feat(ecs): add function for adding secrets to containers after instantiating them (#21826)

### Description

Similar to `addEnvironment()`, an `addSecret()` method is useful to add secrets to ECS Containers after instantiating them via the constructor.

### Use Case

The most important use-case is when writing Task Definition Extensions or Aspects to augment ECS services. For example, setting environment variables and secrets for a logging or monitoring solution.

Right now, this can be done only using Escape Hatches and there is no higher level functionality to obtain this behaviour.

### Proposed Solution

```typescript
const container = taskDefinition.addContainer('nginx', {
  image: ecs.ContainerImage.fromRegistry('nginx'),
});

container.addSecret('SECRET_1', ecs.Secret.fromSecretsManager(secret));
container.addSecret('SECRET_2', ecs.Secret.fromSecretsManager(secretField, 'password'));
```

closes #18959

----

### All Submissions:

* [X] Have you followed the guidelines in our [Contributing guide?](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md)

### Adding new Unconventional Dependencies:

* [ ] This PR adds new unconventional dependencies following the process described [here](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md/#adding-new-unconventional-dependencies)

### New Features

* [X] Have you added the new feature to an [integration test](https://github.com/aws/aws-cdk/blob/main/INTEGRATION_TESTS.md)?
	* [X] Did you use `yarn integ` to deploy the infrastructure and generate the snapshot (i.e. `yarn integ` without `--dry-run`)?

