4

In order to deploy a new task to ECS I'm using the amazon-ecs-render-task-definition GitHub action. This action receives a task-definition.json as a parameter. This JSON contains secrets that I don't want to push; is there a way to inject some parameter into this JSON? Maybe from AWS Secrets Manager?

For example, task-definition.json (the MYSQL_ROOT_PASSWORD value is the secret!):

{
  "containerDefinitions": [
    {
      "name": "wordpress",
      "links": [
        "mysql"
      ],
      "image": "wordpress",
      "essential": true,
      "portMappings": [
        {
          "containerPort": 80,
          "hostPort": 80
        }
      ],
      "memory": 500,
      "cpu": 10
    },
    {
      "environment": [
        {
          "name": "MYSQL_ROOT_PASSWORD",
          "value": "password"
        }
      ],
      "name": "mysql",
      "image": "mysql",
      "cpu": 10,
      "memory": 500,
      "essential": true
    }
  ],
  "family": "hello_world"
}
Benny67b

3 Answers

5

Apparently there is a built-in solution for using AWS Secrets Manager secrets:

"secrets": [
  {
    "name": "DATABASE_PASSWORD",
    "valueFrom": "arn:aws:ssm:us-east-1:awsExampleAccountID:parameter/awsExampleParameter"
  }
]

https://aws.amazon.com/premiumsupport/knowledge-center/ecs-data-security-container-task/

Benny67b
5

Another solution is to use sed to insert your secrets.

So your workflow becomes something like -

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - name: Add secrets to Task Definition
        run: |
          sed -i "s/<jwt_secret>/$JWT_SECRET/g" task.json
          sed -i "s/<mongo_password>/$MONGO_PASSWORD/g" task.json
        env:
          JWT_SECRET: ${{secrets.JWT_SECRET}}
          MONGO_PASSWORD: ${{secrets.MONGO_PASSWORD}}

Then you edit your task.json to include the placeholders that sed will use for the replacement:

{
  "ipcMode": null,
  "executionRoleArn": null,
  "containerDefinitions": [
    {
      ...
      "environment": [
        {
          "name": "JWT_SECRET",
          "value": "<jwt_secret>"
        },
        {
          "name": "MONGO_PASSWORD",
          "value": "<mongo_password>"
        }
      ]
      ...
    }
  ]
}
Aidan Ewen
  • it works on my json files @ali_wetrill. I use this process in multiple builds. I like it because I find GitHub secrets more streamlined than AWS - less cruft (IMHO). – Aidan Ewen Oct 13 '20 at 09:58
  • 2
    Hmm on the first line under the run section I get 'sed: -e expression #1, char 64: unknown option to `s'. Any idea why? It's formatted exactly the same – ali_wetrill Oct 14 '20 at 23:12
  • @ali_wetrill The error "sed: -e expression #1, char 64: unknown option to `s'" appears when there is a "/" in the env variable value, because then the sed expression will not resolve. E.g. S3_FILENAME=testbucket123/.env, then the sed command sed -i "s//$S3_FILENAME/g" task.json becomes sed -i "s//testbucket123/.env/g" task.json, which is not resolved. – Muhammad Zunair Oct 20 '21 at 21:20
0

All repos have a place to store their secrets, see creating and using encrypted secrets. As for editing .json, the preinstalled jq looks like an obvious choice here, or maybe PowerShell if you're more familiar with that (just remember about tweaking -Depth).

Samira
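As an added example (not code from the question or any of the answers above), the following Python script combines the `<placeholder>` convention from the sed answer with the JSON-aware editing the last answer recommends, so that a secret containing `/` or `&` (the failure reported in the comment thread) or a `"` is still written out as valid JSON. The function and variable names (`inject_secrets`, `collect_placeholders`, `TEMPLATE`), the convention that a placeholder `<jwt_secret>` is filled from the upper-cased env var `JWT_SECRET`, and the embedded template are all assumptions made for this example; the values are constructed, not taken from the question.

```python
"""Added example: fill <placeholder> values in an ECS task definition by editing
the parsed JSON rather than running sed over the raw text.

Assumptions (not from the question or answers): placeholders are whole values of
the form <name>, and the env var holding the secret for <name> is NAME in upper
case, matching the env: block of the sed answer's workflow.
"""
import json
import os
import re
import sys

# A value counts as a placeholder only when the whole string is <name>, so an
# unrelated value such as "<html>" is never rewritten by accident.
PLACEHOLDER = re.compile(r"^<([a-z0-9_]+)>$")

# Constructed template standing in for task.json (not the question's file).
TEMPLATE = {
    "family": "hello_world",
    "containerDefinitions": [
        {
            "name": "api",
            "image": "example/api:latest",
            "environment": [
                {"name": "JWT_SECRET", "value": "<jwt_secret>"},
                {"name": "MONGO_PASSWORD", "value": "<mongo_password>"},
                {"name": "LOG_LEVEL", "value": "info"},
            ],
        }
    ],
}


def collect_placeholders(task_def):
    """Return the set of placeholder names used in any container's environment."""
    found = set()
    for container in task_def.get("containerDefinitions", []):
        for entry in container.get("environment", []):
            m = PLACEHOLDER.match(str(entry.get("value", "")))
            if m:
                found.add(m.group(1))
    return found


def inject_secrets(task_def, secrets):
    """Return a deep copy of task_def with every <name> value replaced by
    secrets[name].  Raises KeyError when a placeholder has no secret, so a
    half-filled definition is never handed to the deploy step.  Because the
    substitution happens on parsed JSON, json.dumps takes care of escaping:
    '/', '&', '"' and backslashes in a secret all survive intact, whereas
    sed's s/old/new/ form breaks on '/' (see the comment thread above)."""
    missing = collect_placeholders(task_def) - set(secrets)
    if missing:
        raise KeyError(f"no secret provided for placeholder(s): {sorted(missing)}")
    out = json.loads(json.dumps(task_def))  # deep copy; the template stays untouched
    for container in out.get("containerDefinitions", []):
        for entry in container.get("environment", []):
            m = PLACEHOLDER.match(str(entry.get("value", "")))
            if m:
                entry["value"] = secrets[m.group(1)]
    return out


def render(task_def):
    """Serialise the filled definition; ensure_ascii=False keeps non-ASCII secrets as-is."""
    return json.dumps(task_def, indent=2, ensure_ascii=False)


def secrets_from_env(placeholders, environ=os.environ):
    """Map each placeholder to the value of its upper-cased env var, i.e. the
    JWT_SECRET / MONGO_PASSWORD variables the workflow sets from secrets.*."""
    return {p: environ[p.upper()] for p in placeholders if p.upper() in environ}


def main(argv):
    # Usage: python3 inject.py task.json > task.rendered.json
    with open(argv[1]) as fh:
        template = json.load(fh)
    secrets = secrets_from_env(collect_placeholders(template))
    sys.stdout.write(render(inject_secrets(template, secrets)) + "\n")


if __name__ == "__main__":
    main(sys.argv)
```

In the workflow this replaces the two sed lines with a single `run: python3 inject.py task.json > task.rendered.json` step that keeps the same `env:` block; the rendered file is then passed to amazon-ecs-render-task-definition as the `task-definition` input. Only the template with placeholders belongs in the repository; the rendered file exists only inside the job.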