feat(batch): add secrets props to job definition (#20871)

Add a secrets property to batch.JobDefinitionContainer. This interface is almost the same as ecs.ContainerDefinitionOptions.

This is reopen PR of #19506

closes #10976

----

### All Submissions:

* [x] Have you followed the guidelines in our [Contributing guide?](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md)

### Adding new Unconventional Dependencies:

* [ ] This PR adds new unconventional dependencies following the process described [here](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md/#adding-new-unconventional-dependencies)

### New Features

* [x] Have you added the new feature to an [integration test](https://github.com/aws/aws-cdk/blob/main/INTEGRATION_TESTS.md)?
	* [x] Did you use `yarn integ` to deploy the infrastructure and generate the snapshot (i.e. `yarn integ` without `--dry-run`)?

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

Author: yoshizawa56

packages/@aws-cdk/aws-batch/README.md

@@ -300,6 +300,23 @@ new batch.JobDefinition(this, 'job-def', {
 });
 ```
 
+### Using the secret on secrets manager
+
+You can set the environment variables from secrets manager.
+
+```ts
+const dbSecret = new secretsmanager.Secret(this, 'secret');
+
+new batch.JobDefinition(this, 'batch-job-def-secrets', {
+  container: {
+    image: ecs.EcrImage.fromRegistry('docker/whalesay'),
+    secrets: {
+      PASSWORD: ecs.Secret.fromSecretsManager(dbSecret, 'password'),
+    },
+  },
+});
+```
+
 ### Importing an existing Job Definition
 
 #### From ARN

packages/@aws-cdk/aws-batch/lib/job-definition.ts

@@ -112,6 +112,13 @@ export interface JobDefinitionContainer {
    */
   readonly environment?: { [key: string]: string };
 
+  /**
+   * The environment variables from secrets manager or ssm parameter store
+   *
+   * @default none
+   */
+  readonly secrets?: { [key: string]: ecs.Secret };
+
   /**
    * The image used to start a container.
    */
@@ -453,6 +460,14 @@ export class JobDefinition extends Resource implements IJobDefinition {
       platformCapabilities: props.platformCapabilities ?? [PlatformCapabilities.EC2],
     });
 
+    // add read secrets permission to execution role
+    if ( props.container.secrets && props.container.executionRole ) {
+      const executionRole = props.container.executionRole;
+      Object.values(props.container.secrets).forEach((secret) => {
+        secret.grantRead(executionRole);
+      });
+    }
+
     this.jobDefinitionArn = this.getResourceArnAttribute(jobDef.ref, {
       service: 'batch',
       resource: 'job-definition',
@@ -507,6 +522,14 @@ export class JobDefinition extends Resource implements IJobDefinition {
     return {
       command: container.command,
       environment: this.deserializeEnvVariables(container.environment),
+      secrets: container.secrets
+        ? Object.entries(container.secrets).map(([key, value]) => {
+          return {
+            name: key,
+            valueFrom: value.arn,
+          };
+        })
+        : undefined,
       image: this.imageConfig.imageName,
       instanceType: container.instanceType && container.instanceType.toString(),
       jobRoleArn: container.jobRole && container.jobRole.roleArn,

packages/@aws-cdk/aws-batch/rosetta/default.ts-fixture

@@ -4,6 +4,7 @@ import { Stack } from '@aws-cdk/core';
 import * as ec2 from '@aws-cdk/aws-ec2';
 import * as batch from '@aws-cdk/aws-batch';
 import * as ecs from '@aws-cdk/aws-ecs';
+import * as secretsmanager from '@aws-cdk/aws-secretsmanager';
 
 class Fixture extends Stack {
   constructor(scope: Construct, id: string) {

packages/@aws-cdk/aws-batch/test/batch.integ.snapshot/batch-stack.assets.json

@@ -0,0 +1,19 @@
+{
+  "version": "20.0.0",
+  "files": {
+    "d3685c79f9ec67f5dd6fda839a136b079f201b3d72695fe0ea3b3788c3471cc8": {
+      "source": {
+        "path": "batch-stack.template.json",
+        "packaging": "file"
+      },
+      "destinations": {
+        "current_account-current_region": {