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

Author: FlorinAsavoaie

packages/@aws-cdk/aws-ecs/README.md

@@ -479,6 +479,8 @@ const newContainer = taskDefinition.addContainer('container', {
   },
 });
 newContainer.addEnvironment('QUEUE_NAME', 'MyQueue');
+newContainer.addSecret('API_KEY', ecs.Secret.fromSecretsManager(secret));
+newContainer.addSecret('DB_PASSWORD', ecs.Secret.fromSecretsManager(secret, 'password'));
 ```
 
 The task execution role is automatically granted read permissions on the secrets/parameters. Support for environment

packages/@aws-cdk/aws-ecs/lib/base/task-definition.ts

@@ -379,8 +379,6 @@ export class TaskDefinition extends TaskDefinitionBase {
 
   private _passRoleStatement?: iam.PolicyStatement;
 
-  private _referencesSecretJsonField?: boolean;
-
   private runtimePlatform?: RuntimePlatform;
 
   /**
@@ -614,9 +612,6 @@ export class TaskDefinition extends TaskDefinitionBase {
     if (this.defaultContainer === undefined && container.essential) {
       this.defaultContainer = container;
     }
-    if (container.referencesSecretJsonField) {
-      this._referencesSecretJsonField = true;
-    }
   }
 
   /**
@@ -695,7 +690,12 @@ export class TaskDefinition extends TaskDefinitionBase {
    * specific JSON field of a secret stored in Secrets Manager.
    */
   public get referencesSecretJsonField(): boolean | undefined {
-    return this._referencesSecretJsonField;
+    for (const container of this.containers) {
+      if (container.referencesSecretJsonField) {
+        return true;
+      }
+    }
+    return false;
   }
 
   /**

packages/@aws-cdk/aws-ecs/lib/container-definition.ts

@@ -435,12 +435,6 @@ export class ContainerDefinition extends Construct {
    */
   public readonly logDriverConfig?: LogDriverConfig;
 
-  /**
-   * Whether this container definition references a specific JSON field of a secret
-   * stored in Secrets Manager.
-   */
-  public readonly referencesSecretJsonField?: boolean;
-
   /**
    * The name of the image referenced by this container.
    */
@@ -458,7 +452,7 @@ export class ContainerDefinition extends Construct {
 
   private readonly imageConfig: ContainerImageConfig;
 
-  private readonly secrets?: CfnTaskDefinition.SecretProperty[];
+  private readonly secrets: CfnTaskDefinition.SecretProperty[] = [];
 
   private readonly environment: { [key: string]: string };
 
@@ -486,16 +480,8 @@ export class ContainerDefinition extends Construct {
     }
 
     if (props.secrets) {
-      this.secrets = [];
       for (const [name, secret] of Object.entries(props.secrets)) {
-        if (secret.hasField) {
-          this.referencesSecretJsonField = true;
-        }
-        secret.grantRead(this.taskDefinition.obtainExecutionRole());
-        this.secrets.push({
-          name,
-          valueFrom: secret.arn,
-        });
+        this.addSecret(name, secret);
       }
     }
 
@@ -602,6 +588,18 @@ export class ContainerDefinition extends Construct {
     this.environment[name] = value;
   }
 
+  /**
+   * This method adds a secret as environment variable to the container.
+   */
+  public addSecret(name: string, secret: Secret) {
+    secret.grantRead(this.taskDefinition.obtainExecutionRole());
+
+    this.secrets.push({
+      name,
+      valueFrom: secret.arn,
+    });
+  }
+
   /**
    * This method adds one or more resources to the container.
    */
@@ -658,6 +656,19 @@ export class ContainerDefinition extends Construct {
     return undefined;
   }
 
+  /**
+   * Whether this container definition references a specific JSON field of a secret
+   * stored in Secrets Manager.
+   */
+  public get referencesSecretJsonField(): boolean | undefined {
+    for (const secret of this.secrets) {
+      if (secret.valueFrom.endsWith('::')) {
+        return true;
+      }
+    }
+    return false;
+  }
+
   /**
    * The inbound rules associated with the security group the task or service will use.
    *
@@ -726,7 +737,7 @@ export class ContainerDefinition extends Construct {
       logConfiguration: this.logDriverConfig,
       environment: this.environment && Object.keys(this.environment).length ? renderKV(this.environment, 'name', 'value') : undefined,
       environmentFiles: this.environmentFiles && renderEnvironmentFiles(cdk.Stack.of(this).partition, this.environmentFiles),
-      secrets: this.secrets,
+      secrets: this.secrets.length ? this.secrets : undefined,
