Provisioning secrets using CloudFormation
You have created a secret in AWS Secrets Manager and have added support for injecting secrets securely into your containers using an entrypoint script. Recall that the entrypoint script looks for an environment variable called SECRETS, and that the ApplicationTaskDefinition and MigrateTaskDefinition resources in the CloudFormation template for the todobackend stack currently inject the application database password directly. To support secrets in your stack, you need to configure your ECS task definitions to include the SECRETS environment variable, set to the name(s) of your secrets, and you also need to ensure your containers have the IAM permissions required to retrieve and decrypt those secrets.
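The following CloudFormation fragment is an added example (not the book's own todobackend template) of the two changes just described: the SECRETS environment variable on the task definition, and an IAM task role that the container assumes to read the secret. The secret name todobackend/credentials, the SecretKmsKeyArn parameter and the image placeholder are assumptions; only ApplicationTaskDefinition and SECRETS come from the text.

```yaml
# Added example, not the book's template. Assumptions: the secret is named
# "todobackend/credentials", the container image is a placeholder, and the
# secret's KMS key ARN arrives via the SecretKmsKeyArn parameter.
Parameters:
  SecretKmsKeyArn:
    Type: String
    Description: ARN of the KMS key that encrypts the secret (assumption)

Resources:
  # Task role: the credentials the entrypoint script obtains from the ECS
  # task metadata endpoint when it calls Secrets Manager.
  ApplicationTaskRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: ecs-tasks.amazonaws.com
            Action: sts:AssumeRole
      Policies:
        - PolicyName: ReadApplicationSecrets
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              # Scope to the one secret rather than "*". Secrets Manager
              # appends a random 6-character suffix to secret ARNs, hence
              # the trailing wildcard.
              - Effect: Allow
                Action: secretsmanager:GetSecretValue
                Resource: !Sub "arn:aws:secretsmanager:${AWS::Region}:${AWS::AccountId}:secret:todobackend/credentials-*"
              # Only required when the secret is encrypted with a
              # customer-managed KMS key; the default aws/secretsmanager
              # key needs no explicit kms:Decrypt grant.
              - Effect: Allow
                Action: kms:Decrypt
                Resource: !Ref SecretKmsKeyArn

  ApplicationTaskDefinition:
    Type: AWS::ECS::TaskDefinition
    Properties:
      Family: todobackend
      # TaskRoleArn (not ExecutionRoleArn): the container itself fetches
      # the secret at startup, so the task role needs the permission.
      TaskRoleArn: !Ref ApplicationTaskRole
      ContainerDefinitions:
        - Name: todobackend
          Image: "placeholder/todobackend:latest"   # assumption
          Environment:
            # The entrypoint script reads this name and fetches the secret;
            # the database password itself no longer appears in the template.
            - Name: SECRETS
              Value: todobackend/credentials
```

The MigrateTaskDefinition resource from the text would reference the same ApplicationTaskRole and carry the same SECRETS variable, since the migration container runs the same entrypoint script. Keeping the Resource element scoped to the single secret ARN, rather than a wildcard over all secrets, limits what a compromised container could read.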
Another consideration is how the password for your ApplicationDatabase resource is configured. It currently uses a password supplied as a stack parameter; however, your database now needs to be able to somehow obtain its password...