Pattern: Use of plain-text secret for AWS ECS task definition
Issue: -
Secrets must never be exposed in plain text. The environment block of a container definition is stored and displayed unencrypted, so any value placed there is readable by anyone who can view the task definition (and by anyone who can read the Terraform code or state). Instead, the service should pull its secrets at runtime from a secure secret store such as AWS Secrets Manager or SSM Parameter Store.
Resolution: Remove the plain-text value from environment and, where the container still needs it, supply it through the task definition's secrets block, which references the stored secret by ARN rather than embedding its value.
Example of incorrect code:
resource "aws_ecs_task_definition" "bad_example" {
  family = "my_service"

  container_definitions = <<EOF
[
  {
    "name": "my_service",
    "essential": true,
    "memory": 256,
    "environment": [
      { "name": "ENVIRONMENT", "value": "development" },
      { "name": "DATABASE_PASSWORD", "value": "oh no D:" }
    ]
  }
]
EOF
}
Example of correct code:
resource "aws_ecs_task_definition" "good_example" {
  family = "my_service"

  container_definitions = <<EOF
[
  {
    "name": "my_service",
    "essential": true,
    "memory": 256,
    "environment": [
      { "name": "ENVIRONMENT", "value": "development" }
    ]
  }
]
EOF
}
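The correct example above simply drops the password. When the container genuinely needs it, the following added example (written for this page, not taken from the original rule text or from any project) shows the full pattern: the secret lives in AWS Secrets Manager, the task execution role is granted read access to that one secret only, and the container definition references it through secrets/valueFrom so the value never appears in the template, the plan, or the DescribeTaskDefinition output. The resource names, the secret name "my_service/database_password", and the role name are assumptions.

```hcl
# Added example, not the original page's code. Names and the secret path
# are assumptions chosen for illustration.

resource "aws_secretsmanager_secret" "db_password" {
  name = "my_service/database_password"
}

# Trust policy for the role the ECS agent assumes when it launches the task.
data "aws_iam_policy_document" "ecs_task_execution_assume" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["ecs-tasks.amazonaws.com"]
    }
  }
}

resource "aws_iam_role" "ecs_task_execution" {
  name               = "my_service-task-execution"
  assume_role_policy = data.aws_iam_policy_document.ecs_task_execution_assume.json
}

# Standard permissions for pulling images and shipping logs.
resource "aws_iam_role_policy_attachment" "ecs_task_execution_managed" {
  role       = aws_iam_role.ecs_task_execution.name
  policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy"
}

# Least privilege: read exactly this secret, not secretsmanager:* on everything.
data "aws_iam_policy_document" "read_db_password" {
  statement {
    actions   = ["secretsmanager:GetSecretValue"]
    resources = [aws_secretsmanager_secret.db_password.arn]
  }
}

resource "aws_iam_role_policy" "read_db_password" {
  name   = "read-db-password"
  role   = aws_iam_role.ecs_task_execution.id
  policy = data.aws_iam_policy_document.read_db_password.json
}

resource "aws_ecs_task_definition" "good_example_with_secret" {
  family             = "my_service"
  execution_role_arn = aws_iam_role.ecs_task_execution.arn

  container_definitions = jsonencode([
    {
      name      = "my_service"
      essential = true
      memory    = 256
      environment = [
        { name = "ENVIRONMENT", value = "development" }
      ]
      # Resolved by the ECS agent at container start using the execution
      # role; the task definition stores only the ARN, never the password.
      secrets = [
        {
          name      = "DATABASE_PASSWORD"
          valueFrom = aws_secretsmanager_secret.db_password.arn
        }
      ]
    }
  ])
}
```

The secret's value itself is deliberately not managed here: writing it into an aws_secretsmanager_secret_version resource would put it back into Terraform code and state, which is the same exposure the rule flags. Populate it out of band (console, CLI, or a rotation Lambda) and let the task read it at launch.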