terraform-aws-ecs-secrets-manager

Terraform module that creates an AWS Secrets Manager secret and generates the secrets definition to be injected into the ECS container definition.

This module uses the recommended way of passing sensitive data from Secrets Manager to an ECS task: the container definition only references the secret, so no sensitive value is hardcoded in it.

Usage

Passing specific keys to ECS task definition

module "secrets" {
  source  = "exlabs/ecs-secrets-manager/aws"
  # We recommend pinning every module to a specific version
  version = "1.1.0"
  name    = "data-pipeline-secrets"

  ecs_task_execution_roles = [
    "ecs-task-execution-role1",
    "ecs-task-execution-role2"
  ]

  key_names = [
    "STRIPE_PUBLIC_KEY",
    "STRIPE_SECRET_KEY",
    "STRIPE_WEBHOOK_SECRET"
  ]
}

resource "aws_ecs_task_definition" "data_pipeline" {
  #...

  container_definitions = jsonencode([
    {
      secrets = module.secrets.ecs_secrets,
      #...
    }
  ])
}

Passing the whole AWS Secret Manager secret to the ECS task as a single variable

module "secrets" {
  source  = "exlabs/ecs-secrets-manager/aws"
  # We recommend pinning every module to a specific version
  version = "1.1.0"
  name    = "data-pipeline-secrets"

  enable_secret_assigned_to_single_key = true

  ecs_task_execution_roles = [
    "ecs-task-execution-role1",
    "ecs-task-execution-role2"
  ]

  # Define your own key name, or leave it at the default, in which case the key name is built from the secret name
  key_names = [
    "YOUR_OWN_KEY"
  ]
}

resource "aws_ecs_task_definition" "data_pipeline" {
  #...

  container_definitions = jsonencode([
    {
      secrets = module.secrets.ecs_secrets,
      #...
    }
  ])
}
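Both usage variants above end in the same place: the value of module.secrets.ecs_secrets is a list of name/valueFrom pairs that ECS resolves at task start. The following Python is an added example, not code from the module, that builds that list for both modes from a constructed secret ARN and key list, and adds a small check a reviewer can run over a rendered container definition to confirm the listed keys are referenced under secrets rather than set as plaintext environment variables. The ARN, key names and the way the single-key mode derives a variable name from the secret name are assumptions made for the example.

```python
import json
import re

# Constructed sample values for the example; a real ARN comes from the module's
# secretsmanager_secret_arn output after terraform apply.
SECRET_NAME = "data-pipeline-secrets"
SECRET_ARN = ("arn:aws:secretsmanager:eu-west-1:123456789012:"
              "secret:data-pipeline-secrets-AbCdEf")
KEY_NAMES = ["STRIPE_PUBLIC_KEY", "STRIPE_SECRET_KEY", "STRIPE_WEBHOOK_SECRET"]

# A bare secret ARN: no trailing ":<json-key>:<stage>:<version>" selector.
ARN_RE = re.compile(r"^arn:aws[a-z-]*:secretsmanager:[a-z0-9-]+:\d{12}:secret:[^:]+$")


def env_name_from_secret_name(secret_name):
    # Assumption for this example: the default single-key name is the secret
    # name upper-cased with non-alphanumerics replaced by underscores.
    return re.sub(r"[^A-Za-z0-9]", "_", secret_name).upper()


def ecs_secrets(secret_arn, key_names, single_key=False, secret_name=None):
    """Build the `secrets` list for an ECS container definition.

    Per-key mode: one entry per JSON key with valueFrom "<arn>:<key>::", so the
    ECS agent extracts that key from the secret's JSON document.
    Single-key mode: one entry whose valueFrom is the bare ARN, so the whole
    JSON document is delivered as one environment variable.
    """
    if not ARN_RE.match(secret_arn):
        raise ValueError(f"not a bare Secrets Manager secret ARN: {secret_arn}")
    if single_key:
        name = key_names[0] if key_names else env_name_from_secret_name(secret_name)
        return [{"name": name, "valueFrom": secret_arn}]
    return [{"name": k, "valueFrom": f"{secret_arn}:{k}::"} for k in key_names]


def check_container_definition(container_def, key_names):
    """Return findings for a single container definition; empty means clean."""
    findings = []
    env = {e["name"]: e.get("value") for e in container_def.get("environment", [])}
    secrets = {s["name"]: s.get("valueFrom") for s in container_def.get("secrets", [])}
    for key in key_names:
        if key in env:
            findings.append(f"{key}: set as a plaintext environment variable; move it to secrets")
        ref = secrets.get(key)
        if ref is None:
            findings.append(f"{key}: not referenced under secrets")
        elif not ref.startswith("arn:"):
            findings.append(f"{key}: valueFrom is not an ARN ({ref!r})")
    return findings


if __name__ == "__main__":
    container = {"name": "app", "secrets": ecs_secrets(SECRET_ARN, KEY_NAMES)}
    print(json.dumps([container], indent=2))
    print("findings:", check_container_definition(container, KEY_NAMES))
```

The check is deliberately narrow: it only knows the keys you told the module about, so run it with the same key_names list you pass to the module, against each element of the decoded container_definitions array.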

After terraform apply, open the Secrets Manager dashboard in the AWS Console, select the created secret and set its values by creating a key-value pair for each defined key name.
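The secret is stored as one JSON document whose top-level keys are the key names the task definition references, and ECS cannot resolve a reference to a JSON key that is missing from the document, so a task referencing such a key fails to start. The following Python is an added example, not part of the module, that builds that document from the same key list passed to the module, rejects missing or undeclared keys before anything is written, and produces the argument vector for the AWS CLI's put-secret-value command as an alternative to the console step. Key names and values are constructed for the example.

```python
import json

# Constructed example; use the same list you pass as the module's key_names input.
KEY_NAMES = ["STRIPE_PUBLIC_KEY", "STRIPE_SECRET_KEY", "STRIPE_WEBHOOK_SECRET"]


def validation_errors(key_names, values):
    """List problems with a proposed set of values; empty means the set is complete.

    Missing or empty keys would leave the task unable to start; undeclared keys
    are rejected so material the task definition never references does not
    accumulate in the secret.
    """
    errors = []
    missing = [k for k in key_names if values.get(k) in (None, "")]
    extra = sorted(set(values) - set(key_names))
    if missing:
        errors.append("missing values for: " + ", ".join(missing))
    if extra:
        errors.append("keys not declared in key_names: " + ", ".join(extra))
    return errors


def build_secret_string(key_names, values):
    """Return the JSON document to store as the secret's SecretString."""
    errors = validation_errors(key_names, values)
    if errors:
        raise ValueError("; ".join(errors))
    # Emit keys in key_names order with compact separators so the output is deterministic.
    return json.dumps({k: values[k] for k in key_names}, separators=(",", ":"))


def put_secret_value_argv(secret_id, secret_string):
    """argv for `aws secretsmanager put-secret-value`.

    Hand this to subprocess.run rather than joining it into a shell string, so
    the secret is never shell-parsed or left in shell history.
    """
    return ["aws", "secretsmanager", "put-secret-value",
            "--secret-id", secret_id, "--secret-string", secret_string]


if __name__ == "__main__":
    # Constructed placeholder values; real values would come from a vault or prompt.
    values = {"STRIPE_PUBLIC_KEY": "pk_test_placeholder",
              "STRIPE_SECRET_KEY": "sk_test_placeholder",
              "STRIPE_WEBHOOK_SECRET": "whsec_placeholder"}
    doc = build_secret_string(KEY_NAMES, values)
    print(put_secret_value_argv("data-pipeline-secrets", doc))
```

Passing the document as a command-line argument still exposes it to anything that can read the process's arguments while the command runs; where that matters, write the document to a file with restrictive permissions and pass --secret-string file://path instead.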

Requirements

| Name | Version |
|------|---------|
| terraform | >= 0.13.0 |
| aws | >= 3.30.0 |
| random | >= 3.5.0 |

Providers

| Name | Version |
|------|---------|
| aws | >= 3.30.0 |
| random | >= 3.5.0 |

Modules

No modules.

Resources

| Name | Type |
|------|------|
| aws_iam_policy.this | resource |
| random_id.policy_suffix | resource |
| aws_iam_role_policy_attachment.this | resource |
| aws_secretsmanager_secret.this | resource |

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| ecs_task_execution_roles | ECS task execution role names | list(string) | [] | yes |
| key_names | Secret names that will be injected as env variables | list(string) | [] | yes |
| name | AWS SecretsManager secret name | string | n/a | yes |
| description | AWS SecretsManager secret description | string | n/a | no |
| enable_secret_assigned_to_single_key | Enables returning the whole secret as a single key-value pair | string | false | no |

Outputs

| Name | Description |
|------|-------------|
| ecs_secrets | Secrets description to be injected in the ECS Container definition. |
| secretsmanager_secret_arn | AWS SecretsManager secret ARN |