aws-cloudformation/cloudformation-coverage-roadmap

[BUG] ECS TaskDefinition fails to update on removal of SecretManager reference when secret key does not exist anymore


Name of the resource

AWS::ECS::TaskDefinition

Resource Name

No response

Issue Description

When using an ECS:TaskDefinition together with a referenced AWS:SecretManager secretValueFromJson(), the stack update fails when the key does not exist, which is a bug in the scenario where previously used secret keys are removed.

Consider the following scenario.

  1. The stack defined below is deployed without any issues:
    import { Stack, StackProps } from 'aws-cdk-lib';
    import { Construct } from 'constructs';
    import { Repository } from 'aws-cdk-lib/aws-ecr';
    import { ContainerImage, Ec2TaskDefinition, NetworkMode } from 'aws-cdk-lib/aws-ecs';
    import { Secret } from 'aws-cdk-lib/aws-secretsmanager';

    export class EcsBackendServiceStack extends Stack {
      constructor(scope: Construct, id: string, props?: StackProps) {
        super(scope, id, props);
        // `image` is not defined in the report; assumed to be an existing ECR repository
        const image = Repository.fromRepositoryName(this, 'image', 'backend');
        // secret holds the following JSON: {"SECRET1" : "value1", "SECRET2": "value2" }
        const secret = Secret.fromSecretNameV2(this, 'secret', 'secret');

        const taskDefinition = new Ec2TaskDefinition(this, 'EcsWatchdogTaskDef', {
          family: 'task-def',
          networkMode: NetworkMode.AWS_VPC,
        });

        taskDefinition.addContainer('backend', {
          image: ContainerImage.fromEcrRepository(image, 'latest'),
          environment: {
            SECRET1: secret.secretValueFromJson('SECRET1').unsafeUnwrap(),
            SECRET2: secret.secretValueFromJson('SECRET2').unsafeUnwrap(),
          },
        });
      }
    }

Now, the application no longer needs SECRET2, so it is removed from the SecretManager secret and the CDK stack definition is modified as below:

    import { Stack, StackProps } from 'aws-cdk-lib';
    import { Construct } from 'constructs';
    import { Repository } from 'aws-cdk-lib/aws-ecr';
    import { ContainerImage, Ec2TaskDefinition, NetworkMode } from 'aws-cdk-lib/aws-ecs';
    import { Secret } from 'aws-cdk-lib/aws-secretsmanager';

    export class EcsBackendServiceStack extends Stack {
      constructor(scope: Construct, id: string, props?: StackProps) {
        super(scope, id, props);
        // `image` is not defined in the report; assumed to be an existing ECR repository
        const image = Repository.fromRepositoryName(this, 'image', 'backend');
        // secret holds the following JSON: {"SECRET1" : "value1"}
        const secret = Secret.fromSecretNameV2(this, 'secret', 'secret');

        const taskDefinition = new Ec2TaskDefinition(this, 'EcsWatchdogTaskDef', {
          family: 'task-def',
          networkMode: NetworkMode.AWS_VPC,
        });

        taskDefinition.addContainer('backend', {
          image: ContainerImage.fromEcrRepository(image, 'latest'),
          environment: {
            SECRET1: secret.secretValueFromJson('SECRET1').unsafeUnwrap(),
          },
        });
      }
    }

cdk diff shows the following:

Stack EcsBackendService-Stack
Hold on while we create a read-only change set to get a diff with accurate replacement information (use --no-change-set to use a less accurate but faster template-only diff)
Resources
[~] AWS::ECS::TaskDefinition TaskDef TaskDef7C802DCD replace
 └─ [~] ContainerDefinitions (requires replacement)
     └─ @@ -104,29 +104,6 @@
        [ ]   }
        [ ] },
        [ ] {
        [-]   "Name": "SECRET2",
        [-]   "Value": {
        [-]     "Fn::Join": [
        [-]       "",
        [-]       [
        [-]         "{{resolve:secretsmanager:arn:",
        [-]         {
        [-]           "Ref": "AWS::Partition"
        [-]         },
        [-]         ":secretsmanager:",
        [-]         {
        [-]           "Ref": "AWS::Region"
        [-]         },
        [-]         ":",
        [-]         {
        [-]           "Ref": "AWS::AccountId"
        [-]         },
        [-]         ":secret:secret:SecretString:SECRET2::}}"
        [-]       ]
        [-]     ]
        [-]   }
        [-] },


✨  Number of stacks with differences: 1

so all looks good; however, cdk deploy fails with:

The stack named EcsBackendService-Stack failed to deploy: UPDATE_ROLLBACK_COMPLETE: Could not find a value associated with JSONKey in SecretString

Expected Behavior

The stack is updated without any issues to remove the old secret reference.

Observed Behavior

The stack named EcsBackendService-Stack failed to deploy: UPDATE_ROLLBACK_COMPLETE: Could not find a value associated with JSONKey in SecretString

Test Cases

Other Details

No response
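The failure reported above only surfaces once CloudFormation has started the update and rolled back. As an added example (not code from this issue, the CDK, or CloudFormation), the following TypeScript pre-deploy check walks a synthesized template, extracts every `{{resolve:secretsmanager:...}}` dynamic reference from plain strings and `Fn::Join` constructs, and reports JSON keys that are no longer present in the referenced secret. Everything here is assumed: the function names (`collectSecretRefs`, `findMissingKeys`), the template fragment, which is constructed to match the shape of the cdk diff output above, and the in-memory secret contents that stand in for a Secrets Manager lookup.

```typescript
// Added example, not code from the issue or from the CDK/CloudFormation projects:
// a pre-deploy check that walks a synthesized CloudFormation template, extracts
// every Secrets Manager dynamic reference ({{resolve:secretsmanager:...}}) and
// reports JSON keys that are no longer present in the secret. The template
// fragment and secret contents below are constructed for the example.

type Json = string | number | boolean | null | Json[] | { [key: string]: Json };

export interface SecretRef {
  secretName: string; // name part of the secret id or ARN
  jsonKey: string;    // key requested from SecretString ('' = whole string)
  location: string;   // JSON path of the template node, for the report
}

// Render a plain string or an Fn::Join into text. Pseudo-parameter Refs become
// ${Name} placeholders so a reference split across Fn::Join parts stays parseable.
// Other intrinsics (Fn::Sub, Fn::GetAtt, ...) are not rendered and return null.
function renderString(node: Json): string | null {
  if (typeof node === 'string') return node;
  if (node === null || typeof node !== 'object' || Array.isArray(node)) return null;
  const ref = node.Ref;
  if (typeof ref === 'string') return '${' + ref + '}';
  const join = node['Fn::Join'];
  if (!Array.isArray(join) || join.length !== 2) return null;
  const [delimiter, parts] = join;
  if (typeof delimiter !== 'string' || !Array.isArray(parts)) return null;
  const rendered = parts.map(renderString);
  return rendered.some((p) => p === null) ? null : rendered.join(delimiter);
}

// Reference layout: {{resolve:secretsmanager:SECRET-ID:SecretString:JSON-KEY:STAGE:ID}}.
// The secret id may itself be an ARN with colons, so split on the ':SecretString:' marker.
function parseSecretRef(body: string, location: string): SecretRef | null {
  const marker = ':SecretString:';
  const at = body.indexOf(marker);
  if (at < 0) return null; // SecretBinary or malformed: not a JSON-key lookup
  const secretId = body.slice(0, at);
  const jsonKey = body.slice(at + marker.length).split(':')[0];
  // ARN form: arn:PARTITION:secretsmanager:REGION:ACCOUNT:secret:NAME
  const arnMarker = ':secret:';
  const arnAt = secretId.indexOf(arnMarker);
  const secretName = secretId.indexOf('arn:') === 0 && arnAt >= 0
    ? secretId.slice(arnAt + arnMarker.length)
    : secretId;
  return { secretName, jsonKey, location };
}

export function collectSecretRefs(node: Json, location = '$'): SecretRef[] {
  const found: SecretRef[] = [];
  const text = renderString(node);
  if (text !== null) {
    // Non-greedy so the ${Name} placeholders inside the ARN do not end the match early.
    const re = /\{\{resolve:secretsmanager:(.*?)\}\}/g;
    let m: RegExpExecArray | null;
    while ((m = re.exec(text)) !== null) {
      const ref = parseSecretRef(m[1], location);
      if (ref !== null) found.push(ref);
    }
    return found; // an Fn::Join's parts were already consumed by renderString
  }
  if (Array.isArray(node)) {
    node.forEach((child, i) => found.push(...collectSecretRefs(child, `${location}[${i}]`)));
  } else if (node !== null && typeof node === 'object') {
    for (const key of Object.keys(node)) {
      found.push(...collectSecretRefs(node[key], `${location}.${key}`));
    }
  }
  return found;
}

// `secrets` maps secret name to the parsed SecretString JSON. It is an in-memory
// map here so the check runs offline; a real pre-deploy hook would fill it from
// the Secrets Manager GetSecretValue API for each referenced secret name.
export function findMissingKeys(
  template: Json,
  secrets: { [name: string]: { [key: string]: unknown } },
): SecretRef[] {
  return collectSecretRefs(template).filter((ref) => {
    const value = secrets[ref.secretName];
    if (value === undefined) return true; // unknown secret: report rather than guess
    return ref.jsonKey !== '' && !(ref.jsonKey in value);
  });
}

// One environment entry shaped like the ones in the issue's cdk diff output (constructed).
function secretEnvEntry(name: string, jsonKey: string): Json {
  return {
    Name: name,
    Value: {
      'Fn::Join': ['', [
        '{{resolve:secretsmanager:arn:', { Ref: 'AWS::Partition' }, ':secretsmanager:',
        { Ref: 'AWS::Region' }, ':', { Ref: 'AWS::AccountId' },
        ':secret:secret:SecretString:' + jsonKey + '::}}',
      ]],
    },
  };
}

// Constructed template: the registered task definition still references SECRET2 ...
export const SAMPLE_TEMPLATE: Json = {
  Resources: {
    TaskDef7C802DCD: {
      Type: 'AWS::ECS::TaskDefinition',
      Properties: {
        ContainerDefinitions: [{
          Name: 'backend',
          Environment: [secretEnvEntry('SECRET1', 'SECRET1'), secretEnvEntry('SECRET2', 'SECRET2')],
        }],
      },
    },
  },
};

// ... while the secret itself (constructed) now only holds SECRET1.
export const SAMPLE_SECRETS = { secret: { SECRET1: 'value1' } };

export const MISSING = findMissingKeys(SAMPLE_TEMPLATE, SAMPLE_SECRETS);
for (const ref of MISSING) {
  console.error(`refusing to deploy: secret "${ref.secretName}" has no key "${ref.jsonKey}" (${ref.location})`);
}
```

Run against the template that CloudFormation would try to roll back to (the one with SECRET2) before touching the secret, and the check flags the stale key with its path in the template instead of the `UPDATE_ROLLBACK_COMPLETE` failure. One caveat worth noting for the pattern in the report: `environment` with `unsafeUnwrap()` makes CloudFormation resolve the value into the registered task definition's plaintext environment, where anyone allowed to describe the task definition can read it; ECS's `secrets` container option (`ecs.Secret.fromSecretsManager(secret, 'SECRET1')` in the CDK) passes a reference that the ECS agent resolves at launch, so a missing JSON key would surface when the task starts rather than during the stack update.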