Terraform

Made by DeepSource

Task definition defines sensitive environment variable(s) TF-AWS013

Security
Major

Secrets must never be exposed in plaintext, and a task definition is a particularly bad place for them: its environment variables are visible to anyone who can describe the task definition (`ecs:DescribeTaskDefinition`), end up in Terraform state and plan output, and are often copied into logs and CI artifacts.

Instead, store the secret in a secure secret storage system (for example AWS Secrets Manager or SSM Parameter Store) and let the service that needs it pull the value at start-up, so the task definition only references the secret rather than containing it.

Examples

Bad practice

resource "aws_ecs_task_definition" "my-task" {
  container_definitions = <<EOF
[
  {
    "name": "my_service",
    "essential": true,
    "memory": 256,
    "environment": [
      { "name": "ENVIRONMENT", "value": "development" },
      { "name": "DATABASE_PASSWORD", "value": "oh no D:"}
    ]
  }
]
EOF

}

Recommended

resource "aws_ecs_task_definition" "my-task" {
  container_definitions = <<EOF
[
  {
    "name": "my_service",
    "essential": true,
    "memory": 256,
    "environment": [
      { "name": "ENVIRONMENT", "value": "development" }
    ]
  }
]
EOF

}
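The recommended snippet above shows the plaintext value removed; the example below, added here and not part of the DeepSource rule page, shows the complete pattern the rule text recommends: the password lives in AWS Secrets Manager, and the ECS task definition references it through the `secrets`/`valueFrom` container field so the ECS agent injects it as `DATABASE_PASSWORD` at container start. The resource names (`db_password`, `task_exec`), the secret path and the `database_password` variable are assumptions for illustration.

```hcl
# Added example (not from the DeepSource rule page). Assumed names: db_password,
# task_exec, my_service/database_password, var.database_password.

# The secret value is supplied at apply time and marked sensitive so Terraform
# redacts it from plan/apply output. It is still written to state, so the state
# backend must itself be access-controlled and encrypted.
variable "database_password" {
  type      = string
  sensitive = true
}

resource "aws_secretsmanager_secret" "db_password" {
  name = "my_service/database_password"
}

resource "aws_secretsmanager_secret_version" "db_password" {
  secret_id     = aws_secretsmanager_secret.db_password.id
  secret_string = var.database_password
}

# The *execution* role (used by the ECS agent, not the application) needs
# permission to read exactly this secret and nothing else.
data "aws_iam_policy_document" "exec_assume" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["ecs-tasks.amazonaws.com"]
    }
  }
}

resource "aws_iam_role" "task_exec" {
  name               = "my-task-exec"
  assume_role_policy = data.aws_iam_policy_document.exec_assume.json
}

data "aws_iam_policy_document" "read_db_password" {
  statement {
    actions   = ["secretsmanager:GetSecretValue"]
    resources = [aws_secretsmanager_secret.db_password.arn]
  }
}

resource "aws_iam_role_policy" "task_exec_read_secret" {
  name   = "read-db-password"
  role   = aws_iam_role.task_exec.id
  policy = data.aws_iam_policy_document.read_db_password.json
}

resource "aws_ecs_task_definition" "my-task" {
  family             = "my-task"
  execution_role_arn = aws_iam_role.task_exec.arn

  # jsonencode keeps the container definition as real HCL, so the secret ARN
  # is a reference rather than a string pasted into a heredoc.
  container_definitions = jsonencode([
    {
      name      = "my_service"
      essential = true
      memory    = 256
      # Non-sensitive configuration stays in "environment".
      environment = [
        { name = "ENVIRONMENT", value = "development" }
      ]
      # Sensitive values go in "secrets": only the ARN appears in the task
      # definition; ECS resolves it and sets DATABASE_PASSWORD at start-up.
      secrets = [
        { name = "DATABASE_PASSWORD", valueFrom = aws_secretsmanager_secret.db_password.arn }
      ]
    }
  ])
}
```

The same `secrets`/`valueFrom` field accepts an SSM Parameter Store parameter ARN, in which case the execution role needs `ssm:GetParameters` (plus `kms:Decrypt` for a SecureString parameter) instead of `secretsmanager:GetSecretValue`. Note that `aws_secretsmanager_secret_version` still places the plaintext in Terraform state, so a common hardening step is to create the secret version outside Terraform (or rotate it afterwards) and keep only the `aws_secretsmanager_secret` reference in code.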

References