feat(client-apprunner): This release adds support of securely referen…

…cing secrets and configuration data that are stored in Secrets Manager and SSM Parameter Store by adding them as environment secrets in your App Runner service.
aws · Jan 5, 2023 · 285e1c2 · 285e1c2
1 parent eff2ce7
commit 285e1c2
Show file tree

Hide file tree

Showing 4 changed files with 111 additions and 25 deletions.
diff --git a/clients/client-apprunner/src/endpoint/EndpointParameters.ts b/clients/client-apprunner/src/endpoint/EndpointParameters.ts
@@ -24,7 +24,7 @@ export const resolveClientEndpointParameters = <T>(
 };
 
 export interface EndpointParameters extends __EndpointParameters {
-  Region?: string;
+  Region: string;
   UseDualStack?: boolean;
   UseFIPS?: boolean;
   Endpoint?: string;

diff --git a/clients/client-apprunner/src/endpoint/ruleset.ts b/clients/client-apprunner/src/endpoint/ruleset.ts
@@ -6,24 +6,25 @@ import { RuleSetObject } from "@aws-sdk/util-endpoints";
    or see "smithy.rules#endpointRuleSet"
    in codegen/sdk-codegen/aws-models/apprunner.json */
 
-const p="required",
-q="fn",
-r="argv",
-s="ref";
-const a="PartitionResult",
-b="tree",
-c="error",
-d="endpoint",
-e={[p]:false,"type":"String"},
-f={[p]:true,"default":false,"type":"Boolean"},
-g={[s]:"Endpoint"},
-h={[q]:"booleanEquals",[r]:[{[s]:"UseFIPS"},true]},
-i={[q]:"booleanEquals",[r]:[{[s]:"UseDualStack"},true]},
-j={},
-k={[q]:"booleanEquals",[r]:[true,{[q]:"getAttr",[r]:[{[s]:a},"supportsFIPS"]}]},
-l={[q]:"booleanEquals",[r]:[true,{[q]:"getAttr",[r]:[{[s]:a},"supportsDualStack"]}]},
-m=[g],
-n=[h],
-o=[i];
-const _data={version:"1.0",parameters:{Region:e,UseDualStack:f,UseFIPS:f,Endpoint:e},rules:[{conditions:[{[q]:"aws.partition",[r]:[{[s]:"Region"}],assign:a}],type:b,rules:[{conditions:[{[q]:"isSet",[r]:m},{[q]:"parseURL",[r]:m,assign:"url"}],type:b,rules:[{conditions:n,error:"Invalid Configuration: FIPS and custom endpoint are not supported",type:c},{type:b,rules:[{conditions:o,error:"Invalid Configuration: Dualstack and custom endpoint are not supported",type:c},{endpoint:{url:g,properties:j,headers:j},type:d}]}]},{conditions:[h,i],type:b,rules:[{conditions:[k,l],type:b,rules:[{endpoint:{url:"https://apprunner-fips.{Region}.{PartitionResult#dualStackDnsSuffix}",properties:j,headers:j},type:d}]},{error:"FIPS and DualStack are enabled, but this partition does not support one or both",type:c}]},{conditions:n,type:b,rules:[{conditions:[k],type:b,rules:[{type:b,rules:[{endpoint:{url:"https://apprunner-fips.{Region}.{PartitionResult#dnsSuffix}",properties:j,headers:j},type:d}]}]},{error:"FIPS is enabled but this partition does not support FIPS",type:c}]},{conditions:o,type:b,rules:[{conditions:[l],type:b,rules:[{endpoint:{url:"https://apprunner.{Region}.{PartitionResult#dualStackDnsSuffix}",properties:j,headers:j},type:d}]},{error:"DualStack is enabled but this partition does not support DualStack",type:c}]},{endpoint:{url:"https://apprunner.{Region}.{PartitionResult#dnsSuffix}",properties:j,headers:j},type:d}]}]};
+const r="fn",
+s="argv",
+t="ref";
+const a=true,
+b=false,
+c="String",
+d="PartitionResult",
+e="tree",
+f="error",
+g="endpoint",
+h={"required":true,"default":false,"type":"Boolean"},
+i={[t]:"Endpoint"},
+j={[r]:"booleanEquals",[s]:[{[t]:"UseFIPS"},true]},
+k={[r]:"booleanEquals",[s]:[{[t]:"UseDualStack"},true]},
+l={},
+m={[r]:"booleanEquals",[s]:[true,{[r]:"getAttr",[s]:[{[t]:d},"supportsFIPS"]}]},
