feat(ecs): support secret environment variables

packages/@aws-cdk/aws-ecs-patterns/lib/base/load-balanced-service-base.ts

@@ -65,7 +65,7 @@ export interface LoadBalancedServiceBaseProps {
    *
    * @default - No environment variables.
    */
-  readonly environment?: { [key: string]: string };
+  readonly environment?: { [key: string]: ecs.EnvironmentValue };
 
   /**
    * Whether to create an AWS log driver

packages/@aws-cdk/aws-ecs-patterns/lib/base/queue-processing-service-base.ts

@@ -43,7 +43,7 @@ export interface QueueProcessingServiceBaseProps {
    *
    * @default 'QUEUE_NAME: queue.queueName'
    */
-  readonly environment?: { [key: string]: string };
+  readonly environment?: { [key: string]: ecs.EnvironmentValue };
 
   /**
    * A queue for which to process items from.
@@ -88,7 +88,7 @@ export abstract class QueueProcessingServiceBase extends cdk.Construct {
   /**
    * Environment variables that will include the queue name
    */
-  public readonly environment: { [key: string]: string };
+  public readonly environment: { [key: string]: ecs.EnvironmentValue };
   /**
    * The minimum number of tasks to run
    */
@@ -121,7 +121,7 @@ export abstract class QueueProcessingServiceBase extends cdk.Construct {
     this.logDriver = enableLogging ? this.createAWSLogDriver(this.node.id) : undefined;
 
     // Add the queue name to environment variables
-    this.environment = { ...(props.environment || {}), QUEUE_NAME: this.sqsQueue.queueName };
+    this.environment = { ...(props.environment || {}), QUEUE_NAME: ecs.EnvironmentValue.fromString(this.sqsQueue.queueName) };
 
     // Determine the desired task count (minimum) and maximum scaling capacity
     this.desiredCount = props.desiredTaskCount || 1;

packages/@aws-cdk/aws-ecs-patterns/lib/base/scheduled-task-base.ts

@@ -43,7 +43,7 @@ export interface ScheduledTaskBaseProps {
    *
    * @default none
    */
-  readonly environment?: { [key: string]: string };
+  readonly environment?: { [key: string]: ecs.EnvironmentValue };
 }
 
 /**

packages/@aws-cdk/aws-ecs-patterns/test/ec2/integ.scheduled-ecs-task.lit.expected.json

@@ -649,11 +649,7 @@
             "Cpu": 1,
             "Environment": [
               {
-                "Name": "name",
-                "Value": "TRIGGER"
-              },
-              {
-                "Name": "value",
+                "Name": "TRIGGER",
                 "Value": "CloudWatch Events"
               }
             ],

packages/@aws-cdk/aws-ecs-patterns/test/ec2/integ.scheduled-ecs-task.lit.ts

@@ -26,7 +26,7 @@ class EventStack extends cdk.Stack {
       desiredTaskCount: 2,
       memoryLimitMiB: 512,
       cpu: 1,
-      environment: { name: 'TRIGGER', value: 'CloudWatch Events' },
+      environment: { TRIGGER: ecs.EnvironmentValue.fromString('CloudWatch Events') },
       schedule: events.Schedule.rate(cdk.Duration.minutes(1)),
     });
     /// !hide

packages/@aws-cdk/aws-ecs-patterns/test/ec2/test.l3s.ts

@@ -22,8 +22,8 @@ export = {
       image: ecs.ContainerImage.fromRegistry('test'),
       desiredCount: 2,
       environment: {
-        TEST_ENVIRONMENT_VARIABLE1: "test environment variable 1 value",
-        TEST_ENVIRONMENT_VARIABLE2: "test environment variable 2 value"
+        TEST_ENVIRONMENT_VARIABLE1: ecs.EnvironmentValue.fromString("test environment variable 1 value"),
+        TEST_ENVIRONMENT_VARIABLE2: ecs.EnvironmentValue.fromString("test environment variable 2 value")
       }
     });
 
@@ -96,8 +96,8 @@ export = {
       image: ecs.ContainerImage.fromRegistry('test'),
       desiredCount: 2,
       environment: {
-        TEST_ENVIRONMENT_VARIABLE1: "test environment variable 1 value",
-        TEST_ENVIRONMENT_VARIABLE2: "test environment variable 2 value"
+        TEST_ENVIRONMENT_VARIABLE1: ecs.EnvironmentValue.fromString("test environment variable 1 value"),
+        TEST_ENVIRONMENT_VARIABLE2: ecs.EnvironmentValue.fromString("test environment variable 2 value")
       }
     });
 
