feat(apprunner): apprunner secrets manager (#23692)

---- ### All Submissions: * [x] Have you followed the guidelines in our [Contributing guide?](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) ### Adding new Construct Runtime Dependencies: * [x] This PR adds new construct runtime dependencies following the process described [here](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md/#adding-construct-runtime-dependencies) ### New Features * [x] Have you added the new feature to an [integration test](https://github.com/aws/aws-cdk/blob/main/INTEGRATION_TESTS.md)? * [x] Did you use `yarn integ` to deploy the infrastructure and generate the snapshot (i.e. `yarn integ` without `--dry-run`)? *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
aws · Jan 19, 2023 · a914fc0 · a914fc0
1 parent 3dc40b4
commit a914fc0
Show file tree

Hide file tree

Showing 14 changed files with 1,599 additions and 116 deletions.
diff --git a/packages/@aws-cdk/aws-apprunner/README.md b/packages/@aws-cdk/aws-apprunner/README.md
@@ -160,3 +160,39 @@ new apprunner.Service(this, 'Service', {
   vpcConnector,
 });
 ```
+
+## Secrets Manager
+
+To include environment variables integrated with AWS Secrets Manager, use the `environmentSecrets` attribute.
+You can use the `addSecret` method from the App Runner `Service` class to include secrets from outside the 
+service definition.
+
+```ts
+import * as secretsmanager from '@aws-cdk/aws-secretsmanager';
+import * as ssm from '@aws-cdk/aws-ssm';
+
+declare const stack: Stack;
+
+const secret = new secretsmanager.Secret(stack, 'Secret');
+const parameter = ssm.StringParameter.fromSecureStringParameterAttributes(stack, 'Parameter', {
+  parameterName: '/name',
+  version: 1,
+});
+
+const service = new apprunner.Service(stack, 'Service', {
+  source: apprunner.Source.fromEcrPublic({
+    imageConfiguration: {
+      port: 8000,
+      environmentSecrets: {
+        SECRET: apprunner.Secret.fromSecretsManager(secret),
+        PARAMETER: apprunner.Secret.fromSsmParameter(parameter),
+        SECRET_ID: apprunner.Secret.fromSecretsManagerVersion(secret, { versionId: 'version-id' }),
+        SECRET_STAGE: apprunner.Secret.fromSecretsManagerVersion(secret, { versionStage: 'version-stage' }),
+      },
+    },
+    imageIdentifier: 'public.ecr.aws/aws-containers/hello-app-runner:latest',
+  })
+});
+
+service.addSecret('LATER_SECRET', apprunner.Secret.fromSecretsManager(secret, 'field'));
+```