Closed Antvirf closed 1 year ago
This PR is included in version 1.2.0 :tada:
I'm going to lock this pull request because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems related to this change, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.
## Description

**Changes in `main.tf` - supporting `runtime_environment_secrets`** (lines 114, 146)

Add the `runtime_environment_secrets` map to `aws_apprunner_service`, if provided. Following exactly the same syntax as existing lines for `runtime_environment_variables`. This map expects the desired name of a secret for your app runner as the KEY, and the ARN of that secret (as per your Secrets Manager or Systems Manager param store).

**Changes in `main.tf` - fixing `create_iam_instance_role`** (line 38)

With the previous code, `create_instance_iam_role` in my view does not work as expected - it may get created if set to true, but only gets properly applied if the user also chose to provide an `instance_configuration`, as the role ARN for the instance profile of your app runner service is set inside that object. If the user does not provide any `instance_configuration` objects, the IAM role doesn't get linked to the App Runner service (regardless of `create_instance_iam_role` being true). This change had to be made as after adding the initial bits to send secrets and trying it out, App Runner replied with:

As mentioned in AWS docs for secrets with App Runner, in order to provide `runtime_environment_secrets`, it is mandatory to provide also an IAM instance profile. This effectively means that the user has to set `create_instance_iam_role = true` when they want to provide runtime environment secrets, but if they forgo creating an `instance_configuration`, the apply fails anyway. The change addresses this problem. If you have suggestions how we could enforce this - i.e. fail `terraform validate` if `create_instance_iam_role=false` when providing environment secrets, I'm happy to add that in as well.

**Changes in `versions.tf` - bumping AWS provider minimum version to `4.51`**

The relevant change to the provider itself to support environment secrets was done in this version, see closed PR #28871 in `terraform-provider-aws` adding support to the `aws_apprunner_service` object in v4.51.

## Motivation and Context

It is a very common use case for App Runner users to need to provide runtime secrets, and as this is already supported by the AWS Terraform provider, it is relatively straightforward for us to also add this in to the module.

As this is a relatively minor change, I just extended the complete examples and added the relevant parameters to the 2 image-based examples (as the GitHub-based one would override the values from the hello-app-runner repo). I've executed the example and it seems to work.

As the examples didn't currently cover `runtime_environment_variables`, I thought it best to add those in as well as the functionality is very similar and they show up in the same spot in the App Runner console.

## Breaking Changes

I don't believe so.

## How Has This Been Tested?

- `examples/*` to demonstrate and validate my change(s)
- `examples/*` projects
- `pre-commit run -a` on my pull request

## References
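The following is an added, stand-alone example (not the module's code and not from this PR) of what the description above is wiring up: an `aws_apprunner_service` that injects secrets through `runtime_environment_secrets`, the IAM instance role that App Runner requires for that, and two guards for the failure mode the author describes (secrets provided without an instance role). The variable names `create_instance_iam_role` and `runtime_environment_secrets` mirror the PR's terms but are local assumptions here, the IAM actions are the ones the App Runner documentation lists for reading Secrets Manager secrets and SSM parameters, and all names and ARNs are placeholders.

```hcl
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 4.51" # first version with runtime_environment_secrets (provider PR #28871)
    }
  }
}

variable "create_instance_iam_role" {
  type    = bool
  default = true
}

# KEY = environment variable name inside the container,
# VALUE = ARN of a Secrets Manager secret or SSM parameter (never the secret value itself).
variable "runtime_environment_secrets" {
  type    = map(string)
  default = {}

  # Checked by `terraform validate`: reject anything that is not an ARN, so a
  # plaintext secret pasted in by mistake never lands in state or in the service.
  validation {
    condition = alltrue([
      for v in values(var.runtime_environment_secrets) :
      can(regex("^arn:aws[a-zA-Z-]*:(secretsmanager|ssm):", v))
    ])
    error_message = "Values of runtime_environment_secrets must be Secrets Manager or SSM parameter ARNs."
  }
}

# Trust policy for the instance role: App Runner tasks assume it at runtime.
data "aws_iam_policy_document" "instance_assume" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["tasks.apprunner.amazonaws.com"]
    }
  }
}

resource "aws_iam_role" "instance" {
  count              = var.create_instance_iam_role ? 1 : 0
  name               = "example-apprunner-instance" # placeholder name
  assume_role_policy = data.aws_iam_policy_document.instance_assume.json
}

# Least privilege: the role may read exactly the secrets handed to the service, nothing else.
resource "aws_iam_role_policy" "read_secrets" {
  count = var.create_instance_iam_role && length(var.runtime_environment_secrets) > 0 ? 1 : 0
  role  = aws_iam_role.instance[0].id
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect   = "Allow"
      Action   = ["secretsmanager:GetSecretValue", "ssm:GetParameters"]
      Resource = values(var.runtime_environment_secrets)
    }]
  })
}

resource "aws_apprunner_service" "this" {
  service_name = "example" # placeholder

  source_configuration {
    auto_deployments_enabled = false
    image_repository {
      image_repository_type = "ECR_PUBLIC"
      image_identifier      = "public.ecr.aws/aws-containers/hello-app-runner:latest"
      image_configuration {
        port                        = "8000"
        runtime_environment_secrets = var.runtime_environment_secrets
      }
    }
  }

  # Always emitted, so the role is linked even when the caller supplies no
  # instance_configuration of their own (the second fix the PR describes).
  instance_configuration {
    instance_role_arn = var.create_instance_iam_role ? aws_iam_role.instance[0].arn : null
  }

  lifecycle {
    # Evaluated at plan time (not by `terraform validate`): fail early on the
    # combination App Runner itself rejects at apply time.
    precondition {
      condition     = length(var.runtime_environment_secrets) == 0 || var.create_instance_iam_role
      error_message = "runtime_environment_secrets requires create_instance_iam_role = true (App Runner needs an instance profile to read secrets)."
    }
  }
}
```

On the enforcement question raised in the description: a `validation` block on a variable can only reference that variable, so the cross-variable rule (secrets given but no role) cannot fail `terraform validate` this way; the `precondition` above catches it at `terraform plan`, which is still before anything is created. The ARN-shape check does run at validate time and addresses a different risk, a secret value being committed where an ARN belongs.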