
SecretOptions for FireLens


It is currently possible to define secrets for FireLens logging configurations. [1]
This is not implemented in the FireLensLogDriver from @aws-cdk/aws-ecs.

[1] https://github.com/aws-samples/amazon-ecs-firelens-examples/blob/master/examples/fluent-bit/datadog/task-definition.json

Use Case

It is important to define secrets via secretOptions; otherwise, the API keys such as the DataDog API key are displayed as plain text in some logs.

Proposed Solution

I implemented a workaround as a custom class (which extends the current aws-cdk implementation), but I guess that the property should simply be added to the FireLensLogDriver.

```typescript
import { FireLensLogDriver, FireLensLogDriverProps, LogDriverConfig, ContainerDefinition } from "@aws-cdk/aws-ecs";
import { Construct } from "@aws-cdk/core";
import { IStringParameter } from "@aws-cdk/aws-ssm";

// A secret log option backed by an SSM parameter construct.
interface FireLensSecret {
    valueFrom: IStringParameter;
    name: string;
}

// The same option as rendered into the task definition (valueFrom is an ARN string).
interface FireLensSecretAsString {
    valueFrom: string;
    name: string;
}

/**
 * Specifies the firelens log driver configuration options.
 */
export interface FireLensLogDriverWithSecretsProps extends FireLensLogDriverProps {
    /**
     * The secret options to pass to the log driver, resolved by ECS at task start.
     * @default - no secret options
     */
    readonly secretOptions?: FireLensSecret[];
}

export interface FireLensWithSecretLogDriverConfig extends LogDriverConfig {
    readonly secretOptions: FireLensSecretAsString[];
}

export class FireLensLogDriverWithSecrets extends FireLensLogDriver {
    private readonly secretOptions: FireLensSecret[];

    /**
     * Constructs a new instance of the FireLensLogDriverWithSecrets class.
     * @param props the awsfirelens log driver configuration options.
     */
    constructor(props: FireLensLogDriverWithSecretsProps) {
        super(props);

        this.secretOptions = props.secretOptions || [];
    }

    /**
     * Called when the log driver is configured on a container
     */
    public bind(_scope: Construct, _containerDefinition: ContainerDefinition): FireLensWithSecretLogDriverConfig {
        const config = super.bind(_scope, _containerDefinition);

        return {
            // Emit only the parameter ARN; the secret value never enters the template.
            secretOptions: this.secretOptions.map((mapping) => {
                return {
                    name: mapping.name,
                    valueFrom: mapping.valueFrom.parameterArn,
                };
            }),
            ...config,
        };
    }
}
```

My sample implementation above does not take into account Secrets Manager credentials. It is for SSM parameters only.

  • 👋 I may be able to implement this feature request
  • ⚠️ This feature might incur a breaking change

This is a 🚀 Feature Request

Issue Analytics

  • State: closed
  • Created 3 years ago
  • Reactions: 15
  • Comments: 5 (1 by maintainers)
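
The risk described in the use case can be checked on a rendered task definition before deployment. The following is an added example, not code from the issue or from aws-cdk: it flags awsfirelens log options whose name suggests a credential but which sit in plain options rather than secretOptions. The function name, the key-name heuristic and the sample task definition are assumptions constructed for illustration.

```typescript
// Added example (not from the issue or aws-cdk): flag FireLens options that
// carry a credential in plain text instead of through secretOptions.
interface SecretOption { name: string; valueFrom: string; }
interface LogConfiguration {
  logDriver: string;
  options?: Record<string, string>;
  secretOptions?: SecretOption[];
}
interface ContainerDef { name: string; logConfiguration?: LogConfiguration; }
interface TaskDefinition { containerDefinitions: ContainerDef[]; }
interface Finding { container: string; option: string; }

// Assumed heuristic: option names that usually hold a credential.
const SENSITIVE_KEY = /api[_-]?key|token|password|secret/i;

function findPlaintextSecrets(taskDef: TaskDefinition): Finding[] {
  const findings: Finding[] = [];
  for (const c of taskDef.containerDefinitions) {
    const log = c.logConfiguration;
    if (!log || log.logDriver !== "awsfirelens") continue;
    for (const option of Object.keys(log.options ?? {})) {
      if (SENSITIVE_KEY.test(option)) findings.push({ container: c.name, option });
    }
  }
  return findings;
}

// Constructed sample task definition; key value, account id and ARN are placeholders.
const SAMPLE_TASK_DEF: TaskDefinition = {
  containerDefinitions: [
    { name: "app-plain", logConfiguration: {
        logDriver: "awsfirelens",
        options: { Name: "datadog", TLS: "on", apikey: "EXAMPLE-NOT-A-REAL-KEY" } } },
    { name: "app-secret", logConfiguration: {
        logDriver: "awsfirelens",
        options: { Name: "datadog", TLS: "on" },
        secretOptions: [{ name: "apikey",
          valueFrom: "arn:aws:ssm:us-east-1:111122223333:parameter/example/datadog-api-key" }] } },
    { name: "log_router" },
  ],
};

console.log(findPlaintextSecrets(SAMPLE_TASK_DEF));
```

Run against the output of cdk synth or a registered task definition, a non-empty result marks the containers whose log configuration still embeds the key itself.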

Top GitHub Comments

epvanhouten commented, May 11, 2021 (4 reactions)

I am needing this functionality as well.

tobli commented, May 24, 2020 (1 reaction)

See also https://github.com/aws/aws-cdk/issues/7264. I was looking into a PR for that, but support for secret log options should be applicable to all log drivers.
