
AWS SSM as valueFrom for a task in Terraform is not working

Stack Overflow user
Asked 2021-09-19 21:15:08
Answers 1, Views 270, Followers 0, Votes 1

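I have a task defined in AWS that I got working using the aws_ecs_task_definition module. I'm setting some environment variables using environment in the Terraform module, but some of them will be provided via AWS SSM. The normal creation without AWS SSM is: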

environment : [
        {
          name : "user",
          value : "name"
        },
      ],

This works like a charm.

Then I tried:

environment : [
        {
          name : "user",
          valueFrom : "my_env_var_name_in_ssm"
        },
      ],

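But it doesn't work. When I go to the task definition UI, the ENV variable isn't there, and it isn't in the JSON definition in the UI either.

Then I tried creating them in the UI, and once the task was created I saw that, when valueFrom is set, the ENV variable is created under the secrets section of the JSON definition. So I tried to replicate that in Terraform like this: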

secrets : [
        {
          name : "user",
          valueFrom : "my_env_var_name_in_ssm"
        },
      ],

But it doesn't work either. The task definition JSON is:

{
  "ipcMode": null,
  "executionRoleArn": "arn",
  "containerDefinitions": [
    {
      "dnsSearchDomains": null,
      "environmentFiles": null,
      "logConfiguration": null,
      "entryPoint": null,
      "portMappings": [
        {
          "hostPort": 8080,
          "protocol": "tcp",
          "containerPort": 8080
        },
        {
          "hostPort": 8793,
          "protocol": "tcp",
          "containerPort": 8793
        }
      ],
      "command": null,
      "linuxParameters": null,
      "cpu": 7,
      "environment": [
        {
          "name": "name",
          "value": "harcoded"
        }
      ],
      "resourceRequirements": null,
      "ulimits": null,
      "dnsServers": null,
      "mountPoints": [],
      "workingDirectory": null,
      "secrets": null,
      "dockerSecurityOptions": null,
      "memory": null,
      "memoryReservation": 128,
      "volumesFrom": [],
      "stopTimeout": null,
      "image": "image_arn",
      "startTimeout": null,
      "firelensConfiguration": null,
      "dependsOn": null,
      "disableNetworking": null,
      "interactive": null,
      "healthCheck": null,
      "essential": true,
      "links": null,
      "hostname": null,
      "extraHosts": null,
      "pseudoTerminal": null,
      "user": null,
      "readonlyRootFilesystem": null,
      "dockerLabels": null,
      "systemControls": null,
      "privileged": null,
      "name": "my-name"
    }
  ],
  "placementConstraints": [],
  "memory": null,
  "taskRoleArn": "arn",
  "compatibilities": [
    "EC2"
  ],
  "taskDefinitionArn": "arn",
  "family": "family-name",
  "requiresAttributes": [
    {
      "targetId": null,
      "targetType": null,
      "value": null,
      "name": "com.amazonaws.ecs.capability.ecr-auth"
    },
    {
      "targetId": null,
      "targetType": null,
      "value": null,
      "name": "com.amazonaws.ecs.capability.docker-remote-api.1.21"
    },
    {
      "targetId": null,
      "targetType": null,
      "value": null,
      "name": "com.amazonaws.ecs.capability.task-iam-role"
    },
    {
      "targetId": null,
      "targetType": null,
      "value": null,
      "name": "ecs.capability.execution-role-ecr-pull"
    },
    {
      "targetId": null,
      "targetType": null,
      "value": null,
      "name": "com.amazonaws.ecs.capability.docker-remote-api.1.18"
    },
    {
      "targetId": null,
      "targetType": null,
      "value": null,
      "name": "ecs.capability.task-eni"
    }
  ],
  "pidMode": null,
  "requiresCompatibilities": [],
  "networkMode": "awsvpc",
  "cpu": null,
  "revision": 2,
  "status": "ACTIVE",
  "inferenceAccelerators": null,
  "proxyConfiguration": null,
  "volumes": []
}

As you can see, the JSON returns "secrets": null when Terraform runs container_definitions:

container_definitions = jsonencode(
  [
    {
      name = aws_ecs_cluster.cluster.name,
      image = "${var.image_url}:latest",
      cpu = 7,
      dnsSearchDomains = null,
      network_configuration = "awsvpc",
      entryPoint = null,
      portMappings = [
        {
          hostPort = 8080,
          protocol = "tcp",
          containerPort = 8080
        },
        {
          hostPort = 8793,
          protocol = "tcp",
          containerPort = 8793
        }
      ],
      command : null,
      linuxParameters : null,
      environment : [
        {
          name : "name",
          value : "harcoded"
        },
      ],
      secrets : [
        {
          name : "parameter-name",
          valueFrom : "arn:aws:ssm:eu-west-2:111111111:parameter/my_env_var_name_in_ssm"
        },
      ],
      resourceRequirements : null,
      ulimits : null,
      dnsServers : null,
      mountPoints : null,
      workingDirectory : null,
      secrets : null,
      dockerSecurityOptions : null,
      memoryReservation : 128,
      volumesFrom : [],
      stopTimeout : null,
      startTimeout : null,
      firelensConfiguration : null,
      dependsOn : null,
      disableNetworking : null,
      interactive : null,
      healthCheck: null
      essential : true,
      links : null,
      hostname : null,
      extraHosts : null,
      pseudoTerminal : null,
      user : null,
      readonlyRootFilesystem : null,
      dockerLabels : null,
      systemControls : null,
      privileged : null
    }
  ]
  )
}

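terraform apply runs fine, but secrets is not in the output of the actions Terraform performs, so it's normal that the JSON definition shows null. So I guess the real question is how to write it in Terraform.

How can I use AWS SSM as valueFrom in an AWS ECS task defined in Terraform? As you can see, the json is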


1 Answer

Stack Overflow user

Accepted answer

Posted 2021-09-19 21:51:10

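Your task definition defines secrets twice. Once with a value, and once with null.

Look at the first and last lines in this code block, which I copied from the code you posted: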

  secrets : [
    {
      name : "parameter-name",
      valueFrom : "arn:aws:ssm:eu-west-2:111111111:parameter/my_env_var_name_in_ssm"
    },
  ],
  resourceRequirements : null,
  ulimits : null,
  dnsServers : null,
  mountPoints : null,
  workingDirectory : null,
  secrets : null,

You need to remove the line secrets : null, because it overrides the previous setting.

Votes 2
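
A corrected form of the question's task definition, given here as an added example that is not code from the question or the answer: `secrets` is declared exactly once, and the task execution role is allowed to read only the referenced parameter. The resource names `task`, `execution` and `read_param` and the role name are hypothetical; the parameter ARN, ports and container values are the ones posted in the question.

```hcl
variable "image_url" { type = string }

locals {
  # Parameter ARN as posted in the question (the account id is the question's placeholder).
  user_param_arn = "arn:aws:ssm:eu-west-2:111111111:parameter/my_env_var_name_in_ssm"
}

# Hypothetical execution role; ECR pull and logging permissions are omitted here.
resource "aws_iam_role" "execution" {
  name = "ecs-task-execution"
  assume_role_policy = jsonencode({
    Version   = "2012-10-17"
    Statement = [{ Effect = "Allow", Action = "sts:AssumeRole", Principal = { Service = "ecs-tasks.amazonaws.com" } }]
  })
}

# ECS resolves valueFrom with the execution role, so scope read access to this one
# parameter. A SecureString under a customer-managed KMS key also needs kms:Decrypt.
resource "aws_iam_role_policy" "read_param" {
  name = "read-ssm-param"
  role = aws_iam_role.execution.id
  policy = jsonencode({
    Version   = "2012-10-17"
    Statement = [{ Effect = "Allow", Action = "ssm:GetParameters", Resource = local.user_param_arn }]
  })
}

resource "aws_ecs_task_definition" "task" {
  family             = "family-name"
  network_mode       = "awsvpc"
  execution_role_arn = aws_iam_role.execution.arn
  container_definitions = jsonencode([{
    name              = "my-name"
    image             = "${var.image_url}:latest"
    cpu               = 7
    memoryReservation = 128
    essential         = true
    portMappings = [
      { hostPort = 8080, protocol = "tcp", containerPort = 8080 },
      { hostPort = 8793, protocol = "tcp", containerPort = 8793 },
    ]
    environment = [{ name = "name", value = "harcoded" }]
    # The only secrets key in this object: no later "secrets : null" to override it.
    secrets = [{ name = "user", valueFrom = local.user_param_arn }]
  }])
}
```

After `terraform apply`, the registered task definition JSON should show the `secrets` array populated instead of `"secrets": null`.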
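The original content of this page is provided by Stack Overflow. Translation support is provided by the Tencent Cloud Xiaowei IT-domain engine.
Original link: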

https://stackoverflow.com/questions/69247126
