fix(ecs): using secret JSON field with fargate task does not fail

For tasks that use the Fargate launch type, it is only supported to inject
the full contents of a secret as an environment variable. Specifying a specific
JSON key or version is not supported at this time.

Also clean up/refactor a bit.

See https://docs.aws.amazon.com/AmazonECS/latest/userguide/specifying-sensitive-data-secrets.html#secrets-considerations

Closes #7272

Author: jogold

packages/@aws-cdk/aws-ecs/lib/base/task-definition.ts

@@ -477,7 +477,7 @@ export class TaskDefinition extends TaskDefinitionBase {
       }
     }
 
-    return this.containers.map(x => x.renderContainerDefinition(this));
+    return this.containers.map(x => x.renderContainerDefinition());
   }
 }
 

packages/@aws-cdk/aws-ecs/lib/container-definition.ts

@@ -36,11 +36,24 @@ export abstract class Secret {
   public static fromSecretsManager(secret: secretsmanager.ISecret, field?: string): Secret {
     return {
       arn: field ? `${secret.secretArn}:${field}::` : secret.secretArn,
+      hasField: true,
       grantRead: grantee => secret.grantRead(grantee),
     };
   }
 
+  /**
+   * The ARN of the secret
+   */
   public abstract readonly arn: string;
+
+  /**
+   * Whether this secret uses a specific JSON field
+   */
+  public abstract readonly hasField?: boolean;
+
+  /**
+   * Grants reading the secret to a principal
+   */
   public abstract grantRead(grantee: iam.IGrantable): iam.Grant;
 }
 
@@ -519,9 +532,9 @@ export class ContainerDefinition extends cdk.Construct {
   /**
    * Render this container definition to a CloudFormation object
    *
-   * @param taskDefinition [disable-awslint:ref-via-interface] (made optional to avoid breaking change)
+   * @param _taskDefinition [disable-awslint:ref-via-interface] (unused but kept to avoid breaking change)
    */
-  public renderContainerDefinition(taskDefinition?: TaskDefinition): CfnTaskDefinition.ContainerDefinitionProperty {
+  public renderContainerDefinition(_taskDefinition?: TaskDefinition): CfnTaskDefinition.ContainerDefinitionProperty {
     return {
       command: this.props.command,
       cpu: this.props.cpu,
@@ -551,23 +564,35 @@ export class ContainerDefinition extends cdk.Construct {
       workingDirectory: this.props.workingDirectory,
       logConfiguration: this.logDriverConfig,
       environment: this.props.environment && renderKV(this.props.environment, 'name', 'value'),
-      secrets: this.props.secrets && Object.entries(this.props.secrets)
-        .map(([k, v]) => {
-          if (taskDefinition) {
-            v.grantRead(taskDefinition.obtainExecutionRole());
-          }
-          return {
-            name: k,
-            valueFrom: v.arn
-          };
-        }),
+      secrets: this.renderSecrets(),
       extraHosts: this.props.extraHosts && renderKV(this.props.extraHosts, 'hostname', 'ipAddress'),
       healthCheck: this.props.healthCheck && renderHealthCheck(this.props.healthCheck),
       links: cdk.Lazy.listValue({ produce: () => this.links }, { omitEmpty: true }),
       linuxParameters: this.linuxParameters && this.linuxParameters.renderLinuxParameters(),
       resourceRequirements: (this.props.gpuCount !== undefined) ? renderResourceRequirements(this.props.gpuCount) : undefined,
     };
   }
+
+  private renderSecrets(): CfnTaskDefinition.SecretProperty[] | undefined {
+    if (!this.props.secrets) {
+      return undefined;
+    }
+
+    const secrets: CfnTaskDefinition.SecretProperty[] = [];
+
+    for (const [k, v] of Object.entries(this.props.secrets)) {
+      if (this.taskDefinition.isFargateCompatible && v.hasField) {
+        throw new Error(`Cannot specify secret JSON field for a task using the FARGATE launch type: '${k}' in container '${this.node.id}'`);
+      }
+      v.grantRead(this.taskDefinition.obtainExecutionRole());
+      secrets.push({
+        name: k,
+        valueFrom: v.arn
+      });
+    }
+
+    return secrets;
+  }
 }
 
