lib/hako/schedulers/ecs.rb in hako-2.5.0 vs lib/hako/schedulers/ecs.rb in hako-2.5.1
- old
+ new
@@ -3,10 +3,11 @@
require 'aws-sdk-autoscaling'
require 'aws-sdk-ec2'
require 'aws-sdk-ecs'
require 'aws-sdk-s3'
require 'aws-sdk-sns'
+require 'aws-sdk-ssm'
require 'hako'
require 'hako/error'
require 'hako/scheduler'
require 'hako/schedulers/ecs_autoscaling'
require 'hako/schedulers/ecs_definition_comparator'
@@ -102,10 +103,11 @@
volumes_definition.each do |d|
print_volume_definition_in_cli_format(d)
end
definitions.each do |d|
print_definition_in_cli_format(d)
+ check_secrets(d)
end
if @autoscaling
@autoscaling.apply(Aws::ECS::Types::Service.new(cluster_arn: @cluster, service_name: @app_id))
end
ecs_elb_client.modify_attributes
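Review bot: The `check_secrets(d)` call after `print_definition_in_cli_format(d)` sits in what appears to be the dry-run branch, so a dry run now makes a live SSM `get_parameters` request and the credentials used for it need `ssm:GetParameters` on every referenced parameter. That permission requirement is not documented anywhere in the visible change; a comment such as `# Dry-run validation: calls SSM GetParameters (no with_decryption) and needs ssm:GetParameters` above the call would make it explicit. The same applies to the oneshot hunk, after `print_definition_in_cli_format(d, additional_env: env)`. Because the check raises inside the loop, the first container with a bad reference stops the printout for the remaining containers; collecting invalid names across all definitions and raising once would report everything in one run. Both loops start outside their hunks.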
@@ -190,10 +192,11 @@
definitions.each do |d|
if d[:name] == 'app'
d[:command] = commands
end
print_definition_in_cli_format(d, additional_env: env)
+ check_secrets(d)
end
0
else
updated, task_definition = register_task_definition_for_oneshot(definitions)
if updated
@@ -335,10 +338,15 @@
# @return [Aws::EC2::Client]
def ec2_client
@ec2_client ||= Aws::EC2::Client.new(region: @region)
end
+ # @return [Aws::SSM::Client]
+ def ssm_client
+ @ssm_client ||= Aws::SSM::Client.new(region: @region)
+ end
+
# @return [EcsElb, EcsElbV2]
def ecs_elb_client
@ecs_elb_client ||=
if @ecs_elb_options
EcsElb.new(@app_id, @region, @ecs_elb_options, dry_run: @dry_run)
@@ -1216,9 +1224,30 @@
if definition[:command]
cmd << "\\\n "
cmd += definition[:command]
end
puts cmd.join(' ')
+ nil
+ end
+
+ # @param [Hash] container_definition
+ # @return [nil]
+ def check_secrets(container_definition)
+ parameter_names = (container_definition[:secrets] || []).map { |secret| secret.fetch(:value_from) }
+ invalid_parameter_names = parameter_names.each_slice(10).flat_map do |names|
+ names = names.map do |name|
+ if name.start_with?('arn:')
+ name.slice(%r{:parameter(/.+)\z}, 1)
+ else
+ name
+ end
+ end
+ ssm_client.get_parameters(names: names).invalid_parameters
+ end
+ unless invalid_parameter_names.empty?
+ raise Error.new("Invalid parameters for secrets: #{invalid_parameter_names}")
+ end
+
nil
end
# @param [Aws::ECS::Types::Service] service
# @return [nil]
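Review bot: In `check_secrets`, `name.slice(%r{:parameter(/.+)\z}, 1)` returns `nil` for any `arn:` value that is not an SSM parameter ARN (a Secrets Manager ARN, for example), and that `nil` is then passed in `names:` to `get_parameters`, which will most likely fail with an SDK validation error rather than a Hako `Error`. Either skip such values or fail explicitly with the original string, e.g. `name.slice(%r{:parameter(/.+)\z}, 1) || raise(Error.new("Unsupported secret ARN: #{name}"))`. The stripping also discards the ARN's region and account, so the lookup runs against `@region` and the caller's account; a parameter in another region or account may be reported as invalid, or a same-named local parameter may make the check pass for the wrong resource. The YARD block would benefit from a one-line description and `# @raise [Error] when any referenced parameter does not exist`.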