AWS SSM as valueFrom for a task in Terraform does not work

Mai*_*aik 2 amazon-web-services amazon-ecs docker terraform

I am defining a task in AWS and I have used the aws_ecs_task_definition module to get the task working. I am setting some environment variables through the environment variables of the terraform module, but some of them will be provided via AWS SSM. The normal creation without AWS SSM is:

environment : [
        {
          name : "user",
          value : "name"
        },
      ],

This works like a charm.

Then I tried:

environment : [
        {
          name : "user",
          valueFrom : "my_env_var_name_in_ssm"
        },
      ],

But this does not work. When I go to the task definition UI, the ENV variable is not there, nor is it in the UI's json definition.

Then I tried creating them in the UI, and the task worked perfectly; I saw that when you set valueFrom, the ENV variable is created under the Secrets section of the json definition. So I tried to replicate that in Terraform:

secrets : [
        {
          name : "user",
          valueFrom : "my_env_var_name_in_ssm"
        },
      ],

But that does not work either. The task definition json is:

{
  "ipcMode": null,
  "executionRoleArn": "arn",
  "containerDefinitions": [
    {
      "dnsSearchDomains": null,
      "environmentFiles": null,
      "logConfiguration": null,
      "entryPoint": null,
      "portMappings": [
        {
          "hostPort": 8080,
          "protocol": "tcp",
          "containerPort": 8080
        },
        {
          "hostPort": 8793,
          "protocol": "tcp",
          "containerPort": 8793
        }
      ],
      "command": null,
      "linuxParameters": null,
      "cpu": 7,
      "environment": [
        {
          "name": "name",
          "value": "harcoded"
        }
      ],
      "resourceRequirements": null,
      "ulimits": null,
      "dnsServers": null,
      "mountPoints": [],
      "workingDirectory": null,
      "secrets": null,
      "dockerSecurityOptions": null,
      "memory": null,
      "memoryReservation": 128,
      "volumesFrom": [],
      "stopTimeout": null,
      "image": "image_arn",
      "startTimeout": null,
      "firelensConfiguration": null,
      "dependsOn": null,
      "disableNetworking": null,
      "interactive": null,
      "healthCheck": null,
      "essential": true,
      "links": null,
      "hostname": null,
      "extraHosts": null,
      "pseudoTerminal": null,
      "user": null,
      "readonlyRootFilesystem": null,
      "dockerLabels": null,
      "systemControls": null,
      "privileged": null,
      "name": "my-name"
    }
  ],
  "placementConstraints": [],
  "memory": null,
  "taskRoleArn": "arn",
  "compatibilities": [
    "EC2"
  ],
  "taskDefinitionArn": "arn",
  "family": "family-name",
  "requiresAttributes": [
    {
      "targetId": null,
      "targetType": null,
      "value": null,
      "name": "com.amazonaws.ecs.capability.ecr-auth"
    },
    {
      "targetId": null,
      "targetType": null,
      "value": null,
      "name": "com.amazonaws.ecs.capability.docker-remote-api.1.21"
    },
    {
      "targetId": null,
      "targetType": null,
      "value": null,
      "name": "com.amazonaws.ecs.capability.task-iam-role"
    },
    {
      "targetId": null,
      "targetType": null,
      "value": null,
      "name": "ecs.capability.execution-role-ecr-pull"
    },
    {
      "targetId": null,
      "targetType": null,
      "value": null,
      "name": "com.amazonaws.ecs.capability.docker-remote-api.1.18"
    },
    {
      "targetId": null,
      "targetType": null,
      "value": null,
      "name": "ecs.capability.task-eni"
    }
  ],
  "pidMode": null,
  "requiresCompatibilities": [],
  "networkMode": "awsvpc",
  "cpu": null,
  "revision": 2,
  "status": "ACTIVE",
  "inferenceAccelerators": null,
  "proxyConfiguration": null,
  "volumes": []
}

As you can see, the json returns "secrets": null. When terraform runs, container_definitions looks like this:

container_definitions = jsonencode(
  [
    {
      name = aws_ecs_cluster.cluster.name,
      image = "${var.image_url}:latest",
      cpu = 7,
      dnsSearchDomains = null,
      network_configuration = "awsvpc",
      entryPoint = null,
      portMappings = [
        {
          hostPort = 8080,
          protocol = "tcp",
          containerPort = 8080
        },
        {
          hostPort = 8793,
          protocol = "tcp",
          containerPort = 8793
        }
      ],
      command : null,
      linuxParameters : null,
      environment : [
        {
          name : "name",
          value : "harcoded"
        },
      ],
      secrets : [
        {
          name : "parameter-name",
          valueFrom : "arn:aws:ssm:eu-west-2:111111111:parameter/my_env_var_name_in_ssm"
        },
      ],
      resourceRequirements : null,
      ulimits : null,
      dnsServers : null,
      mountPoints : null,
      workingDirectory : null,
      secrets : null,
      dockerSecurityOptions : null,
      memoryReservation : 128,
      volumesFrom : [],
      stopTimeout : null,
      startTimeout : null,
      firelensConfiguration : null,
      dependsOn : null,
      disableNetworking : null,
      interactive : null,
      healthCheck : null,
      essential : true,
      links : null,
      hostname : null,
      extraHosts : null,
      pseudoTerminal : null,
      user : null,
      readonlyRootFilesystem : null,
      dockerLabels : null,
      systemControls : null,
      privileged : null
    }
  ]
  )
}

terraform apply works fine, but the secrets are not in the output of the terraform run, so it is normal that the json definition shows null. So I guess the real question is how to write this with terraform.

How do I use AWS SSM as valueFrom in an AWS ECS task defined in Terraform? As you can see, the json is

Mar*_*k B 6

Your task definition has secrets defined twice: once with a value, and once with null.

See the first and last lines of this block, which I copied from the code you posted:

  secrets : [
    {
      name : "parameter-name",
      valueFrom : "arn:aws:ssm:eu-west-2:111111111:parameter/my_env_var_name_in_ssm"
    },
  ],
  resourceRequirements : null,
  ulimits : null,
  dnsServers : null,
  mountPoints : null,
  workingDirectory : null,
  secrets : null,

You need to delete the line secrets : null because it overrides the earlier setting.
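For reference, here is an added example (not the poster's or answerer's code) of the corrected shape: "secrets" appears exactly once in the container definition, and the execution role that ECS uses to fetch the parameter at task start is given read access to that one parameter only. The resource names aws_iam_role.execution, aws_iam_role.task and the task definition name are assumptions; the parameter ARN is the one from the question.

```hcl
# Added example, not from the original post. The execution role (assumed
# to be declared elsewhere as aws_iam_role.execution) must be allowed to
# read the SSM parameter, otherwise the task fails to start with a
# ResourceInitializationError even though the task definition is valid.
resource "aws_iam_role_policy" "execution_read_ssm" {
  name = "example-read-ssm-parameter"
  role = aws_iam_role.execution.id
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect = "Allow"
      # Scope to the single parameter; add kms:Decrypt on the key only if
      # the parameter is a SecureString encrypted with a customer-managed key.
      Action   = ["ssm:GetParameters"]
      Resource = ["arn:aws:ssm:eu-west-2:111111111:parameter/my_env_var_name_in_ssm"]
    }]
  })
}

resource "aws_ecs_task_definition" "example" {
  family                   = "family-name"
  network_mode             = "awsvpc"
  requires_compatibilities = ["EC2"]
  execution_role_arn       = aws_iam_role.execution.arn
  task_role_arn            = aws_iam_role.task.arn

  container_definitions = jsonencode([
    {
      name              = "my-name"
      image             = "${var.image_url}:latest"
      essential         = true
      memoryReservation = 128
      portMappings = [
        { containerPort = 8080, hostPort = 8080, protocol = "tcp" }
      ]
      # Plain values stay in "environment"; anything fetched from SSM goes
      # in "secrets" and is injected by the ECS agent at container start.
      environment = [
        { name = "name", value = "harcoded" }
      ]
      # Declared once. A later "secrets = null" in the same object would
      # replace this list, which is what produced "secrets": null above.
      secrets = [
        {
          name      = "user"
          valueFrom = "arn:aws:ssm:eu-west-2:111111111:parameter/my_env_var_name_in_ssm"
        }
      ]
    }
  ])
}
```

After applying, the registered revision should show the entry under "secrets" in the console's JSON view; the plain-text value never appears in the task definition or in Terraform state.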