      links : null,
      hostname : null,
      extraHosts : null,
      pseudoTerminal : null,
      user : null,
      readonlyRootFilesystem : null,
      dockerLabels : null,
      systemControls : null,
      privileged : null
    }
  ]
  )
}

terraform apply worked fine, but the secrets are not in the output of the actions Terraform performed, so it's normal that the JSON definition shows null. Then I guess the real issue is how to write it in Terraform.

How can I use AWS SSM as a valueFrom in an AWS ECS task defined in Terraform? As you can see, the JSON is

CodePudding user response:

Your task definition has secrets defined twice: once with a value, and once with null.

See the first and last lines in this block I copied from the code you posted:

  secrets : [
    {
      name : "parameter-name",
      valueFrom : "arn:aws:ssm:eu-west-2:111111111:parameter/my_env_var_name_in_ssm"
    },
  ],
  resourceRequirements : null,
  ulimits : null,
  dnsServers : null,
  mountPoints : null,
  workingDirectory : null,
  secrets : null,

You need to remove the line secrets : null because it is overriding the earlier setting.
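As an added example (this is not code from the question or the answer above), here is a complete task definition that declares secrets exactly once, together with the execution-role permission ECS needs to read the SSM parameter when the task launches. The role and resource names, the parameter path, the variables and the account-side identifiers are all assumptions; the field names inside container_definitions are the ones ECS documents.

```hcl
# Added example, not the poster's code. Names and paths are placeholders.

variable "image_url" {
  type = string
}

# Supplied out of band (tfvars or environment); never hardcode a secret value.
variable "db_password" {
  type      = string
  sensitive = true
}

# SecureString keeps the value encrypted at rest in Parameter Store.
resource "aws_ssm_parameter" "db_password" {
  name  = "/example/app/db_password"
  type  = "SecureString"
  value = var.db_password
}

# The *execution* role (not the task role) is what ECS uses to resolve
# `secrets` before the container starts, so the ssm permission goes here.
data "aws_iam_policy_document" "ecs_assume" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["ecs-tasks.amazonaws.com"]
    }
  }
}

resource "aws_iam_role" "execution" {
  name               = "example-ecs-execution"
  assume_role_policy = data.aws_iam_policy_document.ecs_assume.json
}

# Image pull and log permissions; this managed policy does not cover SSM.
resource "aws_iam_role_policy_attachment" "execution_managed" {
  role       = aws_iam_role.execution.name
  policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy"
}

# Least privilege: read access to the single parameter this task needs.
data "aws_iam_policy_document" "read_secret" {
  statement {
    actions   = ["ssm:GetParameters"]
    resources = [aws_ssm_parameter.db_password.arn]
  }
}

resource "aws_iam_role_policy" "read_secret" {
  role   = aws_iam_role.execution.id
  policy = data.aws_iam_policy_document.read_secret.json
}

resource "aws_ecs_task_definition" "app" {
  family                   = "example-app"
  network_mode             = "awsvpc"
  requires_compatibilities = ["EC2"]
  execution_role_arn       = aws_iam_role.execution.arn

  container_definitions = jsonencode([
    {
      name              = "app"
      image             = "${var.image_url}:latest"
      cpu               = 7
      memoryReservation = 128
      essential         = true
      portMappings = [
        { containerPort = 8080, hostPort = 8080, protocol = "tcp" }
      ]
      # Non-sensitive settings stay in `environment`.
      environment = [
        { name = "name", value = "hardcoded" }
      ]
      # Sensitive values go in `secrets`, declared exactly once. ECS reads the
      # parameter at task start and exposes it to the container as $DB_PASSWORD.
      secrets = [
        { name = "DB_PASSWORD", valueFrom = aws_ssm_parameter.db_password.arn }
      ]
    }
  ])
}
```

Two things worth checking after apply: the `secrets` key must appear only once in the object passed to jsonencode (a second `secrets = null` further down is what produced `"secrets": null` in the question), and the execution role must be allowed `ssm:GetParameters` on the parameter ARN, because the task will otherwise fail to start with a ResourceInitializationError rather than surfacing the problem in Terraform. If the SecureString is encrypted with a customer-managed KMS key instead of the default aws/ssm key, the execution role additionally needs `kms:Decrypt` on that key.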
