How to handle Dynamic Secrets and Parameters for Container Definitions in ECS at same time

herculan0 · February 2, 2022, 8:48pm

I’m referencing existing secret versions in Secret manager by arn and creating string for parameter in secret manager with lookup.
I want to use both of them in the session’s secrets of my container_definitions.

  sorted_secrets_vars = [
    for key in local.sorted_secrets_keys :
    {
      name      = key
      valueFrom = "${data.aws_secretsmanager_secret.cofre.arn}:${lookup(local.secrets_as_map, key)}::"
    }
  ]

  sorted_parameters_vars = [
    for key in local.sorted_parameters_keys :
    {
      name      = key
      valueFrom = "arn:aws:ssm:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:parameter${lookup(local.parameters_as_map, key)}"
    }
  ]

final_secrets_vars     = merge(local.final_parameters, local.final_secrets)

My dev.json (using workspace) has the following code:

{
  "secrets": {
    "SECRET_1": "SECRET1",
    "SECRET_2": "SECRET2"
  },
  "parameters": {
    "PARAMETER_1": "/dev/parameter1",
    "PARAMETER_2": "/dev/parameter2"
  }
}

With merge function I’m getting the following error:

│     │ local.final_parameters is tuple with 2 elements
│     │ local.final_secrets is tuple with 2 elements
│ 
│ Call to function "merge" failed: arguments must be maps or objects, got "tuple".

How can I join local.final_parameters with local.final_secrets and have something like this?

final_secret_vars = [
   {
      name      = "PARAMETER_1"
      valueFrom = "arn:aws:ssm:us-east-1:12345678901:parameter/dev/parameter1"
    },
    {
      name      = "PARAMETER_2"
      valueFrom = "arn:aws:ssm:us-east-1:12345678901:parameter/dev/parameter2"
    },
    {
      name      = "SECRET_1"
      valueFrom = "arn:aws:secretsmanager:us-east-1:1234567890:secret:/dev/secret-1abCde:SECRET1::"
    },
    {
      name      = "SECRET_2"
      valueFrom = "arn:aws:secretsmanager:us-east-1:1234567890:secret:/dev/secret-1abCde:SECRET2::"
    },
]

ronaldmiranda · February 7, 2022, 4:35am

You cant do a merge of lists, only maps.
You can make a usage of flatten function to join one list with another.
here it is an example of what you can do, and some corrections that you can use the object iteration avoiding lookup functions :

locals {
  sorted_secrets_keys    = jsondecode(file("./secretkeys.json")).secrets
  sorted_parameters_keys = jsondecode(file("./secretkeys.json")).parameters

  sorted_secrets_vars = [
    for k, v in local.sorted_secrets_keys :
    {
      name      = k
      valueFrom = "arn:aws:secretsmanager:us-east-1:1234567890:secret:${v}::"
    }
  ]

  sorted_parameters_vars = [
    for k, v in local.sorted_parameters_keys :
    {
      name      = k
      valueFrom = "arn:aws:ssm:us-east-1:12345678901:parameter${v}"
    }
  ]

  final_secrets_vars = flatten([local.sorted_secrets_vars, local.sorted_parameters_vars])
}

output "final_secrets_vars" {
  value = local.final_secrets_vars
}

herculan0 · February 8, 2022, 1:34pm

Your solution works just fine, and I have the expected output, thanks!

Topic		Replies	Views
Enable secure access to secrets for AWS ECS containers using Terraform - ecs-secrets-manager module AWS	2	1941	September 20, 2022
Solution around updating dynamic secret values generated from vault to secrets/Env. variable in AWS parameter store Vault	0	151	May 27, 2023
Variable - dynamic object Terraform	5	2823	December 27, 2023
Kubernetes_secret dynamic assertion Terraform	0	268	July 25, 2022
Passing Dynamic value to a variable in terraform AWS	0	1395	July 23, 2020

How to handle Dynamic Secrets and Parameters for Container Definitions in ECS at same time

Related topics