@@ -153,8 +153,8 @@ export = {
       desiredCount: 2,
       enableLogging: false,
       environment: {
-        TEST_ENVIRONMENT_VARIABLE1: "test environment variable 1 value",
-        TEST_ENVIRONMENT_VARIABLE2: "test environment variable 2 value"
+        TEST_ENVIRONMENT_VARIABLE1: ecs.EnvironmentValue.fromString("test environment variable 1 value"),
+        TEST_ENVIRONMENT_VARIABLE2: ecs.EnvironmentValue.fromString("test environment variable 2 value")
       }
     });
 

packages/@aws-cdk/aws-ecs-patterns/test/ec2/test.queue-processing-ecs-service.ts

@@ -84,8 +84,8 @@ export = {
       enableLogging: false,
       desiredTaskCount: 2,
       environment: {
-        TEST_ENVIRONMENT_VARIABLE1: "test environment variable 1 value",
-        TEST_ENVIRONMENT_VARIABLE2: "test environment variable 2 value"
+        TEST_ENVIRONMENT_VARIABLE1: ecs.EnvironmentValue.fromString("test environment variable 1 value"),
+        TEST_ENVIRONMENT_VARIABLE2: ecs.EnvironmentValue.fromString("test environment variable 2 value")
       },
       queue,
       maxScalingCapacity: 5

packages/@aws-cdk/aws-ecs-patterns/test/ec2/test.scheduled-ecs-task.ts

@@ -85,7 +85,7 @@ export = {
       desiredTaskCount: 2,
       memoryLimitMiB: 512,
       cpu: 2,
-      environment: { name: 'TRIGGER', value: 'CloudWatch Events' },
+      environment: { TRIGGER: ecs.EnvironmentValue.fromString('CloudWatch Events') },
       schedule: events.Schedule.expression('rate(1 minute)')
     });
 
@@ -111,11 +111,7 @@ export = {
           Cpu: 2,
           Environment: [
             {
-              Name: "name",
-              Value: "TRIGGER"
-            },
-            {
-              Name: "value",
+              Name: "TRIGGER",
               Value: "CloudWatch Events"
             }
           ],

packages/@aws-cdk/aws-ecs-patterns/test/fargate/integ.scheduled-fargate-task.lit.expected.json

@@ -258,11 +258,7 @@
           {
             "Environment": [
               {
-                "Name": "name",
-                "Value": "TRIGGER"
-              },
-              {
-                "Name": "value",
+                "Name": "TRIGGER",
                 "Value": "CloudWatch Events"
               }
             ],

packages/@aws-cdk/aws-ecs-patterns/test/fargate/integ.scheduled-fargate-task.lit.ts

@@ -22,7 +22,7 @@ class EventStack extends cdk.Stack {
       desiredTaskCount: 2,
       memoryLimitMiB: 512,
       cpu: 256,
-      environment: { name: 'TRIGGER', value: 'CloudWatch Events' },
+      environment: { TRIGGER: ecs.EnvironmentValue.fromString('CloudWatch Events') },
       schedule: events.Schedule.rate(cdk.Duration.minutes(2)),
     });
   }

packages/@aws-cdk/aws-ecs-patterns/test/fargate/test.queue-processing-fargate-service.ts

@@ -82,8 +82,8 @@ export = {
       enableLogging: false,
       desiredTaskCount: 2,
       environment: {
-        TEST_ENVIRONMENT_VARIABLE1: "test environment variable 1 value",
-        TEST_ENVIRONMENT_VARIABLE2: "test environment variable 2 value"
+        TEST_ENVIRONMENT_VARIABLE1: ecs.EnvironmentValue.fromString("test environment variable 1 value"),
+        TEST_ENVIRONMENT_VARIABLE2: ecs.EnvironmentValue.fromString("test environment variable 2 value")
       },
       queue,
       maxScalingCapacity: 5

packages/@aws-cdk/aws-ecs-patterns/test/fargate/test.scheduled-fargate-task.ts

@@ -78,7 +78,7 @@ export = {
       desiredTaskCount: 2,
       memoryLimitMiB: 512,
       cpu: 2,
-      environment: { name: 'TRIGGER', value: 'CloudWatch Events' },
+      environment: { TRIGGER: ecs.EnvironmentValue.fromString('CloudWatch Events') },
       schedule: events.Schedule.expression('rate(1 minute)')
     });
 
@@ -103,11 +103,7 @@ export = {
         {
           Environment: [
             {
-              Name: "name",
-              Value: "TRIGGER"
-            },
-            {
-              Name: "value",
+              Name: "TRIGGER",
               Value: "CloudWatch Events"
             }
           ],

packages/@aws-cdk/aws-ecs/lib/base/task-definition.ts

@@ -266,7 +266,7 @@ export class TaskDefinition extends TaskDefinitionBase {
     });
 
     const taskDef = new CfnTaskDefinition(this, 'Resource', {
-      containerDefinitions: Lazy.anyValue({ produce: () => this.containers.map(x => x.renderContainerDefinition()) }),
+      containerDefinitions: Lazy.anyValue({ produce: () => this.containers.map(x => x.renderContainerDefinition(this)) }),
       volumes: Lazy.anyValue({ produce: () => this.volumes }),
       executionRoleArn: Lazy.stringValue({ produce: () => this.executionRole && this.executionRole.roleArn }),
       family: this.family,

packages/@aws-cdk/aws-ecs/lib/container-definition.ts

@@ -1,4 +1,6 @@
 import iam = require('@aws-cdk/aws-iam');
+import secretsmanager = require('@aws-cdk/aws-secretsmanager');
+import ssm = require('@aws-cdk/aws-ssm');
 import cdk = require('@aws-cdk/core');
 import { NetworkMode, TaskDefinition } from './base/task-definition';
 import { ContainerImage, ContainerImageConfig } from './container-image';
@@ -7,6 +9,56 @@ import { LinuxParameters } from './linux-parameters';
 import { LogDriver, LogDriverConfig } from './log-drivers/log-driver';
 
