AWS SSM 作为 Terraform 中任务的 valueFrom 不起作用
AWS SSM as a valueFrom for task in Terraform not working
我正在 AWS 中定义一个任务,我已经在使用 aws_ecs_task_definition 模块工作。我正在使用 terraform 模块中的环境变量设置一些环境变量,但其中一些将通过 AWS SSM 提供。没有AWS SSM的正常创建是:
environment : [
{
name : "user",
value : "name"
},
],
这很有魅力。
然后我尝试了:
environment : [
{
name : "user",
valueFrom : "my_env_var_name_in_ssm"
},
],
但是没用。当我转到任务定义的 UI 时,ENV 变量不存在,UI 的 json 定义中也不存在。
然后我尝试在 UI 中创建它们并且任务工作完美,我看到当您设置 valueFrom 时,ENV 变量是在 [=45 的秘密部分下创建的=] 定义。所以我尝试在 Terraform 中复制它,例如:
secrets : [
{
name : "user",
valueFrom : "my_env_var_name_in_ssm"
},
],
但它也不起作用。任务定义json是:
{
"ipcMode": null,
"executionRoleArn": "arn",
"containerDefinitions": [
{
"dnsSearchDomains": null,
"environmentFiles": null,
"logConfiguration": null,
"entryPoint": null,
"portMappings": [
{
"hostPort": 8080,
"protocol": "tcp",
"containerPort": 8080
},
{
"hostPort": 8793,
"protocol": "tcp",
"containerPort": 8793
}
],
"command": null,
"linuxParameters": null,
"cpu": 7,
"environment": [
{
"name": "name",
"value": "harcoded"
},
],
"resourceRequirements": null,
"ulimits": null,
"dnsServers": null,
"mountPoints": [],
"workingDirectory": null,
"secrets": null,
"dockerSecurityOptions": null,
"memory": null,
"memoryReservation": 128,
"volumesFrom": [],
"stopTimeout": null,
"image": "image_arn",
"startTimeout": null,
"firelensConfiguration": null,
"dependsOn": null,
"disableNetworking": null,
"interactive": null,
"healthCheck": null,
"essential": true,
"links": null,
"hostname": null,
"extraHosts": null,
"pseudoTerminal": null,
"user": null,
"readonlyRootFilesystem": null,
"dockerLabels": null,
"systemControls": null,
"privileged": null,
"name": "my-name"
}
],
"placementConstraints": [],
"memory": null,
"taskRoleArn": "arn",
"compatibilities": [
"EC2"
],
"taskDefinitionArn": "arn",
"family": "family-name",
"requiresAttributes": [
{
"targetId": null,
"targetType": null,
"value": null,
"name": "com.amazonaws.ecs.capability.ecr-auth"
},
{
"targetId": null,
"targetType": null,
"value": null,
"name": "com.amazonaws.ecs.capability.docker-remote-api.1.21"
},
{
"targetId": null,
"targetType": null,
"value": null,
"name": "com.amazonaws.ecs.capability.task-iam-role"
},
{
"targetId": null,
"targetType": null,
"value": null,
"name": "ecs.capability.execution-role-ecr-pull"
},
{
"targetId": null,
"targetType": null,
"value": null,
"name": "com.amazonaws.ecs.capability.docker-remote-api.1.18"
},
{
"targetId": null,
"targetType": null,
"value": null,
"name": "ecs.capability.task-eni"
}
],
"pidMode": null,
"requiresCompatibilities": [],
"networkMode": "awsvpc",
"cpu": null,
"revision": 2,
"status": "ACTIVE",
"inferenceAccelerators": null,
"proxyConfiguration": null,
"volumes": []
}
如你所见 json returns: "secrets": null,
当 terraform 运行 a container_definitions 像这样时:
container_definitions = jsonencode(
[
{
name = aws_ecs_cluster.cluster.name,
image = "${var.image_url}:latest",
cpu = 7,
dnsSearchDomains = null,
