Environment & Configuration

🆕 Rust Lambda Extension for any Runtime to preload SSM Parameters as Secure Environment Variables! Crypteia

Most Rails applications require over a dozen environment variables to configure itself along with other popular gems used. Most notable is ActiveRecord's DATABASE_URL but others like RAILS_MASTER_KEY require us to consider how we configure your Lambda.

There are numerous ways to configure environment variables ranging from "quick and dirty" by adding secrets to your git repo (DO NOT DO THIS) all the way to a strict "separation of config" from code using countless methods to achieve a proper Twelve-Factor app. We want to cover a few topics that may help you pick and choose what works best for you.

Our Cookiecutter

We disable encrypted credentials in favor of a more simple SECRET_KEY_BASE setting. The starter project places a temporary value for this environment variable in the config/initializers/secret_key_base.rb file. Please remove the ENV['SECRET_KEY_BASE'] = '0123...' line and use SSM Parameter Store described below.

Stop Using AWS Keys & Secrets

If your application uses other AWS resources like S3, you may be using environment variables like AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY. Avoid this pattern. Instead, please add explicit IAM policies within your template.yaml file. They will be attached to your Lambda's Execution Role and inherently give your Lambda the needed permissions.

Using Dotenv & Rails

Our cookiecutter project integrates the Dotenv gem. This can be useful for all Rails environments from development, test, and production. For example, you can commit common development environment variables to .env.development or lock down test configurations in .env.test.

Please take some time to read their documentation. Alternatively, you can remove Dotenv all together and replace it with any other system that makes sense for you. Our starter project is just that, a starting point.

SSM Parameter Store

🆕 Please take a look at Crypteia, a new Rust-based Lambda Extension for any Runtime to preload SSM Parameters as Secure Environment Variables!

Please consider using AWS' Systems Manager Parameter Store to store your credentials for each stage of your deploy and leverage our place holder in bin/_build under the "Environments & Configuration" section to pull your configurations into a Dotenv file to be packaged for deploy. Lamby provides a Rake task to help with this. For example, this will take every parameter under the /my_awesome_lambda/production/env path and save it to a .env.production file. The Lamby starter includes this SSM gem already. But make sure you check it is there.

gem 'aws-sdk-ssm'
echo "== Environments & Configuration =="
$ ./bin/rails \
  -rlamby \
  lamby:ssm:dotenv \

Optionally, if you use GitHub Actions, there are numerous AWS SSM to .env projects out there so your CI/CD pipeline could handle this too.