Environment & Configuration

Most Rails applications require over a dozen environment variables to configure themselves or popular gems used. Most notable is ActiveRecord's DATABASE_URL but others like RAILS_MASTER_KEY require us to consider how we configure your Lambda.

There are numerous ways to configure environment variables ranging from quick and dirty commits to git (DO NOT DO THIS) all the way to a strict separation of config from code using countless methods to achieve a proper Twelve-Factor app. We want to cover a few topics that may help you pick and choose what works best for you.

Our Cookiecutter

After the SAM init process we asked you to run a bin/setup script. This calls a bin/_setup-credentials script which generates your new application's RAILS_MASTER_KEY which Rails places into a config/master.key file. This file is git ignored. We store the contents of this secret key securely in AWS using their Systems Manager Parameter Store service.

When you deploy your application to application to Lambda, we read the master key back out and write it out to a Dotenv file located at .env.${RAILS_ENV}. This file and hence the RAILS_MASTER_KEY environment variable are set early in your application's boot process within the app.rb file.

Rails Encrypted Credentials

Given the handling of the RAILS_MASTER_KEY above, Rails Credentials is a perfect fit for Lambda. It allows you to bundle all configuration aspect within a single file. This also keeps your lambda talking to 3rd party services while they scale up and are started for you. For most users, using Rails.application.credentials for all your configs may be all you need.

Lamby adds the bin/credentials file to easily decrypt and edit your credentials using EDITOR=vim within your Docker container.

Stop Using AWS Keys & Secrets

If your application uses other AWS resources like S3, you may be using environment variables like AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY. Avoid this pattern. Instead please add explicit IAM policies within your template.yaml file. They will be attached to your Lambda's Execution Role and inherently give your Lambda the needed permissions.

Using Dotenv & Rails

Our cookiecutter project integrates the Dotenv gem. This can be useful for all Rails environments from development, test, and production. For example, you can commit common development environment variables to .env.development or lock down test configurations in .env.test. Please take some time to read their documentation.

SMS Parameter Store

You may find your want more than just the RAILS_MASTER_KEY as an environment during your build & deploy. You may want to consider using AWS' Systems Manager Parameter Store like we have in our bin/build script. For example, these are the AWS CLI commands to put and get values.

$ aws ssm put-parameter \
  --name "/myapp/SOME_OTHER_ENV" \
  --type "SecureString" \
  --value "somesecretvalue"
SOME_OTHER_ENV=$(aws ssm get-parameter \
  --name "/myapp/SOME_OTHER_ENV" \
  --with-decryption \
  --query "Parameter.Value" \
  --output text 2> /dev/null | echo "$(</dev/stdin)"
)
Lamby 🆕 HTTP API Support     GitHub