@studion/infra-code-blocks 0.0.8 → 0.0.9
- package/README.md +24 -0
- package/dist/components/web-server.d.ts +8 -1
- package/dist/components/web-server.js +22 -2
- package/package.json +1 -1
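--- a/package/README.md
+++ b/package/README.md
@@ -131,6 +131,7 @@ export type WebServerService = {
 environment?:
 | aws.ecs.KeyValuePair[]
 | ((services: Services) => aws.ecs.KeyValuePair[]);
+secrets?: aws.ecs.Secret[];
 image: pulumi.Input<string>;
 port: pulumi.Input<number>;
 domain: pulumi.Input<string>;
@@ -181,6 +182,27 @@ const project = new studion.Project('demo-project', {
 });
 ```
 
+In order to pass sensitive information to the container use `secrets` instead of `environment`. AWS will fetch values from
+Secret Manager based on arn that is provided for the `valueFrom` field.
+
+```ts
+const project = new studion.Project('demo-project', {
+environment: 'DEVELOPMENT',
+services: [
+{
+type: 'WEB_SERVER',
+serviceName: 'api',
+image: imageUri,
+port: 3000,
+domain: 'api.my-domain.com',
+secrets: [
+{ name: 'DB_PASSWORD', valueFrom: 'arn-of-the-secret-manager-secret' },
+],
+},
+],
+});
+```
+
 ### Database
 
 AWS RDS Postgres instance.
@@ -331,6 +353,7 @@ export type WebServerArgs = {
 maxCount?: pulumi.Input<number>;
 size?: pulumi.Input<Size>;
 environment?: aws.ecs.KeyValuePair[];
+secrets?: aws.ecs.Secret[];
 healtCheckPath?: pulumi.Input<string>;
 taskExecutionRoleInlinePolicies?: pulumi.Input<
 pulumi.Input<RoleInlinePolicy>[]
@@ -444,3 +467,4 @@ const project = new studion.Project('demo-project', {
 
 - [ ] Add worker service for executing tasks
 - [ ] Add MongoDB service
+- [ ] Make db username & password fields optional and autogenerate db username & password if they are not provided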
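--- a/package/dist/components/web-server.d.ts
+++ b/package/dist/components/web-server.d.ts
@@ -61,9 +61,16 @@ export type WebServerArgs = {
 */
 size?: pulumi.Input<Size>;
 /**
-* The environment variables to pass to a container.
+* The environment variables to pass to a container. Don't use this field for
+* sensitive information such as passwords, API keys, etc. For that purpose,
+* please use the `secrets` property.
+* Defaults to [].
 */
 environment?: aws.ecs.KeyValuePair[];
+/**
+* The secrets to pass to the container. Defaults to [].
+*/
+secrets?: aws.ecs.Secret[];
 /**
 * Path for the health check request. Defaults to "/healtcheck".
 */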
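Review bot: The new JSDoc on `secrets` (`* The secrets to pass to the container. Defaults to [].`) does not say what an entry must contain, while the README hunk in this same release explains that `valueFrom` carries the Secrets Manager ARN that ECS resolves when the task starts. A single extra line such as `* Each entry's \`valueFrom\` is the ARN of the Secrets Manager secret whose value is injected into the container.` would keep the declaration self-describing for editor tooltips, where most users will read it. The `WebServerArgs` type continues outside the hunk.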
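--- a/package/dist/components/web-server.js
+++ b/package/dist/components/web-server.js
@@ -26,6 +26,7 @@ const defaults = {
 maxCount: 10,
 size: 'small',
 environment: [],
+secrets: [],
 healtCheckPath: '/healtcheck',
 taskExecutionRoleInlinePolicies: [],
 taskRoleInlinePolicies: [],
@@ -128,6 +129,20 @@ class WebServer extends pulumi.ComponentResource {
 },
 ],
 }, { parent: this });
+const secretManagerSecretsInlinePolicy = {
+name: `${name}-secret-manager-access`,
+policy: JSON.stringify({
+Version: '2012-10-17',
+Statement: [
+{
+Sid: 'AllowContainerToGetSecretManagerSecrets',
+Effect: 'Allow',
+Action: ['secretsmanager:GetSecretValue'],
+Resource: '*',
+},
+],
+}),
+};
 const taskExecutionRole = new aws.iam.Role(`${name}-ecs-task-exec-role`, {
 name: `${name}-ecs-task-exec-role`,
 assumeRolePolicy,
@@ -135,7 +150,10 @@ class WebServer extends pulumi.ComponentResource {
 'arn:aws:iam::aws:policy/CloudWatchFullAccess',
 'arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryFullAccess',
 ],
-inlinePolicies:
+inlinePolicies: [
+secretManagerSecretsInlinePolicy,
+...argsWithDefaults.taskExecutionRoleInlinePolicies,
+],
 }, { parent: this });
 const execCmdInlinePolicy = {
 name: `${name}-ecs-exec`,
@@ -191,10 +209,11 @@ class WebServer extends pulumi.ComponentResource {
 argsWithDefaults.image,
 argsWithDefaults.port,
 argsWithDefaults.environment,
+argsWithDefaults.secrets,
 this.logGroup.name,
 awsRegion,
 ])
-.apply(([containerName, image, port, environment, logGroup, region]) => {
+.apply(([containerName, image, port, environment, secrets, logGroup, region,]) => {
 return JSON.stringify([
 {
 readonlyRootFilesystem: false,
@@ -216,6 +235,7 @@ class WebServer extends pulumi.ComponentResource {
 },
 },
 environment,
+secrets,
 },
 ]);
 }),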