brian-ixlayer
commented
1 year ago The use case for extra_env_vars is for merging extra environment variables on top of the default ones if you need to do so. You would add these in your {env}.tfvars file like so:
extra_env_vars = [
{
name = "MY_ENV_VAR"
value = "my-value"
}
]If you want to add sensitive data that should not be committed to code, there are a few options:
- ideally you can use the boto3 library or some other wrapper to call secrets rather than passing them to your task definition (link). In my example project in this repo I use
aws-secretsmanager-cachingwhich is maintained by AWS - Add a secrets manager secret to your container as an environment variable (link)
- use the
extra_env_varsto add a value that you can safely commit to the.tfvarsfile like I have shown above - if you want to put the value in GitHub secrets then you will need to pass it down through the application from the top level main.tf file down to the web module. So you need to add it to the
.varsfiles. I assume you are not using my Terraform modules directly but instead are using your own modules. Then you can change them as you need to support adding extra environment variables through environment secrets. You would also need to update the GitHub Actions scripts to inject theTF_VARS_env vars to the step that runsterraform plan/apply
Let me know if you have any other questions about these suggestions, hope that helps!
pdang29
I tried to pass Github secrets to terraform using TF_VAR_variable_name, then use as an environment variable for Gunicorn task, but so far it has not been successful. I saw in your terraform-aws-django modules/prod/app module "api" there is a variable called extra_env_vars. What is the use case for this? Can we actually use this variable to pass secrets from Github?
I would appreciate if you have any suggestions on how to pass extra environment variables to django.
Thanks!