feat(ecs): Support secret for ecs fargate (aws#1478)

ECS container definition can be configured with secrets as per cloud formation specification
johnwatsonncr · Jul 17, 2019 · 60ecffe · 60ecffe
1 parent 50c7319
commit 60ecffe
Show file tree

Hide file tree

Showing 2 changed files with 44 additions and 0 deletions.
diff --git a/packages/@aws-cdk/aws-ecs/lib/container-definition.ts b/packages/@aws-cdk/aws-ecs/lib/container-definition.ts
@@ -194,6 +194,15 @@ export interface ContainerDefinitionOptions {
    * @default - No Linux paramters.
    */
   readonly linuxParameters?: LinuxParameters;
+
+  /**
+   * The Secret property specifies an object representing the secret to expose to the container
+   * For more information, see [Specifying Sensitive Data](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/specifying-sensitive-data.html)
+   * in the Amazon Elastic Container Service Developer Guide.
+   *
+   * @default - No secrets.
+   */
+  readonly secrets?: CfnTaskDefinition.SecretProperty[];
 }
 
 /**
@@ -444,6 +453,7 @@ export class ContainerDefinition extends cdk.Construct {
       healthCheck: this.props.healthCheck && renderHealthCheck(this.props.healthCheck),
       links: this.links,
       linuxParameters: this.linuxParameters && this.linuxParameters.renderLinuxParameters(),
+      secrets: this.props.secrets
     };
   }
 }

diff --git a/packages/@aws-cdk/aws-ecs/test/test.container-definition.ts b/packages/@aws-cdk/aws-ecs/test/test.container-definition.ts
@@ -554,6 +554,40 @@ export = {
       test.done();
     },
 
+    'can specify secrets'(test: Test) {
+      // GIVEN
+      const stack = new cdk.Stack();
+      const taskDefinition = new ecs.Ec2TaskDefinition(stack, 'TaskDef');
+      const mySecretArn = 'arn:aws:secretsmanager:region:1234567890:secret:MyRepoSecret-6f8hj3';
+
+      // WHEN
+      taskDefinition.addContainer('cont', {
+        image: ecs.ContainerImage.fromRegistry('test'),
+        memoryLimitMiB: 1024,
+        secrets: [ {
+          name: 'MyRepoSecret',
+          valueFrom: mySecretArn,
+        }],
+      });
+
+      // THEN
+      expect(stack).to(haveResourceLike('AWS::ECS::TaskDefinition', {
+        ContainerDefinitions: [
+          {
+            Image: 'test',
+            Secrets: [
+              {
+                Name : 'MyRepoSecret',
+                ValueFrom : mySecretArn
+              }
+            ],
+          }
+        ]
+      }));
+
+      test.done();
+    },
+
     'after calling addContainer'(test: Test) {
       // GIVEN
       const stack = new cdk.Stack();