amazon-web-servicesterraformssm

Terraform - Use SSM Parameters in ECS container definition


I am using Terraform to deploy an ECS task and would like to use AWS SSM Parameters within the container definition of the ECS task.

I have 3 SSM parameters that I would like to use to override the default properties defined in service.json. (PORT, TEST_PROP_1, TEST_PROP_2)

Is there a way for me to provide the ARN of these SSM parameters for the container definition environment variables?

Terraform resource:

resource "aws_ecs_task_definition" "testapp" {
  family                = "testapp"
  network_mode = "awsvpc"
  cpu = 256
  memory = 512
  container_definitions = file("../modules/ecs_service/task-definitions/service.json")
  requires_compatibilities = [
    "FARGATE"
  ]
  execution_role_arn = "arn:aws:iam::redacted:role/ecsTaskExecutionRole"
  task_role_arn = "arn:aws:iam::redacted:role/ecsTaskExecutionRole"
}

service.json

[
    {
        "name": "testapp",
        "image": "redacted/demoapp:latest",
        "portMappings": [
            {
                "containerPort": 59817,
                "hostPort": 59817,
                "protocol": "tcp"
            }
        ],
        "logConfiguration": {
            "logDriver": "awslogs",
            "options": {
                "awslogs-group": "testappLG",
                "awslogs-region": "us-east-1",
                "awslogs-stream-prefix": "devtest"
            }
        },
        "Environment": [
            {
                "Name": "PORT",
                "Value": "9001"
            },
            {
                "Name": "TEST_PROP_1",
                "Value": "Override value - test prop 1"
            },
            {
                "Name": "TEST_PROP_2",
                "Value": "Override value - test prop 2"
            }
        ]
    }
]

Solution

  • You can either create the SSM parameter in this Terraform run, in which case you would have a reference to it already, or you can look it up using a data source. For example purposes let's say you use a data source:

    data "aws_ssm_parameter" "foo" {
      name = "foo"
    }
    

    Now, instead of the file() function I would use the templatefile() function, so you can use interpolation inside the json. That means the line in your Terraform template would change to this (passing the ARN of a secret you want to use in the JSON):

    container_definitions = templatefile( "../modules/ecs_service/task-definitions/service.json", { 
        secret1 = data.aws_ssm_parameter.foo.arn 
    })
    

    Finally your JSON file would need to look like this in order to tell ECS to lookup the secret and pass it into the container when it creates an instance of your task:

    [
        {
            "name": "testapp",
            "image": "redacted/demoapp:latest",
            "portMappings": [
                {
                    "containerPort": 59817,
                    "hostPort": 59817,
                    "protocol": "tcp"
                }
            ],
            "logConfiguration": {
                "logDriver": "awslogs",
                "options": {
                    "awslogs-group": "testappLG",
                    "awslogs-region": "us-east-1",
                    "awslogs-stream-prefix": "devtest"
                }
            },
            "secrets": [
                {
                    "name": "MY_SECRET",
                    "valueFrom": "${secret1}"
                }
            ],
            "Environment": [
                {
                    "Name": "PORT",
                    "Value": "9001"
                },
                {
                    "Name": "TEST_PROP_1",
                    "Value": "Override value - test prop 1"
                },
                {
                    "Name": "TEST_PROP_2",
                    "Value": "Override value - test prop 2"
                }
            ]
        }
    ]