aws-amplify / amplify-cli

The AWS Amplify CLI is a toolchain for simplifying serverless web and mobile development.
Apache License 2.0

Automatic Lambda cross-env variables / secrets #13087

Closed redjonzaci closed 1 year ago

redjonzaci commented 1 year ago

Amplify CLI Version

12.2.3

Question

I tried amplify update function and added an environment secret. I thought that it would automatically be added to any new env I created, but it didn't. Now the problem is that we only use PR preview environments and the build fails because the environment secret has no value for this new env. What would be the suggested approach to use an environment secret in every env, without having to manually add it whenever a new env is created?

ykethan commented 1 year ago

Hey @redjonzaci, this is currently not supported in Amplify CLI, as this would pose security issues in your environment. If you would still like to implement this feature, I would suggest utilizing Amplify hooks with the AWS SDK, like:

  1. creating a pre-push hook to read SSM parameters by path prefix with the env you want to copy from.
  2. then create SSM Parameters 1:1 with the PR Preview env name

documentation: https://docs.amplify.aws/cli/reference/ssm-parameter-store/

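The copy step from the two-step suggestion above, sketched as an added example (not code from the Amplify project or from anyone in this thread). It assumes the secrets sit under `/amplify/<appId>/<envName>/`, which should be checked against the linked SSM documentation; `planCopy`, `copyEnvSecrets` and `allowedNames` are hypothetical names, and `ssm` is assumed to be the aggregated `SSM` client from `@aws-sdk/client-ssm` or anything with the same two methods.

```javascript
// Added example. ASSUMPTION: parameters live under /amplify/<appId>/<envName>/.
// `ssm` is any object exposing getParametersByPath() and putParameter().

// Pure step: turn source-env parameters into PutParameter requests for the
// target env, keeping only names on an explicit allow-list.
function planCopy(params, srcPrefix, dstPrefix, allowedNames) {
  return params
    .filter((p) => p.Name.startsWith(srcPrefix) &&
      allowedNames.includes(p.Name.slice(srcPrefix.length)))
    .map((p) => ({
      Name: dstPrefix + p.Name.slice(srcPrefix.length),
      Value: p.Value,
      Type: 'SecureString', // never downgrade a secret to a plain String
      Overwrite: false,     // keep a value already set by hand in the target env
    }));
}

async function copyEnvSecrets(ssm, { appId, sourceEnv, targetEnv, allowedNames }) {
  const srcPrefix = `/amplify/${appId}/${sourceEnv}/`;
  const dstPrefix = `/amplify/${appId}/${targetEnv}/`;
  const found = [];
  let NextToken;
  do { // GetParametersByPath is paginated, so follow NextToken to the end
    const page = await ssm.getParametersByPath({
      Path: srcPrefix, Recursive: true, WithDecryption: true, NextToken,
    });
    found.push(...(page.Parameters || []));
    NextToken = page.NextToken;
  } while (NextToken);

  const copied = [];
  for (const req of planCopy(found, srcPrefix, dstPrefix, allowedNames)) {
    try {
      await ssm.putParameter(req);
      copied.push(req.Name); // names only: values are never logged or returned
    } catch (err) {
      // With Overwrite=false an existing parameter is left alone, not an error.
      if (err.name !== 'ParameterAlreadyExists') throw err;
    }
  }
  return copied;
}
```

The identity running the hook needs only `ssm:GetParametersByPath` on the source path and `ssm:PutParameter` on the target path, plus decrypt/encrypt rights on the KMS key that protects the parameters.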
redjonzaci commented 1 year ago

Hey @ykethan thanks for the response! If I am creating new envs only when I create new PRs, would the solution you are describing work so that my first build doesn't fail and then the env secret would be set on the Lambda?

I think I understand that we could set the secrets on a "main" env and then on each new PR copy those, but how would the Lambda access them? Or is that done automatically, when secrets with that Lambda's name exist in the env?

ykethan commented 1 year ago

Hey @redjonzaci, the permissions for SSM access are generated with the env cfn parameter. To mitigate the build failures you could try setting the "Point all Pull Requests for this branch to an existing environment" option, which should build the preview on an existing env.

related: https://github.com/aws-amplify/amplify-cli/issues/12950

redjonzaci commented 1 year ago

@ykethan I got a little confused by the answer, and I couldn't find the "Point all Pull Requests" option, but for now, we will create an SSM parameter manually and then make a request to retrieve it whenever we need it.

ykethan commented 1 year ago

@redjonzaci the "Point all Pull Requests for this branch to an existing environment" option should be available in the AWS Amplify console under App settings -> Preview -> select a branch -> click on Manage; the option should show in a popup.

josefaidt commented 1 year ago

Hey @redjonzaci are you still experiencing this? Were you able to successfully set up and use secrets/env vars in SSM for PR previews?

redjonzaci commented 1 year ago

> @ykethan I got a little confused by the answer, and I couldn't find the "Point all Pull Requests" option, but for now, we will create an SSM parameter manually and then make a request to retrieve it whenever we need it.

Hey @josefaidt, we settled on this solution, so for the moment, it's okay.

ykethan commented 1 year ago

@redjonzaci thank you for the confirmation. Closing the issue; please feel free to reach out to us again.
