add API_KEYS_FILE and STORAGE_PROFILE_FILE to migration

skandragon · skandragon · commit ed94251b0777 · 2025-08-25T17:24:57.000-05:00
diff --git a/generated-templates/lakerunner-migration.yaml b/generated-templates/lakerunner-migration.yaml
@@ -93,6 +93,10 @@ Resources:
               Value: lakerunner
             - Name: CONFIGDB_SSLMODE
               Value: require
+            - Name: API_KEYS_FILE
+              Value: env:API_KEYS_ENV
+            - Name: STORAGE_PROFILE_FILE
+              Value: env:STORAGE_PROFILES_ENV
           Image: !Ref 'ContainerImage'
           LogConfiguration:
             LogDriver: awslogs
@@ -112,6 +116,10 @@ Resources:
                 - '${S}:password::'
                 - S: !ImportValue
                     Fn::Sub: ${CommonInfraStackName}-DbSecretArn
+            - Name: API_KEYS_ENV
+              ValueFrom: !Sub 'arn:aws:ssm:${AWS::Region}:${AWS::AccountId}:parameter/lakerunner/api_keys'
+            - Name: STORAGE_PROFILES_ENV
+              ValueFrom: !Sub 'arn:aws:ssm:${AWS::Region}:${AWS::AccountId}:parameter/lakerunner/storage_profiles'
       Cpu: !Ref 'Cpu'
       ExecutionRoleArn: !GetAtt 'TaskExecutionRole.Arn'
       Family: lakerunner-migration
@@ -323,6 +331,12 @@ Resources:
                     - ${SecretArn}*
                     - SecretArn: !ImportValue
                         Fn::Sub: ${CommonInfraStackName}-DbSecretArn
+              - Action:
+                  - ssm:GetParameter
+                Effect: Allow
+                Resource:
+                  - !Sub 'arn:aws:ssm:${AWS::Region}:${AWS::AccountId}:parameter/lakerunner/api_keys'
+                  - !Sub 'arn:aws:ssm:${AWS::Region}:${AWS::AccountId}:parameter/lakerunner/storage_profiles'
             Version: '2012-10-17'
           PolicyName: TaskExecutionSecretsPolicy
     Type: AWS::IAM::Role
diff --git a/src/lakerunner_migration.py b/src/lakerunner_migration.py
@@ -181,6 +181,14 @@ def ci_export(suffix):
                         "Effect": "Allow",
                         "Action": ["secretsmanager:GetSecretValue"],
                         "Resource": [Sub("${SecretArn}*", SecretArn=DbSecretArnValue)]
+                    },
+                    {
+                        "Effect": "Allow",
+                        "Action": ["ssm:GetParameter"],
+                        "Resource": [
+                            Sub("arn:aws:ssm:${AWS::Region}:${AWS::AccountId}:parameter/lakerunner/api_keys"),
+                            Sub("arn:aws:ssm:${AWS::Region}:${AWS::AccountId}:parameter/lakerunner/storage_profiles")
+                        ]
                     }
                 ]
             }
@@ -224,10 +232,14 @@ def ci_export(suffix):
                 Environment(Name="CONFIGDB_DBNAME", Value="lakerunner"),
                 Environment(Name="CONFIGDB_USER", Value="lakerunner"),
                 Environment(Name="CONFIGDB_SSLMODE", Value="require"),
+                Environment(Name="API_KEYS_FILE", Value="env:API_KEYS_ENV"),
+                Environment(Name="STORAGE_PROFILE_FILE", Value="env:STORAGE_PROFILES_ENV"),
             ],
             Secrets=[
                 EcsSecret(Name="LRDB_PASSWORD", ValueFrom=Sub("${S}:password::", S=DbSecretArnValue)),
-                EcsSecret(Name="CONFIGDB_PASSWORD", ValueFrom=Sub("${S}:password::", S=DbSecretArnValue))
+                EcsSecret(Name="CONFIGDB_PASSWORD", ValueFrom=Sub("${S}:password::", S=DbSecretArnValue)),
+                EcsSecret(Name="API_KEYS_ENV", ValueFrom=Sub("arn:aws:ssm:${AWS::Region}:${AWS::AccountId}:parameter/lakerunner/api_keys")),
+                EcsSecret(Name="STORAGE_PROFILES_ENV", ValueFrom=Sub("arn:aws:ssm:${AWS::Region}:${AWS::AccountId}:parameter/lakerunner/storage_profiles"))
             ]
         )
     ]

Original file line number	Diff line number	Diff line change
`@@ -181,6 +181,14 @@ def ci_export(suffix):`
`181`	`181`	`"Effect": "Allow",`
`182`	`182`	`"Action": ["secretsmanager:GetSecretValue"],`
`183`	`183`	`"Resource": [Sub("${SecretArn}*", SecretArn=DbSecretArnValue)]`
	`184`	`+ },`
	`185`	`+ {`
	`186`	`+ "Effect": "Allow",`
	`187`	`+ "Action": ["ssm:GetParameter"],`
	`188`	`+ "Resource": [`
	`189`	`+ Sub("arn:aws:ssm:${AWS::Region}:${AWS::AccountId}:parameter/lakerunner/api_keys"),`
	`190`	`+ Sub("arn:aws:ssm:${AWS::Region}:${AWS::AccountId}:parameter/lakerunner/storage_profiles")`
	`191`	`+ ]`
`184`	`192`	`}`
`185`	`193`	`]`
`186`	`194`	`}`
`@@ -224,10 +232,14 @@ def ci_export(suffix):`
`224`	`232`	`Environment(Name="CONFIGDB_DBNAME", Value="lakerunner"),`
`225`	`233`	`Environment(Name="CONFIGDB_USER", Value="lakerunner"),`
`226`	`234`	`Environment(Name="CONFIGDB_SSLMODE", Value="require"),`
	`235`	`+ Environment(Name="API_KEYS_FILE", Value="env:API_KEYS_ENV"),`
	`236`	`+ Environment(Name="STORAGE_PROFILE_FILE", Value="env:STORAGE_PROFILES_ENV"),`
`227`	`237`	`],`
`228`	`238`	`Secrets=[`
`229`	`239`	`EcsSecret(Name="LRDB_PASSWORD", ValueFrom=Sub("${S}:password::", S=DbSecretArnValue)),`
`230`		`- EcsSecret(Name="CONFIGDB_PASSWORD", ValueFrom=Sub("${S}:password::", S=DbSecretArnValue))`
	`240`	`+ EcsSecret(Name="CONFIGDB_PASSWORD", ValueFrom=Sub("${S}:password::", S=DbSecretArnValue)),`
	`241`	`+ EcsSecret(Name="API_KEYS_ENV", ValueFrom=Sub("arn:aws:ssm:${AWS::Region}:${AWS::AccountId}:parameter/lakerunner/api_keys")),`
	`242`	`+ EcsSecret(Name="STORAGE_PROFILES_ENV", ValueFrom=Sub("arn:aws:ssm:${AWS::Region}:${AWS::AccountId}:parameter/lakerunner/storage_profiles"))`
`231`	`243`	`]`
`232`	`244`	`)`
`233`	`245`	`]`