Any plans for adding support for AWS Secrets now supported in Fargate platform version 1.3

awslabs / fargatecli

CLI for AWS Fargate

Apache License 2.0

894 stars 114 forks source link

Any plans for adding support for AWS Secrets now supported in Fargate platform version 1.3 #80

Open jeberly opened 5 years ago

jeberly commented 5 years ago

Just curious if there are any plans to support this or best approach to consume them. Eg. just edit Task Definition.

https://aws.amazon.com/about-aws/whats-new/2018/12/aws-fargate-platform-version-1-3-adds-secrets-support/

Thanks!

nodesocket commented 5 years ago

Just created a related issue https://github.com/jpignata/fargate/issues/93. Currently if you use fargate cli and issue a service deploy it deletes any secrets previous defined in a task definition. This is a blocker for us until it get resolved.

nodesocket commented 5 years ago

@jpignata @jeberly @holyjak @billdavidson4 I am willing to open a paid bounty for this feature as we require it. Essentially seems like existing secrets from the secrets array need to be copied from the previous task definition as well as adding the following to the requiresAttributes array in the task definition.

{
      "targetId": null,
      "targetType": null,
      "value": null,
      "name": "ecs.capability.secrets.ssm.environment-variables"
}

jritsema commented 5 years ago

@nodesocket just fyi, that our fork has support for secrets in service deploy as well as env set.

curl -s get-fargate.turnerlabs.io | sh

nodesocket commented 5 years ago

@jritsema wow, how did I not come across your fork before? This looks awesome. Looks like the deploy command is slightly different.

Current:

fargate --region "$AWS_REGION" --cluster "$ECS_CLUSTER_NAME" service deploy "$ECS_SERVICE_NAME" --image "$ECR_REPO/$NAME:$GIT_HASH"

Your fork:

fargate --region "$AWS_REGION" --cluster "$ECS_CLUSTER_NAME" --service "$ECS_SERVICE_NAME" service deploy --image "$ECR_REPO/$NAME:$GIT_HASH"

I will give your fork a try today.

jritsema commented 5 years ago

Yes, it is slightly different. The reason we moved the service argument is so you can maintain a fargate.yml file (or $FARGATE_X envvars) and not have to specify the cluster, service, task, etc. for each command.

cluster: my-cluster
service: my-service
task: my-task-family
rule: my-cloudwatch-event-rule

export AWS_DEFAULT_REGION=us-east-1
fargate service deploy --image "$ECR_REPO/$NAME:$GIT_HASH"
fargate service env set --secret PASSWORD=xyz
fargate service info
fargate service logs