terraform-aws-modules / terraform-aws-app-runner

Terraform module to create AWS App Runner resources 🇺🇦
https://registry.terraform.io/modules/terraform-aws-modules/app-runner/aws
Apache License 2.0

feat: Add support for runtime_environment_secrets #5

Closed Antvirf closed 1 year ago

Antvirf commented 1 year ago

Description

Changes in main.tf - supporting runtime_environment_secrets

Lines 114, 146

Add the runtime_environment_secrets map to aws_apprunner_service, if provided. Following exactly the same syntax as existing lines for runtime_environment_variables.

This map expects the desired name of a secret for your app runner as the KEY, and the ARN of that secret (as per your Secrets Manager or Systems Manager param store).

Changes in main.tf - fixing create_instance_iam_role

Line 38

With the previous code, create_instance_iam_role in my view does not work as expected - it may get created if set to true, but only gets properly applied if the user also chose to provide an instance_configuration, as the role ARN for the instance profile of your app runner service is set inside that object. If the user does not provide any instance_configuration objects, the IAM role doesn't get linked to the App Runner service (regardless of create_instance_iam_role being true).

This change had to be made as after adding the initial bits to send secrets and trying it out, App Runner replied with:

Error: error creating App Runner Service (ex-complete-image-base): InvalidRequestException: Instance Role have to be provided if passing in RuntimeEnvironmentSecrets.
    with module.app_runner_image_base.aws_apprunner_service.this[0],
    on ../../main.tf line 11, in resource "aws_apprunner_service" "this":
    11: resource "aws_apprunner_service" "this" {

As mentioned in the AWS docs for secrets with App Runner, in order to provide runtime_environment_secrets, it is also mandatory to provide an IAM instance profile. This effectively means that the user has to set create_instance_iam_role = true when they want to provide runtime environment secrets, but if they forgo creating an instance_configuration, the apply fails anyway. The change addresses this problem.

If you have suggestions on how we could enforce this - i.e. fail terraform validate if create_instance_iam_role=false when providing environment secrets - I'm happy to add that in as well.

Changes in versions.tf - bumping AWS provider minimum version to 4.51

The relevant change to the provider itself to support environment secrets was done in this version, see closed PR #28871 in terraform-provider-aws adding support to aws_apprunner_service object in v4.51.

Motivation and Context

It is a very common use case for App Runner users to need to provide runtime secrets, and as this is already supported by the AWS Terraform provider, it is relatively straightforward for us to also add this in to the module.

As this is a relatively minor change, I just extended the complete examples and added the relevant parameters to the 2 image-based examples (as the GitHub-based one would override the values from the hello-app-runner repo). I've executed the example and it seems to work.

As the examples didn't currently cover runtime_environment_variables, I thought it best to add those in as well as the functionality is very similar and they show up in the same spot in the App Runner console.

Breaking Changes

I don't believe so.

How Has This Been Tested?

References
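Added example (not code from this PR or from the module): the same configuration the PR describes, written directly against the aws_apprunner_service resource so the three pieces are visible in one place. Secrets are passed by ARN in runtime_environment_secrets rather than as plaintext in runtime_environment_variables; the instance role that App Runner assumes at start-up to resolve them is granted read access to exactly those ARNs and nothing else; and a lifecycle precondition turns the runtime "Instance Role have to be provided" InvalidRequestException quoted above into a plan-time error whenever secrets are supplied without an instance role, which is the enforcement the PR author asks about. The resource and variable names, the placeholder account id and ARNs, and the use of the public hello-app-runner image are assumptions; it needs AWS provider >= 4.51 (as the PR states) and Terraform >= 1.3 for startswith().

```hcl
variable "runtime_environment_secrets" {
  description = "Secret name as seen by the container => ARN of a Secrets Manager secret or SSM parameter"
  type        = map(string)
  default = {
    # Constructed placeholder ARNs in a fake account (111122223333); replace with your own.
    DB_PASSWORD = "arn:aws:secretsmanager:us-east-1:111122223333:secret:example/db-password-AbCdEf"
    API_TOKEN   = "arn:aws:ssm:us-east-1:111122223333:parameter/example/api-token"
  }
}

variable "create_instance_iam_role" {
  description = "Create and attach the instance role App Runner needs to read the secrets"
  type        = bool
  default     = true
}

locals {
  # Split the ARNs by service so each IAM statement only names what it needs.
  secret_arns = [for arn in values(var.runtime_environment_secrets) : arn if startswith(arn, "arn:aws:secretsmanager:")]
  param_arns  = [for arn in values(var.runtime_environment_secrets) : arn if startswith(arn, "arn:aws:ssm:")]
}

# The instance role is assumed by the running service (tasks.apprunner.amazonaws.com),
# not by the build/deploy side of App Runner.
data "aws_iam_policy_document" "instance_assume" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["tasks.apprunner.amazonaws.com"]
    }
  }
}

resource "aws_iam_role" "instance" {
  count              = var.create_instance_iam_role ? 1 : 0
  name               = "example-apprunner-instance"
  assume_role_policy = data.aws_iam_policy_document.instance_assume.json
}

# Least privilege: read only the secrets and parameters actually referenced by the service.
data "aws_iam_policy_document" "read_secrets" {
  dynamic "statement" {
    for_each = length(local.secret_arns) > 0 ? [1] : []
    content {
      actions   = ["secretsmanager:GetSecretValue"]
      resources = local.secret_arns
    }
  }
  dynamic "statement" {
    for_each = length(local.param_arns) > 0 ? [1] : []
    content {
      actions   = ["ssm:GetParameters"]
      resources = local.param_arns
    }
  }
}

resource "aws_iam_role_policy" "read_secrets" {
  count  = var.create_instance_iam_role ? 1 : 0
  role   = aws_iam_role.instance[0].id
  policy = data.aws_iam_policy_document.read_secrets.json
}

resource "aws_apprunner_service" "this" {
  service_name = "example"

  source_configuration {
    auto_deployments_enabled = false # required to be false for ECR_PUBLIC images
    image_repository {
      image_repository_type = "ECR_PUBLIC"
      image_identifier      = "public.ecr.aws/aws-containers/hello-app-runner:latest"
      image_configuration {
        port = "8000"
        # Non-sensitive settings are plain values and show up in state and the console ...
        runtime_environment_variables = { LOG_LEVEL = "info" }
        # ... secrets are ARNs only; App Runner resolves them via the instance role at start-up.
        runtime_environment_secrets = var.runtime_environment_secrets
      }
    }
  }

  # Attach the role whenever it was created, independent of any other instance settings.
  dynamic "instance_configuration" {
    for_each = var.create_instance_iam_role ? [1] : []
    content {
      instance_role_arn = aws_iam_role.instance[0].arn
    }
  }

  lifecycle {
    # Fail at plan time instead of letting the API reject the service at apply time.
    precondition {
      condition     = length(var.runtime_environment_secrets) == 0 || var.create_instance_iam_role
      error_message = "runtime_environment_secrets requires an instance role: set create_instance_iam_role = true."
    }
  }
}
```

Running terraform plan with create_instance_iam_role = false and a non-empty secrets map stops on the precondition's error_message; with the default true the plan proceeds and the service gets a role that can read only the listed ARNs. One caveat: if a secret or parameter is encrypted with a customer-managed KMS key, the instance role additionally needs kms:Decrypt on that key, which this example does not grant.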

antonbabenko commented 1 year ago

This PR is included in version 1.2.0 🎉

github-actions[bot] commented 1 year ago

I'm going to lock this pull request because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems related to this change, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.