Allow ECS to pull docker image from private repo

Use AWS::NoValue

Remove {}

Try at CredentialsParameter level

Duplicate code :/

Remove volume

cloudformation/nakama/task.yaml

@@ -38,9 +38,14 @@ Parameters:
     Type: Number
     Description: Port for the Postgres server
     Default: 5432
+  RepositoryCredentialsSecret:
+    Type: String
+    Description: Arn of repostiory secret from AWS Secrets Manager. See https://docs.aws.amazon.com/AmazonECS/latest/developerguide/private-auth.html for more information
+    Default: ""
 
 Conditions:
   CreateSecret: !Equals [!Ref NakamaPasswordOverride, ""]
+  NoRepositoryCredentials: !Equals [!Ref RepositoryCredentialsSecret, ""]
 
 Resources:
 
@@ -64,39 +69,66 @@ Resources:
     Type: AWS::ECS::TaskDefinition
     Properties:
       ContainerDefinitions:
-      - Name: nakama
-        Essential: 'true'
-        Image: !Ref NakamaContainer
-        MemoryReservation: 800
-        PortMappings:
-        - HostPort: 0
-          ContainerPort: 7348
-        - HostPort: 0
-          ContainerPort: 7349
-        - HostPort: 0
-          ContainerPort: 7350
-        - HostPort: 0
-          ContainerPort: 7351
-        LogConfiguration:
-          LogDriver: awslogs
-          Options:
-            awslogs-region:
-              Ref: AWS::Region
-            awslogs-group:
-              Ref: LogGroup
-        MountPoints:
-          - ContainerPath: /nakama/volume
-            SourceVolume: "nakama-volume"
-        EntryPoint: 
-            - "/bin/sh"
-            - "-ecx"
-            - !Join ["", [
-              !Sub "/nakama/nakama migrate up --database.address ${DatabaseUsername}:${DatabasePassword}@${DatabaseEndpoint}:${DatabasePort} &&\n",
-              !Sub "exec /nakama/nakama --name ${ServerName} --database.address ${DatabaseUsername}:${DatabasePassword}@${DatabaseEndpoint}:${DatabasePort} --console.username ${NakamaUsername} --console.password \"",
-              !If [CreateSecret, !Join ["", ["{{resolve:secretsmanager:",  !Ref AdminPortalPassword,":SecretString}}" ]], !Ref NakamaPasswordOverride ], "\""
-              ]]                
-      Volumes:
-        - Name: "nakama-volume"
+      - !If
+        - NoRepositoryCredentials
+        - Name: nakama
+          Essential: 'true'
+          Image: !Ref NakamaContainer
+          MemoryReservation: 800
+          PortMappings:
+          - HostPort: 0
+            ContainerPort: 7348
+          - HostPort: 0
+            ContainerPort: 7349
+          - HostPort: 0
+            ContainerPort: 7350
+          - HostPort: 0
+            ContainerPort: 7351
+          LogConfiguration:
+            LogDriver: awslogs
+            Options:
+              awslogs-region:
+                Ref: AWS::Region
+              awslogs-group:
+                Ref: LogGroup
+          EntryPoint: 
+              - "/bin/sh"
+              - "-ecx"
+              - !Join ["", [
+                !Sub "/nakama/nakama migrate up --database.address ${DatabaseUsername}:${DatabasePassword}@${DatabaseEndpoint}:${DatabasePort} &&\n",
+                !Sub "exec /nakama/nakama --name ${ServerName} --database.address ${DatabaseUsername}:${DatabasePassword}@${DatabaseEndpoint}:${DatabasePort} --console.username ${NakamaUsername} --console.password \"",
+                !If [CreateSecret, !Join ["", ["{{resolve:secretsmanager:",  !Ref AdminPortalPassword,":SecretString}}" ]], !Ref NakamaPasswordOverride ], "\""
+                ]]
+        - Name: nakama
+          Essential: 'true'
+          Image: !Ref NakamaContainer
+          RepositoryCredentials:
+            CredentialsParameter: !Ref RepositoryCredentialsSecret
+          MemoryReservation: 800
+          PortMappings:
+          - HostPort: 0
+            ContainerPort: 7348
+          - HostPort: 0
+            ContainerPort: 7349
+          - HostPort: 0
+            ContainerPort: 7350
+          - HostPort: 0
+            ContainerPort: 7351
+          LogConfiguration:
+            LogDriver: awslogs
+            Options:
+              awslogs-region:
+                Ref: AWS::Region
+              awslogs-group:
+                Ref: LogGroup
+          EntryPoint: 
+              - "/bin/sh"
+              - "-ecx"
+              - !Join ["", [
+                !Sub "/nakama/nakama migrate up --database.address ${DatabaseUsername}:${DatabasePassword}@${DatabaseEndpoint}:${DatabasePort} &&\n",
+                !Sub "exec /nakama/nakama --name ${ServerName} --database.address ${DatabaseUsername}:${DatabasePassword}@${DatabaseEndpoint}:${DatabasePort} --console.username ${NakamaUsername} --console.password \"",
+                !If [CreateSecret, !Join ["", ["{{resolve:secretsmanager:",  !Ref AdminPortalPassword,":SecretString}}" ]], !Ref NakamaPasswordOverride ], "\""
+                ]]
 Outputs:
   TaskArn:
     Description: ARN of the TaskDefinition

cloudformation/nakama/top.yaml

@@ -25,6 +25,10 @@ Parameters:
     Type: String
     Description: The cluster to run the Nakama service on, if empty will create new cluster.
     Default: ""
+  RepositoryCredentialsSecret:
+    Type: String
+    Description: Arn of repostiory secret from AWS Secrets Manager. See https://docs.aws.amazon.com/AmazonECS/latest/developerguide/private-auth.html for more information
+    Default: ""
   
   #-----------------
   # Load Balancing 
@@ -149,6 +153,7 @@ Metadata:
         default: "ECS Configuration"
       Parameters:
       - EcsClusterOverride
+      - RepositoryCredentialsSecret
     - Label:
         default: "Database Configuration"
       Parameters:
@@ -212,6 +217,8 @@ Metadata:
         default: "RDS Storage"
       RdsAccessCidr:
         default: "RDS Allow Access CIDR"
+      RepositoryCredentialsSecret:
+        default: "Docker Repository Credentials"
 
 
 Conditions:
@@ -298,6 +305,7 @@ Resources:
         DatabasePort: !If ["CreateRdsStack", !GetAtt RdsDatabase.Outputs.RdsPort, !Ref DatabasePort]
         NakamaUsername: !Ref NakamaUsername
         NakamaPasswordOverride: !Ref NakamaPasswordOverride
+        RepositoryCredentialsSecret: !Ref RepositoryCredentialsSecret
 
   EcsService:
     DependsOn: LoadBalancing