 /**
+ * Propertiers for an EnvironmentValue
+ */
+export interface EnvironmentValueProps {
+  /**
+   * A string in clear text.
+   */
+  readonly value?: string;
+
+  /**
+   * A SSM parameter that will be retrieved at container startup.
+   */
+  readonly parameter?: ssm.IParameter;
+
+  /**
+   * An AWS Secrets Manager secret that will be retrieved at container startup.
+   */
+  readonly secret?: secretsmanager.ISecret
+}
+
+/**
+ * An environment variable value.
+ */
+export class EnvironmentValue {
+  /**
+   * Creates a environment variable value from a string.
+   */
+  public static fromString(value: string) {
+    return new EnvironmentValue({ value });
+  }
+
+  /**
+   * Creates a environment variable value from a parameter stored in AWS
+   * Systems Manager Parameter Store.
+   */
+  public static fromSsmParameter(parameter: ssm.IParameter) {
+    return new EnvironmentValue({ parameter });
+  }
+
+  /**
+   * Creates a environment variable value from a secret stored in AWS Secrets
+   * Manager.
+   */
+  public static fromSecretsManager(secret: secretsmanager.ISecret) {
+    return new EnvironmentValue({ secret });
+  }
+
+  constructor(public readonly props: EnvironmentValueProps) {}
+}
+
+/*
  * The options for creating a container definition.
  */
 export interface ContainerDefinitionOptions {
@@ -84,7 +136,7 @@ export interface ContainerDefinitionOptions {
    *
    * @default - No environment variables.
    */
-  readonly environment?: { [key: string]: string };
+  readonly environment?: { [key: string]: EnvironmentValue };
 
   /**
    * Specifies whether the container will be marked essential.
@@ -406,8 +458,24 @@ export class ContainerDefinition extends cdk.Construct {
 
   /**
    * Render this container definition to a CloudFormation object
-   */
-  public renderContainerDefinition(): CfnTaskDefinition.ContainerDefinitionProperty {
+   *
+   * @param taskDefinition [disable-awslint:ref-via-interface]
+   */
+  public renderContainerDefinition(taskDefinition: TaskDefinition): CfnTaskDefinition.ContainerDefinitionProperty {
+    const environment = [];
+    const secrets = [];
+    for (const [k, v] of Object.entries(this.props.environment || {})) {
+      if (v.props.value) {
+        environment.push({ name: k, value: v.props.value });
+      } else if (v.props.parameter) {
+        secrets.push({ name: k, valueFrom: v.props.parameter.parameterArn });
+        v.props.parameter.grantRead(taskDefinition.obtainExecutionRole());
+      } else if (v.props.secret) {
+        secrets.push({ name: k, valueFrom: v.props.secret.secretArn });
+        v.props.secret.grantRead(taskDefinition.obtainExecutionRole());
+      }
+    }
+
     return {
       command: this.props.command,
       cpu: this.props.cpu,
@@ -433,8 +501,10 @@ export class ContainerDefinition extends cdk.Construct {
       volumesFrom: this.volumesFrom.map(renderVolumeFrom),
       workingDirectory: this.props.workingDirectory,
       logConfiguration: this.logDriverConfig,
-      environment: this.props.environment && renderKV(this.props.environment, 'name', 'value'),
-      extraHosts: this.props.extraHosts && renderKV(this.props.extraHosts, 'hostname', 'ipAddress'),
+      environment: environment.length !== 0 ? environment : undefined,
+      secrets: secrets.length !== 0 ? secrets : undefined,
+      extraHosts: this.props.extraHosts && Object.entries(this.props.extraHosts)
+        .map(([k, v]) => ({ hostname: k, ipAddress: v })),
       healthCheck: this.props.healthCheck && renderHealthCheck(this.props.healthCheck),
       links: this.links,
       linuxParameters: this.linuxParameters && this.linuxParameters.renderLinuxParameters(),
@@ -490,14 +560,6 @@ export interface HealthCheck {
   readonly timeout?: cdk.Duration;
 }
 
-function renderKV(env: { [key: string]: string }, keyName: string, valueName: string): any {
-  const ret = [];
-  for (const [key, value] of Object.entries(env)) {
-    ret.push({ [keyName]: key, [valueName]: value });
-  }
-  return ret;
-}
-
 function renderHealthCheck(hc: HealthCheck): CfnTaskDefinition.HealthCheckProperty {
   return {
     command: getHealthCheckCommand(hc),