(aws-ecs): pass a secret to ContainerImage's buildArgs

[fitzchak]

Currently it is possible to pass only strings to ContainerImage's buildArgs.
Feature request: Add an option to pass a secret to ContainerImage. This parameter can be called buildArgsSecrets or secrets as for QueueProcessingFargateService.

Use Case

I need to create a .ssh key on the machine at build time.

Proposed Solution

const image = ContainerImage.fromAsset('../project-processor', {
  buildArgsSecrets: {
    GIT_SSH_KEY: EcsSecret.fromSecretsManager(secret, 'gitSshKey'),
  }
});

const service = new QueueProcessingFargateService(this, 'QueueProcessingFargateService', {
  cluster,
  queue,
  image,
  secrets: {
    BOT_TOKEN: EcsSecret.fromSecretsManager(secret, 'botToken'),
  }
});

Dockerfile:

ARG GIT_SSH_KEY
RUN echo "${GIT_SSH_KEY}" > /root/.ssh/git_user_key

---

This is a 🚀 Feature Request

[dillon-odonovan]

I have a similar need. I'd like to have some Docker Lambda functions (.NET 5) and also have a need to pull in private packages from an internal repository. I'd prefer to have the packages restored during the Docker build, but I cannot find a way to securely provide the token to the Docker build step.

We're capable of achieving this by defining our own CodeBuild projects, retrieving the value from some secure location (e.g., SSM) and then providing that variable to Docker via --build-arg MY_ARG=$MY_SECRET where MY_SECRET is an environment variable on the build agent resolved from SSM.

In an attempt to provide an environment variable in a similar fashion but without the overhead of explicitly setting up a CodeBuild project, we tried to use a CDK Pipeline (pipelines/CodePipeline). This defines a CodeBuild project for us and nearly fits our needs. However, the build args are provided to Docker in quotes and so the reference is not expanded (--build-arg MY_ARG=$MY_SECRET (what we did ourselves) vs --build-arg 'MY_ARG=$MY_SECRET' (what CDK generates))

[whummer]

We have a similar use case - would be great to see this supported! 👍 The only workarounds currently seems to be to either:

1. use plaintext string build args (could be problematic from a security point of view)

2. pass the secret as a runtime parameter to the container, run some initialization logic using the secret on container startup (can have a significant performance impact, and jeopardize the stability of deployments)

Did anyone come across any other workarounds? @fitzchak @dillon-odonovan

If any of the maintainers could give us a hint where to start with this, we may be able to contribute a pull request, potentially. Thanks!