@@ -260,7 +260,7 @@ resource "aws_iam_role" "execution-role" {
260260 Statement = [{
261261 Action = [" ssm:GetParameters" ]
262262 Effect = " Allow"
263- Resource = [aws_ssm_parameter.connection- token[0 ].arn]
263+ Resource = [aws_ssm_parameter.connection- token[0 ].arn, aws_ssm_parameter.ceph - key[ 0 ].arn ]
264264 }]
265265 })
266266 }
@@ -381,6 +381,13 @@ resource "aws_ssm_parameter" "connection-token" {
381381 value = var. connection-token
382382}
383383
384+ resource "aws_ssm_parameter" "ceph-key" {
385+ count = var. create ? 1 : 0
386+ name = " depot-connection-${ var . connection-id } -ceph-key"
387+ type = " SecureString"
388+ value = var. ceph-key
389+ }
390+
384391resource "aws_ecs_task_definition" "cloud-agent" {
385392 count = var. create ? 1 : 0
386393 family = " depot-connection-${ var . connection-id } -cloud-agent"
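Review bot: The new `aws_ssm_parameter.ceph-key` is created whenever `var.create` is true, so a module user who does not use Ceph must still supply a non-empty `var.ceph-key`, because SSM does not accept an empty parameter value. If Ceph is meant to be optional (the variable declaration is outside this hunk, so this is inferred), gate the resource with `count = var.create && var.ceph-key != null ? 1 : 0`. The same condition would then apply to the IAM `Resource` list in the first hunk and the `CLOUD_AGENT_CEPH_KEY` secret in the third, since both index `ceph-key[0]`. The key is also written to Terraform state in plaintext even though the parameter type is `SecureString`, so the `ceph-key` variable should be declared with `sensitive = true` and the state backend treated as secret storage.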
@@ -394,23 +401,29 @@ resource "aws_ecs_task_definition" "cloud-agent" {
394401 name = " cloud-agent"
395402 image = " ghcr.io/depot/cloud-agent:${ var . cloud-agent-version } "
396403 essential = true
397- environment = [
398- { name = " CLOUD_AGENT_AWS_AVAILABILITY_ZONE" , value = var.availability- zone },
399- { name = " CLOUD_AGENT_AWS_LAUNCH_TEMPLATE_ARM" , value = aws_launch_template.arm[0 ].id },
400- { name = " CLOUD_AGENT_AWS_LAUNCH_TEMPLATE_X86" , value = aws_launch_template.x86[0 ].id },
401- { name = " CLOUD_AGENT_AWS_SG_BUILDKIT" , value = aws_security_group.instance- buildkit[0 ].id },
402- { name = " CLOUD_AGENT_AWS_SG_DEFAULT" , value = aws_security_group.instance- default[0 ].id },
403- { name = " CLOUD_AGENT_AWS_SUBNET_ID" , value = aws_subnet.public[0 ].id },
404- { name = " CLOUD_AGENT_CLUSTER_ARN" , value = aws_ecs_cluster.cloud- agent[0 ].arn },
405- { name = " CLOUD_AGENT_CONNECTION_ID" , value = var.connection- id },
406- { name = " CLOUD_AGENT_SERVICE_NAME" , value = local.service- name },
407- { name = " CLOUD_AGENT_TF_MODULE_VERSION" , value = local.version },
408-
409- # This environment variable is unused, but causes ECS to redeploy if the connection token changes
410- { name = " _CLOUD_AGENT_CONNECTION_TOKEN_HASH" , value = sha256 (var. connection-token ) },
411- ]
404+ environment = concat (
405+ [
406+ { name = " CLOUD_AGENT_AWS_AVAILABILITY_ZONE" , value = var.availability- zone },
407+ { name = " CLOUD_AGENT_AWS_LAUNCH_TEMPLATE_ARM" , value = aws_launch_template.arm[0 ].id },
408+ { name = " CLOUD_AGENT_AWS_LAUNCH_TEMPLATE_X86" , value = aws_launch_template.x86[0 ].id },
409+ { name = " CLOUD_AGENT_AWS_SG_BUILDKIT" , value = aws_security_group.instance- buildkit[0 ].id },
410+ { name = " CLOUD_AGENT_AWS_SG_DEFAULT" , value = aws_security_group.instance- default[0 ].id },
411+ { name = " CLOUD_AGENT_AWS_SUBNET_ID" , value = aws_subnet.public[0 ].id },
412+ { name = " CLOUD_AGENT_CLUSTER_ARN" , value = aws_ecs_cluster.cloud- agent[0 ].arn },
413+ { name = " CLOUD_AGENT_CONNECTION_ID" , value = var.connection- id },
414+ { name = " CLOUD_AGENT_SERVICE_NAME" , value = local.service- name },
415+ { name = " CLOUD_AGENT_TF_MODULE_VERSION" , value = local.version },
416+ { name = " CLOUD_AGENT_TF_MODULE_VERSION" , value = local.version },
417+ { name = " CLOUD_AGENT_CEPH_CONFIG" , value = var.ceph- config },
418+
419+ # This environment variable is unused, but causes ECS to redeploy if the connection token changes
420+ { name = " _CLOUD_AGENT_CONNECTION_TOKEN_HASH" , value = sha256 (var. connection-token ) },
421+ ],
422+ var. extra-env
423+ )
412424 secrets = [
413425 { name = " CLOUD_AGENT_CONNECTION_TOKEN" , valueFrom = aws_ssm_parameter.connection- token[0 ].arn },
426+ { name = " CLOUD_AGENT_CEPH_KEY" , valueFrom = aws_ssm_parameter.ceph- key[0 ].arn },
414427 ]
415428 logConfiguration = {
416429 logDriver = " awslogs"
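Review bot: `CLOUD_AGENT_TF_MODULE_VERSION` appears twice in the new `environment` list (new lines 415 and 416); drop the second `{ name = "CLOUD_AGENT_TF_MODULE_VERSION", value = local.version },` entry. The ceph key also has no counterpart to `_CLOUD_AGENT_CONNECTION_TOKEN_HASH`: the `secrets` entry references the parameter by ARN, which presumably stays the same when the value changes, so a rotated key would not trigger a redeploy. Following the existing pattern would mean adding `{ name = "_CLOUD_AGENT_CEPH_KEY_HASH", value = sha256(var.ceph-key) },`. `var.extra-env` and `CLOUD_AGENT_CEPH_CONFIG` are stored as plaintext in the task definition, so a comment above `concat(` such as `# extra-env values are plaintext in the task definition; pass credentials via secrets` would help, and it is worth deciding whether an `extra-env` entry may repeat a built-in name. The container definition starts and ends outside this hunk.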