aws
diff --git a/‎CONTRIBUTING.md‎
Lines changed: 5 additions & 0 deletions b/‎CONTRIBUTING.md‎
Lines changed: 5 additions & 0 deletions
diff --git a/‎docs/DESIGN_GUIDELINES.md‎
Lines changed: 2 additions & 2 deletions b/‎docs/DESIGN_GUIDELINES.md‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎packages/@aws-cdk/aws-batch/README.md‎
Lines changed: 17 additions & 0 deletions b/‎packages/@aws-cdk/aws-batch/README.md‎
Lines changed: 17 additions & 0 deletions
diff --git a/‎packages/@aws-cdk/aws-batch/lib/job-definition.ts‎
Lines changed: 23 additions & 0 deletions b/‎packages/@aws-cdk/aws-batch/lib/job-definition.ts‎
Lines changed: 23 additions & 0 deletions
diff --git a/‎packages/@aws-cdk/aws-batch/rosetta/default.ts-fixture‎
Lines changed: 1 addition & 0 deletions b/‎packages/@aws-cdk/aws-batch/rosetta/default.ts-fixture‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎packages/@aws-cdk/aws-batch/test/batch.integ.snapshot/batch-stack.assets.json‎
Lines changed: 19 additions & 0 deletions b/‎packages/@aws-cdk/aws-batch/test/batch.integ.snapshot/batch-stack.assets.json‎
Lines changed: 19 additions & 0 deletions
diff --git a/‎packages/@aws-cdk/aws-batch/test/batch.integ.snapshot/batch-stack.template.json‎
Lines changed: 42 additions & 0 deletions b/‎packages/@aws-cdk/aws-batch/test/batch.integ.snapshot/batch-stack.template.json‎
Lines changed: 42 additions & 0 deletions
diff --git a/‎packages/@aws-cdk/aws-batch/test/batch.integ.snapshot/cdk.out‎
Lines changed: 1 addition & 1 deletion b/‎packages/@aws-cdk/aws-batch/test/batch.integ.snapshot/cdk.out‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎packages/@aws-cdk/aws-batch/test/batch.integ.snapshot/integ.json‎
Lines changed: 2 additions & 2 deletions b/‎packages/@aws-cdk/aws-batch/test/batch.integ.snapshot/integ.json‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎packages/@aws-cdk/aws-batch/test/batch.integ.snapshot/manifest.json‎
Lines changed: 13 additions & 1 deletion b/‎packages/@aws-cdk/aws-batch/test/batch.integ.snapshot/manifest.json‎
Lines changed: 13 additions & 1 deletion
@@ -329,6 +329,11 @@ $ yarn watch & # runs in the background
   [conventionalcommits](https://www.conventionalcommits.org).
   * The title must begin with `feat(module): title`, `fix(module): title`, `refactor(module): title` or
     `chore(module): title`.
+    * `feat`: indicates a feature added (requires tests and README updates in principle, but can be suppressed)
+    * `fix`: indicates a bug fixes (requires tests in principle, but can be suppressed)
+    * `docs`: indicates updated documentation (docstrings or Markdown files)
+    * `refactor`: indicates a feature-preserving refactoring
+    * `chore`: something without directly visible user benefit (does not end up in the CHANGELOG). Typically used for build scripts, config, or changes so minor they don't warrant showing up the CHANGELOG.
   * Titles for `feat` and `fix` PRs end up in the change log. Think about what makes most sense for users reading the changelog while writing them.
     * `feat`: describe the feature (not the action of creating the commit or PR, for example, avoid words like "added" or "changed")
     * `fix`: describe the bug (not the solution)
 
@@ -754,10 +754,10 @@ interface IFoo extends IConstruct {
 class Foo extends Construct implements IFoo {
   public bar() { }
 
-  /** @mutating */
+  @config
   public goo() { }
 
-  public mutateMe() { } // ERROR! missing "@mutating" or missing on IFoo
+  public mutateMe() { } // ERROR! missing "@config" or missing on IFoo
 }
 ```
 
 
@@ -300,6 +300,23 @@ new batch.JobDefinition(this, 'job-def', {
 });
 ```
 
+### Using the secret on secrets manager
+
+You can set the environment variables from secrets manager.
+
+```ts
+const dbSecret = new secretsmanager.Secret(this, 'secret');
+
+new batch.JobDefinition(this, 'batch-job-def-secrets', {
+  container: {
+    image: ecs.EcrImage.fromRegistry('docker/whalesay'),
+    secrets: {
+      PASSWORD: ecs.Secret.fromSecretsManager(dbSecret, 'password'),
+    },
+  },
+});
+```
+
 ### Importing an existing Job Definition
 
 #### From ARN
 
@@ -112,6 +112,13 @@ export interface JobDefinitionContainer {
    */
   readonly environment?: { [key: string]: string };
 
+  /**
+   * The environment variables from secrets manager or ssm parameter store
+   *
+   * @default none
+   */
+  readonly secrets?: { [key: string]: ecs.Secret };
+
   /**
    * The image used to start a container.
    */
@@ -453,6 +460,14 @@ export class JobDefinition extends Resource implements IJobDefinition {
       platformCapabilities: props.platformCapabilities ?? [PlatformCapabilities.EC2],
     });
 