+          "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}",
+          "objectKey": "d3685c79f9ec67f5dd6fda839a136b079f201b3d72695fe0ea3b3788c3471cc8.json",
+          "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}"
+        }
+      }
+    }
+  },
+  "dockerImages": {}
+}

packages/@aws-cdk/aws-batch/test/batch.integ.snapshot/batch-stack.template.json

@@ -1365,6 +1365,14 @@
    "UpdateReplacePolicy": "Retain",
    "DeletionPolicy": "Retain"
   },
+  "batchsecret7CD5E4C6": {
+   "Type": "AWS::SecretsManager::Secret",
+   "Properties": {
+    "GenerateSecretString": {}
+   },
+   "UpdateReplacePolicy": "Delete",
+   "DeletionPolicy": "Delete"
+  },
   "batchjobdeffromecrE0E30DAD": {
    "Type": "AWS::Batch::JobDefinition",
    "Properties": {
@@ -1486,6 +1494,32 @@
     }
    }
   },
+  "executionroleDefaultPolicy497F11A3": {
+   "Type": "AWS::IAM::Policy",
+   "Properties": {
+    "PolicyDocument": {
+     "Statement": [
+      {
+       "Action": [
+        "secretsmanager:DescribeSecret",
+        "secretsmanager:GetSecretValue"
+       ],
+       "Effect": "Allow",
+       "Resource": {
+        "Ref": "batchsecret7CD5E4C6"
+       }
+      }
+     ],
+     "Version": "2012-10-17"
+    },
+    "PolicyName": "executionroleDefaultPolicy497F11A3",
+    "Roles": [
+     {
+      "Ref": "executionroleD9A39BE6"
+     }
+    ]
+   }
+  },
   "batchjobdeffargate7FE30059": {
    "Type": "AWS::Batch::JobDefinition",
    "Properties": {
@@ -1509,6 +1543,14 @@
        "Type": "MEMORY",
        "Value": "512"
       }
+     ],
+     "Secrets": [
+      {
+       "Name": "SECRET",
+       "ValueFrom": {
+        "Ref": "batchsecret7CD5E4C6"
+       }
+      }
      ]
     },
     "PlatformCapabilities": [

packages/@aws-cdk/aws-batch/test/batch.integ.snapshot/cdk.out

@@ -1 +1 @@
-{"version":"17.0.0"}
+{"version":"20.0.0"}

packages/@aws-cdk/aws-batch/test/batch.integ.snapshot/integ.json

@@ -1,7 +1,7 @@
 {
-  "version": "18.0.0",
+  "version": "20.0.0",
   "testCases": {
-    "aws-batch/test/integ.batch": {
+    "integ.batch": {
       "stacks": [
         "batch-stack"
       ],

packages/@aws-cdk/aws-batch/test/batch.integ.snapshot/manifest.json

@@ -1,5 +1,5 @@
 {
-  "version": "17.0.0",
+  "version": "20.0.0",
   "artifacts": {
     "Tree": {
       "type": "cdk:tree",
@@ -285,6 +285,12 @@
             "data": "batchjobrepo4C508C51"
           }
         ],
+        "/batch-stack/batch-secret/Resource": [
+          {
+            "type": "aws:cdk:logicalId",
+            "data": "batchsecret7CD5E4C6"
+          }
+        ],
         "/batch-stack/batch-job-def-from-ecr/Resource": [
           {
             "type": "aws:cdk:logicalId",
@@ -303,6 +309,12 @@
             "data": "executionroleD9A39BE6"
           }
         ],
+        "/batch-stack/execution-role/DefaultPolicy/Resource": [
+          {
+            "type": "aws:cdk:logicalId",
+            "data": "executionroleDefaultPolicy497F11A3"
+          }
+        ],
         "/batch-stack/batch-job-def-fargate/Resource": [
           {
             "type": "aws:cdk:logicalId",

packages/@aws-cdk/aws-batch/test/batch.integ.snapshot/tree.json

@@ -8,8 +8,8 @@
         "id": "Tree",
         "path": "Tree",
         "constructInfo": {
-          "fqn": "@aws-cdk/core.Construct",
-          "version": "0.0.0"
+          "fqn": "constructs.Construct",
+          "version": "10.1.33"
         }
       },
       "batch-stack": {
@@ -1614,6 +1614,30 @@
               "version": "0.0.0"
             }
           },
+          "batch-secret": {
+            "id": "batch-secret",
+            "path": "batch-stack/batch-secret",
+            "children": {
+              "Resource": {
+                "id": "Resource",
+                "path": "batch-stack/batch-secret/Resource",
+                "attributes": {
+                  "aws:cdk:cloudformation:type": "AWS::SecretsManager::Secret",
+                  "aws:cdk:cloudformation:props": {
+                    "generateSecretString": {}
+                  }
+                },
