aws/aws-cdk

Deploy ECS ApplicationLoadBalancedFargateService isn't loading Secrets

Open

#20744 opened on Jun 14, 2022

Labels: @aws-cdk/aws-ecs, bug, documentation, good first issue, p2

Description

When injecting secrets into the Secrets object of the ApplicationLoadBalancedFargateService's taskImageOptions, imported from sm.Secret.fromSecretCompleteArn (including the 6-digit hyphen), the deploy gets stuck and does not work.

I have also tried importing the secrets by:

sm.Secret.fromSecretNameV2 and the behaviour is the same.

Expected Behavior

ECS to deploy with custom secrets

Current Behavior

CDK deploy freezes, stuck at the ECS apiService deploy.

Reproduction Steps

const importedSecrets = SECRET_NAMES.reduce((acc, key) => {
  const secret = sm.Secret.fromSecretCompleteArn(
    scope,
    `${config.ENVIRONMENT}/${key}`,
    secretFullArns[key], // full ARN of the secret, identical to AWS
  );
  return {...acc, [key]: secret};
}, {} as {[key: string]: sm.ISecret});

Where SECRET_NAMES is an array of secret names. Then,

  const secretsJson = SECRET_NAMES.reduce(
    (acc, key) => ({
      ...acc,
      [key]: ecs.Secret.fromSecretsManager(importedSecrets[key]),
    }),
    {},
  );

and then in the fargate service creator:

// Fargate service
this.backendService = new ecsPatterns.ApplicationLoadBalancedFargateService(
  scope,
  'apiService',
  {
    serviceName: 'apiService',
    cluster: this.ecsCluster,
    taskSubnets: {
      subnetType: ec2.SubnetType.PRIVATE_WITH_NAT,
    },
    memoryLimitMiB: 2048,
    cpu: 1024,
    desiredCount: 1,
    taskImageOptions: {
      containerName: 'apiContainer',
      image: ecs.ContainerImage.fromAsset('../api-backend/', {
        followSymlinks: SymlinkFollowMode.ALWAYS,
      }),
      containerPort: config.PORT,
      environment: {
        NODE_ENV: 'development',
        AWS_DEFAULT_REGION: config.AWS_DEFAULT_REGION,
      },
      logDriver: ecs.LogDrivers.awsLogs({
        streamPrefix: `${config.PROJECT_NAME}-logStream`,
        logGroup: fargateLog,
      }),
      secrets: {
        DB_BUSINESS_PASSWORD: ecs.Secret.fromSecretsManager(
          dbBusinessPasswordSecret,
          'password',
        ),
        DB_BUSINESS_HOST: ecs.Secret.fromSecretsManager(
          dbBusinessPasswordSecret,
          'host',
        ),
        ...secretsJson,
        // ===========>>> If I comment this line out, the deploy is successful, but without the secrets I want.
      },
    },
  },
);

In the CDK template I see the correct secret name BUT WITHOUT THE HYPHEN.

CDK TEMPLATE Secrets from ECS:

....
{
  "Name": "X_API_KEY",
  "ValueFrom": {
    "Fn::Join": [
      "",
      [
        "arn:",
        {
          "Ref": "AWS::Partition"
        },
        "secret-arn-as-it-is-in-aws-console/co****/staging/X_API_KEY"
// The secret ARN is exactly as it is in AWS but without the 6-char hyphen auto-generated when the secret was uploaded.
      ]
    ]
  }
},
...

Parameter name is: /co****/staging/X_API_KEY. But in the AWS console the ARN of the secret is exactly the same as the one in the CDK template but without the hyphen. I'm pretty sure that's the cause of the deploy being stuck.

Also, IAM permissions from the image task are fine, for example for the secret whose name is /co***/staging/CIPHER_SECRET-??????, where the ?s represent the auto-generated 6-digit hyphen.

Console Synth CDK template

Possible Solution

No response

Additional Information/Context

No response

CDK CLI Version

"aws-cdk-lib": "^2.27.0",

Node.js Version

14.19

OS

macOS Monterey

Language

TypeScript

Language Version

"typescript": "^4.7.2"

Other information

CDK JSON

{
  "app": "npx ts-node --prefer-ts-exts bin/CdkStarter.ts",
  "context": {
    "@aws-cdk/aws-apigateway:usagePlanKeyOrderInsensitiveId": true,
    "@aws-cdk/aws-rds:lowercaseDbIdentifier": true,
    "@aws-cdk/aws-efs:defaultEncryptionAtRest": true,
    "@aws-cdk/aws-cloudfront:defaultSecurityPolicyTLSv1.2_2021": false,
    "@aws-cdk/core:stackRelativeExports": false
  }
}
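As an added example (not code from the aws-cdk project or from the issue author), a small TypeScript check that tells a complete Secrets Manager ARN (one carrying the service-generated "-XXXXXX" suffix) from a partial one, names which CDK importer fits each, and derives the IAM resource a task role must be allowed on. The helper names are assumptions; the "-??????" wildcard is the pattern CDK's Secret.fromSecretPartialArn uses for its grants.

```typescript
// Added example, not part of the aws-cdk project or the issue above.
// A secret-less tail in the synthesized task definition (as in the issue)
// usually means a partial ARN was handed to a "complete ARN" importer.

type SecretArnKind = 'complete' | 'partial';

// arn:<partition>:secretsmanager:<region>:<account>:secret:<name>[-XXXXXX]
const SECRET_ARN = /^arn:[^:]+:secretsmanager:[^:]+:\d{12}:secret:(.+)$/;
// Secrets Manager appends "-" plus six characters from [A-Za-z0-9].
const SUFFIX = /-[A-Za-z0-9]{6}$/;

/** True when the ARN's tail is shaped like the service-generated suffix. */
function hasCompleteSuffix(arn: string): boolean {
  const m = SECRET_ARN.exec(arn);
  if (!m) throw new Error(`not a Secrets Manager secret ARN: ${arn}`);
  return SUFFIX.test(m[1]);
}

/** Which CDK importer fits an ARN the caller knows to be of `kind`. */
function importMethodFor(kind: SecretArnKind): string {
  return kind === 'complete' ? 'fromSecretCompleteArn' : 'fromSecretPartialArn';
}

/**
 * IAM resource the task execution role needs secretsmanager:GetSecretValue on.
 * A partial ARN can only match the stored secret with the 6-char wildcard.
 */
function iamResourceFor(arn: string, kind: SecretArnKind): string {
  return kind === 'complete' ? arn : `${arn}-??????`;
}

/**
 * Synth-time consistency check. A suffix-less ARN declared "complete" is an
 * error: a policy granted on that exact string never matches the real secret.
 * A "partial" ARN whose name happens to end in six alphanumerics is only a
 * warning, because the suffix test alone cannot tell the two apart.
 */
function checkArnKind(arn: string, kind: SecretArnKind): string | null {
  const suffixed = hasCompleteSuffix(arn);
  if (kind === 'complete' && !suffixed) {
    return `ERROR: ${arn} has no "-XXXXXX" suffix; pass the full ARN from ` +
      `the console or import it with fromSecretPartialArn instead`;
  }
  if (kind === 'partial' && suffixed) {
    return `WARN: ${arn} may already be complete; the -?????? grant would be redundant`;
  }
  return null;
}
```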
