Add secrets prop for sensitive data

ikovac · ikovac · commit 27a3f7bcda06 · 2023-10-19T10:42:41.000+02:00
diff --git a/README.md b/README.md
@@ -131,6 +131,7 @@ export type WebServerService = {
   environment?:
     | aws.ecs.KeyValuePair[]
     | ((services: Services) => aws.ecs.KeyValuePair[]);
+  secrets?: aws.ecs.Secret[];
   image: pulumi.Input<string>;
   port: pulumi.Input<number>;
   domain: pulumi.Input<string>;
@@ -181,6 +182,27 @@ const project = new studion.Project('demo-project', {
 });
 ```
 
+In order to pass sensitive information to the container use `secrets` instead of `environment`. AWS will fetch values from
+Secret Manager based on arn that is provided for the `valueFrom` field.
+
+```ts
+const project = new studion.Project('demo-project', {
+  environment: 'DEVELOPMENT',
+  services: [
+    {
+      type: 'WEB_SERVER',
+      serviceName: 'api',
+      image: imageUri,
+      port: 3000,
+      domain: 'api.my-domain.com',
+      secrets: [
+        { name: 'DB_PASSWORD', valueFrom: 'arn-of-the-secret-manager-secret' },
+      ],
+    },
+  ],
+});
+```
+
 ### Database
 
 AWS RDS Postgres instance.
@@ -331,6 +353,7 @@ export type WebServerArgs = {
   maxCount?: pulumi.Input<number>;
   size?: pulumi.Input<Size>;
   environment?: aws.ecs.KeyValuePair[];
+  secrets?: aws.ecs.Secret[];
   healtCheckPath?: pulumi.Input<string>;
   taskExecutionRoleInlinePolicies?: pulumi.Input<
     pulumi.Input<RoleInlinePolicy>[]
@@ -444,3 +467,4 @@ const project = new studion.Project('demo-project', {
 
 - [ ] Add worker service for executing tasks
 - [ ] Add MongoDB service
+- [ ] Make db username & password fields optional and autogenerate db username & password if they are not provided
diff --git a/src/components/web-server.ts b/src/components/web-server.ts
@@ -82,9 +82,16 @@ export type WebServerArgs = {
    */
   size?: pulumi.Input<Size>;
   /**
-   * The environment variables to pass to a container. Defaults to [].
+   * The environment variables to pass to a container. Don't use this field for
+   * sensitive information such as passwords, API keys, etc. For that purpose,
+   * please use the `secrets` property.
+   * Defaults to [].
    */
   environment?: aws.ecs.KeyValuePair[];
+  /**
+   * The secrets to pass to the container. Defaults to [].
+   */
+  secrets?: aws.ecs.Secret[];
   /**
    * Path for the health check request. Defaults to "/healtcheck".
    */
@@ -107,6 +114,7 @@ const defaults = {
   maxCount: 10,
   size: 'small',
   environment: [],
+  secrets: [],
   healtCheckPath: '/healtcheck',
   taskExecutionRoleInlinePolicies: [],
   taskRoleInlinePolicies: [],
@@ -267,6 +275,21 @@ export class WebServer extends pulumi.ComponentResource {
       { parent: this },
     );
 
+    const secretManagerSecretsInlinePolicy = {
+      name: `${name}-secret-manager-access`,
+      policy: JSON.stringify({
+        Version: '2012-10-17',
+        Statement: [
+          {
+            Sid: 'AllowContainerToGetSecretManagerSecrets',
+            Effect: 'Allow',
+            Action: ['secretsmanager:GetSecretValue'],
+            Resource: '*',
+          },
+        ],
+      }),
+    };
+
     const taskExecutionRole = new aws.iam.Role(
       `${name}-ecs-task-exec-role`,
       {
@@ -276,7 +299,10 @@ export class WebServer extends pulumi.ComponentResource {
           'arn:aws:iam::aws:policy/CloudWatchFullAccess',
           'arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryFullAccess',
         ],
-        inlinePolicies: argsWithDefaults.taskExecutionRoleInlinePolicies,
+        inlinePolicies: [
+          secretManagerSecretsInlinePolicy,
+          ...argsWithDefaults.taskExecutionRoleInlinePolicies,
+        ],
       },
       { parent: this },
     );
@@ -344,11 +370,20 @@ export class WebServer extends pulumi.ComponentResource {
             argsWithDefaults.image,
             argsWithDefaults.port,
             argsWithDefaults.environment,
+            argsWithDefaults.secrets,
             this.logGroup.name,
             awsRegion,
           ])
           .apply(
-            ([containerName, image, port, environment, logGroup, region]) => {
+            ([
+              containerName,
+              image,
+              port,
+              environment,
+              secrets,
+              logGroup,
+              region,
+            ]) => {
               return JSON.stringify([
                 {
                   readonlyRootFilesystem: false,
@@ -370,6 +405,7 @@ export class WebServer extends pulumi.ComponentResource {
                     },
                   },
                   environment,
+                  secrets,
                 },
               ] as ContainerDefinition[]);
             },