+                "constructInfo": {
+                  "fqn": "@aws-cdk/aws-secretsmanager.CfnSecret",
+                  "version": "0.0.0"
+                }
+              }
+            },
+            "constructInfo": {
+              "fqn": "@aws-cdk/aws-secretsmanager.Secret",
+              "version": "0.0.0"
+            }
+          },
           "batch-job-def-from-ecr": {
             "id": "batch-job-def-from-ecr",
             "path": "batch-stack/batch-job-def-from-ecr",
@@ -1814,6 +1838,50 @@
                   "fqn": "@aws-cdk/aws-iam.CfnRole",
                   "version": "0.0.0"
                 }
+              },
+              "DefaultPolicy": {
+                "id": "DefaultPolicy",
+                "path": "batch-stack/execution-role/DefaultPolicy",
+                "children": {
+                  "Resource": {
+                    "id": "Resource",
+                    "path": "batch-stack/execution-role/DefaultPolicy/Resource",
+                    "attributes": {
+                      "aws:cdk:cloudformation:type": "AWS::IAM::Policy",
+                      "aws:cdk:cloudformation:props": {
+                        "policyDocument": {
+                          "Statement": [
+                            {
+                              "Action": [
+                                "secretsmanager:DescribeSecret",
+                                "secretsmanager:GetSecretValue"
+                              ],
+                              "Effect": "Allow",
+                              "Resource": {
+                                "Ref": "batchsecret7CD5E4C6"
+                              }
+                            }
+                          ],
+                          "Version": "2012-10-17"
+                        },
+                        "policyName": "executionroleDefaultPolicy497F11A3",
+                        "roles": [
+                          {
+                            "Ref": "executionroleD9A39BE6"
+                          }
+                        ]
+                      }
+                    },
+                    "constructInfo": {
+                      "fqn": "@aws-cdk/aws-iam.CfnPolicy",
+                      "version": "0.0.0"
+                    }
+                  }
+                },
+                "constructInfo": {
+                  "fqn": "@aws-cdk/aws-iam.Policy",
+                  "version": "0.0.0"
+                }
               }
             },
             "constructInfo": {
@@ -1849,6 +1917,14 @@
                   "aws:cdk:cloudformation:props": {
                     "type": "container",
                     "containerProperties": {
+                      "secrets": [
+                        {
+                          "name": "SECRET",
+                          "valueFrom": {
+                            "Ref": "batchsecret7CD5E4C6"
+                          }
+                        }
+                      ],
                       "image": "docker/whalesay",
                       "executionRoleArn": {
                         "Fn::GetAtt": [

packages/@aws-cdk/aws-batch/test/integ.batch.ts

@@ -2,6 +2,7 @@ import * as ec2 from '@aws-cdk/aws-ec2';
 import * as ecr from '@aws-cdk/aws-ecr';
 import * as ecs from '@aws-cdk/aws-ecs';
 import * as iam from '@aws-cdk/aws-iam';
+import * as secretsmanager from '@aws-cdk/aws-secretsmanager';
 import * as cdk from '@aws-cdk/core';
 import * as batch from '../lib/';
 
@@ -93,6 +94,7 @@ new batch.JobQueue(stack, 'batch-job-fargate-queue', {
 });
 
 const repo = new ecr.Repository(stack, 'batch-job-repo');
+const secret = new secretsmanager.Secret(stack, 'batch-secret');
 
 new batch.JobDefinition(stack, 'batch-job-def-from-ecr', {
   container: {
@@ -115,5 +117,8 @@ new batch.JobDefinition(stack, 'batch-job-def-fargate', {
   container: {
     image: ecs.ContainerImage.fromRegistry('docker/whalesay'),
     executionRole,
+    secrets: {
+      SECRET: ecs.Secret.fromSecretsManager(secret),
+    },
   },
 });