 /**

packages/@aws-cdk/aws-ecs/package.json

@@ -137,8 +137,6 @@
       "docs-public-apis:@aws-cdk/aws-ecs.GelfCompressionType.GZIP",
       "docs-public-apis:@aws-cdk/aws-ecs.WindowsOptimizedVersion.SERVER_2016",
       "docs-public-apis:@aws-cdk/aws-ecs.WindowsOptimizedVersion.SERVER_2019",
-      "docs-public-apis:@aws-cdk/aws-ecs.Secret.arn",
-      "docs-public-apis:@aws-cdk/aws-ecs.Secret.grantRead",
       "props-default-doc:@aws-cdk/aws-ecs.AppMeshProxyConfigurationProps.egressIgnoredIPs",
       "props-default-doc:@aws-cdk/aws-ecs.AppMeshProxyConfigurationProps.egressIgnoredPorts",
       "props-default-doc:@aws-cdk/aws-ecs.AppMeshProxyConfigurationProps.ignoredGID",

packages/@aws-cdk/aws-ecs/test/fargate/integ.secret-json-key.expected.json renamed to packages/@aws-cdk/aws-ecs/test/ec2/integ.secret-json-field.expected.json

@@ -33,6 +33,7 @@
           {
             "Essential": true,
             "Image": "amazon/amazon-ecs-sample",
+            "Memory": 256,
             "Name": "web",
             "Secrets": [
               {
@@ -52,18 +53,16 @@
             ]
           }
         ],
-        "Cpu": "512",
         "ExecutionRoleArn": {
           "Fn::GetAtt": [
             "TaskDefExecutionRoleB4775C97",
             "Arn"
           ]
         },
-        "Family": "awsecsintegsecretjsonkeyTaskDefC01C0E99",
-        "Memory": "1024",
-        "NetworkMode": "awsvpc",
+        "Family": "awsecsintegsecretjsonfieldTaskDef1C2EE990",
+        "NetworkMode": "bridge",
         "RequiresCompatibilities": [
-          "FARGATE"
+          "EC2"
         ],
         "TaskRoleArn": {
           "Fn::GetAtt": [

packages/@aws-cdk/aws-ecs/test/fargate/integ.secret-json-key.ts renamed to packages/@aws-cdk/aws-ecs/test/ec2/integ.secret-json-field.ts

@@ -3,7 +3,7 @@ import * as cdk from '@aws-cdk/core';
 import * as ecs from '../../lib';
 
 const app = new cdk.App();
-const stack = new cdk.Stack(app, 'aws-ecs-integ-secret-json-key');
+const stack = new cdk.Stack(app, 'aws-ecs-integ-secret-json-field');
 
 const secret = new secretsmanager.Secret(stack, 'Secret', {
   generateSecretString: {
@@ -12,13 +12,11 @@ const secret = new secretsmanager.Secret(stack, 'Secret', {
   }
 });
 
-const taskDefinition = new ecs.FargateTaskDefinition(stack, 'TaskDef', {
-  memoryLimitMiB: 1024,
-  cpu: 512
-});
+const taskDefinition = new ecs.Ec2TaskDefinition(stack, 'TaskDef');
 
 taskDefinition.addContainer('web', {
   image: ecs.ContainerImage.fromRegistry('amazon/amazon-ecs-sample'),
+  memoryLimitMiB: 256,
   secrets: {
     PASSWORD: ecs.Secret.fromSecretsManager(secret, 'password')
   }

packages/@aws-cdk/aws-ecs/test/test.container-definition.ts

@@ -843,6 +843,29 @@ export = {
 
   },
 
+  'throws when using a specific secret JSON field as environment variable for a Fargate task'(test: Test) {
+    // GIVEN
+    const app = new cdk.App();
+    const stack = new cdk.Stack(app, 'Stack');
+    const taskDefinition = new ecs.FargateTaskDefinition(stack, 'TaskDef');
+
+    const secret = new secretsmanager.Secret(stack, 'Secret');
+
+    // WHEN
+    taskDefinition.addContainer('cont', {
+      image: ecs.ContainerImage.fromRegistry('test'),
+      memoryLimitMiB: 1024,
+      secrets: {
+        SECRET_KEY: ecs.Secret.fromSecretsManager(secret, 'specificKey'),
+      }
+    });
+
+    // THEN
+    test.throws(() => app.synth(), /Cannot specify secret JSON field for a task using the FARGATE launch type/);
+
+    test.done();
+  },
+
   'can add AWS logging to container definition'(test: Test) {
     // GIVEN
     const stack = new cdk.Stack();