       extraHosts: this.props.extraHosts && renderKV(this.props.extraHosts, 'hostname', 'ipAddress'),
       healthCheck: this.props.healthCheck && renderHealthCheck(this.props.healthCheck),
       links: cdk.Lazy.list({ produce: () => this.links }, { omitEmpty: true }),

packages/@aws-cdk/aws-ecs/lib/fargate/fargate-service.ts

@@ -128,11 +128,6 @@ export class FargateService extends BaseService implements IFargateService {
       throw new Error('Only one of SecurityGroup or SecurityGroups can be populated.');
     }
 
-    if (props.taskDefinition.referencesSecretJsonField
-        && props.platformVersion
-        && SECRET_JSON_FIELD_UNSUPPORTED_PLATFORM_VERSIONS.includes(props.platformVersion)) {
-      throw new Error(`The task definition of this service uses at least one container that references a secret JSON field. This feature requires platform version ${FargatePlatformVersion.VERSION1_4} or later.`);
-    }
     super(scope, id, {
       ...props,
       desiredCount: props.desiredCount,
@@ -154,6 +149,14 @@ export class FargateService extends BaseService implements IFargateService {
 
     this.configureAwsVpcNetworkingWithSecurityGroups(props.cluster.vpc, props.assignPublicIp, props.vpcSubnets, securityGroups);
 
+    this.node.addValidation({
+      validate: () => this.taskDefinition.referencesSecretJsonField
+      && props.platformVersion
+      && SECRET_JSON_FIELD_UNSUPPORTED_PLATFORM_VERSIONS.includes(props.platformVersion)
+        ? [`The task definition of this service uses at least one container that references a secret JSON field. This feature requires platform version ${FargatePlatformVersion.VERSION1_4} or later.`]
+        : [],
+    });
+
     this.node.addValidation({
       validate: () => !this.taskDefinition.defaultContainer ? ['A TaskDefinition must have at least one essential container'] : [],
     });

packages/@aws-cdk/aws-ecs/package.json

@@ -85,6 +85,7 @@
     "@aws-cdk/aws-efs": "0.0.0",
     "@aws-cdk/cdk-build-tools": "0.0.0",
     "@aws-cdk/integ-runner": "0.0.0",
+    "@aws-cdk/integ-tests": "0.0.0",
     "@aws-cdk/cfn2ts": "0.0.0",
     "@aws-cdk/cx-api": "0.0.0",
     "@aws-cdk/pkglint": "0.0.0",

packages/@aws-cdk/aws-ecs/test/container-definition.test.ts

@@ -548,7 +548,7 @@ describe('container definition', () => {
         const actual = container.containerPort;
         const expected = 8080;
         expect(actual).toEqual(expected);
-      }).toThrow(/Container MyContainer hasn't defined any ports. Call addPortMappings()./);
+      }).toThrow(/Container MyContainer hasn't defined any ports. Call addPortMappings\(\)./);
 
 
     });
@@ -597,7 +597,7 @@ describe('container definition', () => {
           const actual = container.ingressPort;
           const expected = 8080;
           expect(actual).toEqual(expected);
-        }).toThrow(/Container MyContainer hasn't defined any ports. Call addPortMappings()./);
+        }).toThrow(/Container MyContainer hasn't defined any ports. Call addPortMappings\(\)./);
 
 
       });
@@ -1258,7 +1258,7 @@ describe('container definition', () => {
     });
 
     // WHEN
-    taskDefinition.addContainer('cont', {
+    const container = taskDefinition.addContainer('cont', {
       image: ecs.ContainerImage.fromRegistry('test'),
       memoryLimitMiB: 1024,
       secrets: {
@@ -1268,6 +1268,7 @@ describe('container definition', () => {
         SECRET_STAGE: ecs.Secret.fromSecretsManagerVersion(secret, { versionStage: 'version-stage' }),
       },
     });
+    container.addSecret('LATER_SECRET', ecs.Secret.fromSecretsManager(secret, 'field'));
 
     // THEN
     Template.fromStack(stack).hasResourceProperties('AWS::ECS::TaskDefinition', {
@@ -1331,6 +1332,20 @@ describe('container definition', () => {
                 ],
               },
             },
+            {
+              Name: 'LATER_SECRET',
+              ValueFrom: {
+                'Fn::Join': [
+                  '',
+                  [
+                    {
+                      Ref: 'SecretA720EF05',
+                    },
+                    ':field::',
+                  ],
+                ],
+              },
+            },
           ],
         }),
       ],

packages/@aws-cdk/aws-ecs/test/ec2/integ.secret-json-field.ts

@@ -1,5 +1,6 @@
 import * as secretsmanager from '@aws-cdk/aws-secretsmanager';
 import * as cdk from '@aws-cdk/core';
+import * as integ from '@aws-cdk/integ-tests';
