Ability to fill dynamic values & secrets #20
Comments
Do you have an example of how you would want to provide the task def setting and value you want to update? I think part of the challenge today is that GitHub Actions inputs are fairly inflexible. In GH Actions, the input keys are typically fixed in the action.yml, and then the input value must be a string. For example, you can't provide a map of task def keys you want to update mapped to your desired value as an input. There are some workarounds here, but neither of them seems particularly user-friendly.

Just brainstorming here, there are a couple other tools that might be useful for accomplishing what you're looking to do. Something like envsubst can evaluate environment variables in a file and replace them with the current env variable value. So for example, in your task def:
There are a few envsubst GitHub Actions in the marketplace, though I haven't tried any of them. You could also merge multiple files together to enable having stage-specific settings. For example, have a task-def-base.json, task-def-dev.json, task-def-prod.json. task-def-base.json can have most of your settings that are common across stages, with task-def-prod.json just containing a CPU setting override.
A tool like yq can merge files together:
Please let me know if either of these work for you!

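The two approaches suggested in the comment above (environment-variable substitution and a base file plus a stage override), combined as an added example that is not part of the original thread or the action's code. Unlike plain envsubst, which replaces an unset variable with an empty string, it stops when a placeholder is unset or not allowlisted; the file contents, `AWS_ACCOUNT_ID` and the function names are constructed for illustration.

```python
import copy
import re

PLACEHOLDER = re.compile(r"\$\{([A-Za-z_][A-Za-z0-9_]*)\}")

def deep_merge(base, override):
    """Return a copy of base with override applied; dicts merge, other values replace."""
    merged = copy.deepcopy(base)
    for key, value in override.items():
        if isinstance(value, dict) and isinstance(merged.get(key), dict):
            merged[key] = deep_merge(merged[key], value)
        else:
            merged[key] = copy.deepcopy(value)
    return merged

def substitute(node, env, allowed):
    """Replace ${VAR} in every string value; fail on unset or non-allowlisted names."""
    if isinstance(node, dict):
        return {k: substitute(v, env, allowed) for k, v in node.items()}
    if isinstance(node, list):
        return [substitute(v, env, allowed) for v in node]
    if not isinstance(node, str):
        return node
    def repl(match):
        name = match.group(1)
        if name not in allowed:
            raise ValueError(f"placeholder {name} is not allowlisted")
        if not env.get(name):
            raise ValueError(f"placeholder {name} is unset or empty")
        return env[name]
    return PLACEHOLDER.sub(repl, node)

def render(base, override, env, allowed):
    """Merge the stage override into the base file, then fill in placeholders."""
    return substitute(deep_merge(base, override), env, allowed)

# Constructed sample: the account id stays out of the repo as a placeholder.
BASE = {
    "family": "web", "cpu": "256",
    "containerDefinitions": [{
        "name": "web", "image": "amazon/amazon-ecs-sample:latest",
        "secrets": [{"name": "STRIPE_API_KEY",
                     "valueFrom": "arn:aws:secretsmanager:us-east-1:${AWS_ACCOUNT_ID}:secret:project/STRIPE_API_KEY-defGHI"}],
    }],
}
PROD = {"cpu": "1024"}  # constructed stage override, CPU setting only
```

In a workflow step, `env` would be `os.environ` with `AWS_ACCOUNT_ID` supplied from a repository secret, and the rendered dict would be written out as the task definition file passed to the render action.
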
Hm, I can't get around to trying the suggestions for a bit, but they look usable. Maybe providing a json file in the ci.yml

name: Render Amazon ECS task definition
id: render-web-container
uses: aws-actions/amazon-ecs-render-task-definition@v1
with:
  task-definition: task-definition.json
  container-name: web
  other-vars: other-vars.json
  image: amazon/amazon-ecs-sample:latest

other-vars.json

{
  "memoryReservation": 256,
  "cpu": 1024,
  "environment": {
    "LOG_LEVEL": "info",
    "OTHER_VAR": "abc123"
  },
  "secrets": {
    "FACEBOOK_API_KEY": "arn:aws:secretsmanager:us-east-1:account_id:secret:project/FACEBOOK_API_KEY-abcDEF",
    "STRIPE_API_KEY": "arn:aws:secretsmanager:us-east-1:account_id:secret:project/STRIPE_API_KEY-defGHI"
  }
}

After this action ran, task def would look like:

Okay, so as I wrote that, I kind of see that we'd prob want the task def to be separate for each, i.e.: taskdefs and in the action, use
or something similar? Would prob be easier than envsubst everywhere. Would you agree with the above method?

Ah, I see so similar to how So I think you could do:
And then:

Similarly, I want to pass account numbers in ARNs in as secrets to the task-definition.json to keep them out of the repo.

Has any work been done on this? Being able to merge in any value into the task definition or having environment variables exposed as a first class input would be great. Thanks!

Bump because passing in account id, arns as secrets seems like a needed feature.

Not sure if this should be one and the same issue, but I wanted to deploy task definitions to two environments changing the CPU value. Generally this is static, but could change; I also have a lot of application settings that could change. I'm unsure of the ability of actions/core but it would be nice to be able to have syntax that could provide this functionality. Secondly, it might fall in the same category, but a list of secrets we have (using AWS Secrets Manager) being inputted dynamically into the task def (as those could change too). Hopefully that use case was easy to follow. I'd love to help develop this if it's possible and looking to discuss how it could be accomplished.