Introduction
AWS Lambda environment variables are used to adjust a function's behavior without updating its code. An environment variable is a pair of strings stored in a function's version-specific configuration. The Lambda runtime makes environment variables available to our code and sets additional environment variables that contain information about the function and the invocation request. We are going to use the addLambdaEnvironmentVariables operation to add environment variables to a Lambda function. The variables can be supplied through a file or an input argument, and the operation also supports encrypting them with an AWS KMS key. We can select the option to publish a new version; by default the operation does not publish one. The operation uses the configured AWS cloud account.
Objective
The goal of this tutorial is to add environment variables to an already created Lambda function, using both an environment file stored in a Git repository and an input argument. We are also going to add secured variables, encrypted with an AWS KMS key, and publish a function version that includes the added environment variables. A project property will be added in the deploy workflow; its value is the list of environment variables that we provide in the environment variables input argument. Dynamic values can be used in both the environment file and the input argument. Please refer to the document for more details about the acceptable structure of environment variables.
Configuration of the properties, e.g. Cloud account and CLI path.
Cloning the environment file from a Git repository.
Adding the environment variables to the Lambda function.
Sample code to retrieve the value of secured environment variables.
Checklist
Checklist | Description |
AWS Access Key | AWS Access Key of the user. |
AWS Secret Key | Password for the Access Key |
AWS Default Region | Default region can be set, e.g. ap-south-1 |
AWS CLI installation | AWS CLI needs to be installed where the plugin operation shall run (FlexDeploy server) |
AWS CLI in class path | AWS CLI should be added to the class path on the FlexDeploy Server. Else the path can also be set under FlexDeploy environment level property |
AWS Lambda Function | AWS Lambda Function should be already present. |
AWS KMS Key | AWS KMS key used to secure the environment variables. |
Configure Cloud account
To connect to the AWS Lambda function, we need to configure a Cloud account with credential details. Configure the AWS Cloud Account under Integrations. FlexDeploy will connect to the Lambda function and add the environment variables.
Navigate to the Integrations
Select Cloud from the left-hand pane
Create a new Cloud account with the “+” button. Create a new Cloud account of provider type “AWS”
It should have an AWS Access Key and an AWS Secret Key. The user must have the relevant access to the AWS Lambda function.
The AWS Secret Key is a password field and hence needs to be kept hidden. To update it, click on the pencil icon as shown below.
Update the AWS Secret Key value under Secret Text. This makes sure no one else can retrieve the password.
After configuration we will be able to select the Cloud Account from the drop-down list.
Git repository structure
The Git repository contains the Environment file.
The Sample Git repository structure is given below.
Pre-requisite
Configure IAM user
To access the Lambda function we need to create an AWS IAM user with the required permissions. To create the AWS IAM user, navigate to the AWS Identity and Access Management (IAM) service page and click on the Add users option. Next, assign the required permission to access the Lambda function. Once the user is created, an AWS secret key can be generated; this key has to be configured in the Cloud account.
For more information about IAM users, please refer to IAM users - AWS Identity and Access Management
CLI installation
The AWS CLI should be installed on the machine where the plugin is to be executed. Preferably add the AWS CLI path to the machine's classpath.
Build and Deploy Workflows
Navigate to the Workflows tab and create a workflow using the “+”(Click to create new Workflow) button as highlighted below.
Next, create one Build and Deploy workflow as shown below. The workflow Type field defines the type of workflow.
Build Workflow
Navigate to the Workflows
Select the “+” button from the left-hand pane to create a new workflow
Deploy Workflow
Navigate to the Workflows
Select the “+” button from the left-hand pane to create a new workflow
The Workflow Group and Subgroup define the folder hierarchy. Once both workflows are created, it should look like the below. There is no constraint on the workflow or folder naming convention.
The steps of the workflow execution can be configured through the Workflow Definition section.
Below is a sample build workflow that copies the file from the Git repository.
Step-i: Clone Git Repository
This step will clone the Git repository codebase into the project execution working directory. The Git URL will be retrieved from Source Control configured under Project Configuration.
Step-ii: Copy the environment file
The step below copies the environment file to the artifact. Also check the Produces Artifact option to save the files as an artifact so that they can be used from the Deploy workflow.
Step-i: Add environment variables
This step will add environment variables to the Lambda Function and publish the version.
The above configuration uses the following inputs.
Input Name | Input Code | Type | Required | Description |
Additional Arguments | FDAWS_LAMBDA_INP_ADD_ENV_VAR_ADDITIONAL_ARG | String | No | Literal key and value pairs, e.g. --region=us-east-1 --memory-size=512 --timeout=33. For boolean type arguments give the option without any value, e.g. --publish --debug |
Environment Variables | FDAWS_LAMBDA_INP_ENV_VAR | String | No | Environment Variables in acceptable format. |
Publish new version | FDAWS_LAMBDA_INP_PUBLISH_VERSION | Boolean | No | Select to publish a new version. Default value is false. |
Project configuration
Navigate to the Project tab and create a Project with a logical name (AWS-Lambda-Environment-Variable in this case)
Configure the Build and Deploy workflow that has been created in previous steps as shown below.
Source Control
Configure the Source SCM repository under Source Control as shown below.
To configure project-specific Source Control, one first needs to navigate to the Project Configuration tab.
Next, expand the SOURCE CONTROL option from the left-hand pane.
Select the appropriate Source Control Type
Configure Source Repository. For detailed steps of Source Control configuration please refer to Configure Source Control in FlexDeploy
Project Properties
Lambda Function name: Name of the function to which the environment variables are added. If the Lambda function name is not given, the name of the environment file will be used as the function name.
Environment Variable File Path: Path of the file which contains the list of environment variables.
Please refer to the document for more details about the Lambda function name and Environment Variable File Path: AWS Lambda - Environment Variable File and zip File location options
KMS detail: Key Id or Key ARN details, both are accepted. Please refer to the document for more details. https://docs.aws.amazon.com/kms/latest/developerguide/overview.html
Target Properties
Select Topology from the menu and then select Targets. Select the target group and environment, provide the properties detail, according to the description.
Properties | Mandatory field | Description |
Cloud Account | Optional | Select the Cloud Account to connect the Lambda Function. |
CLI Path | Optional | Directory where Cloud CLI is installed. |
AWS Region | Optional | Value of the AWS Region. |
Below are the environment-specific values which need to be updated.
Cloud Account
The AWS Cloud account needs to be set here from the drop-down. It will show all Cloud Accounts configured under Topology, which we have already mentioned earlier.
CLI path
The AWS CLI path can be set as an environment property; if it is not set, the plugin will by default look for the CLI in the system classpath.
Override properties at Project level
Let us assume a scenario where we want to change the Cloud account for a specific project. Apart from setting it at the environment level, it can also be set in the project properties by using Override Property. Please follow the steps below.
Navigate to the Project Configuration tab as shown above.
Next, select the PROPERTIES option from the left-hand pane.
Click on the OVERRIDE option.
Select the Cloud Account option from Property.
Select the Environment from the drop down list.
Select the Target Group from the drop down list.
Build and Deploy Execution
For detailed steps on how to perform build and deploy, please refer to the document.
After Deploy Execution
Once the add environment operation is successful, we can see the variable details on the AWS Lambda Function console.
Since we selected the publish version option in the workflow, we can also verify the published function version from the plugin output and the AWS Lambda console.
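The same post-deploy check can be scripted. The following is an added example, not part of the original tutorial or the FlexDeploy plugin: it audits the JSON printed by `aws lambda get-function-configuration` and reports variables whose names look sensitive but whose values are not base64 ciphertext. The name pattern, the 100-byte size threshold and the sample configuration are assumptions made for illustration.

```javascript
// Added example: audit the output of
//   aws lambda get-function-configuration --function-name <name>
const SENSITIVE_NAME = /passw|secret|token|connection_?string/i; // assumed naming convention
const MIN_CIPHERTEXT_BYTES = 100; // assumed lower bound for a KMS ciphertext blob

function looksLikeKmsCiphertext(value) {
  // Strict check first: Buffer.from() silently skips invalid base64 characters.
  if (!/^[A-Za-z0-9+/]+={0,2}$/.test(value) || value.length % 4 !== 0) return false;
  const bytes = Buffer.from(value, 'base64');
  return bytes.toString('base64') === value && bytes.length >= MIN_CIPHERTEXT_BYTES;
}

function auditEnvironment(config) {
  const vars = (config.Environment && config.Environment.Variables) || {};
  const findings = [];
  for (const [name, value] of Object.entries(vars)) {
    if (SENSITIVE_NAME.test(name) && !looksLikeKmsCiphertext(String(value))) {
      findings.push({ name, issue: 'sensitive name, value is not KMS-style ciphertext' });
    }
  }
  return findings; // only names are reported, never the values
}

// Constructed sample: Password was left in plaintext, the connection string
// is a 160-byte stand-in for a real ciphertext blob.
const SAMPLE_CONFIG = {
  FunctionName: 'demo-fn',
  Environment: { Variables: {
    UserName: 'app_user',
    Password: 'hunter2',
    Mysql_Connection_String: Buffer.alloc(160, 7).toString('base64'),
  } },
};

console.log(auditEnvironment(SAMPLE_CONFIG));
```

An empty result means every variable with a sensitive-looking name holds a ciphertext-shaped value; it does not prove which key encrypted it.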
Sample code to retrieve the secured variables
We have also added some secured variables (Password and Mysql_Connection_String) to the Lambda Function, encrypted with the AWS KMS key. To get the values of secured variables we can use the sample code provided by AWS Lambda for the function's code language. In our case we are using JavaScript; below is the sample code that reads the secured and non-secured variables and builds a response that prints their values.
```javascript
const AWS = require('aws-sdk');
AWS.config.update({ region: 'us-east-1' });

// Set by the Lambda runtime; used below as the KMS encryption context
const functionName = process.env.AWS_LAMBDA_FUNCTION_NAME;
let password;
let userName;
let connectionString;

function processEvent(event) {
}

exports.handler = async (event) => {
  const kms = new AWS.KMS();
  try {
    password = process.env['Password'];                        // secured (base64 ciphertext)
    userName = process.env['UserName'];                        // non-secured (plain text)
    connectionString = process.env['Mysql_Connection_String']; // secured (base64 ciphertext)

    // Decrypt the Password variable
    let req = {
      CiphertextBlob: Buffer.from(password, 'base64'),
      EncryptionContext: { LambdaFunctionName: functionName },
    };
    let data = await kms.decrypt(req).promise();
    password = data.Plaintext.toString('ascii');

    // Decrypt the Mysql_Connection_String variable
    req = {
      CiphertextBlob: Buffer.from(connectionString, 'base64'),
      EncryptionContext: { LambdaFunctionName: functionName },
    };
    data = await kms.decrypt(req).promise();
    connectionString = data.Plaintext.toString('ascii');
  } catch (err) {
    console.log('Decrypt error:', err);
    throw err;
  }
  processEvent(event);

  // The response echoes the decrypted values so that the test output shows them
  // (demonstration only; a real function would not return its secrets).
  const response = { UserName: userName, Password: password, ConnectionString: connectionString };
  return {
    "isBase64Encoded": false,
    "statusCode": 200,
    "body": JSON.stringify(response),
    "headers": { "content-type": "application/json" }
  };
};
```
We can use the Test option of AWS Lambda to test our function code; in our case the test response will be:
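Added example, not part of the original tutorial or AWS sample code: a variant of the handler above that decrypts each secured variable once per container, keeps the same `LambdaFunctionName` encryption context, and reports only whether the secrets loaded instead of returning them. The names `makeSecretLoader`, `makeHandler` and `makeFakeKms` are hypothetical, and the fake KMS client is a constructed stand-in so the code runs offline.

```javascript
// Added example. `kms` is any object with the SDK v2 call shape used above
// (kms.decrypt(req).promise()); in Lambda pass `new AWS.KMS()` and process.env.
function makeSecretLoader(kms, functionName, env) {
  const cache = new Map(); // name -> Promise<string>, reused by warm invocations
  return function getSecret(name) {
    if (cache.has(name)) return cache.get(name);
    if (!env[name]) return Promise.reject(new Error(`${name} is not set`));
    const pending = kms.decrypt({
      CiphertextBlob: Buffer.from(env[name], 'base64'),
      // Must match the context used at encryption time, or KMS refuses to decrypt.
      EncryptionContext: { LambdaFunctionName: functionName },
    }).promise()
      .then((data) => data.Plaintext.toString('utf8'))
      .catch((err) => { cache.delete(name); throw err; }); // never cache a failure
    cache.set(name, pending);
    return pending;
  };
}

function makeHandler(getSecret, env) {
  return async function handler(event) {
    const password = await getSecret('Password');
    const connectionString = await getSecret('Mysql_Connection_String');
    // ... open the database connection with these values here ...
    const body = {
      UserName: env.UserName,
      PasswordLoaded: password.length > 0, // status only, no plaintext
      ConnectionStringLoaded: connectionString.length > 0,
    };
    return { isBase64Encoded: false, statusCode: 200, body: JSON.stringify(body),
             headers: { 'content-type': 'application/json' } };
  };
}

// Constructed stand-in for AWS.KMS: the "ciphertext" is just the plaintext
// bytes, and a request with the wrong encryption context is rejected.
function makeFakeKms(expectedFunctionName) {
  const fake = { calls: 0 };
  fake.decrypt = (req) => ({
    promise: async () => {
      fake.calls += 1;
      if (req.EncryptionContext.LambdaFunctionName !== expectedFunctionName) {
        throw new Error('InvalidCiphertextException');
      }
      return { Plaintext: req.CiphertextBlob };
    },
  });
  return fake;
}
```

In a deployed function the wiring would be `exports.handler = makeHandler(makeSecretLoader(new AWS.KMS(), process.env.AWS_LAMBDA_FUNCTION_NAME, process.env), process.env);`.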