Managing configuration from the command line is not enough on its own: a Lambda function needs a way to fetch environment-specific configuration at runtime in order to execute.
This example uses S3 as the configuration store, but it works with any supported storage solution.
- Place the following files in the lambda function folder.
- Create a configuration file `dev.json` in the lambda function folder.

```json
{
  "user": "user",
  "password": "************"
}
```

- In the lambda function folder, use a local install of cStore to push the `dev.json` file to an AWS S3 bucket with a `dev` tag. The resulting `cstore.yml` file should be checked into the repo, but not the `dev.json` file, as it may contain secrets.
- Add this line of code to the lambda function handler file to load configuration.

```javascript
// ENVIRONMENT is set on the function by the Terraform definition below.
var config = cstore.pull('cstore_linux_amd64', process.env.ENVIRONMENT)
```
- Update the Terraform lambda function environment variables to specify which environment config file should be retrieved when the lambda function executes.

```hcl
resource "aws_lambda_function" "lambda" {
  function_name    = "${var.app}-${var.environment}-ci-auto-rotate"
  filename         = "${data.archive_file.lambda_zip.output_path}"
  source_code_hash = "${data.archive_file.lambda_zip.output_base64sha256}"
  handler          = "handler.handler"
  runtime          = "nodejs8.10"
  timeout          = 10
  role             = "${aws_iam_role.lambda_exec.arn}"
  tags             = "${var.tags}"

  environment {
    variables = {
      ENVIRONMENT = "${var.environment}"
    }
  }
}
```
- Set up the S3 bucket policy to allow access for the AWS lambda function's role.
- Set up the AWS lambda role policy to allow S3 bucket access.

```hcl
data "aws_iam_policy_document" "app_policy" {
  statement {
    effect = "Allow"
    actions = [
      "s3:Get*",
    ]
    resources = [
      "${var.aws_s3_bucket_arn}/*",
    ]
  }

  # Only required if injecting secrets from Secrets Manager.
  statement {
    effect = "Allow"
    actions = [
      "secretsmanager:GetSecretValue",
    ]
    resources = [
      "arn:aws:secretsmanager:us-east-1:${var.account_id}:secret:${var.config_context}/*",
    ]
  }
}
```

- Deploy the lambda function.
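The bucket-policy step above gives no code. The following is an added Terraform example, not code from the cStore project, showing the bucket side of the same least-privilege grant: only the Lambda execution role may read configuration objects, and plaintext transport is refused. It reuses `aws_iam_role.lambda_exec` and `var.aws_s3_bucket_arn` from the definitions above; the bucket resource name `aws_s3_bucket.config` and the data source name `config_bucket_policy` are assumptions.

```hcl
# Added example: bucket-side policy that lets only the Lambda execution role
# read configuration objects. aws_s3_bucket.config and the policy document
# name are assumed; the role and bucket ARN variable come from the steps above.
data "aws_iam_policy_document" "config_bucket_policy" {
  statement {
    sid    = "AllowLambdaRoleRead"
    effect = "Allow"

    principals {
      type        = "AWS"
      identifiers = ["${aws_iam_role.lambda_exec.arn}"]
    }

    # Same actions the role policy grants; keep both sides equally narrow.
    actions = [
      "s3:Get*",
    ]

    resources = [
      "${var.aws_s3_bucket_arn}/*",
    ]
  }

  # Refuse plaintext transport for every principal, so configuration (and any
  # secret that ends up in it) never crosses the network unencrypted.
  statement {
    sid    = "DenyInsecureTransport"
    effect = "Deny"

    principals {
      type        = "*"
      identifiers = ["*"]
    }

    actions = ["s3:*"]

    resources = [
      "${var.aws_s3_bucket_arn}",
      "${var.aws_s3_bucket_arn}/*",
    ]

    condition {
      test     = "Bool"
      variable = "aws:SecureTransport"
      values   = ["false"]
    }
  }
}

resource "aws_s3_bucket_policy" "config" {
  bucket = "${aws_s3_bucket.config.id}" # assumed bucket resource name
  policy = "${data.aws_iam_policy_document.config_bucket_policy.json}"
}
```

The Lambda role gets no write access on purpose: in the procedure above, `dev.json` is pushed from a developer workstation with that person's own credentials, so the function only ever needs to read. If a CI job later takes over the push, add its role as a separate principal with a separate statement rather than widening the Lambda role.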