时间戳

首页 > 解决方案 > AWS SSM 作为 Terraform 中任务的 valueFrom 不起作用

amazon-web-services - AWS SSM 作为 Terraform 中任务的 valueFrom 不起作用

问题描述

我正在 AWS 中定义一个我已经使用aws_ecs_task_definition模块工作的任务。我正在使用terraform模块中的环境变量设置一些环境变量,但其中一些将通过提供AWS SSM。没有的正常创建AWS SSM是:

environment : [
        {
          name : "user",
          value : "name"
        },
      ],

这就像一个魅力。

然后我尝试了:

environment : [
        {
          name : "user",
          valueFrom : "my_env_var_name_in_ssm"
        },
      ],

但它不起作用。当我转到任务定义的 UI 时,ENV变量不存在,UI 的 json 定义中也不存在。

然后我尝试在 UI 中创建它们并且任务完美运行,我看到当您设置 valueFrom 时,该ENV变量是在 json 定义的 secrets 部分下创建的。所以我试图复制它,Terraform例如:

secrets : [
        {
          name : "user",
          valueFrom : "my_env_var_name_in_ssm"
        },
      ],

但它也不起作用。任务定义json为:

{
  "ipcMode": null,
  "executionRoleArn": "arn",
  "containerDefinitions": [
    {
      "dnsSearchDomains": null,
      "environmentFiles": null,
      "logConfiguration": null,
      "entryPoint": null,
      "portMappings": [
        {
          "hostPort": 8080,
          "protocol": "tcp",
          "containerPort": 8080
        },
        {
          "hostPort": 8793,
          "protocol": "tcp",
          "containerPort": 8793
        }
      ],
      "command": null,
      "linuxParameters": null,
      "cpu": 7,
      "environment": [
        {
          "name": "name",
          "value": "harcoded"
        },
      ],
      "resourceRequirements": null,
      "ulimits": null,
      "dnsServers": null,
      "mountPoints": [],
      "workingDirectory": null,
      "secrets": null,
      "dockerSecurityOptions": null,
      "memory": null,
      "memoryReservation": 128,
      "volumesFrom": [],
      "stopTimeout": null,
      "image": "image_arn",
      "startTimeout": null,
      "firelensConfiguration": null,
      "dependsOn": null,
      "disableNetworking": null,
      "interactive": null,
      "healthCheck": null,
      "essential": true,
      "links": null,
      "hostname": null,
      "extraHosts": null,
      "pseudoTerminal": null,
      "user": null,
      "readonlyRootFilesystem": null,
      "dockerLabels": null,
      "systemControls": null,
      "privileged": null,
      "name": "my-name"
    }
  ],
  "placementConstraints": [],
  "memory": null,
  "taskRoleArn": "arn",
  "compatibilities": [
    "EC2"
  ],
  "taskDefinitionArn": "arn",
  "family": "family-name",
  "requiresAttributes": [
    {
      "targetId": null,
      "targetType": null,
      "value": null,
      "name": "com.amazonaws.ecs.capability.ecr-auth"
    },
    {
      "targetId": null,
      "targetType": null,
      "value": null,
      "name": "com.amazonaws.ecs.capability.docker-remote-api.1.21"
    },
    {
      "targetId": null,
      "targetType": null,
      "value": null,
      "name": "com.amazonaws.ecs.capability.task-iam-role"
    },
    {
      "targetId": null,
      "targetType": null,
      "value": null,
      "name": "ecs.capability.execution-role-ecr-pull"
    },
    {
      "targetId": null,
      "targetType": null,
      "value": null,
      "name": "com.amazonaws.ecs.capability.docker-remote-api.1.18"
    },
    {
      "targetId": null,
      "targetType": null,
      "value": null,
      "name": "ecs.capability.task-eni"
    }
  ],
  "pidMode": null,
  "requiresCompatibilities": [],
  "networkMode": "awsvpc",
  "cpu": null,
  "revision": 2,
  "status": "ACTIVE",
  "inferenceAccelerators": null,
  "proxyConfiguration": null,
  "volumes": []
}

如您所见,json 返回:"secrets": null, 当 terraformcontainer_definitions像这样运行时:

container_definitions = jsonencode(
  [
    {
      name = aws_ecs_cluster.cluster.name,
      image = "${var.image_url}:latest",
      cpu = 7,
      dnsSearchDomains = null,
      network_configuration = "awsvpc",
      entryPoint = null,
      portMappings = [
        {
          hostPort = 8080,
          protocol = "tcp",
          containerPort = 8080
        },
        {
          hostPort = 8793,
          protocol = "tcp",
          containerPort = 8793
        }
      ],
      command : null,
      linuxParameters : null,
      environment : [
        {
          name : "name",
          value : "harcoded"
        },
      ],
      secrets : [
        {
          name : "parameter-name",
          valueFrom : "arn:aws:ssm:eu-west-2:111111111:parameter/my_env_var_name_in_ssm"
        },
      ],
      resourceRequirements : null,
      ulimits : null,
      dnsServers : null,
      mountPoints : null,
      workingDirectory : null,
      secrets : null,
      dockerSecurityOptions : null,
      memoryReservation : 128,
      volumesFrom : [],
      stopTimeout : null,
      startTimeout : null,
      firelensConfiguration : null,
      dependsOn : null,
      disableNetworking : null,
      interactive : null,
      healthCheck: null
      essential : true,
      links : null,
      hostname : null,
      extraHosts : null,
      pseudoTerminal : null,
      user : null,
      readonlyRootFilesystem : null,
      dockerLabels : null,
      systemControls : null,
      privileged : null
    }
  ]
  )
}

terraform apply工作正常,但secrets不在 terraform 执行操作的输出中,因此 json 定义显示为空是正常的。然后我想真正的问题是如何在 terraform 中编写它。

如何AWS SSM在 Terraform 中定义的 AWS ECS 任务中用作 valueFrom?如您所见,json是

标签: amazon-web-servicesdockerterraformamazon-ecs

解决方案

您的任务定义已secrets定义两次。一次是值,一次是null

请参阅我从您发布的代码中复制的此块中的第一行和最后一行:

  secrets : [
    {
      name : "parameter-name",
      valueFrom : "arn:aws:ssm:eu-west-2:111111111:parameter/my_env_var_name_in_ssm"
    },
  ],
  resourceRequirements : null,
  ulimits : null,
  dnsServers : null,
  mountPoints : null,
  workingDirectory : null,
  secrets : null,

您需要删除该行secrets : null,因为它覆盖了之前的设置。

推荐阅读