Closed
Description
Is your request related to a new offering from AWS?
Is this functionality available in the AWS provider for Terraform? See CHANGELOG.md, too.
- No 🛑: please wait to file a request until the functionality is available in the AWS provider
- Yes ✅: please list the AWS provider version which introduced this functionality
Is your request related to a problem? Please describe.
Not a problem in and of itself; nevertheless, the primary motivation is to make it easier to limit the scope of the task_exec policy to only the secrets explicitly mentioned in the container_definitions section.
Describe the solution you'd like.
Limit the scope of the task_exec policy to only the secrets that are actually used within the container_definitions.
Describe alternatives you've considered.
Obtain the ARNs for all the secrets defined in the container_definitions and pass them to task_exec_secret_arns.
Additional context
Currently task_exec_secret_arns defaults to ["arn:aws:secretsmanager:*:*:secret:*"]; therefore, a flag could be introduced to change this behaviour so it grabs the secrets ARNs by looping over all container_definitions:
```hcl
# collect the `secrets` list of every rendered container definition
container_definitions_secrets = flatten([for k, v in module.container_definition : v.container_definition.secrets])
# with the flag set, grant only the referenced ARNs; otherwise keep the current default
task_exec_secret_arns         = var.explicit_task_exec_secret_arns ? [for v in local.container_definitions_secrets : v.valueFrom] : var.task_exec_secret_arns
```
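Worked example, added here; it is neither the terraform-aws-ecs module's code nor part of the issue text. It carries the proposal through with two cases the one-liner above does not handle: containers that define no `secrets`, and `valueFrom` values that are SSM Parameter Store ARNs (which a Secrets Manager statement would not cover), plus the Secrets Manager `:json-key:version-stage:version-id` suffix, which must be stripped before the ARN is usable as an IAM `Resource`. `local.container_definitions` is a constructed stand-in for the `module.container_definition` outputs; `explicit_task_exec_secret_arns`, `secretsmanager_arns` and `ssm_param_arns` are illustrative names, not module inputs.

```hcl
# Added example, not module code. Hypothetical flag from the issue.
variable "explicit_task_exec_secret_arns" {
  description = "Scope secret permissions to the ARNs referenced in container_definitions"
  type        = bool
  default     = true
}

variable "task_exec_secret_arns" {
  description = "Fallback, mirroring the module's current default"
  type        = list(string)
  default     = ["arn:aws:secretsmanager:*:*:secret:*"]
}

locals {
  # Constructed sample input, standing in for the rendered container definitions
  container_definitions = {
    app = {
      secrets = [
        { name = "DB_PASSWORD", valueFrom = "arn:aws:secretsmanager:us-east-1:111122223333:secret:prod/db-AbCdEf:password::" },
        { name = "API_KEY", valueFrom = "arn:aws:secretsmanager:us-east-1:111122223333:secret:prod/api-GhIjKl" },
      ]
    }
    sidecar = {
      secrets = [
        { name = "FLAGS", valueFrom = "arn:aws:ssm:us-east-1:111122223333:parameter/prod/flags" },
      ]
    }
    init = {} # no `secrets` attribute at all; must not break the loop
  }

  # Every distinct `valueFrom` across all containers; a missing or null
  # `secrets` list contributes nothing instead of failing the plan
  value_from = distinct(flatten([
    for name, def in local.container_definitions :
    [for s in try(coalesce(def.secrets, []), []) : s.valueFrom]
  ]))

  # Secrets Manager references may end in `:json-key:version-stage:version-id`.
  # The IAM resource is the secret itself, i.e. the first seven colon-separated
  # fields of the ARN. Partition-agnostic match (aws, aws-us-gov, aws-cn).
  secretsmanager_arns = distinct([
    for v in local.value_from :
    join(":", slice(split(":", v), 0, 7))
    if can(regex("^arn:[^:]+:secretsmanager:", v))
  ])

  # SSM parameters need ssm:GetParameters on the parameter ARN; keep them
  # separate so they can feed their own policy statement
  ssm_param_arns = [
    for v in local.value_from : v
    if can(regex("^arn:[^:]+:ssm:", v))
  ]

  task_exec_secret_arns = var.explicit_task_exec_secret_arns ? local.secretsmanager_arns : var.task_exec_secret_arns
}

output "task_exec_secret_arns" {
  value = local.task_exec_secret_arns
}

output "task_exec_ssm_param_arns" {
  value = local.ssm_param_arns
}
```

With `terraform plan` on the sample above, `task_exec_secret_arns` contains only the two `prod/db-AbCdEf` and `prod/api-GhIjKl` secret ARNs (the `:password::` suffix removed, which matters because a `Resource` entry carrying that suffix would never match the secret), and `task_exec_ssm_param_arns` holds the single parameter ARN. One further caveat when tightening this policy: if a referenced secret is encrypted with a customer-managed KMS key, the execution role also needs `kms:Decrypt` on that key, which narrowing the Secrets Manager resource list does not address.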