kot

Reputation: 85

Terraform AWS secret manager valueFrom syntax

I'm trying to provision a service on ECS using Terraform. I have secrets in AWS Secrets Manager:

{
   "test": "secret"
}

and provide them to my task definition as follows:

 ....
 "secrets": ${jsonencode(
   [
     {
       name = "test_1",
       valueFrom = "arn:aws:secretsmanager:....../test"
     }
   ]
 )}
  ....

When I deploy my container, it complains that ResourceNotFoundException: Secrets Manager can't find the specified secret, which makes sense, because such an ARN does not exist. If I drop /test on the end, however, I get test_1 = {"test": "secret"} in my environment, which is ok but not what I want - I want just secret. That's how it works in examples that I have seen, like for instance here - https://www.chakray.com/creating-fargate-ecs-task-aws-using-terraform/

What am I missing?

Upvotes: 3

Views: 6047

Answers (1)

Ram Babu

Reputation: 2862

In your case, you're looking to use a single key from a secret (which holds a key-value pair).

The syntax for valueFrom is

arn:aws:secretsmanager:region:aws_account_id:secret:secret-name:json-key:version-stage:version-id

For easier understanding, you can think of it as

"${your_secrets.arn}:${keyname}::"

For example, if your secretname is prod-db-credentials with value

{ "username": "dbuser", "password": "dbpass" }

Then your task definition should be like

{
  "containerDefinitions": [{
    "secrets": [{
      "name": "environment_variable_name",
      "valueFrom": "arn:aws:secretsmanager:ap-southeast-2:222000000036:secret:prod-db-credentials-vXXXXC:username::"
    }]
  }]
}

For more information, you can refer to https://docs.aws.amazon.com/AmazonECS/latest/developerguide/specifying-sensitive-data-secrets.html#secrets-envvar

Upvotes: 6
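As an added example (not part of the original question or answer, and not AWS or Terraform code), here is a small Python helper that parses and builds valueFrom references in the syntax the answer gives, shows why the question's "/test" suffix fails, and derives the least-privilege permission the ECS task execution role needs. The region, account id, secret names and random suffixes in it are constructed placeholders.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Shape of an ECS "valueFrom" reference into Secrets Manager:
#   arn:aws:secretsmanager:region:account_id:secret:secret-name:json-key:version-stage:version-id
# The three trailing fields are optional; an empty field is written as nothing between colons,
# e.g. "...:secret:name-AbCdEf:username::". Secret names never contain ":", so splitting on it is safe.
_REF_RE = re.compile(
    r"^(?P<base>arn:aws[a-z-]*:secretsmanager:[a-z0-9-]+:\d{12}:secret:(?P<name>[^:]+))"
    r"(?P<tail>(?::[^:]*){0,3})$"
)


@dataclass(frozen=True)
class SecretRef:
    secret_arn: str              # the ARN the execution role must be allowed to read
    secret_name: str             # name part, including Secrets Manager's random "-AbCdEf" suffix
    json_key: Optional[str]      # None => the whole secret string is injected into the env var
    version_stage: Optional[str]
    version_id: Optional[str]


def parse_value_from(value_from: str) -> SecretRef:
    """Split a valueFrom string into its secret ARN and the optional selector fields."""
    m = _REF_RE.match(value_from)
    if not m:
        raise ValueError(f"not a Secrets Manager valueFrom reference: {value_from!r}")
    tail = m.group("tail")
    fields = tail.split(":")[1:] if tail else []      # ":username::" -> ["username", "", ""]
    fields += [""] * (3 - len(fields))
    json_key, version_stage, version_id = (f or None for f in fields)
    return SecretRef(m.group("base"), m.group("name"), json_key, version_stage, version_id)


def build_value_from(secret_arn: str, json_key: Optional[str] = None,
                     version_stage: Optional[str] = None,
                     version_id: Optional[str] = None) -> str:
    """Inverse of parse_value_from: always emits the full colon-separated form when any selector is set."""
    if json_key is None and version_stage is None and version_id is None:
        return secret_arn
    return f"{secret_arn}:{json_key or ''}:{version_stage or ''}:{version_id or ''}"


def execution_role_policy(value_froms: List[str]) -> dict:
    """Least-privilege statement for the task execution role.

    ECS fetches the whole secret and only then picks the JSON key, so the permission is on
    the secret ARN itself; a JSON key is not an IAM resource. (Secrets encrypted with a
    customer-managed KMS key additionally need kms:Decrypt on that key, not shown here.)
    """
    arns = sorted({parse_value_from(v).secret_arn for v in value_froms})
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["secretsmanager:GetSecretValue"],
            "Resource": arns,
        }],
    }


if __name__ == "__main__":
    # Constructed placeholder values, not real resources.
    arn = "arn:aws:secretsmanager:ap-southeast-2:123456789012:secret:prod-db-credentials-AbCdEf"
    good = parse_value_from(build_value_from(arn, "username"))
    print("json key selected:", good.json_key)                 # username
    # The question's mistake: appending "/test" changes the secret *name*, so ECS looks for
    # a different secret and Secrets Manager answers ResourceNotFoundException.
    bad = parse_value_from(arn + "/username")
    print("secret ECS would look up:", bad.secret_name, "| json key:", bad.json_key)
    print(execution_role_policy([build_value_from(arn, "username"), build_value_from(arn, "password")]))
```

Running it shows that the `:username::` form keeps the secret ARN intact and only adds a selector, whereas the `/username` form is parsed as a longer secret name with no selector, which is exactly the error the question reports. The policy helper also illustrates that two environment variables drawn from different keys of one secret still need only a single resource entry.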
