No 🛑: please wait to file a request until the functionality is available in the AWS provider
Yes ✅: please list the AWS provider version which introduced this functionality
Is your request related to a problem? Please describe.
Not a problem in and of itself; nevertheless, the primary motivation is to make it easier to limit the scope of the task_exec policy to only the secrets explicitly mentioned in the container_definitions section.
Describe the solution you'd like.
Limit the scope of the task_exec policy to only the secrets that are actually used within the container_definitions.
Describe alternatives you've considered.
Obtain the ARNs for all the secrets defined in the container_definitions and pass them to task_exec_secret_arns.
Additional context
Currently task_exec_secret_arns defaults to ["arn:aws:secretsmanager:*:*:secret:*"]; therefore, a flag could be introduced to change this behaviour so it grabs the secrets ARNs by looping over all container_definitions:
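One way to do the alternative described above in the caller's own configuration, as an added example (not the issue author's snippet and not the module's code). The `locals` names and the sample ARNs are constructed, and it assumes each container definition carries the ECS-style `secrets` list of `name`/`valueFrom` objects.

```hcl
locals {
  # Constructed sample input: two containers, one without any secrets.
  container_definitions = {
    app = {
      image = "example/app:1.0"
      secrets = [
        # valueFrom with a JSON key suffix (":json-key:version-stage:version-id")
        { name = "DB_PASSWORD", valueFrom = "arn:aws:secretsmanager:eu-west-1:111122223333:secret:app/db-AbCdEf:password::" },
        { name = "API_TOKEN", valueFrom = "arn:aws:secretsmanager:eu-west-1:111122223333:secret:app/api-GhIjKl" },
        # SSM parameter reference: must not end up in the Secrets Manager list
        { name = "LOG_LEVEL", valueFrom = "arn:aws:ssm:eu-west-1:111122223333:parameter/app/log_level" },
      ]
    }
    sidecar = {
      image = "example/sidecar:1.0"
    }
  }

  # Every valueFrom referenced by any container; a missing "secrets" key counts as empty.
  secret_refs = flatten([
    for name, def in local.container_definitions : [
      for s in try(def.secrets, []) : s.valueFrom
    ]
  ])

  # Keep Secrets Manager references only and cut each one back to the secret ARN.
  # The optional JSON key / version suffix is not part of the IAM resource, so the
  # pattern stops at the first ":" after the secret name. regexall() returns an
  # empty list for references that do not match (for example SSM parameters).
  task_exec_secret_arns = distinct(flatten([
    for ref in local.secret_refs :
    regexall("^arn:[^:]+:secretsmanager:[^:]*:[^:]*:secret:[^:]+", ref)
  ]))
}

# Pass local.task_exec_secret_arns to the module's task_exec_secret_arns input
# in place of the wildcard default.
output "task_exec_secret_arns" {
  value = local.task_exec_secret_arns
}
```

With the sample input the output holds the two `secret:app/...` ARNs only, with the `:password::` suffix removed.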
This issue has been automatically marked as stale because it has been open 30 days
with no activity. Remove stale label or comment or this issue will be closed in 10 days
Is your request related to a new offering from AWS?
Is this functionality available in the AWS provider for Terraform? See CHANGELOG.md, too.