-
Notifications
You must be signed in to change notification settings - Fork 144
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat: support for setting environment secrets, and other task-def params #204
base: master
Are you sure you want to change the base?
feat: support for setting environment secrets, and other task-def params #204
Conversation
@clareliguori @hyandell @kdaily @awood45 @mattsb42-aws Can anyone take a look at this or know who can? |
description: 'task-def family' | ||
required: false | ||
cpu: | ||
description: 'CPU' | ||
required: false | ||
memory: | ||
description: 'Memory' | ||
required: false | ||
executionRoleArn: | ||
description: 'executionRoleArn' | ||
required: false | ||
taskRoleArn: | ||
description: 'taskRoleArn' | ||
required: false | ||
awslogs-group: | ||
description: 'awslogs-group' | ||
required: false | ||
awslogs-region: | ||
description: 'awslogs-region' | ||
required: false |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Question; is the expectation here that some of this changes between github action execution?
Until now, we haven't added these fields into the github action config because we supply a task def json and then we read the parameters that change and inline them into the task definition. But I'm wondering if there is a usecase that we've missed.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yeah some of these might not be needed like the logs, and task arns since you can just use the names. To be honest I think the biggest item needed is secret arns since they do contain the AWS Account Id and would prefer not to commit that in the repo.
} | ||
|
||
// Get pairs by splitting on newlines | ||
environmentSecrets.split('\n').forEach(function (line) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Nit; this could be turned into a .map()
that maps each environment secret line to type { name: string, valueFrom: string }
and then we could merge these values into containerDef.secrets
outside of the forEach
loop.
}) | ||
} | ||
|
||
if (awslogsGroup && awslogsRegion && containerDef.logConfiguration && containerDef.logConfiguration.options) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
These options look specific to awslogs
log driver. I believe we should check if the logConfiguration.logsDriver
is set to awslogs
before we change these properties in the task def.
containerDef.logConfiguration.options["awslogs-group"] = awslogsGroup; | ||
containerDef.logConfiguration.options["awslogs-region"] = awslogsRegion; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Nit; It might also be worthwhile to also include the option to set awslogs-stream-prefix
and awslogs-create-group
as well because that'll ship the complete set of AWS logs options for customers.
@@ -16,6 +16,30 @@ inputs: | |||
environment-variables: | |||
description: 'Variables to add to the container. Each variable is of the form KEY=value, you can specify multiple variables with multi-line YAML strings.' | |||
required: false | |||
environment-secrets: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@joshmello can you think about how to add option to get secrets from AWS AppConfig? For example. we can set arn of config. It's will be very useful. Or just read env from file.
(asking because have a lot of env to setup)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
by "environment-secrets" you mean both value from SSM and from Secret Manager right ?
Is there any progress in getting this released? |
Any updates here? Having secrets, executionRoleArn, and taskRoleArn would be really nice to not have to maintain a separate |
Can this be merged any time soon? |
@sh-mykola see #252 (comment) for another option using https://github.com/marketplace/actions/update-json-file to manually edit a JSON file (outside any AWS context), since that's all that really needs to be done. |
Thank you! But I still think providing SSM name as variable is much smoother experience |
Is this something that can merged in now? I haven't looked to see the conflicts. |
Hi @pierre-wehbe, thank you so much for your contribution. Apologies on the delay.
|
Description of changes: These commits add a few extra inputs (all optional)
I've updated the tests to include testing for all these.