This repository has been archived by the owner on Oct 6, 2022. It is now read-only.

support secret parameter for ecs task definition with Fargate #7

Closed
pahud opened this issue May 25, 2020 · 6 comments · Fixed by #21

Comments

@pahud
Contributor

pahud commented May 25, 2020

'AURORA_MASTER_PASSWORD': ecs.Secret.fromSecretsManager(auroraMasterSecret),
'RADMIN_PASSWORD': ecs.Secret.fromSecretsManager(radminSecret),

It is only supported to inject the full contents of a secret as an environment variable. Specifying a specific JSON key or version is not supported at this time.
https://docs.aws.amazon.com/AmazonECS/latest/developerguide/specifying-sensitive-data-secrets.html

depends on aws/containers-roadmap#385

@snese

snese commented Nov 11, 2020

@pahud The issue aws/containers-roadmap#385 has been closed, let's move on to the next stage, lol

@DanyC97

DanyC97 commented Jan 6, 2021

In case I haven't misunderstood the issue, I think the code is present as far as I can see, and I can confirm from the generated CFN templates that it does what it is supposed to do

ProxySQLTask66A1033A:
    Type: AWS::ECS::TaskDefinition
    Properties:
      ContainerDefinitions:
        - Environment:
            - Name: DB_WRITER_HOSTNAME
              Value: writer.proxysql.local
            - Name: DB_READER_HOSTNAME
              Value: reader.proxysql.local
            - Name: DB_WRITER_PORT
              Value: '3306'
            - Name: DB_READER_PORT
              Value: '3306'
            - Name: DB_MASTER_USERNAME
              Value: admin
          Essential: true
          Image: !Join
            - ''
            - - 12345.dkr.ecr.us-east-1.
              - !Ref 'AWS::URLSuffix'
              - /aws-cdk/assets:0a48c0d6e2f688ca9f4b45efafa4dc5b6955193dc045a30b5f73131013ed3a6a
          LogConfiguration:
            LogDriver: awslogs
            Options:
              awslogs-group: !Ref 'ProxySQLTaskproxysqlLogGroup48D393F6'
              awslogs-stream-prefix: proxysql-main
              awslogs-region: us-east-1
          Name: proxysql
          PortMappings:
            - ContainerPort: 6033
              Protocol: tcp
            - ContainerPort: 6032
              Protocol: tcp
          Secrets:
            - Name: DB_MASTER_PASSWORD
              ValueFrom: !Ref 'ProxySQLAuroraMasterSecret65F602CE'
            - Name: RADMIN_PASSWORD
              ValueFrom: !Ref 'ProxySQLRAdminPassword14486454'

....

  ProxySQLAuroraMasterSecret65F602CE:
    Type: AWS::SecretsManager::Secret
    Properties:
      GenerateSecretString:
        ExcludePunctuation: true
        PasswordLength: 12
      Name: ProxysqlFargateStack-auroraMasterSecret
    Metadata:
      aws:cdk:path: ProxysqlFargateStack/ProxySQL/AuroraMasterSecret/Resource
  ProxySQLRAdminPassword14486454:
    Type: AWS::SecretsManager::Secret
    Properties:
      GenerateSecretString:
        ExcludePunctuation: true
        PasswordLength: 12
      Name: ProxysqlFargateStack-radmin_pwd
    Metadata:
      aws:cdk:path: ProxysqlFargateStack/ProxySQL/RAdminPassword/Resource

Hence I think it can be closed?

Edit

And if what I wrote above is correct then the readme can be updated & the stale section removed
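A check in the spirit of the comment above, as an added example that is not part of the thread or the project's code: it walks a synthesized template (as JSON) and reports credential-like names left in plaintext `Environment`, plus `Secrets` entries whose `ValueFrom` is a literal. The name pattern, the function names and `BadTask` are assumptions made for illustration.

```typescript
type Json = { [key: string]: any };

// Assumption: a name-based heuristic for what counts as sensitive.
const SENSITIVE_NAME = /PASSWORD|PASSWD|SECRET|TOKEN|API_?KEY/i;

// Accept an intrinsic (Ref / Fn::*) or a Secrets Manager / SSM ARN. ECS also
// accepts a bare SSM parameter name; this check deliberately asks for an ARN.
function isSecretReference(valueFrom: any): boolean {
  if (typeof valueFrom === 'string') {
    return /^arn:aws[\w-]*:(secretsmanager|ssm):/.test(valueFrom);
  }
  if (valueFrom === null || typeof valueFrom !== 'object') return false;
  const keys = Object.keys(valueFrom);
  return keys.length === 1 && (keys[0] === 'Ref' || keys[0].indexOf('Fn::') === 0);
}

// Returns one finding per credential-like Environment entry and per Secrets
// entry whose ValueFrom is a literal rather than a reference.
function auditTaskDefinitions(template: Json): string[] {
  const findings: string[] = [];
  const resources: Json = template.Resources ?? {};
  for (const id of Object.keys(resources)) {
    const res = resources[id];
    if (res.Type !== 'AWS::ECS::TaskDefinition') continue;
    for (const c of res.Properties?.ContainerDefinitions ?? []) {
      for (const env of c.Environment ?? []) {
        if (SENSITIVE_NAME.test(env.Name)) findings.push(`${id}/${c.Name}: ${env.Name} is a plaintext Environment entry`);
      }
      for (const s of c.Secrets ?? []) {
        if (!isSecretReference(s.ValueFrom)) findings.push(`${id}/${c.Name}: ${s.Name} ValueFrom is not a secret reference`);
      }
    }
  }
  return findings;
}

// Constructed sample: GoodTask mirrors the template above, BadTask is invented.
const sampleTemplate: Json = { Resources: {
  GoodTask: { Type: 'AWS::ECS::TaskDefinition', Properties: { ContainerDefinitions: [{ Name: 'proxysql',
    Environment: [{ Name: 'DB_MASTER_USERNAME', Value: 'admin' }],
    Secrets: [{ Name: 'DB_MASTER_PASSWORD', ValueFrom: { Ref: 'ProxySQLAuroraMasterSecret65F602CE' } }],
  }] } },
  BadTask: { Type: 'AWS::ECS::TaskDefinition', Properties: { ContainerDefinitions: [{ Name: 'proxysql',
    Environment: [{ Name: 'RADMIN_PASSWORD', Value: 'constructed-placeholder' }],
    Secrets: [{ Name: 'DB_MASTER_PASSWORD', ValueFrom: 'constructed-literal' }],
  }] } },
} };

console.log(auditTaskDefinitions(sampleTemplate).join('\n'));
```

Convert the YAML output of `cdk synth` to JSON before passing it in, since the `!Ref` short form is not plain YAML.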

@pahud
Contributor Author

pahud commented Jan 7, 2021

@DanyC97 thank you for your feedback.

Let me know if you have any issues and any PRs are always welcome!

@DanyC97

DanyC97 commented Jan 7, 2021

Thank you @pahud for coming back to us, much appreciated!

And if what I wrote above is correct then the readme can be updated & the stale section removed

Is my understanding correct that the above readme section can be removed, or have I got it wrong?

@pahud
Contributor Author

pahud commented Jan 7, 2021

@DanyC97 Yes I have removed the stale section already at #21

Did I miss anything?

@DanyC97

DanyC97 commented Jan 7, 2021

@pahud on a double check, it is me who misunderstood.

In my link I pointed out to which is a different feature 🤦


Custom master password Secret

Use masterSecret to specify your master password from existing Secret.

const YOUR_SECRET_ARN = 'arn:aws:secretsmanager:ap-northeast-1:112233445566:secret:xxxxxxx-rC5RTf'
const masterSecret = secretsmanager.Secret.fromSecretArn(stack, 'Secret', YOUR_SECRET_ARN)
new proxysql.ProxysqlFargate(stack, 'ProxySQL', {
  vpc: infra.vpc,
  customBackend: {
    readerHost: 'foo',
    writerHost: 'bar',
    masterSecret,
  }
})