network_configuration = "awsvpc",
entryPoint = null,
portMappings = [
{
hostPort = 8080,
protocol = "tcp",
containerPort = 8080
},
{
hostPort = 8793,
protocol = "tcp",
containerPort = 8793
}
],
command : null,
linuxParameters : null,
environment : [
{
name : "name",
value : "harcoded"
},
],
secrets : [
{
name : "parameter-name",
valueFrom : "arn:aws:ssm:eu-west-2:111111111:parameter/my_env_var_name_in_ssm"
},
],
resourceRequirements : null,
ulimits : null,
dnsServers : null,
mountPoints : null,
workingDirectory : null,
secrets : null,
dockerSecurityOptions : null,
memoryReservation : 128,
volumesFrom : [],
stopTimeout : null,
startTimeout : null,
firelensConfiguration : null,
dependsOn : null,
disableNetworking : null,
interactive : null,
healthCheck: null
essential : true,
links : null,
hostname : null,
extraHosts : null,
pseudoTerminal : null,
user : null,
readonlyRootFilesystem : null,
dockerLabels : null,
systemControls : null,
privileged : null
}
]
)
}
terraform apply 工作正常,但 secrets 不在 terraform 执行的操作的输出中,因此 json 定义显示 null 是正常的。那么我想真正的问题是如何在 terraform 中编写它。
如何在 Terraform 中定义的 AWS ECS 任务中使用 AWS SSM 作为 valueFrom?如您所见,json 是
您的任务定义 secrets 定义了两次。一次是一个值,一次是 null:
查看我从您发布的代码中复制的此块中的第一行和最后一行:
secrets : [
{
name : "parameter-name",
valueFrom : "arn:aws:ssm:eu-west-2:111111111:parameter/my_env_var_name_in_ssm"
},
],
resourceRequirements : null,
ulimits : null,
dnsServers : null,
mountPoints : null,
workingDirectory : null,
secrets : null,
您需要删除行 secrets : null,因为它会覆盖之前的设置。
我正在 AWS 中定义一个任务,我已经在使用 aws_ecs_task_definition 模块工作。我正在使用 terraform 模块中的环境变量设置一些环境变量,但其中一些将通过 AWS SSM 提供。没有AWS SSM的正常创建是:
environment : [
{
name : "user",
value : "name"
},
],
这很有魅力。
然后我尝试了:
environment : [
{
name : "user",
valueFrom : "my_env_var_name_in_ssm"
},
],
但是没用。当我转到任务定义的 UI 时,ENV 变量不存在,UI 的 json 定义中也不存在。
然后我尝试在 UI 中创建它们并且任务工作完美,我看到当您设置 valueFrom 时,ENV 变量是在 [=45 的秘密部分下创建的=] 定义。所以我尝试在 Terraform 中复制它,例如:
secrets : [
{
name : "user",
valueFrom : "my_env_var_name_in_ssm"
},
],
但它也不起作用。任务定义json是:
{
"ipcMode": null,
"executionRoleArn": "arn",
"containerDefinitions": [
{
"dnsSearchDomains": null,
"environmentFiles": null,
"logConfiguration": null,
"entryPoint": null,
"portMappings": [
{
"hostPort": 8080,
"protocol": "tcp",
"containerPort": 8080
},
{
"hostPort": 8793,
"protocol": "tcp",
"containerPort": 8793
}
],
"command": null,
"linuxParameters": null,
"cpu": 7,
"environment": [
{
"name": "name",
"value": "harcoded"
},
],
"resourceRequirements": null,
"ulimits": null,
"dnsServers": null,
"mountPoints": [],
"workingDirectory": null,
"secrets": null,
"dockerSecurityOptions": null,
"memory": null,
"memoryReservation": 128,
"volumesFrom": [],
"stopTimeout": null,
"image": "image_arn",
"startTimeout": null,
"firelensConfiguration": null,
"dependsOn": null,
"disableNetworking": null,
"interactive": null,
"healthCheck": null,
"essential": true,
"links": null,
"hostname": null,
"extraHosts": null,