+n={[r]:"booleanEquals",[s]:[true,{[r]:"getAttr",[s]:[{[t]:d},"supportsDualStack"]}]},
+o=[i],
+p=[j],
+q=[k];
+const _data={version:"1.0",parameters:{Region:{required:a,type:c},UseDualStack:h,UseFIPS:h,Endpoint:{required:b,type:c}},rules:[{conditions:[{[r]:"aws.partition",[s]:[{[t]:"Region"}],assign:d}],type:e,rules:[{conditions:[{[r]:"isSet",[s]:o},{[r]:"parseURL",[s]:o,assign:"url"}],type:e,rules:[{conditions:p,error:"Invalid Configuration: FIPS and custom endpoint are not supported",type:f},{type:e,rules:[{conditions:q,error:"Invalid Configuration: Dualstack and custom endpoint are not supported",type:f},{endpoint:{url:i,properties:l,headers:l},type:g}]}]},{conditions:[j,k],type:e,rules:[{conditions:[m,n],type:e,rules:[{endpoint:{url:"https://apprunner-fips.{Region}.{PartitionResult#dualStackDnsSuffix}",properties:l,headers:l},type:g}]},{error:"FIPS and DualStack are enabled, but this partition does not support one or both",type:f}]},{conditions:p,type:e,rules:[{conditions:[m],type:e,rules:[{type:e,rules:[{endpoint:{url:"https://apprunner-fips.{Region}.{PartitionResult#dnsSuffix}",properties:l,headers:l},type:g}]}]},{error:"FIPS is enabled but this partition does not support FIPS",type:f}]},{conditions:q,type:e,rules:[{conditions:[n],type:e,rules:[{endpoint:{url:"https://apprunner.{Region}.{PartitionResult#dualStackDnsSuffix}",properties:l,headers:l},type:g}]},{error:"DualStack is enabled but this partition does not support DualStack",type:f}]},{endpoint:{url:"https://apprunner.{Region}.{PartitionResult#dnsSuffix}",properties:l,headers:l},type:g}]}]};
 export const ruleSet: RuleSetObject = _data;
diff --git a/clients/client-apprunner/src/models/models_0.ts b/clients/client-apprunner/src/models/models_0.ts
@@ -753,10 +753,30 @@ export interface CodeConfigurationValues {
   Port?: string;
 
   /**
-   * <p>The environment variables that are available to your running App Runner service. An array of key-value pairs. Keys with a prefix of
-   *         <code>AWSAPPRUNNER</code> are reserved for system use and aren't valid.</p>
+   * <p>The environment variables that are available to your running App Runner service. An array of key-value pairs.</p>
    */
   RuntimeEnvironmentVariables?: Record<string, string>;
+
+  /**
+   * <p>An array of key-value pairs representing the secrets and parameters that get referenced to your service as an environment variable.
+   *       The supported values are either the full Amazon Resource Name (ARN) of the Secrets Manager secret or the full ARN of the parameter in the Amazon Web Services Systems Manager Parameter Store.</p>
+   *          <note>
+   *             <ul>
+   *                <li>
+   *                   <p>
+   *             If the Amazon Web Services Systems Manager Parameter Store parameter exists in the same Amazon Web Services Region as the service that you're launching,
+   *             you can use either the full ARN or name of the secret. If the parameter exists in a different Region, then the full ARN must be specified.
+   *           </p>
+   *                </li>
+   *                <li>
+   *                   <p>
+   *             Currently, cross account referencing of Amazon Web Services Systems Manager Parameter Store parameter is not supported.
+   *           </p>
+   *                </li>
+   *             </ul>
+   *          </note>
+   */
+  RuntimeEnvironmentSecrets?: Record<string, string>;
 }
 
