Add secrect to ECS TaskDefinition (#191)

keerts · web-flow · commit 8a77821a8443 · 2020-01-30T10:32:43.000Z
diff --git a/src/crucible/aws/ecs/container_definition.clj b/src/crucible/aws/ecs/container_definition.clj
@@ -2,7 +2,8 @@
   "AWS::ECS::TaskDefinition > ContainerDefinition"
   (:require [clojure.spec.alpha :as s]
             [crucible.aws.ecs.key-value-pair :as key-value-pair]
-            [crucible.resources :refer [spec-or-ref]]))
+            [crucible.resources :refer [spec-or-ref]]
+            [crucible.aws.ecs.secret :as secret]))
 
 (s/def ::image (spec-or-ref string?))
 
@@ -87,6 +88,8 @@
 (s/def ::hard-limit (spec-or-ref integer?))
 (s/def ::soft-limit (spec-or-ref integer?))
 
+(s/def ::secrets (s/coll-of ::secret/secret-spec :kind vector?))
+
 (s/def ::ulimits (s/keys :req [::hard-limit
                                ::soft-limit]
                          :opt [::name]))
@@ -123,6 +126,7 @@
                                             ::port-mappings
                                             ::privileged
                                             ::readonly-root-filesystem
+                                            ::secrets
                                             ::ulimits
                                             ::user
                                             ::volumes-from
diff --git a/src/crucible/aws/ecs/secret.clj b/src/crucible/aws/ecs/secret.clj
@@ -0,0 +1,10 @@
+(ns crucible.aws.ecs.secret
+  "AWS::ECS::TaskDefinition > Secret"
+  (:require [clojure.spec.alpha :as s]
+            [crucible.resources :refer [spec-or-ref]]))
+
+(s/def ::name (spec-or-ref string?))
+(s/def ::value-from (spec-or-ref string?))
+
+(s/def ::secret-spec (s/keys :req [::name
+                                   ::value-from]))
diff --git a/test/crucible/aws/ecs/task_test.clj b/test/crucible/aws/ecs/task_test.clj
@@ -0,0 +1,19 @@
+(ns crucible.aws.ecs.task-test
+  (:require [crucible.aws.ecs.task-definition :as task]
+            [crucible.aws.ecs.container-definition :as container]
+            [crucible.aws.ecs.secret :as secret]
+            [crucible.core :refer [xref]]
+            [clojure.spec.alpha :as s]
+            [clojure.test :refer :all]))
+
+(deftest task-tests
+
+  (testing "task with secrets"
+    (is
+      (s/valid? ::task/task-definition
+                {::task/cpu "2048"
+                 ::task/memory "4096"
+                 ::task/container-definitions [{::container/name "rclone"
+                                                ::container/image "rclone/rclone"
+                                                ::container/secrets [{::secret/name "rclone-access-key"
+                                                                      ::secret/value-from "arn:aws:secretsmanager:region:aws_account_id:secret:value-u9bH6K"}]}]}))))