"pseudoTerminal": null,
"user": null,
"readonlyRootFilesystem": null,
"dockerLabels": null,
"systemControls": null,
"privileged": null,
"name": "my-name"
}
],
"placementConstraints": [],
"memory": null,
"taskRoleArn": "arn",
"compatibilities": [
"EC2"
],
"taskDefinitionArn": "arn",
"family": "family-name",
"requiresAttributes": [
{
"targetId": null,
"targetType": null,
"value": null,
"name": "com.amazonaws.ecs.capability.ecr-auth"
},
{
"targetId": null,
"targetType": null,
"value": null,
"name": "com.amazonaws.ecs.capability.docker-remote-api.1.21"
},
{
"targetId": null,
"targetType": null,
"value": null,
"name": "com.amazonaws.ecs.capability.task-iam-role"
},
{
"targetId": null,
"targetType": null,
"value": null,
"name": "ecs.capability.execution-role-ecr-pull"
},
{
"targetId": null,
"targetType": null,
"value": null,
"name": "com.amazonaws.ecs.capability.docker-remote-api.1.18"
},
{
"targetId": null,
"targetType": null,
"value": null,
"name": "ecs.capability.task-eni"
}
],
"pidMode": null,
"requiresCompatibilities": [],
"networkMode": "awsvpc",
"cpu": null,
"revision": 2,
"status": "ACTIVE",
"inferenceAccelerators": null,
"proxyConfiguration": null,
"volumes": []
}
如你所见 json returns: "secrets": null,
当 terraform 运行 a container_definitions 像这样时:
container_definitions = jsonencode(
[
{
name = aws_ecs_cluster.cluster.name,
image = "${var.image_url}:latest",
cpu = 7,
dnsSearchDomains = null,
network_configuration = "awsvpc",
entryPoint = null,
portMappings = [
{
hostPort = 8080,
protocol = "tcp",
containerPort = 8080
},
{
hostPort = 8793,
protocol = "tcp",
containerPort = 8793
}
],
command : null,
linuxParameters : null,
environment : [
{
name : "name",
value : "harcoded"
},
],
secrets : [
{
name : "parameter-name",
valueFrom : "arn:aws:ssm:eu-west-2:111111111:parameter/my_env_var_name_in_ssm"
},
],
resourceRequirements : null,
ulimits : null,
dnsServers : null,
mountPoints : null,
workingDirectory : null,
secrets : null,
dockerSecurityOptions : null,
memoryReservation : 128,
volumesFrom : [],
stopTimeout : null,
startTimeout : null,
firelensConfiguration : null,
dependsOn : null,
disableNetworking : null,
interactive : null,
healthCheck: null
essential : true,
links : null,
hostname : null,
extraHosts : null,
pseudoTerminal : null,
user : null,
readonlyRootFilesystem : null,
dockerLabels : null,
systemControls : null,
privileged : null
}
]
)
}
terraform apply 工作正常,但 secrets 不在 terraform 执行的操作的输出中,因此 json 定义显示 null 是正常的。那么我想真正的问题是如何在 terraform 中编写它。
如何在 Terraform 中定义的 AWS ECS 任务中使用 AWS SSM 作为 valueFrom?如您所见,json 是
您的任务定义 secrets 定义了两次。一次是一个值,一次是 null:
查看我从您发布的代码中复制的此块中的第一行和最后一行:
secrets : [
{
name : "parameter-name",
valueFrom : "arn:aws:ssm:eu-west-2:111111111:parameter/my_env_var_name_in_ssm"
},
],
resourceRequirements : null,
ulimits : null,
dnsServers : null,
mountPoints : null,
workingDirectory : null,
secrets : null,
您需要删除行 secrets : null,因为它会覆盖之前的设置。