+    // add read secrets permission to execution role
+    if ( props.container.secrets && props.container.executionRole ) {
+      const executionRole = props.container.executionRole;
+      Object.values(props.container.secrets).forEach((secret) => {
+        secret.grantRead(executionRole);
+      });
+    }
+
     this.jobDefinitionArn = this.getResourceArnAttribute(jobDef.ref, {
       service: 'batch',
       resource: 'job-definition',
@@ -507,6 +522,14 @@ export class JobDefinition extends Resource implements IJobDefinition {
     return {
       command: container.command,
       environment: this.deserializeEnvVariables(container.environment),
+      secrets: container.secrets
+        ? Object.entries(container.secrets).map(([key, value]) => {
+          return {
+            name: key,
+            valueFrom: value.arn,
+          };
+        })
+        : undefined,
       image: this.imageConfig.imageName,
       instanceType: container.instanceType && container.instanceType.toString(),
       jobRoleArn: container.jobRole && container.jobRole.roleArn,
 
@@ -4,6 +4,7 @@ import { Stack } from '@aws-cdk/core';
 import * as ec2 from '@aws-cdk/aws-ec2';
 import * as batch from '@aws-cdk/aws-batch';
 import * as ecs from '@aws-cdk/aws-ecs';
+import * as secretsmanager from '@aws-cdk/aws-secretsmanager';
 
 class Fixture extends Stack {
   constructor(scope: Construct, id: string) {
 
@@ -0,0 +1,19 @@
+{
+  "version": "20.0.0",
+  "files": {
+    "d3685c79f9ec67f5dd6fda839a136b079f201b3d72695fe0ea3b3788c3471cc8": {
+      "source": {
+        "path": "batch-stack.template.json",
+        "packaging": "file"
+      },
+      "destinations": {
+        "current_account-current_region": {
+          "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}",
+          "objectKey": "d3685c79f9ec67f5dd6fda839a136b079f201b3d72695fe0ea3b3788c3471cc8.json",
+          "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}"
+        }
+      }
+    }
+  },
+  "dockerImages": {}
+}
@@ -1365,6 +1365,14 @@
    "UpdateReplacePolicy": "Retain",
    "DeletionPolicy": "Retain"
   },
+  "batchsecret7CD5E4C6": {
+   "Type": "AWS::SecretsManager::Secret",
+   "Properties": {
+    "GenerateSecretString": {}
+   },
+   "UpdateReplacePolicy": "Delete",
+   "DeletionPolicy": "Delete"
+  },
   "batchjobdeffromecrE0E30DAD": {
    "Type": "AWS::Batch::JobDefinition",
    "Properties": {
@@ -1486,6 +1494,32 @@
     }
    }
   },
+  "executionroleDefaultPolicy497F11A3": {
+   "Type": "AWS::IAM::Policy",
+   "Properties": {
+    "PolicyDocument": {
+     "Statement": [
+      {
+       "Action": [
+        "secretsmanager:DescribeSecret",
+        "secretsmanager:GetSecretValue"
+       ],
+       "Effect": "Allow",
+       "Resource": {
+        "Ref": "batchsecret7CD5E4C6"
+       }
+      }
+     ],
+     "Version": "2012-10-17"
+    },
+    "PolicyName": "executionroleDefaultPolicy497F11A3",
+    "Roles": [
+     {
+      "Ref": "executionroleD9A39BE6"
+     }
+    ]
+   }
+  },
   "batchjobdeffargate7FE30059": {
    "Type": "AWS::Batch::JobDefinition",
    "Properties": {
@@ -1509,6 +1543,14 @@
        "Type": "MEMORY",
        "Value": "512"
       }
+     ],
+     "Secrets": [
+      {
+       "Name": "SECRET",
+       "ValueFrom": {
+        "Ref": "batchsecret7CD5E4C6"
+       }
+      }
      ]
     },
     "PlatformCapabilities": [
 
@@ -1 +1 @@
-{"version":"17.0.0"}
+{"version":"20.0.0"}
@@ -1,7 +1,7 @@
 {
-  "version": "18.0.0",
+  "version": "20.0.0",
   "testCases": {
-    "aws-batch/test/integ.batch": {
+    "integ.batch": {
       "stacks": [
         "batch-stack"
       ],
 
@@ -1,5 +1,5 @@
 {
-  "version": "17.0.0",
+  "version": "20.0.0",
   "artifacts": {
     "Tree": {
       "type": "cdk:tree",
@@ -285,6 +285,12 @@
             "data": "batchjobrepo4C508C51"
           }
         ],
+        "/batch-stack/batch-secret/Resource": [
+          {
+            "type": "aws:cdk:logicalId",
+            "data": "batchsecret7CD5E4C6"
+          }
+        ],
         "/batch-stack/batch-job-def-from-ecr/Resource": [
           {
             "type": "aws:cdk:logicalId",
@@ -303,6 +309,12 @@
             "data": "executionroleD9A39BE6"
           }
         ],
+        "/batch-stack/execution-role/DefaultPolicy/Resource": [
+          {
+            "type": "aws:cdk:logicalId",
+            "data": "executionroleDefaultPolicy497F11A3"
+          }
+        ],
         "/batch-stack/batch-job-def-fargate/Resource": [
           {
             "type": "aws:cdk:logicalId",
Original file line number	Diff line number	Diff line change
`@@ -1 +1 @@`
`1`		`-{"version":"17.0.0"}`
	`1`	`+{"version":"20.0.0"}`