
feat: inject API keys from Secrets Manager into ECS task definitions#64

Merged
0b00101111 merged 2 commits into main from feat/ecs-secrets on Mar 28, 2026

Conversation

@tyrahappy (Collaborator)

Problem

ECS containers cannot read .env files — API keys must be injected at container startup via AWS Secrets Manager. Without this, containers would start but all Kimi/Gemini API calls would fail with missing key errors.

Changes

  • modules/ecs/main.tf — adds secrets block to both API and worker task definitions, injecting KIMI_API_KEY and GEMINI_API_KEY from Secrets Manager ARNs
  • modules/ecs/variables.tf — adds kimi_api_key_secret_arn and gemini_api_key_secret_arn variables
  • modules/iam/main.tf — grants ECS execution role secretsmanager:GetSecretValue on the two secret ARNs (scoped to flair2/{env}/kimi-api-key* and flair2/{env}/gemini-api-key*)
  • variables.tf — exposes the two ARN variables at root level with creation instructions
  • environments/dev.tfvars — adds placeholder ARN values with comments showing the exact aws secretsmanager create-secret commands to run

Manual step required before terraform apply

aws secretsmanager create-secret \
  --name flair2/dev/kimi-api-key \
  --secret-string "YOUR_KIMI_KEY" \
  --region us-west-2

aws secretsmanager create-secret \
  --name flair2/dev/gemini-api-key \
  --secret-string "YOUR_GEMINI_KEY" \
  --region us-west-2

Then paste the returned ARNs into terraform/environments/dev.tfvars.

Test plan

  • terraform validate passes
  • After creating secrets: terraform plan shows secrets injected into task definitions
  • Container env vars KIMI_API_KEY and GEMINI_API_KEY present after deploy

🤖 Generated with Claude Code

…asks

ECS containers cannot use .env files — API keys must come from
AWS Secrets Manager. Adds secrets block to API and worker task definitions,
grants execution role GetSecretValue permission, and documents the two
manual create-secret commands needed before terraform apply.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@0b00101111 (Contributor) left a comment


Review

Good work — secrets injection is the right approach for ECS, IAM scoping is correct, and the manual step docs are clear.

Bug: env var names don't match app config

The secrets inject KIMI_API_KEY and GEMINI_API_KEY, but backend/app/config.py uses env_prefix="FLAIR2_", so the app reads FLAIR2_KIMI_API_KEY and FLAIR2_GEMINI_API_KEY.

As-is, the containers will start but both keys will be empty strings.

Fix in modules/ecs/main.tf (both API and worker task definitions):

secrets = [
  { name = "FLAIR2_KIMI_API_KEY", valueFrom = var.kimi_api_key_secret_arn },
  { name = "FLAIR2_GEMINI_API_KEY", valueFrom = var.gemini_api_key_secret_arn }
]

Everything else looks good

  • IAM policy scoped to flair2/{env}/kimi-api-key* and flair2/{env}/gemini-api-key* — least privilege
  • Both API and worker tasks get the same secrets — correct
  • dev.tfvars has clear instructions with exact CLI commands

Fix the env var names and this is ready to merge.
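The review finding above is a silent failure: ECS injects the secret under whatever name the task definition gives it, the settings class only reads names carrying its env_prefix, and the container boots with empty keys. The check below is an added example, not code from this PR or the flair2 project. It renders the two things the PR creates (the containers' secrets list and the execution role's GetSecretValue statement) as plain Python data and verifies that every required setting is present under the FLAIR2_ prefix, that every valueFrom ARN is covered by the IAM resource patterns, and that the API and worker containers inject the same names. The account id and the six-character suffixes Secrets Manager appends to new secret ARNs are made up; the region and the flair2/{env}/... names come from the PR. fnmatch stands in for IAM's `*` wildcard matching, which is adequate for these ARNs but is an approximation, not the IAM evaluator.

```python
"""Check ECS secret injection against the app's settings prefix and the
execution role's IAM scope. Added example; not part of the PR or project."""
import fnmatch  # approximates IAM '*' wildcard matching on resource ARNs

ENV_PREFIX = "FLAIR2_"                         # env_prefix in backend/app/config.py
REQUIRED_SETTINGS = ("KIMI_API_KEY", "GEMINI_API_KEY")

# Constructed sample ARNs as `aws secretsmanager create-secret` would return them.
# Account id and the "-AbCdEf" style suffix are assumptions; Secrets Manager
# appends such a suffix, which is why the IAM policy ends each resource in '*'.
KIMI_ARN = "arn:aws:secretsmanager:us-west-2:123456789012:secret:flair2/dev/kimi-api-key-AbCdEf"
GEMINI_ARN = "arn:aws:secretsmanager:us-west-2:123456789012:secret:flair2/dev/gemini-api-key-GhIjKl"


def task_secrets(prefix):
    """Render one container's `secrets` list as the task definition would carry it.
    prefix="" reproduces the PR as first opened; prefix=ENV_PREFIX is the fix."""
    return [
        {"name": f"{prefix}KIMI_API_KEY", "valueFrom": KIMI_ARN},
        {"name": f"{prefix}GEMINI_API_KEY", "valueFrom": GEMINI_ARN},
    ]


def execution_role_policy(env):
    """GetSecretValue statement scoped to the two secret name prefixes for `env`."""
    base = "arn:aws:secretsmanager:us-west-2:123456789012:secret:"
    return {
        "Effect": "Allow",
        "Action": ["secretsmanager:GetSecretValue"],
        "Resource": [
            f"{base}flair2/{env}/kimi-api-key*",
            f"{base}flair2/{env}/gemini-api-key*",
        ],
    }


def check_task_definition(containers, policy, env_prefix=ENV_PREFIX):
    """Return a list of findings; an empty list means both containers will start
    with the keys populated and the execution role can actually fetch them."""
    findings = []
    for cname, secrets in containers.items():
        names = {s["name"] for s in secrets}
        for setting in REQUIRED_SETTINGS:
            expected = env_prefix + setting
            if expected not in names:
                # A secret injected as KIMI_API_KEY is never read by a settings
                # class with env_prefix="FLAIR2_": the key is an empty string.
                findings.append(f"{cname}: missing {expected} (have {sorted(names)})")
        for s in secrets:
            covered = any(fnmatch.fnmatchcase(s["valueFrom"], pat) for pat in policy["Resource"])
            if not covered:
                # ECS would fail the task at launch with an AccessDenied on the ARN.
                findings.append(f"{cname}: {s['name']} ARN not covered by execution role policy")
    # API and worker task definitions must inject the same secret names.
    name_sets = {frozenset(s["name"] for s in secrets) for secrets in containers.values()}
    if len(name_sets) > 1:
        findings.append("api and worker task definitions inject different secret names")
    return findings


def demo():
    """Run the check over the PR as opened and as fixed; returns both finding lists."""
    policy = execution_role_policy("dev")
    as_opened = {"api": task_secrets(""), "worker": task_secrets("")}
    as_fixed = {"api": task_secrets(ENV_PREFIX), "worker": task_secrets(ENV_PREFIX)}
    return check_task_definition(as_opened, policy), check_task_definition(as_fixed, policy)


if __name__ == "__main__":
    opened, fixed = demo()
    print("as opened:", *opened, sep="\n  ")
    print("after fix:", fixed or "no findings")
```

Running the module prints four "missing FLAIR2_..." findings for the original names and nothing for the renamed ones. Passing execution_role_policy("prod") with dev ARNs exercises the other failure the scoping protects against: the names are right but the role cannot read the secrets, which ECS reports as a task launch failure rather than an empty key.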

app/config.py uses env_prefix="FLAIR2_", so the container reads
FLAIR2_KIMI_API_KEY and FLAIR2_GEMINI_API_KEY. The previous names
(KIMI_API_KEY / GEMINI_API_KEY) would have injected empty strings.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@tyrahappy (Collaborator, Author)

Fixed: renamed both secret env vars to use the FLAIR2_ prefix to match app/config.py's env_prefix="FLAIR2_":

  • KIMI_API_KEY → FLAIR2_KIMI_API_KEY
  • GEMINI_API_KEY → FLAIR2_GEMINI_API_KEY

Both API and worker task definitions updated. Ready to merge.

@0b00101111 0b00101111 merged commit 8a81558 into main Mar 28, 2026
5 of 6 checks passed