 export enum ConfigurationSource {
@@ -842,8 +862,7 @@ export interface CodeRepository {
  */
 export interface ImageConfiguration {
   /**
-   * <p>Environment variables that are available to your running App Runner service. An array of key-value pairs. Keys with a prefix of <code>AWSAPPRUNNER</code>
-   *       are reserved for system use and aren't valid.</p>
+   * <p>Environment variables that are available to your running App Runner service. An array of key-value pairs.</p>
    */
   RuntimeEnvironmentVariables?: Record<string, string>;
 
@@ -859,6 +878,27 @@ export interface ImageConfiguration {
    *          </p>
    */
   Port?: string;
+
+  /**
+   * <p>An array of key-value pairs representing the secrets and parameters that get referenced to your service as an environment variable.
+   *       The supported values are either the full Amazon Resource Name (ARN) of the Secrets Manager secret or the full ARN of the parameter in the Amazon Web Services Systems Manager Parameter Store.</p>
+   *          <note>
+   *             <ul>
+   *                <li>
+   *                   <p>
+   *             If the Amazon Web Services Systems Manager Parameter Store parameter exists in the same Amazon Web Services Region as the service that you're launching,
+   *             you can use either the full ARN or name of the secret. If the parameter exists in a different Region, then the full ARN must be specified.
+   *           </p>
+   *                </li>
+   *                <li>
+   *                   <p>
+   *             Currently, cross account referencing of Amazon Web Services Systems Manager Parameter Store parameter is not supported.
+   *           </p>
+   *                </li>
+   *             </ul>
+   *          </note>
+   */
+  RuntimeEnvironmentSecrets?: Record<string, string>;
 }
 
 export enum ImageRepositoryType {
@@ -2431,6 +2471,7 @@ export const CodeConfigurationValuesFilterSensitiveLog = (obj: CodeConfiguration
   ...(obj.BuildCommand && { BuildCommand: SENSITIVE_STRING }),
   ...(obj.StartCommand && { StartCommand: SENSITIVE_STRING }),
   ...(obj.RuntimeEnvironmentVariables && { RuntimeEnvironmentVariables: SENSITIVE_STRING }),
+  ...(obj.RuntimeEnvironmentSecrets && { RuntimeEnvironmentSecrets: SENSITIVE_STRING }),
 });
 
 /**
@@ -2465,6 +2506,7 @@ export const ImageConfigurationFilterSensitiveLog = (obj: ImageConfiguration): a
   ...obj,
   ...(obj.RuntimeEnvironmentVariables && { RuntimeEnvironmentVariables: SENSITIVE_STRING }),
   ...(obj.StartCommand && { StartCommand: SENSITIVE_STRING }),
+  ...(obj.RuntimeEnvironmentSecrets && { RuntimeEnvironmentSecrets: SENSITIVE_STRING }),
 });
 
