CircleCI-Public / aws-ecs-orb

An orb that simplifies deployment to Amazon's Elastic Container Service (ECS). Supports both EC2 and Fargate launch types.
https://circleci.com/orbs/registry/orb/circleci/aws-ecs
MIT License

Cannot update secret values consistently #210

Closed jackpeeplesPlayon closed 2 months ago

jackpeeplesPlayon commented 8 months ago

Orb version:

4.0.0

What happened:

When updating the task definition, if the secret already exists, it still appends it to the list of secrets, rather than updating the value

This is using the "container_secret_updates" tag over the update_task_definition command.

output from "register new task definition" step on circleci:

```
An error occurred (ClientException) when calling the RegisterTaskDefinition operation: Duplicate secret names found: testSecret. Each secret name must be unique.

Exited with code exit status 254
```

Expected behavior:

The values ought to upsert, not just insert. I should be able to run the same pipeline without changing the secret values, and still deploy.

Additional Information:

It appears to me like the issue is in this block, major pieces bolded. The environment map is not including secrets:

```python
try:
    secret_kv_pairs = container_secret_updates.split(',')
    for index, kv_pair in enumerate(secret_kv_pairs):
        kv = kv_pair.split('=')
        key = kv[0].strip()
        if key == 'container':
            container_name = kv[1].strip()
            secret_name_kv = secret_kv_pairs[index+1].split('=')
            secret_name = secret_name_kv[1].strip()
            secret_value_kv = secret_kv_pairs[index+2].split('=', maxsplit=1)
            secret_value = secret_value_kv[1].strip()
            if secret_name_kv[0].strip() != 'name' or secret_value_kv[0].strip() != 'valueFrom':
                raise ValueError(
                    'Container secret update parameter format is incorrect: ' + container_secret_updates)

            container_entry = container_map.get(container_name)
            if container_entry is None:
                raise ValueError('The container ' + container_name + ' is not defined in the existing task definition')
            container_index = container_entry['index']
            secret_entry = container_entry['environment_map'].get(secret_name)  # <- bolded in the original report
            if secret_entry is None:                                            # <- bolded in the original report
                # The existing container definition does not contain secrets variable
                if container_definitions[container_index].get('secrets') is None:
                    container_definitions[container_index]['secrets'] = []
                # The secrets variable does not exist in the existing container definition
                container_definitions[container_index]['secrets'].append({'name': secret_name, 'valueFrom': secret_value})
            else:
                secret_index = secret_entry['index']
                container_definitions[container_index]['secrets'][secret_index]['valueFrom'] = secret_value
        elif key and key not in ['container', 'name', 'valueFrom']:
            raise ValueError('Incorrect key found in secret updates parameter: ' + key)
except ValueError as value_error:
    raise value_error
except:
    raise Exception('Container secrets update parameter could not be processed; please check parameter value: ' + container_secret_updates)
```
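The upsert behaviour the report asks for, as an added stand-alone example (not the orb's own code): the `container_secret_updates` string is parsed into container/name/valueFrom triples and each secret is looked up by name in the container's `secrets` list rather than in the environment map, so running the same pipeline twice rewrites the entry instead of appending a duplicate. Container names, the ARNs and the `SAMPLE_DEFINITIONS` fragment are constructed placeholders, and the parser is stricter than the orb's (a stray `name=` or `valueFrom=` outside a triple is rejected).

```python
import copy

def parse_secret_updates(container_secret_updates):
    """Parse 'container=<c>,name=<n>,valueFrom=<arn>' triples into (container, name, valueFrom) tuples."""
    pairs = [p for p in container_secret_updates.split(',') if p.strip()]  # ignore a trailing comma
    updates = []
    i = 0
    while i < len(pairs):
        key, _, container = pairs[i].partition('=')
        if key.strip() != 'container':
            raise ValueError('Incorrect key found in secret updates parameter: ' + key.strip())
        if i + 2 >= len(pairs):
            raise ValueError('Container secret update parameter format is incorrect: ' + container_secret_updates)
        name_key, _, secret_name = pairs[i + 1].partition('=')
        value_key, _, value_from = pairs[i + 2].partition('=')  # first '=' only: the ARN may contain '='
        if name_key.strip() != 'name' or value_key.strip() != 'valueFrom':
            raise ValueError('Container secret update parameter format is incorrect: ' + container_secret_updates)
        updates.append((container.strip(), secret_name.strip(), value_from.strip()))
        i += 3  # name and valueFrom were consumed together with their container
    return updates

def upsert_container_secrets(container_definitions, container_secret_updates):
    """Return a copy of the container definitions with each secret updated in place, or appended if absent."""
    definitions = copy.deepcopy(container_definitions)
    by_name = {d['name']: d for d in definitions}
    for container, secret_name, value_from in parse_secret_updates(container_secret_updates):
        definition = by_name.get(container)
        if definition is None:
            raise ValueError('The container ' + container + ' is not defined in the existing task definition')
        secrets = definition.setdefault('secrets', [])
        # Look the name up in the 'secrets' list itself (not the environment map), so a re-run
        # with unchanged values overwrites the entry instead of appending a duplicate name.
        existing = next((s for s in secrets if s['name'] == secret_name), None)
        if existing is None:
            secrets.append({'name': secret_name, 'valueFrom': value_from})
        else:
            existing['valueFrom'] = value_from
    return definitions

# Constructed sample: one container with an existing secret (placeholder ARNs, not real resources).
SAMPLE_DEFINITIONS = [{'name': 'app', 'secrets': [
    {'name': 'testSecret', 'valueFrom': 'arn:aws:ssm:us-east-1:123456789012:parameter/old'}]}]
SAMPLE_UPDATE = 'container=app,name=testSecret,valueFrom=arn:aws:ssm:us-east-1:123456789012:parameter/new'

def demo():
    """Apply the same update twice, as a re-run pipeline would; both results hold a single 'testSecret'."""
    once = upsert_container_secrets(SAMPLE_DEFINITIONS, SAMPLE_UPDATE)
    twice = upsert_container_secrets(once, SAMPLE_UPDATE)
    return once, twice
```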

marboledacci commented 2 months ago

This should be fixed in this new version https://circleci.com/developer/orbs/orb/circleci/aws-ecs?version=5.1.0