When inejcting secrets to the Secrets object of the ApplicationLoadBalancedFargateService's taskImageOptions imported from
sm.Secret.fromSecretCompleteArn (including 6 digit hypen), the deploy gets stuck and does not work.
I have also tried importing the secrets by:
sm.Secret.fromSecretNameV2 and the behaviour is the same.
Expected Behavior
ECS to deploy with custom secrets
Current Behavior
CDK deploy freezed stuck at ECS apiService deploy
Reproduction Steps
const importedSecrets = SECRET_NAMES.reduce((acc, key) => {
const secret = sm.Secret.fromSecretCompleteArn(
scope,
`${config.ENVIRONMENT}/${key}`,
secretFullArns[key], // full ARN of the secret identical as AWS
);
return {...acc, [key]: secret};
}, {} as {[key: string]: sm.ISecret});
Where SECRET_NAMES is an array of secret names
Then,
const secretsJson = SECRET_NAMES.reduce(
(acc, key) => ({
...acc,
[key]: ecs.Secret.fromSecretsManager(importedSecrets[key]),
}),
{},
);
and then in the fargate service creator:
// Fargate service
this.backendService = new ecsPatterns.ApplicationLoadBalancedFargateService(
scope,
'apiService',
{
serviceName: 'apiService',
cluster: this.ecsCluster,
taskSubnets: {
subnetType: ec2.SubnetType.PRIVATE_WITH_NAT,
},
memoryLimitMiB: 2048,
cpu: 1024,
desiredCount: 1,
taskImageOptions: {
containerName: 'apiContainer',
image: ecs.ContainerImage.fromAsset('../api-backend/', {
followSymlinks: SymlinkFollowMode.ALWAYS,
}),
containerPort: config.PORT,
environment: {
NODE_ENV: 'development',
AWS_DEFAULT_REGION: config.AWS_DEFAULT_REGION,
},
logDriver: ecs.LogDrivers.awsLogs({
streamPrefix: `${config.PROJECT_NAME}-logStream`,
logGroup: fargateLog,
}),
secrets: {
DB_BUSINESS_PASSWORD: ecs.Secret.fromSecretsManager(
dbBusinessPasswordSecret,
'password',
),
DB_BUSINESS_HOST: ecs.Secret.fromSecretsManager(
dbBusinessPasswordSecret,
'host',
),
...secretsJson.
// ===========>>> If i comment this line here, the deploy is successfull, but without the secrets i want.
},
},
},
);
In the CDK template i see the correct secret name BUT WITHOUT THE HYPHEN
CDK TEMPLATE Secrets from ECS:
....
{
"Name": "X_API_KEY",
"ValueFrom": {
"Fn::Join": [
"",
[
"arn:",
{
"Ref": "AWS::Partition"
},
"secret-arn-as-it-is-in-aws-console/co****/staging/X_API_KEY"
// The secret arn is exactly equal as it is in aws but without the 6 char hyphen auto-generated when the secret was uploaded.
]
]
}
},
...
Parameter name is: /co****/staging/X_API_KEY
But in the aws console the arn of the secret is exactly the same as the one in the cdk template but without the hyphen.
Im pretty sure that's the cause of the deploy stuck freeze.
Also,
IAM Permissions from the image task are fine, for example for the secret who's name is:
/co***/staging/CIPHER_SECRET-?????? where the ? represent the auto hyphen 6 digit
Update:
I've tried to use fromSecretAttributes as suggested per https://docs.aws.amazon.com/cdk/v2/guide/get_secrets_manager_value.html
and the code is:
const importedSecrets = SECRET_NAMES.reduce((acc, key) => {
const secret = sm.Secret.fromSecretAttributes(
scope,
`/cobuy/${config.ENVIRONMENT}/${key}`,
{secretCompleteArn: secretFullArns[key]}, // full ARN with 6 digit hyphen
);
return {...acc, [key]: secret};
}, {} as {[key: string]: sm.ISecret});
const secretsJson = SECRET_NAMES.reduce(
(acc, key) => ({
...acc,
[key]: ecs.Secret.fromSecretsManager(importedSecrets[key]),
}),
{} as {[key: string]: ecs.Secret},
);
Still not working but now the CDK Synthesis throws an error:
must use only one of secretCompleteArn or secretPartialArn
Interest data:
"aws-cdk-lib": "^2.27.0"
node -v => 14.19
Typescript "^4.7.2"
Other information
CDK JSON
{
"app": "npx ts-node --prefer-ts-exts bin/CdkStarter.ts",
"context": {
"@aws-cdk/aws-apigateway:usagePlanKeyOrderInsensitiveId": true,
"@aws-cdk/aws-rds:lowercaseDbIdentifier": true,
"@aws-cdk/aws-efs:defaultEncryptionAtRest": true,
"@aws-cdk/aws-cloudfront:defaultSecurityPolicyTLSv1.2_2021": false,
"@aws-cdk/core:stackRelativeExports": false
}
}
