
Feature: Gitlab Token from Secrets Manager #1538

Open
1 of 2 tasks
Obirah opened this issue Jul 10, 2023 · 2 comments

Comments

@Obirah

Obirah commented Jul 10, 2023

The GitLab Runner should be able to dynamically resolve the GitLab token from AWS Secrets Manager.

Use Case

Get rid of the need to pass a token and write it into the resulting CloudFormation template in clear text.

Proposed Solution

  • Introduce an additional field gitlabTokenSecretName into the props.
  • If gitlabToken is not specified and gitlabTokenSecretName is, the construct adds the command $(aws secretsmanager get-secret-value --region ${Aws.REGION} --secret-id gitlab-runner --query SecretString --output text | grep -o '"registration-token":"[^"]*' | grep -o '[^"]*$') instead of the clear-text token into the user data.
  • If gitlabTokenSecretName is specified, the construct adds read permissions for the secret to the instance role:
    instanceRole.addToPrincipalPolicy(new PolicyStatement({
      actions: [
        "secretsmanager:GetSecretValue"
      ],
      effect: Effect.ALLOW,
      resources: [
        `arn:aws:secretsmanager:${Aws.REGION}:${Aws.ACCOUNT_ID}:secret:gitlab-runner*`
      ]
    }));


Other

Successfully tested the proposed solution with the existing construct.

  • 👋 I may be able to implement this feature request
  • ⚠️ This feature might incur a breaking change

This is a 🚀 Feature Request
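The boot-time flow proposed above (resolve the token from Secrets Manager in user data, register, never write the token into the template), as an added example that is not the issue author's code and not part of cdk-gitlab-runner. It assumes the secret's SecretString is a JSON object with a "registration-token" key, that the instance role already has secretsmanager:GetSecretValue on that one secret, and that the aws CLI and gitlab-runner are installed on the instance. The secret name, region and GitLab URL are passed in as arguments; the parsing functions are pure and can be exercised offline, the aws call only runs when the script is invoked with all three arguments.

```shell
#!/bin/sh
# Added example (not cdk-gitlab-runner's own code): resolve the GitLab
# registration token from AWS Secrets Manager at boot instead of baking it
# into the CloudFormation template. No `set -x` here: the token must not land
# in /var/log/cloud-init-output.log.
set -eu

# Parse the token out of a SecretString ($1). Tolerates whitespace around the
# colon and pretty-printed (multi-line) JSON; prints nothing when the key is
# absent and always exits 0 so the caller can check for an empty result.
extract_registration_token() {
  printf '%s\n' "$1" \
    | sed -n 's/.*"registration-token"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' \
    | head -n 1
}

# The pipeline quoted in the issue, kept for comparison. It matches only the
# compact {"k":"v"} layout, because it requires the quote right after the colon.
extract_with_issue_pipeline() {
  printf '%s\n' "$1" \
    | grep -o '"registration-token":"[^"]*' \
    | grep -o '[^"]*$' || true
}

# Network call, not exercised offline: $1 = secret name or ARN, $2 = region
# (the construct would substitute its own ${Aws.REGION} here).
fetch_secret_string() {
  aws secretsmanager get-secret-value \
    --region "$2" --secret-id "$1" \
    --query SecretString --output text
}

# Fetch, parse, and register. The token is handed to gitlab-runner through the
# REGISTRATION_TOKEN environment variable rather than --registration-token, so
# it does not show up in `ps` output for other local users.
register_runner() {
  secret_name=$1
  region=$2
  gitlab_url=$3
  secret_json=$(fetch_secret_string "$secret_name" "$region")
  token=$(extract_registration_token "$secret_json")
  if [ -z "$token" ]; then
    echo "registration-token not found in secret $secret_name" >&2
    return 1
  fi
  REGISTRATION_TOKEN="$token" gitlab-runner register \
    --non-interactive \
    --url "$gitlab_url" \
    --executor shell
}

# Usage: sh register.sh <secret-name> <region> <gitlab-url>
# Only registers when all three arguments are present.
if [ "$#" -eq 3 ]; then
  register_runner "$1" "$2" "$3"
fi
```

When adapting the IAM statement, scope `resources` to the one secret the runner needs rather than a prefix wildcard: Secrets Manager appends a random six-character suffix to the ARN, so `secret:${gitlabTokenSecretName}-??????` grants exactly that secret and nothing else sharing the prefix. The token still exists in plaintext in the instance's memory and in the runner's config.toml after registration; what this buys is that the CloudFormation template, stack parameters and user data stored in the launch template no longer carry it.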

@neilkuan
Owner

Nice feature, Go build it.

@aarcro

aarcro commented Mar 28, 2024

You already put the token in SSM; just remove it from the user data and have the user data fetch the value.
