feat(ecs): support secret environment variables

packages/@aws-cdk/aws-ecs-patterns/lib/base/load-balanced-service-base.ts

@@ -4,6 +4,7 @@ import elbv2 = require('@aws-cdk/aws-elasticloadbalancingv2');
 import { AddressRecordTarget, ARecord, IHostedZone } from '@aws-cdk/aws-route53';
 import route53targets = require('@aws-cdk/aws-route53-targets');
 import cdk = require('@aws-cdk/core');
+import { BaseProps } from './props';
 
 export enum LoadBalancerType {
   APPLICATION,
@@ -13,17 +14,7 @@ export enum LoadBalancerType {
 /**
  * Base properties for load-balanced Fargate and ECS services
  */
-export interface LoadBalancedServiceBaseProps {
-  /**
-   * The cluster where your service will be deployed
-   */
-  readonly cluster: ecs.ICluster;
-
-  /**
-   * The image to start.
-   */
-  readonly image: ecs.ContainerImage;
-
+export interface LoadBalancedServiceBaseProps extends BaseProps {
   /**
    * The container port of the application load balancer attached to your Fargate service. Corresponds to container port mapping.
    *

packages/@aws-cdk/aws-ecs-patterns/lib/base/props.ts

@@ -0,0 +1,23 @@
+import ecs = require('@aws-cdk/aws-ecs');
+
+/**
+ * Base properties for service and task.
+ */
+export interface BaseProps {
+  /**
+   * The cluster where your service will be deployed
+   */
+  readonly cluster: ecs.ICluster;
+
+  /**
+   * The image to start.
+   */
+  readonly image: ecs.ContainerImage;
+
+  /**
+   * Secret environment variables to pass to the container
+   *
+   * @default - No secret environment variables.
+   */
+  readonly secrets?: { [key: string]: ecs.Secret };
+}

packages/@aws-cdk/aws-ecs-patterns/lib/base/queue-processing-service-base.ts

@@ -2,21 +2,12 @@ import autoscaling = require('@aws-cdk/aws-applicationautoscaling');
 import ecs = require('@aws-cdk/aws-ecs');
 import sqs = require('@aws-cdk/aws-sqs');
 import cdk = require('@aws-cdk/core');
+import { BaseProps } from './props';
 
 /**
  * Properties to define a queue processing service
  */
-export interface QueueProcessingServiceBaseProps {
-  /**
-   * Cluster where service will be deployed
-   */
-  readonly cluster: ecs.ICluster;
-
-  /**
-   * The image to start.
-   */
-  readonly image: ecs.ContainerImage;
-
+export interface QueueProcessingServiceBaseProps extends BaseProps {
   /**
    * The CMD value to pass to the container. A string with commands delimited by commas.
    *
@@ -89,18 +80,27 @@ export abstract class QueueProcessingServiceBase extends cdk.Construct {
    * Environment variables that will include the queue name
    */
   public readonly environment: { [key: string]: string };
+
+  /**
+   * Secret environment variables
+   */
+  public readonly secrets?: { [key: string]: ecs.Secret };
+
   /**
    * The minimum number of tasks to run
    */
   public readonly desiredCount: number;
+
   /**
    * The maximum number of instances for autoscaling to scale up to
    */
   public readonly maxCapacity: number;
+
   /**
    * The scaling interval for autoscaling based off an SQS Queue size
    */
   public readonly scalingSteps: autoscaling.ScalingInterval[];
+
   /**
    * The AwsLogDriver to use for logging if logging is enabled.
    */
@@ -122,6 +122,7 @@ export abstract class QueueProcessingServiceBase extends cdk.Construct {
 
     // Add the queue name to environment variables
     this.environment = { ...(props.environment || {}), QUEUE_NAME: this.sqsQueue.queueName };
+    this.secrets = props.secrets;
 
     // Determine the desired task count (minimum) and maximum scaling capacity
     this.desiredCount = props.desiredTaskCount || 1;

packages/@aws-cdk/aws-ecs-patterns/lib/base/scheduled-task-base.ts

@@ -3,18 +3,9 @@ import { ICluster } from '@aws-cdk/aws-ecs';
 import events = require('@aws-cdk/aws-events');
 import eventsTargets = require('@aws-cdk/aws-events-targets');
 import cdk = require('@aws-cdk/core');
+import { BaseProps } from './props';
 
