python docker amazon-ecs circleci

Python app in AWS ECS. How to link to external app config?


I have a Python app (Flask, uwsgi) with the following deployment model: the Docker container is put into AWS ECR and rolled out by AWS ECS (Fargate). CD is operated by CircleCI. I use an external application config (an INI file) and would like to place it outside the container (which is in fact good practice). The question is: where exactly should I put such a file so that containers in ECS can read it? As a reminder: the Fargate deployment model is agnostic to specific EC2 instances, so I do not see a way to put it there. The piece of code which reads my config:

APP_CONFIG = Path(os.getenv("CONFIG_FILE_PATH", str(DEFAULT_CONFIG_PATH)))

Solution

  • You have several options:

    1. The easiest but also most cumbersome option would be to put the config, base64 encoded, into the Parameter Store and then inject the config as an environment file into the container by pointing to it with the secrets attribute in the task definition. Personally I really don't like this because every time I want to change the config I have to do it manually... change the file, encode it, upload it to the store. In addition, the image / entrypoint must be modified to put the file where it belongs.

    2. Store the config in an EFS volume and bind it to the container. Once you have everything set up and containers can access EFS volumes, this is a pretty nice solution. You will either update the configs manually in the volume, for example from an EC2 instance, or push the updated files to the volume in your pipeline.

    3. Hacky approach that I use: Store the config in a git repo that also contains my pipeline definition etc. Override the entrypoint of the image with the entrypoint attribute, inject the config file as base64 in an env var into the container, and then from the same entrypoint decode it and put it in its correct place. I do this because I prefer all my non-secret config to be in the same repo as the task definitions etc.

    I'm sure there are more (sophisticated) approaches out there, for example with something like HashiCorp Vault. But I have no experience with them.
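
Options 1 and 3 above both rely on an entrypoint that decodes the base64 config and puts the file where the app reads it. The following is an added example, not code from the original post, of such an entrypoint that fails closed on a missing or malformed value and writes the file owner-only. The variable name `APP_CONFIG_B64` and the default path are assumptions; `CONFIG_FILE_PATH` is the variable the question's code reads.

```python
import base64
import binascii
import configparser
import os
import sys
import tempfile
from pathlib import Path

ENV_VAR = "APP_CONFIG_B64"  # hypothetical variable name set in the task definition
DEFAULT_CONFIG_PATH = Path("/tmp/app/config.ini")  # assumed; the post does not give its value


def materialize_config(environ, default_path=DEFAULT_CONFIG_PATH):
    """Decode the base64 INI held in environ[ENV_VAR] and write it where the app reads it."""
    target = Path(environ.get("CONFIG_FILE_PATH", str(default_path)))
    encoded = "".join(environ.get(ENV_VAR, "").split())  # tolerate line-wrapped base64
    if not encoded:
        raise RuntimeError(f"{ENV_VAR} is not set; refusing to start without config")
    try:
        # validate=True rejects non-alphabet characters instead of silently skipping them
        text = base64.b64decode(encoded, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError) as exc:
        raise RuntimeError(f"{ENV_VAR} is not base64-encoded UTF-8") from exc
    try:
        configparser.ConfigParser().read_string(text)  # fail at startup, not on first lookup
    except configparser.Error as exc:
        raise RuntimeError(f"{ENV_VAR} does not contain a valid INI file") from exc
    target.parent.mkdir(parents=True, exist_ok=True)
    # mkstemp creates the file with mode 0600; os.replace swaps it in atomically
    fd, tmp_name = tempfile.mkstemp(dir=target.parent, prefix=".cfg-")
    try:
        with os.fdopen(fd, "w", encoding="utf-8") as handle:
            handle.write(text)
        os.replace(tmp_name, target)
    except BaseException:
        os.unlink(tmp_name)
        raise
    return target


def main(argv):
    if not argv:
        sys.exit("usage: entrypoint.py COMMAND [ARGS...]")
    materialize_config(os.environ)
    os.environ.pop(ENV_VAR, None)  # keep the blob out of the app's own environment
    os.execvp(argv[0], argv)  # replace this process with the real command, e.g. uwsgi


if __name__ == "__main__":
    main(sys.argv[1:])
```

The value still appears in plain form in the task definition and pipeline logs, so this pattern fits the non-secret config the answer describes; secrets belong in the Parameter Store path from option 1.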