
Commit b9988fb

Merge pull request #22 from petlitskiy/petlitskiyfix-ExecutionRole-v1
Prevent `secret_policy` from being overridden v1
2 parents b780f95 + 35aef18 commit b9988fb

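--- a/ecs-task.cfndsl.rb
+++ b/ecs-task.cfndsl.rb
@@ -20,7 +20,7 @@
 RetentionInDays log_retention
 }
 
-definitions, task_volumes, secrets = Array.new(4){[]}
+definitions, task_volumes, secrets = Array.new(3){[]}
 secrets_policy = {}
 
 task_definition = external_parameters.fetch(:task_definition, {})
@@ -190,7 +190,7 @@
 if task['secrets'].key?('ssm')
 secrets.push *task['secrets']['ssm'].map {|k,v| { Name: k, ValueFrom: v.is_a?(String) && v.start_with?('/') ? FnSub("arn:aws:ssm:${AWS::Region}:${AWS::AccountId}:parameter#{v}") : v }}
 resources = task['secrets']['ssm'].map {|k,v| v.is_a?(String) && v.start_with?('/') ? FnSub("arn:aws:ssm:${AWS::Region}:${AWS::AccountId}:parameter#{v}") : v }
-secrets_policy['ssm-secrets'] = {
+secrets_policy["ssm-secrets-#{task_name}"] = {
 'action' => 'ssm:GetParameters',
 'resource' => resources
 }
@@ -200,7 +200,7 @@
 if task['secrets'].key?('secretsmanager')
 secrets.push *task['secrets']['secretsmanager'].map {|k,v| { Name: k, ValueFrom: v.is_a?(String) && v.start_with?('/') ? FnSub("arn:aws:secretsmanager:${AWS::Region}:${AWS::AccountId}:secret:#{v}") : v }}
 resources = task['secrets']['secretsmanager'].map {|k,v| v.is_a?(String) && v.start_with?('/') ? FnSub("arn:aws:secretsmanager:${AWS::Region}:${AWS::AccountId}:secret:#{v}-*") : v }
-secrets_policy['secretsmanager'] = {
+secrets_policy["secretsmanager-#{task_name}"] = {
 'action' => 'secretsmanager:GetSecretValue',
 'resource' => resources
 }
@@ -210,7 +210,7 @@
 unless task['secrets'].empty?
 secrets.push *task['secrets'].map {|k,v| { Name: k, ValueFrom: v.is_a?(String) && v.start_with?('/') ? FnSub("arn:aws:ssm:${AWS::Region}:${AWS::AccountId}:parameter#{v}") : v }}
 resources = task['secrets'].map {|k,v| v.is_a?(String) && v.start_with?('/') ? FnSub("arn:aws:ssm:${AWS::Region}:${AWS::AccountId}:parameter#{v}") : v }
-secrets_policy['ssm-secrets-inline'] = {
+secrets_policy["ssm-secrets-inline-#{task_name}"] = {
 'action' => 'ssm:GetParameters',
 'resource' => resources
 }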
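Review bot: The new keys at diff lines 193, 203 and 213 only prevent overwrites while `task_name` is unique across the tasks being iterated; the enclosing loop and the definition of `task_name` are outside these hunks, so if it is nil or two task entries share a name the later policy statement still silently replaces the earlier one and that task's secret read permissions disappear from the role. A cheap guard before each assignment makes that visible, e.g. `key = "ssm-secrets-#{task_name}"` followed by `raise ArgumentError, "duplicate secrets policy #{key}" if secrets_policy.key?(key)`, applied likewise at the secretsmanager and inline sites. The reason for the suffix deserves a why-comment where the hash is declared at line 24, e.g. `# keyed per task so each task's secret read permissions stay separate and are never overwritten`. The first hunk's change from `Array.new(4)` to `Array.new(3)` matches the three receivers and needs no further action.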
