telia-oss / terraform-aws-ecs-fargate

Terraform module which creates Fargate ECS resources on AWS.
https://registry.terraform.io/modules/telia-oss/ecs-fargate/aws
MIT License

Fix/secrets policies #74

Closed feraudet closed 1 year ago

feraudet commented 1 year ago

Hey,

In some cases we may have to access a specific secret key by adding the key name at the end of the secret ARN, e.g.:

task_container_secrets = [
  { name = "AUTH_KEY", valueFrom = "arn:aws:secretsmanager:eu-west-1:123456789012:secret:secret-id:mykey::" }
]

But the read_task_container_secrets policy would only contain the secret ARN without the key name: arn:aws:secretsmanager:eu-west-1:123456789012:secret:secret-id

That is what this PR is fixing.

larstobi commented 1 year ago

Thanks, @feraudet !

It's not entirely clear to me what the replace() with regex does. Could you please explain it, preferably as a comment in the source code, for documentation purposes.

Also, how is this not possible by passing in the specified key name as input to valueFrom?

feraudet commented 1 year ago

Hello @larstobi. When a secret is JSON based:

{
  "key1": "value1",
  "key2": "value2"
}

it's possible to specify a key to select a subpart like this:

valueFrom = "arn:aws:secretsmanager:eu-west-1:123456789012:secret:secret-id:key1::"

But in the IAM policy you don't need the :key1:: part. That's what the regex/replace removes.
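
The following is an added example of the ARN normalisation discussed in this thread; it is not the module's code and not the exact expression from the PR (the diff is not reproduced here). It assumes the standard Secrets Manager ARN layout of seven colon-separated fields and treats anything after the seventh field (the ":json-key:version-stage:version-id" selector that ECS accepts in valueFrom) as not belonging to the IAM resource. The variable default is a constructed sample input; the variable, local and data-source names are hypothetical.

```hcl
# Added example, not part of the telia-oss/terraform-aws-ecs-fargate module.
# Derives the IAM resource ARNs for task container secrets, stripping the
# ECS-only ":json-key:version-stage:version-id" suffix from Secrets Manager ARNs.

variable "task_container_secrets" {
  description = "Constructed sample input; valueFrom may carry a JSON key suffix."
  type = list(object({
    name      = string
    valueFrom = string
  }))
  default = [
    # JSON-key selector appended to the secret ARN (the case raised in the PR)
    { name = "AUTH_KEY", valueFrom = "arn:aws:secretsmanager:eu-west-1:123456789012:secret:secret-id:mykey::" },
    # plain secret ARN with the usual 6-character random suffix, no selector
    { name = "DB_PASS", valueFrom = "arn:aws:secretsmanager:eu-west-1:123456789012:secret:db-creds-AbCdEf" },
    # SSM parameter ARN: only 6 fields, so the regex below does not match and it is left unchanged
    { name = "SSM_PARAM", valueFrom = "arn:aws:ssm:eu-west-1:123456789012:parameter/my/param" },
  ]
}

locals {
  # A Secrets Manager ARN has exactly 7 colon-separated fields:
  #   arn:aws:secretsmanager:<region>:<account-id>:secret:<secret-id>
  # ECS additionally allows ":<json-key>:<version-stage>:<version-id>" after the
  # 7th field to pick one key out of a JSON secret. IAM evaluates the policy
  # against the real resource ARN, so that selector must not end up in the
  # policy's Resource element.
  #
  # The regex captures the first 7 fields (6 "field:" groups plus one trailing
  # field) into $1 and discards the rest. An ARN with fewer than 7 fields does
  # not match, so replace() returns it unchanged.
  secret_resource_arns = distinct([
    for s in var.task_container_secrets :
    replace(s.valueFrom, "/^((?:[^:]*:){6}[^:]*).*$/", "$1")
  ])
}

data "aws_iam_policy_document" "read_task_container_secrets" {
  statement {
    effect    = "Allow"
    actions   = ["secretsmanager:GetSecretValue", "ssm:GetParameters"]
    resources = local.secret_resource_arns
  }
}

output "secret_resource_arns" {
  description = "Resource ARNs that will appear in the task execution role policy."
  value       = local.secret_resource_arns
}
```

With the sample input, the AUTH_KEY entry is reduced to arn:aws:secretsmanager:eu-west-1:123456789012:secret:secret-id while the other two entries pass through untouched. Keeping the selector out of the policy matters in both directions: with it, the execution role is denied GetSecretValue and the task fails to start; stripping it grants access to the whole secret, which is the actual granularity IAM offers, so the JSON key only limits what ECS injects, not what the role can read.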

feraudet commented 1 year ago

Hey @larstobi, any chance to see my PR merged? Thanks in advance, Cyril