-export interface ScheduledTaskBaseProps {
-  /**
-   * The cluster where your service will be deployed.
-   */
-  readonly cluster: ecs.ICluster;
-
-  /**
-   * The image to start.
-   */
-  readonly image: ecs.ContainerImage;
-
+export interface ScheduledTaskBaseProps extends BaseProps {
   /**
    * The schedule or rate (frequency) that determines when CloudWatch Events
    * runs the rule. For more information, see Schedule Expression Syntax for

packages/@aws-cdk/aws-ecs-patterns/lib/ecs/load-balanced-ecs-service.ts

@@ -53,6 +53,7 @@ export class LoadBalancedEc2Service extends LoadBalancedServiceBase {
       memoryLimitMiB: props.memoryLimitMiB,
       memoryReservationMiB: props.memoryReservationMiB,
       environment: props.environment,
+      secrets: props.secrets,
       logging: this.logDriver,
     });
 

packages/@aws-cdk/aws-ecs-patterns/lib/ecs/queue-processing-ecs-service.ts

@@ -62,6 +62,7 @@ export class QueueProcessingEc2Service extends QueueProcessingServiceBase {
       cpu: props.cpu,
       command: props.command,
       environment: this.environment,
+      secrets: this.secrets,
       logging: this.logDriver
     });
 

packages/@aws-cdk/aws-ecs-patterns/lib/ecs/scheduled-ecs-task.ts

@@ -53,6 +53,7 @@ export class ScheduledEc2Task extends ScheduledTaskBase {
       cpu: props.cpu,
       command: props.command,
       environment: props.environment,
+      secrets: props.secrets,
       logging: this.createAWSLogDriver(this.node.id)
     });
 

packages/@aws-cdk/aws-ecs-patterns/lib/fargate/load-balanced-fargate-service.ts

@@ -98,7 +98,8 @@ export class LoadBalancedFargateService extends LoadBalancedServiceBase {
     const container = taskDefinition.addContainer(containerName, {
       image: props.image,
       logging: this.logDriver,
-      environment: props.environment
+      environment: props.environment,
+      secrets: props.secrets,
     });
 
     container.addPortMappings({

packages/@aws-cdk/aws-ecs-patterns/lib/fargate/queue-processing-fargate-service.ts

@@ -65,6 +65,7 @@ export class QueueProcessingFargateService extends QueueProcessingServiceBase {
       image: props.image,
       command: props.command,
       environment: this.environment,
+      secrets: this.secrets,
       logging: this.logDriver
     });
 

packages/@aws-cdk/aws-ecs-patterns/lib/fargate/scheduled-fargate-task.ts

@@ -48,6 +48,7 @@ export class ScheduledFargateTask extends ScheduledTaskBase {
       image: props.image,
       command: props.command,
       environment: props.environment,
+      secrets: props.secrets,
       logging: this.createAWSLogDriver(this.node.id)
     });
 

packages/@aws-cdk/aws-ecs-patterns/lib/index.ts

@@ -1,3 +1,5 @@
+export * from './base/props';
+
 export * from './ecs/queue-processing-ecs-service';
 export * from './fargate/queue-processing-fargate-service';
 export * from './base/queue-processing-service-base';

packages/@aws-cdk/aws-ecs-patterns/test/ec2/integ.scheduled-ecs-task.lit.expected.json

@@ -665,11 +665,7 @@
             "Cpu": 1,
             "Environment": [
               {
-                "Name": "name",
-                "Value": "TRIGGER"
-              },
-              {
-                "Name": "value",
+                "Name": "TRIGGER",
                 "Value": "CloudWatch Events"
               }
             ],

packages/@aws-cdk/aws-ecs-patterns/test/ec2/integ.scheduled-ecs-task.lit.ts

@@ -26,7 +26,7 @@ class EventStack extends cdk.Stack {
       desiredTaskCount: 2,
       memoryLimitMiB: 512,
       cpu: 1,
-      environment: { name: 'TRIGGER', value: 'CloudWatch Events' },
+      environment: { TRIGGER: 'CloudWatch Events' },
       schedule: events.Schedule.rate(cdk.Duration.minutes(1)),
     });
     /// !hide

packages/@aws-cdk/aws-ecs-patterns/test/ec2/test.scheduled-ecs-task.ts

@@ -85,7 +85,7 @@ export = {
       desiredTaskCount: 2,
       memoryLimitMiB: 512,
       cpu: 2,
-      environment: { name: 'TRIGGER', value: 'CloudWatch Events' },
+      environment: { TRIGGER: 'CloudWatch Events' },
       schedule: events.Schedule.expression('rate(1 minute)')
     });
 
@@ -111,11 +111,7 @@ export = {
           Cpu: 2,
           Environment: [
             {
-              Name: "name",
-              Value: "TRIGGER"
-            },
-            {
-              Name: "value",
+              Name: "TRIGGER",
               Value: "CloudWatch Events"
             }
           ],

packages/@aws-cdk/aws-ecs-patterns/test/fargate/integ.scheduled-fargate-task.lit.expected.json

@@ -258,11 +258,7 @@
           {
             "Environment": [
               {
-                "Name": "name",
-                "Value": "TRIGGER"
-              },
-              {
-                "Name": "value",
+                "Name": "TRIGGER",
                 "Value": "CloudWatch Events"
               }
             ],

packages/@aws-cdk/aws-ecs-patterns/test/fargate/integ.scheduled-fargate-task.lit.ts

