Examples
Simple raw configuration
From file
files:
  /tmp/test.txt:
    content: >-
      test from a yaml raw content
    owner: john
    group: root
    mode: 600
  /tmp/aws.template:
    source:
      S3:
        BucketName: ${BUCKET_NAME:-sacrificial-lamb}
        Key: aws.yml
  /tmp/ssm.txt:
    source:
      Ssm:
        ParameterName: /cicd/shared/kms/arn
    commands:
      post:
        - file /tmp/ssm.txt
  /tmp/secret.txt:
    source:
      Secret:
        SecretId: GHToken
  /tmp/public.json:
    source:
      Url:
        Url: https://ifconfig.me/all.json
  /tmp/aws.png:
    source:
      Url:
        Url: https://dunhamconnect.com/wp-content/uploads/aws-migration-1200x675.jpg

ecs_files_composer -f input.yaml
In env var through docker-compose
services:
  files-sidecar:
    command: -e ECS_FILES
    environment:
      ECS_FILES: |
        files:
          /opt/files/aws.template:
            source:
              S3:
                BucketName: ${BUCKET_NAME:-sacrificial-lamb}
                Key: aws.yml
          /opt/files/ssm.txt:
            source:
              Ssm:
                ParameterName: /cicd/shared/kms/arn
            commands:
              post:
                - file /opt/files/ssm.txt
          /opt/files/secret.txt:
            source:
              Secret:
                SecretId: GHToken
Note
Note that here we named the environment variable ECS_FILES and overrode the command for ecs_files_composer to use that environment variable name.
From SSM Parameter
{
  "files": {
    "/tmp/aws.template": {
      "source": {
        "S3": {
          "BucketName": "${BUCKET_NAME:-sacrificial-lamb}",
          "Key": "aws.yml"
        }
      }
    },
    "/tmp/ssm.txt": {
      "source": {
        "Ssm": {
          "ParameterName": "/cicd/shared/kms/arn"
        }
      },
      "commands": {
        "post": [
          "file /tmp/ssm.txt"
        ]
      }
    },
    "/tmp/secret.txt": {
      "source": {
        "Secret": {
          "SecretId": "GHToken"
        }
      }
    },
    "/tmp/public.json": {
      "source": {
        "Url": {
          "Url": "https://ifconfig.me/all.json"
        }
      }
    }
  }
}
This is a simple translation of the YAML to JSON (for simplicity), which we are going to put into SSM as a String.
aws ssm put-parameter --name /files/config/parameter --value file://test.json --type String

services:
  files-sidecar:
    command: --from-ssm /files/config/parameter

ecs_files_composer --from-ssm /files/config/parameter
Attention
Make sure you have permissions on the Task Role to perform ssm:GetParameter. You also need IAM permissions to perform kms:Decrypt on the KMS Key used to encrypt the SecureString (if used).
From S3
files:
  /tmp/test.txt:
    content: >-
      test from a yaml raw content
    owner: john
    group: root
    mode: 600
  /tmp/aws.template:
    source:
      S3:
        BucketName: ${BUCKET_NAME:-sacrificial-lamb}
        Key: aws.yml
  /tmp/ssm.txt:
    source:
      Ssm:
        ParameterName: /cicd/shared/kms/arn
    commands:
      post:
        - file /tmp/ssm.txt
  /tmp/secret.txt:
    source:
      Secret:
        SecretId: GHToken
  /tmp/public.json:
    source:
      Url:
        Url: https://ifconfig.me/all.json
  /tmp/aws.png:
    source:
      Url:
        Url: https://dunhamconnect.com/wp-content/uploads/aws-migration-1200x675.jpg
We then upload the file to S3.
aws s3 cp input.yaml s3://sacrificial-lamb/

services:
  files-sidecar:
    command: --from-s3 s3://sacrificial-lamb/input.yaml

ecs_files_composer --from-s3 s3://sacrificial-lamb/input.yaml
Attention
Make sure you have permissions on the Task Role to perform s3:GetObject. You also need IAM permissions to perform kms:Decrypt on the KMS Key used to encrypt the object (if used).
From Secrets Manager
{
  "files": {
    "/tmp/aws.template": {
      "source": {
        "S3": {
          "BucketName": "${BUCKET_NAME:-sacrificial-lamb}",
          "Key": "aws.yml"
        }
      }
    },
    "/tmp/ssm.txt": {
      "source": {
        "Ssm": {
          "ParameterName": "/cicd/shared/kms/arn"
        }
      }
    },
    "/tmp/secret.txt": {
      "source": {
        "Secret": {
          "SecretId": "GHToken"
        }
      }
    },
    "/tmp/public.json": {
      "source": {
        "Url": {
          "Url": "https://secretdomain.me/all.json",
          "Username": "someuser",
          "Password": "somecomplicatedPassword"
        }
      }
    }
  }
}
Hint
This is the only place where entering sensitive information, whether for auth or for the content, is acceptable. Never otherwise put secret information in your job description.
We then create a new secret from the file into Secrets Manager.
aws secretsmanager create-secret --name /config/files/secret --secret-string file://secret_input.json

services:
  files-sidecar:
    command: --from-secrets /config/files/secret

ecs_files_composer --from-secrets /config/files/secret
Attention
Make sure you have permissions on the Task Role to perform secretsmanager:GetSecretValue. You also need IAM permissions to perform kms:Decrypt on the KMS Key used to encrypt the secret.
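An added example (not part of ecs_files_composer or its documentation): a pre-deployment check that applies the Hint above, flagging inline Username/Password values in any config not delivered with --from-secrets, and lists the IAM actions the Attention notes call for. The audit function, its lookup tables and the trimmed sample are constructed for illustration; it assumes sources are fetched with the Task Role's own credentials.

```python
import json

# Constructed sample: three entries from the Secrets Manager example above.
SAMPLE = json.loads("""
{"files": {
  "/tmp/aws.template": {"source": {"S3": {
      "BucketName": "${BUCKET_NAME:-sacrificial-lamb}", "Key": "aws.yml"}}},
  "/tmp/secret.txt": {"source": {"Secret": {"SecretId": "GHToken"}}},
  "/tmp/public.json": {"source": {"Url": {
      "Url": "https://secretdomain.me/all.json",
      "Username": "someuser", "Password": "somecomplicatedPassword"}}}
}}
""")

# IAM action the Task Role needs per source type (assumes the sources are
# fetched with the Task Role's own credentials).
SOURCE_ACTIONS = {"S3": "s3:GetObject", "Ssm": "ssm:GetParameter",
                  "Secret": "secretsmanager:GetSecretValue"}
# Delivery flags shown on this page and the action each adds, if any.
DELIVERY_ACTIONS = {"-f": None, "-e": None,
                    "--from-ssm": "ssm:GetParameter",
                    "--from-s3": "s3:GetObject",
                    "--from-secrets": "secretsmanager:GetSecretValue"}
SENSITIVE_KEYS = {"Username", "Password"}


def audit(config, delivery):
    """Return (findings, actions) for a files config and its delivery flag.
    findings: inline credentials delivered by anything but --from-secrets.
    actions: IAM actions to grant; kms:Decrypt is needed on top of these
    whenever a KMS key encrypts the parameter, object or secret."""
    findings, actions = [], set()
    if DELIVERY_ACTIONS[delivery]:
        actions.add(DELIVERY_ACTIONS[delivery])
    for path, spec in sorted(config.get("files", {}).items()):
        for kind, params in spec.get("source", {}).items():
            if kind in SOURCE_ACTIONS:
                actions.add(SOURCE_ACTIONS[kind])
            leaked = sorted(SENSITIVE_KEYS & set(params or {}))
            if leaked and delivery != "--from-secrets":
                findings.append(f"{path}: inline {', '.join(leaked)} in "
                                f"{kind} source, delivered via {delivery}")
    return findings, sorted(actions)


if __name__ == "__main__":
    for flag in ("--from-ssm", "--from-secrets"):
        print(flag, audit(SAMPLE, flag))
```

The check only sees the Username and Password keys; sensitive text placed in a content field still has to be reviewed by hand.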