 /**

diff --git a/clients/client-apprunner/src/protocols/Aws_json1_0.ts b/clients/client-apprunner/src/protocols/Aws_json1_0.ts
@@ -2434,6 +2434,12 @@ const serializeAws_json1_0CodeConfigurationValues = (input: CodeConfigurationVal
     ...(input.BuildCommand != null && { BuildCommand: input.BuildCommand }),
     ...(input.Port != null && { Port: input.Port }),
     ...(input.Runtime != null && { Runtime: input.Runtime }),
+    ...(input.RuntimeEnvironmentSecrets != null && {
+      RuntimeEnvironmentSecrets: serializeAws_json1_0RuntimeEnvironmentSecrets(
+        input.RuntimeEnvironmentSecrets,
+        context
+      ),
+    }),
     ...(input.RuntimeEnvironmentVariables != null && {
       RuntimeEnvironmentVariables: serializeAws_json1_0RuntimeEnvironmentVariables(
         input.RuntimeEnvironmentVariables,
@@ -2702,6 +2708,12 @@ const serializeAws_json1_0HealthCheckConfiguration = (
 const serializeAws_json1_0ImageConfiguration = (input: ImageConfiguration, context: __SerdeContext): any => {
   return {
     ...(input.Port != null && { Port: input.Port }),
+    ...(input.RuntimeEnvironmentSecrets != null && {
+      RuntimeEnvironmentSecrets: serializeAws_json1_0RuntimeEnvironmentSecrets(
+        input.RuntimeEnvironmentSecrets,
+        context
+      ),
+    }),
     ...(input.RuntimeEnvironmentVariables != null && {
       RuntimeEnvironmentVariables: serializeAws_json1_0RuntimeEnvironmentVariables(
         input.RuntimeEnvironmentVariables,
@@ -2857,6 +2869,16 @@ const serializeAws_json1_0ResumeServiceRequest = (input: ResumeServiceRequest, c
   };
 };
 
+const serializeAws_json1_0RuntimeEnvironmentSecrets = (input: Record<string, string>, context: __SerdeContext): any => {
+  return Object.entries(input).reduce((acc: Record<string, any>, [key, value]: [string, any]) => {
+    if (value === null) {
+      return acc;
+    }
+    acc[key] = value;
+    return acc;
+  }, {});
+};
+
 const serializeAws_json1_0RuntimeEnvironmentVariables = (
   input: Record<string, string>,
   context: __SerdeContext
@@ -3118,6 +3140,10 @@ const deserializeAws_json1_0CodeConfigurationValues = (
     BuildCommand: __expectString(output.BuildCommand),
     Port: __expectString(output.Port),
     Runtime: __expectString(output.Runtime),
+    RuntimeEnvironmentSecrets:
+      output.RuntimeEnvironmentSecrets != null
+        ? deserializeAws_json1_0RuntimeEnvironmentSecrets(output.RuntimeEnvironmentSecrets, context)
+        : undefined,
     RuntimeEnvironmentVariables:
       output.RuntimeEnvironmentVariables != null
         ? deserializeAws_json1_0RuntimeEnvironmentVariables(output.RuntimeEnvironmentVariables, context)
@@ -3439,6 +3465,10 @@ const deserializeAws_json1_0HealthCheckConfiguration = (
 const deserializeAws_json1_0ImageConfiguration = (output: any, context: __SerdeContext): ImageConfiguration => {
   return {
     Port: __expectString(output.Port),
+    RuntimeEnvironmentSecrets:
+      output.RuntimeEnvironmentSecrets != null
+        ? deserializeAws_json1_0RuntimeEnvironmentSecrets(output.RuntimeEnvironmentSecrets, context)
+        : undefined,
     RuntimeEnvironmentVariables:
       output.RuntimeEnvironmentVariables != null
         ? deserializeAws_json1_0RuntimeEnvironmentVariables(output.RuntimeEnvironmentVariables, context)
@@ -3711,6 +3741,19 @@ const deserializeAws_json1_0ResumeServiceResponse = (output: any, context: __Ser
   } as any;
 };
 
+const deserializeAws_json1_0RuntimeEnvironmentSecrets = (
+  output: any,
+  context: __SerdeContext
+): Record<string, string> => {
+  return Object.entries(output).reduce((acc: Record<string, string>, [key, value]: [string, any]) => {
+    if (value === null) {
+      return acc;
+    }
+    acc[key] = __expectString(value) as any;
+    return acc;
+  }, {});
+};
+
 const deserializeAws_json1_0RuntimeEnvironmentVariables = (
   output: any,
   context: __SerdeContext