@@ -22,7 +22,7 @@ class EventStack extends cdk.Stack {
       desiredTaskCount: 2,
       memoryLimitMiB: 512,
       cpu: 256,
-      environment: { name: 'TRIGGER', value: 'CloudWatch Events' },
+      environment: { TRIGGER: 'CloudWatch Events' },
       schedule: events.Schedule.rate(cdk.Duration.minutes(2)),
     });
   }

packages/@aws-cdk/aws-ecs-patterns/test/fargate/test.scheduled-fargate-task.ts

@@ -78,7 +78,7 @@ export = {
       desiredTaskCount: 2,
       memoryLimitMiB: 512,
       cpu: 2,
-      environment: { name: 'TRIGGER', value: 'CloudWatch Events' },
+      environment: { TRIGGER: 'CloudWatch Events' },
       schedule: events.Schedule.expression('rate(1 minute)')
     });
 
@@ -103,11 +103,7 @@ export = {
         {
           Environment: [
             {
-              Name: "name",
-              Value: "TRIGGER"
-            },
-            {
-              Name: "value",
+              Name: "TRIGGER",
               Value: "CloudWatch Events"
             }
           ],

packages/@aws-cdk/aws-ecs/lib/base/task-definition.ts

@@ -265,7 +265,7 @@ export class TaskDefinition extends TaskDefinitionBase {
     });
 
     const taskDef = new CfnTaskDefinition(this, 'Resource', {
-      containerDefinitions: Lazy.anyValue({ produce: () => this.containers.map(x => x.renderContainerDefinition()) }),
+      containerDefinitions: Lazy.anyValue({ produce: () => this.containers.map(x => x.renderContainerDefinition(this)) }),
       volumes: Lazy.anyValue({ produce: () => this.volumes }),
       executionRoleArn: Lazy.stringValue({ produce: () => this.executionRole && this.executionRole.roleArn }),
       family: this.family,

packages/@aws-cdk/aws-ecs/lib/container-definition.ts

@@ -1,4 +1,6 @@
 import iam = require('@aws-cdk/aws-iam');
+import secretsmanager = require('@aws-cdk/aws-secretsmanager');
+import ssm = require('@aws-cdk/aws-ssm');
 import cdk = require('@aws-cdk/core');
 import { NetworkMode, TaskDefinition } from './base/task-definition';
 import { ContainerImage, ContainerImageConfig } from './container-image';
@@ -7,6 +9,36 @@ import { LinuxParameters } from './linux-parameters';
 import { LogDriver, LogDriverConfig } from './log-drivers/log-driver';
 
 /**
+ * A secret environment variable.
+ */
+export abstract class Secret {
+  /**
+   * Creates an environment variable value from a parameter stored in AWS
+   * Systems Manager Parameter Store.
+   */
+  public static fromSsmParameter(parameter: ssm.IParameter): Secret {
+    return {
+      arn: parameter.parameterArn,
+      grantRead: grantee => parameter.grantRead(grantee),
+    };
+  }
+
+  /**
+   * Creates a environment variable value from a secret stored in AWS Secrets
+   * Manager.
+   */
+  public static fromSecretsManager(secret: secretsmanager.ISecret): Secret {
+    return {
+      arn: secret.secretArn,
+      grantRead: grantee => secret.grantRead(grantee),
+    };
+  }
+
+  public abstract readonly arn: string;
+  public abstract grantRead(grantee: iam.IGrantable): iam.Grant;
+}
+
+/*
  * The options for creating a container definition.
  */
 export interface ContainerDefinitionOptions {
@@ -89,6 +121,13 @@ export interface ContainerDefinitionOptions {
    */
   readonly environment?: { [key: string]: string };
 
+  /**
+   * The secret environment variables to pass to the container.
+   *
+   * @default - No secret environment variables.
+   */
+  readonly secrets?: { [key: string]: Secret };
+
   /**
    * Specifies whether the container is marked essential.
    *
@@ -412,8 +451,10 @@ export class ContainerDefinition extends cdk.Construct {
 
   /**
    * Render this container definition to a CloudFormation object
+   *
+   * @param taskDefinition [disable-awslint:ref-via-interface] (made optional to avoid breaking change)
    */
-  public renderContainerDefinition(): CfnTaskDefinition.ContainerDefinitionProperty {
+  public renderContainerDefinition(taskDefinition?: TaskDefinition): CfnTaskDefinition.ContainerDefinitionProperty {
     return {
       command: this.props.command,
       cpu: this.props.cpu,
@@ -439,7 +480,17 @@ export class ContainerDefinition extends cdk.Construct {
       volumesFrom: this.volumesFrom.map(renderVolumeFrom),
       workingDirectory: this.props.workingDirectory,
       logConfiguration: this.logDriverConfig,
-      environment: this.props.environment && renderKV(this.props.environment, 'name', 'value'),
+      environment:  this.props.environment && renderKV(this.props.environment, 'name', 'value'),
+      secrets: this.props.secrets && Object.entries(this.props.secrets)
+        .map(([k, v]) => {
+          if (taskDefinition) {
+            v.grantRead(taskDefinition.obtainExecutionRole());
+          }
+          return {
+            name: k,
+            valueFrom: v.arn
+          };
+        }),
       extraHosts: this.props.extraHosts && renderKV(this.props.extraHosts, 'hostname', 'ipAddress'),
       healthCheck: this.props.healthCheck && renderHealthCheck(this.props.healthCheck),
       links: this.links,