SecretOptions for FireLens
It is currently possible to define secrets for FireLens logging configurations. [1]
This is not implemented in the FireLensLogDriver from @aws-cdk/aws-ecs.
Use Case
It is important to define secrets via secretOptions, otherwise the API keys such as the DataDog API key are displayed as plain text in some logs.
Proposed Solution
I implemented a workaround as a custom class (which extends the current aws-cdk implementation), but I guess that the property should simply be added to the FireLensLogDriver.
```ts
import { FireLensLogDriver, FireLensLogDriverProps, LogDriverConfig, ContainerDefinition } from "@aws-cdk/aws-ecs";
import { Construct } from "@aws-cdk/core";
import { IStringParameter } from "@aws-cdk/aws-ssm";

// A secret log option backed by an SSM parameter construct.
interface FireLensSecret {
  valueFrom: IStringParameter;
  name: string;
}

// The same mapping as rendered into the task definition: valueFrom is the parameter ARN.
interface FireLensSecretAsString {
  valueFrom: string;
  name: string;
}

/**
 * Specifies the firelens log driver configuration options.
 */
export interface FireLensLogDriverWithSecretsProps extends FireLensLogDriverProps {
  /**
   * The secrets to pass to the log configuration (SSM parameters only).
   * @default - no secret options
   */
  readonly secretOptions?: FireLensSecret[];
}

export interface FireLensWithSecretLogDriverConfig extends LogDriverConfig {
  readonly secretOptions: FireLensSecretAsString[];
}

export class FireLensLogDriverWithSecrets extends FireLensLogDriver {
  private readonly secretOptions: FireLensSecret[];

  /**
   * Constructs a new instance of the FireLensLogDriverWithSecrets class.
   * @param props the awsfirelens log driver configuration options.
   */
  constructor(props: FireLensLogDriverWithSecretsProps) {
    super(props);
    this.secretOptions = props.secretOptions || [];
  }

  /**
   * Called when the log driver is configured on a container
   */
  public bind(_scope: Construct, _containerDefinition: ContainerDefinition): FireLensWithSecretLogDriverConfig {
    const config = super.bind(_scope, _containerDefinition);
    return {
      // Reference each parameter by ARN so the secret value never appears in the task definition.
      secretOptions: this.secretOptions.map((mapping) => {
        return {
          name: mapping.name,
          valueFrom: mapping.valueFrom.parameterArn,
        };
      }),
      ...config,
    };
  }
}
```
My sample implementation above does not take into account Secrets Manager credentials. It is for SSM parameters only.
- 👋 I may be able to implement this feature request
- ⚠️ This feature might incur a breaking change
This is a 🚀 Feature Request
Issue Analytics
- State:
- Created 3 years ago
- Reactions:15
- Comments:5 (1 by maintainers)
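As an added example (not part of the original issue or of aws-cdk), the check below audits rendered ECS container definitions for awsfirelens log configurations that still carry a credential in plaintext `options` instead of `secretOptions`. The key-name pattern, the full-ARN policy for `valueFrom`, and all names and sample values are assumptions of this example.

```typescript
// Shapes mirror the logConfiguration block of an ECS container definition.
interface SecretOption { name: string; valueFrom: string }
interface LogConfiguration {
  logDriver: string;
  options?: Record<string, string>;
  secretOptions?: SecretOption[];
}
interface ContainerDef { name: string; logConfiguration?: LogConfiguration }
interface Finding { container: string; option: string; issue: string }

// Assumption: option names matching this pattern carry credentials.
const SENSITIVE_KEY = /(api[_-]?key|token|secret|password|passwd)/i;
// Policy assumed here: valueFrom must be a full SSM parameter or Secrets Manager ARN.
const SECRET_REF =
  /^arn:aws[\w-]*:(ssm:[^:]*:\d{12}:parameter\/.+|secretsmanager:[^:]*:\d{12}:secret:.+)$/;

function auditFireLensSecrets(containers: ContainerDef[]): Finding[] {
  const findings: Finding[] = [];
  for (const c of containers) {
    const log = c.logConfiguration;
    if (!log || log.logDriver !== "awsfirelens") continue;
    // Anything in options is stored and displayed as plain text.
    for (const key of Object.keys(log.options ?? {})) {
      if (SENSITIVE_KEY.test(key)) {
        findings.push({ container: c.name, option: key,
          issue: "plaintext value in options; move to secretOptions" });
      }
    }
    // A secretOptions entry must point at a secret store, not hold the value.
    for (const s of log.secretOptions ?? []) {
      if (!SECRET_REF.test(s.valueFrom)) {
        findings.push({ container: c.name, option: s.name,
          issue: "valueFrom is not an SSM or Secrets Manager ARN" });
      }
    }
  }
  return findings;
}

// Constructed sample input: the weak setting beside the corrected one.
const sampleContainers: ContainerDef[] = [
  { name: "app-plaintext", logConfiguration: { logDriver: "awsfirelens",
      options: { Name: "datadog", apikey: "EXAMPLE-NOT-A-REAL-KEY", Host: "intake.example.com" } } },
  { name: "app-secret-ref", logConfiguration: { logDriver: "awsfirelens",
      options: { Name: "datadog", Host: "intake.example.com" },
      secretOptions: [{ name: "apikey",
        valueFrom: "arn:aws:ssm:us-east-1:123456789012:parameter/datadog/api-key" }] } },
];
console.log(JSON.stringify(auditFireLensSecrets(sampleContainers), null, 2));
```

Run it over the `containerDefinitions` array of a synthesized or registered task definition; only the first sample container is reported.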
Top GitHub Comments
I am needing this functionality as well.
See also https://github.com/aws/aws-cdk/issues/7264. I was looking into a PR for that, but support for secret log options should be applicable to all log drivers.