hashicorp / terraform-aws-consul-ecs

Consul Service Mesh on AWS ECS (Elastic Container Service)
https://www.consul.io/docs/ecs
Mozilla Public License 2.0

GetSecretValue IAM permission for acl-controller #135

Open polewskm opened 2 years ago

polewskm commented 2 years ago

Module: acl-controller

Regarding secrets, currently the module has the following input variables:

The module then creates IAM permissions for the GetSecretValue action. Normally this works fine with secret ARNs that only contain a single value such as:

arn:aws:secretsmanager:<region>:<aws_account_id>:secret:<secret_name>

But when a secret with a JSON structure is used, then the ARN in the ECS task definition becomes:

arn:aws:secretsmanager:region:aws_account_id:secret:secret-name:json-key:version-stage:version-id

Unfortunately, the IAM permission fails (does not apply) when this type of secret ARN is used, and the acl-controller fails to start because it's unable to retrieve the secret value.

I was able to confirm this by manually updating the IAM policy to remove the :json-key:version-stage:version-id suffix, after which the acl-controller was able to start successfully.

How would it be possible to use secrets with ARNs that specify a JSON key?
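As an added illustration of the mismatch described above (this is example code, not the module's own Terraform or the reporter's configuration): ECS accepts a secret ARN with the trailing json-key, version-stage and version-id selectors, but those selectors are only meaningful to ECS. The function below strips them back to the bare secret ARN before the value is placed in an IAM Resource element, which is the assumption behind the reporter's observation that removing the suffix makes the policy apply. All ARNs, account ids and secret names are constructed sample values; the "-AbCdEf" tail stands in for the random suffix Secrets Manager appends to secret names.

```python
"""Derive least-privilege IAM resources from ECS task-definition secret ARNs."""
import json
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Constructed sample values (not from the issue or the module). The "-AbCdEf"
# tail stands in for the random suffix Secrets Manager appends to secret names.
PLAIN_ARN = (
    "arn:aws:secretsmanager:us-east-1:123456789012:secret:consul/bootstrap-token-AbCdEf"
)
JSON_KEY_ARN = (
    "arn:aws:secretsmanager:us-east-1:123456789012:secret:consul/acl-AbCdEf"
    ":bootstrap_token:AWSCURRENT:"
)


@dataclass(frozen=True)
class SecretRef:
    """A secret reference as ECS accepts it in a task definition."""
    base_arn: str                       # what the IAM Resource element should name
    json_key: Optional[str] = None      # ECS-only selector, not part of the ARN
    version_stage: Optional[str] = None
    version_id: Optional[str] = None


def parse_secret_ref(arn: str) -> SecretRef:
    """Split an ECS secret ARN into the bare secret ARN and the ECS selectors.

    Secret names cannot contain ':', so the six leading ARN fields are fixed and
    everything after the name is, at most, json-key:version-stage:version-id.
    """
    fields = arn.split(":", 6)
    if (len(fields) != 7 or fields[0] != "arn"
            or fields[2] != "secretsmanager" or fields[5] != "secret"):
        raise ValueError(f"not a Secrets Manager secret ARN: {arn!r}")
    name, *selectors = fields[6].split(":")
    if not name:
        raise ValueError(f"secret ARN has an empty secret name: {arn!r}")
    if len(selectors) > 3:
        raise ValueError(f"too many ':'-separated selectors after the secret name: {arn!r}")
    selectors += [""] * (3 - len(selectors))   # pad to json-key, stage, id
    json_key, version_stage, version_id = (s or None for s in selectors)
    return SecretRef(
        base_arn=":".join(fields[:6] + [name]),
        json_key=json_key,
        version_stage=version_stage,
        version_id=version_id,
    )


def iam_resources(arns: Iterable[str]) -> List[str]:
    """Unique bare secret ARNs, in first-seen order, for a policy Resource list."""
    seen: List[str] = []
    for arn in arns:
        base = parse_secret_ref(arn).base_arn
        if base not in seen:
            seen.append(base)
    return seen


def get_secret_value_statement(arns: Iterable[str]) -> dict:
    """Build the single IAM statement the controller's task role needs."""
    return {
        "Effect": "Allow",
        "Action": "secretsmanager:GetSecretValue",
        "Resource": iam_resources(arns),
    }


if __name__ == "__main__":
    stmt = get_secret_value_statement([PLAIN_ARN, JSON_KEY_ARN])
    print(json.dumps({"Version": "2012-10-17", "Statement": [stmt]}, indent=2))
```

The same normalization applies whether the suffix carries a JSON key, a version stage, a version id or any combination of the three: the ECS task definition keeps the full reference, while the task role's policy only ever names the bare secret. Rejecting ARNs that are not Secrets Manager secret ARNs keeps the generated policy from silently granting GetSecretValue on a malformed resource string.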

v-rosa commented 1 year ago

Hello @polewskm, as a workaround I guess you can leverage this feature recently merged: https://github.com/hashicorp/terraform-aws-consul-ecs/pull/151