(ECS): Missing support for environment files for Fargate deployments

[sergekukharev]

Description

I'm trying to configure my Fargate service to use Environment Files. The official documentation says ¹:

Support for environment files is restricted to the EC2 launch type for files hosted on S3.

At the same time, Fargate supports Environment Files for a long time ²³.

Is there any chance this feature will be added soon? Since it's supported by EC2 already, should be an easy win.

Use Case

I need this to manage my secrets and env variables in a more secure way. Any workaround ideas are appreciated.

Proposed Solution

Environment files are supported fully for Fargate deployments. Bonus points - it's possible to provide env files configuration in ApplicationLoadBalancedTaskImageOptions

Other information

Unit tests are misleading for this configuration. The following test will pass, while cdk synth won't add the environment file to the template:

// Code
// ...
taskDefinition.addContainer("StaticoonBotContainerWeb", ContainerDefinitionOptions.builder()
                        .containerName("web")
                        .portMappings(List.of(PortMapping.builder().hostPort(1234).containerPort(1234).build()))
                        .image(image)
                        .environmentFiles(List.of(new S3EnvironmentFile(bucket, "<key>")))
                        .build());
// ...

// Test
@Test
void usesS3EnvironmentFile() {
    template.hasResourceProperties("AWS::ECS::TaskDefinition", Map.of(
            "ContainerDefinitions", Match.arrayWith(List.of(Match.objectLike(Map.of(
                    "EnvironmentFiles", List.of(Map.of(
                            "Type", "s3",
                            "Value", "arn:aws:s3:::<bucket>/<key>"
                    ))
            ))))
    ));
}

Acknowledge

• I may be able to implement this feature request
• This feature might incur a breaking change

Footnotes

1. https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ecs-readme.html#environment-variables ↩

2. https://aws.amazon.com/blogs/containers/latest-updates-to-aws-fargate-for-amazon-ecs/ ↩

3. https://github.com/aws/containers-roadmap/issues/371 ↩

[madeline-k]

Thanks for opening this feature request, @sergekukharev. This would be a great feature to have. I am labelling this as p2 for now, which means that the CDK team will not be able to work on it right now. But, we always welcome contributions! Take a look at the contributing guide to get started.

[github-actions]

This issue has not received any attention in 1 year. If you want to keep this issue open, please leave a comment below and auto-close will be canceled.

[MrArnoldPalmer]

keep

[tam0ri]

I confirmed that currently we can add environmentFiles for FargateTaskDefinition. I verified with the following code. (CDK version 2.94.0)

    const bucket = s3.Bucket.fromBucketName(this, 'Bucket', myBucketName);
    const taskDefinition = new ecs.FargateTaskDefinition(this, 'TaskDef');
    taskDefinition.addContainer('amazonlinux', {
      image: ecs.ContainerImage.fromRegistry('public.ecr.aws/amazonlinux/amazonlinux:latest'),
      environmentFiles: [
        ecs.EnvironmentFile.fromBucket(bucket, 'assets/demo-env-file.env')
      ],
    });

cdk synth generated the following template.

  TaskDef54694570:
    Type: AWS::ECS::TaskDefinition
    Properties:
      ContainerDefinitions:
        - EnvironmentFiles:
            - Type: s3
              Value:
                Fn::Join:
                  - ""
                  - - "arn:"
                    - Ref: AWS::Partition
                    - :s3:::<My Bucket Name>/assets/demo-env-file.env
          Essential: true
          Image: public.ecr.aws/amazonlinux/amazonlinux:latest
          Name: amazonlinux
      Cpu: "256"
      Family: Issue18226StackTaskDef8EAEF185
      Memory: "512"
      NetworkMode: awsvpc
      RequiresCompatibilities:
        - FARGATE
      TaskRoleArn:
        Fn::GetAtt:
          - TaskDefTaskRole1EDB4A67
          - Arn
    Metadata:
      aws:cdk:path: Issue18226Stack/TaskDef/Resource

It seems that this restriction has been removed by #11820. So we just only need to remove the description Support for environment files is restricted to the EC2 launch type for files hosted on S3. from the document. I'll submit PR to solve this.