I'm trying to migrate my existing ECS cluster to CDK and am having issues with secrets.
In my original definition JSON, it's configured using valueFrom as below:
    "secrets": [
        {
            "name": "SECRET_ENV_VARIABLE",
            "valueFrom": "arn:aws:ssm:us-east-2:XXXXXXXX:parameter/path/to/parameter"
        }
    ]
where /path/to/parameter is a SecureString parameter, but when I try to replicate this in CDK (C#) as follows:
    var definition = new FargateTaskDefinition(this, "TaskDefinition", new FargateTaskDefinitionProps
    {
        Cpu = 256,
        MemoryLimitMiB = 512,
        Family = "definition-family",
    });
    definition.AddContainer("ServiceTask", new ContainerDefinitionOptions
    {
        ...
        Secrets = new Dictionary<string, Secret>
        {
            { "SECRET_ENV_VARIABLE", Secret.FromSsmParameter(StringParameter.FromStringParameterName(this, "SecretEnvVariable", "/path/to/parameter")) }
        }
    });
I get Parameters [/path/to/parameter] referenced by template have types not supported by CloudFormation.
Looking at the generated template, I see the valueFrom entry as in my original JSON, but I also see a generated CloudFormation parameter:
    "SecretEnvVariable2A88BA98": {
        "Type": "AWS::SSM::Parameter::Value<String>",
        "Default": "/path/to/parameter"
    }
This CloudFormation parameter is not referenced anywhere in the template, so is there a way I can achieve the same valueFrom output without the problematic CloudFormation parameter?
You are using a Secure String parameter, not a regular String Parameter, so you should be using StringParameter.fromSecureStringParameterAttributes() instead of StringParameter.fromStringParameterName()
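
The change suggested in the answer above, applied to the task definition from the question. This is an added example, not code from the original posts. It assumes CDK v2 (where the parameter version may be omitted); the class name ServiceStack and the container image are placeholders.

```csharp
using System.Collections.Generic;
using Amazon.CDK;
using Amazon.CDK.AWS.ECS;
using Amazon.CDK.AWS.SSM;
using Constructs;

// Hypothetical stack name, used only for this example.
public class ServiceStack : Stack
{
    public ServiceStack(Construct scope, string id, IStackProps props = null)
        : base(scope, id, props)
    {
        // Import the existing SecureString parameter by name. Unlike
        // FromStringParameterName, this import does not declare a
        // CloudFormation parameter of type AWS::SSM::Parameter::Value<String>.
        // Assumption: the parameter is encrypted with the AWS-managed key.
        // For a customer-managed KMS key, also set EncryptionKey so the
        // execution role is granted decrypt permission on that key.
        var secureParam = StringParameter.FromSecureStringParameterAttributes(
            this, "SecretEnvVariable", new SecureStringParameterAttributes
            {
                ParameterName = "/path/to/parameter"
            });

        var definition = new FargateTaskDefinition(this, "TaskDefinition",
            new FargateTaskDefinitionProps
            {
                Cpu = 256,
                MemoryLimitMiB = 512,
                Family = "definition-family",
            });

        definition.AddContainer("ServiceTask", new ContainerDefinitionOptions
        {
            // Placeholder image; the question elides the real container options.
            Image = ContainerImage.FromRegistry("example/placeholder-image:latest"),
            Secrets = new Dictionary<string, Secret>
            {
                // ECS resolves the value at task start via valueFrom; the
                // secret value itself never appears in the template.
                { "SECRET_ENV_VARIABLE", Secret.FromSsmParameter(secureParam) }
            }
        });
    }
}
```

After running cdk synth, the template should contain the valueFrom entry with the parameter ARN and no Parameters entry for SecretEnvVariable.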