 import * as ecs from '../../lib';
 
 const app = new cdk.App();
@@ -14,12 +15,18 @@ const secret = new secretsmanager.Secret(stack, 'Secret', {
 
 const taskDefinition = new ecs.Ec2TaskDefinition(stack, 'TaskDef');
 
-taskDefinition.addContainer('web', {
+const container = taskDefinition.addContainer('web', {
   image: ecs.ContainerImage.fromRegistry('amazon/amazon-ecs-sample'),
   memoryLimitMiB: 256,
   secrets: {
     PASSWORD: ecs.Secret.fromSecretsManager(secret, 'password'),
   },
 });
 
+container.addSecret('APIKEY', ecs.Secret.fromSecretsManager(secret, 'apikey'));
+
+new integ.IntegTest(app, 'aws-ecs-ec2-integ-secret-json-field', {
+  testCases: [stack],
+});
+
 app.synth();

packages/@aws-cdk/aws-ecs/test/ec2/secret-json-field.integ.snapshot/aws-ecs-integ-secret-json-field.assets.json

@@ -1,15 +1,15 @@
 {
-  "version": "20.0.0",
+  "version": "21.0.0",
   "files": {
-    "b5f76aca81afb4973dcb922e825af78755db9cb1eb4fe457a9cd07c05e8bf0c7": {
+    "df25aa5385ee86c1e4753a1f126bc9ed3bd97ffd266ccb980e6bc49e8c32f124": {
       "source": {
         "path": "aws-ecs-integ-secret-json-field.template.json",
         "packaging": "file"
       },
       "destinations": {
         "current_account-current_region": {
           "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}",
-          "objectKey": "b5f76aca81afb4973dcb922e825af78755db9cb1eb4fe457a9cd07c05e8bf0c7.json",
+          "objectKey": "df25aa5385ee86c1e4753a1f126bc9ed3bd97ffd266ccb980e6bc49e8c32f124.json",
           "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}"
         }
       }

packages/@aws-cdk/aws-ecs/test/ec2/secret-json-field.integ.snapshot/aws-ecs-integ-secret-json-field.template.json

@@ -51,6 +51,20 @@
           ]
          ]
         }
+       },
+       {
+        "Name": "APIKEY",
+        "ValueFrom": {
+         "Fn::Join": [
+          "",
+          [
+           {
+            "Ref": "SecretA720EF05"
+           },
+           ":apikey::"
+          ]
+         ]
+        }
        }
       ]
      }

packages/@aws-cdk/aws-ecs/test/ec2/secret-json-field.integ.snapshot/awsecsec2integsecretjsonfieldDefaultTestDeployAssert5B8058F0.assets.json

@@ -0,0 +1,19 @@
+{
+  "version": "21.0.0",
+  "files": {
+    "21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22": {
+      "source": {
+        "path": "awsecsec2integsecretjsonfieldDefaultTestDeployAssert5B8058F0.template.json",
+        "packaging": "file"
+      },
+      "destinations": {
+        "current_account-current_region": {
+          "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}",
+          "objectKey": "21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22.json",
+          "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}"
+        }
+      }
+    }
+  },
+  "dockerImages": {}
+}

packages/@aws-cdk/aws-ecs/test/ec2/secret-json-field.integ.snapshot/awsecsec2integsecretjsonfieldDefaultTestDeployAssert5B8058F0.template.json

@@ -0,0 +1,36 @@
+{
+ "Parameters": {
+  "BootstrapVersion": {
+   "Type": "AWS::SSM::Parameter::Value<String>",
+   "Default": "/cdk-bootstrap/hnb659fds/version",
+   "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]"
+  }
+ },
+ "Rules": {
+  "CheckBootstrapVersion": {
+   "Assertions": [
+    {
+     "Assert": {
+      "Fn::Not": [
+       {
+        "Fn::Contains": [
+         [
+          "1",
+          "2",
+          "3",
+          "4",
+          "5"
+         ],
+         {
+          "Ref": "BootstrapVersion"
+         }
+        ]
+       }
+      ]
+     },
+     "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI."
+    }
+   ]
+  }
+ }
+}

packages/@aws-cdk/aws-ecs/test/ec2/secret-json-field.integ.snapshot/cdk.out

@@ -1 +1 @@
-{"version":"20.0.0"}
+{"version":"21.0.0"}

packages/@aws-cdk/aws-ecs/test/ec2/secret-json-field.integ.snapshot/integ.json

@@ -1,14 +1,12 @@
 {
-  "version": "20.0.0",
+  "version": "21.0.0",
   "testCases": {
-    "integ.secret-json-field": {
+    "aws-ecs-ec2-integ-secret-json-field/DefaultTest": {
       "stacks": [
         "aws-ecs-integ-secret-json-field"
       ],
-      "diffAssets": false,
-      "stackUpdateWorkflow": true
+      "assertionStack": "aws-ecs-ec2-integ-secret-json-field/DefaultTest/DeployAssert",
+      "assertionStackName": "awsecsec2integsecretjsonfieldDefaultTestDeployAssert5B8058F0"
     }
-  },
-  "synthContext": {},
-  "enableLookups": false
+  }
 }