Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

The goal of the tutorial is to add the environment variables, using the environment file present at the git repository and input argument, in the already created Lambda Function. We are going to and also publish the function version. We will also add secured variables also and to encrypt these variables we are going to use the AWS KMS key. Also we are going to publish the function version with added environment variables. We will have project property added in the deploy workflow and this project property value will be contain the list of the environment variables that we are going to provide use in the workflow input argument of the environment variables. We can use the dynamic value in both the environment file and input argument, please refer to the document to get more details about environment variables' acceptable structure.

  • configuration of the properties e.g. Cloud account, and CLI path.

  • cloning the environment file from a Git repository.

  • adding the environment variables to the Lamba function.

  • sample code to retrieve the value of secured environment variables.

...

Checklist

Description

AWS Access Key

AWS Access Key of the user.

AWS Secret Key

Password for the Access Key

AWS Default Region

Default region can be set. eg. ap-south-1

AWS CLI installation

AWS CLI needs to be installed where the plugin operation shall run (FlexDeploy server)

AWS CLI in class path

AWS CLI should be added to the class path on the FlexDeploy Server. Else the path can also be set under FlexDeploy environment level property

AWS Lambda Function

AWS Lambda Function should be already present.

AWS KMS Key

AWS KMS key to secured the environment variable.

Configure Cloud

...

Account

To connect with AWS Lambda Function, we required to configure Cloud account, with credentials details. Configure AWS Cloud Account under Integration. FlexDeploy will connect to the Lambda Function and add the environment variables.

...

After configuration we would be able to use the Cloud Account as a drop down from the list.

...

Create AWS Lambda Function

AWS Lambda is a compute service that lets you run code without provisioning or managing servers. Lambda runs your code on a high-availability compute infrastructure and performs all of the administration of the compute resources, including server and operating system maintenance, capacity provisioning and automatic scaling, and logging. With Lambda, all you need to do is supply your code in one of the language runtimes that Lambda supports. Please refer to the link for more information https://docs.aws.amazon.com/lambda/latest/dg/welcome.html

To create the Lambda Function go to the AWS console

  1. Navigate to the Services

  2. Select Compute from the left-hand pane

  3. Now click on the Lambda service option

...

After selecting the Lambda service, new window will open and it contains detail of all the functions.

...

Now select the create function option, it will open window to create function and configured detail.

...

By default AWS creates execution role with basic Lambda permissions, we can select an existing role also. In above example we are using existing role ( basic-lambda-role ) . Please refer to the link for more information https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html

The role which we are selecting must have basic Lambda permissions, the role we have selected also have permission for KMS key to decrypt the secured variables. If we are using the KMS key to encrypt the secured variables then we must have to give permission to the role to use the KMS key.

...

In above role we can see we have one permissions policy name as kms-access, this policy allow us to use the KMS key to decrypt the variables, which we have used to encrypt the variables.

Policy detail:

...

...

Trust relationships detail: ( Entities that can assume this role under specified conditions )

...

Detail of the AWS Lambda function which we have created and going to use for this tutorial:

...

In above function if we see the Environment variables details under the Configuration, there is no environment variables are present. Once successful execution of the operation we should be able to see some environment variables.

Create AWS KMS Key

AWS Key Management Service (AWS KMS) is a managed service that makes it easy for us to create and control the cryptographic keys that are used to protect our data. Please refer to the link for more information https://aws.amazon.com/kms/

AWS KMS key is required to encrypt the secured variables before adding them to Lambda function. If we don’t have any secured variables in that case we don’t required to configure KMS key detail in the project. In our scenario we are adding both secured and non-secured variables to the Lambda function.

To create the Lambda Function go to the AWS console

  1. Navigate to the Services

  2. Select Security, Identity, & Compliance from the left-hand pane

  3. Now click on the Key Management Service service option

...

Detail of the KMS key which we are using for this tutorial:

...

We can use Key ID or Key ARN value in the project to encrypt the variables, both are accepted.

Git Repository Structure

The Git repository contains the Environment file.The , Sample Git repository structure is given below.

...

Environment Variable File Structure

This is the example of environment file with json structure, please refer the document to get more details about environment variables' acceptable structure.

...

Pre-requisite

Configure IAM

...

User

To access the Lambda Function we need to create an AWS IAM account with required permissions. To create the AWS IAM user navigate to the AWS Identity and Access Management (IAM) service page, and click on the Add users option. Next assign the required permission to access the Lambda Function. Once user is created, AWS secret key can be generated, this key we have to configure in Cloud account.

For more information about IAM user please ref. IAM users - AWS Identity and Access Management

...

CLI

...

Installation

  • AWS CLI should be installed in the m/c where the plugin is to be executed. Preferably add AWS CLI path in m/c classpath.

...

Step-ii: Copy the environment file
The below step will copy the environment file to the artifact. Also check the Produces Artifact option to save the files as artifact so that can be used from Deploy workflow.

...

Below given is a sample deploy workflow to add the environment variable to the AWS Lambda function.

...

Step-i: add environment variables

...

Input Name

Input Code

Type

Required

Description

Additional Arguments

FDAWS_LAMBDA_INP_ADD_ENV_VAR_ADDITIONAL_ARG

String

No

Literal key and value pairs. e.g. --region=us-east-1 --memory-size=512 --timeout=33

And for boolean type arguments give the option without any value. e.g --publish --debug

Environment Variables

FDAWS_LAMBDA_INP_ENV_VAR

String

No

Environment Variables in acceptable format.

Publish new version

FDAWS_LAMBDA_INP_PUBLISH_VERSION

Boolean

No

Select to publish a new version. Default value is false.

Project

...

Configuration

Navigate to the Project tab and create a Project with a logical name(AWS-Lambda-Environment-Variable in this case)

...

Environment Variable File Path: Path of the file which contains list of the environment variables. Please refer to the document for more details about Lambda function name and Environment Variable File path . AWS Lambda - Environment Variable File and zip File location options

KMS detail: AWS KMS key is required to encrypt the secured variables before adding them to Lambda function. If we don’t have any secured variables in that case we don’t required to configure KMS key detail in the project. In our scenario we are adding both secured and non-secured variables to the Lambda function. Key Id or Key ARN details, both are accepted. Please refer to the document for more details. https://docs.aws.amazon.com/kms/latest/developerguide/overview.html

...

The AWS Cloud account needs to be set here from the drop-down. It will show all Cloud Accounts configured under Topology, which we have already mentioned earlier.

...

CLI

...

Path

AWS CLI path can be set as environment property, if it’s not set then by default plugin will check for CLI in system classpath.

...

Override

...

Properties at Project

...

Level

Let assume a scenario, where we want to change Cloud account for any specific project. Apart from setting at environment level, it can also be set at project properties by using Override Property. Please check below mentioned steps.

...

And we have selected the publish version option from the workflow so we can verify the published function version, from the plugin output and AWS Lambda console.

...

Sample

...

Code to

...

Retrieve the

...

Secured Variables

We have also added some non-secured variables ( Password and Mysql_Connection_String ) to the Lambda Function and to encrypt these variables we have used AWS KMS key, to get the values of secured variables we can use the sample code provided by AWS Lambda according to the Function code language. In our case we are using java script, below is the sample code to get the value of secured and non-secured variables and creating the response to print the values.

...

We can use the test option of the AWS-Lambda to test our function code, in our case test response will be:

...

Please refer to the link, for more details about encryption and decryption of the secured variables AWS KMS --encryption-context understanding