Bruteforce secret resolving on the container level

frak-id · May 28, 2024 · 4c4d4c0 · 4c4d4c0
1 parent ae1f7f6
commit 4c4d4c0
Show file tree

Hide file tree

Showing 2 changed files with 53 additions and 10 deletions.
diff --git a/ponder.config.ts b/ponder.config.ts
@@ -1,5 +1,4 @@
 import { createConfig } from "@ponder/core";
-import { Config } from "sst/node/config";
 import { http } from "viem";
 import { erc20ABI } from "./abis/erc20ABI";
 import { multiWebAuthNValidatorV2Abi } from "./abis/multiWebAuthNValidatorABI";
@@ -9,12 +8,7 @@ const pollingConfig = {
     maxRequestsPerSecond: 1,
 } as const;
 
-function getConfigOrEnv(key: keyof typeof Config): string | undefined {
-    try {
-        return Config[key] ?? process.env[key] ?? undefined;
-    } catch {
-        console.error(`Failed to get config for key: ${key}`);
-    }
+function getConfigOrEnv(key: string): string | undefined {
     return process.env[key] ?? undefined;
 }
 

diff --git a/sst.config.ts b/sst.config.ts
@@ -1,4 +1,6 @@
 import { Port, SecurityGroup } from "aws-cdk-lib/aws-ec2";
+import { Secret } from "aws-cdk-lib/aws-ecs";
+import { StringParameter } from "aws-cdk-lib/aws-ssm";
 import type { SSTConfig } from "sst";
 import { Config, Service, type StackContext } from "sst/constructs";
 
@@ -85,6 +87,11 @@ function IndexerStack({ stack }: StackContext) {
             PONDER_TELEMETRY_DISABLED: "true",
         },
     });
+
+    stack.addOutputs({
+        indexerServiceId: indexerService.id,
+    });
+
     // Set up connections to database via security groups
     const cluster = indexerService.cdk?.cluster;
     if (cluster) {
@@ -97,7 +104,49 @@ function IndexerStack({ stack }: StackContext) {
         databaseSecurityGroup.connections.allowFrom(cluster, Port.tcp(5432));
     }
 
-    stack.addOutputs({
-        indexerServiceId: indexerService.id,
-    });
+    // Find the container
+    const containerName = indexerService.getConstructMetadata().data.container;
+    if (!containerName) {
+        console.error("Failed to find container name");
+        return;
+    }
+
+    const container =
+        // Try to find the container via it's name
+        indexerService.cdk?.taskDefinition?.findContainer(containerName) ??
+        // Otherwise,  get the default one
+        indexerService.cdk?.taskDefinition?.defaultContainer;
+    if (!container) {
+        console.error("Failed to find container");
+        return;
+    }
+
+    console.log(
+        `Found container: ${containerName}: ${container.containerName}`
+    );
+
+    // Add all the secrets directly to the container environment
+    for (const secret of secrets) {
+        // Rebuild the SSM access pass to the secret
+        let ssmPath: string;
+        if (secret.name === "DATABASE_URL") {
+            ssmPath = "/indexer/sst/Secret/DATABASE_URL/value";
+        } else {
+            ssmPath = `/sst/frak-indexer/.fallback/Secret/${secret.name}/value`;
+        }
+
+        container.addSecret(
+            secret.name,
+            Secret.fromSsmParameter(
+                // Forced to used deprecated method here since addSecret doesn't support the new `SecretValue`
+                StringParameter.fromSecureStringParameterAttributes(
+                    stack,
+                    `Secret${secret.name}`,
+                    {
+                        parameterName: ssmPath,
+                    }
+                )
+            )
+        );
+    }
 }