https://pulumi.com logo
#aws
Title
# aws
b

billowy-ocean-41790

10/14/2020, 9:49 PM
Hi! I'm trying to use AWS SecretsManager with an ECS service I'm provisioning. In the few places that receive a secret ARN, the pulumi typescript expects a
string
rather than an
Output<string>
. We'd expect it to accept
string | Output<string>
, so that we can dynamically assign it from a
new aws.secretsmanager.Secret
.
b

billowy-army-68599

10/14/2020, 10:20 PM
Hey! can you share the code you have currently so I can visualize what you're saying
b

billowy-ocean-41790

10/14/2020, 10:23 PM
I can post snippets. The main repo is not open source.
Copy code
const service = new awsx.ecs.EC2Service(ecsName, {
    cluster,
    desiredCount: 1,
    deploymentMinimumHealthyPercent: 0,
    subnets: args.vpc.privateSubnetIds,
    taskDefinitionArgs: {
      containers: {
        [name]: {
          image: imageUrl,
          repositoryCredentials: {
            credentialsParameter: config.privateRegistrySecretArn,
          },
          memory: 128,
          portMappings: [],
          secrets: [{ name: 'SECRETS', valueFrom: config.applicationSecretArn }],
          environment: [{ name: 'ENVIRONMENT', value: config.environment }],
        },
      },
      executionRole: executionRole,
      taskRole: taskRole,
    },
  });
Here is the ECS snippet that I’ve arrived at. In the
secrets
list and in the
credentialsParameter
, I am referencing the ARN of secrets in AWS secrets manager.
My first pass was to create the secret using Pulumi.
Copy code
const applicationSecret = new aws.secretsmanager.Secret('app-secret', {});
so in place of
config.applicationSecretArn
I wanted to use
applicationSecret.arn
, or if that wouldn’t work wrap it in
pulumi.interpolate
.
The problem is that
applicationSecret.arn
returns a promise, and
pulumi.interpolate
returns an
Output<string>
, but for both
credentialsParameter
and
valueFrom
the only valid type is
string
.
b

billowy-army-68599

10/14/2020, 10:59 PM
ah, think I'm following. It's difficult to allow things like
taskDefinitionArgs
to take an output because of the upstream schema - outputs are reserved really for things now known until after compile time. I suspect there's a technical reason why we can't allow
Output[string]
here (cc @white-balloon-205?) but I don't know it off the top of my head. In any case, you should be able to achieve what you need using an
apply
.
g

gentle-diamond-70147

10/15/2020, 2:31 PM
This is being tracked in https://github.com/pulumi/pulumi-awsx/issues/453 and has a couple options for workarounds in the comments there, FYI.
b

billowy-ocean-41790

10/15/2020, 3:27 PM
Awesome, that link is very helpful! I was playing with apply, but hadn’t realized that it could be used at the level of the
secrets
key.