The project I\u2019ve been working on for some time has multiple environments for multiple clients and each environment has its environment configurations. Therefore, I needed a secure way to store the environment configurations and to fetch them in real-time while the application was being deployed.<\/p>\n\n\n\n
After doing some research, I found that AWS provides Environment Variables<\/a> for AWS CodeDeploy during deployment that we can use with lifecycle event hooks.<\/p>\n\n\n\n I came across the idea to store environment <\/strong>configurations as a secret in AWS Secrets Manager<\/strong> with name same as CodeDeploy deployment <\/strong>group <\/strong>name; and fetch the configurations using DEPLOYMENT_GROUP_NAME<\/strong> environment variable amidst the deployment.<\/p>\n\n\n\n e.g. If we have a deployment group with name Client-Dashboard-DG,<\/strong> we\u2019ll also store the secret in secret manager with the same name.<\/strong><\/p>\n\n\n\n Next, in the appspec.yml file, we will execute a bash script to get the secrets from the AWS Secret Manager. This is how our `appspec.yml` file would look like<\/p>\n\n\n\n And `getconfig.sh` file would look like this<\/p>\n\n\n\n Our JS file to get the secrets would look like<\/p>\n\n\n\nhooks:
BeforeInstall:
- location: scripts\/getconfig.sh
timeout: 600
runas: root<\/pre>\n\n\n\n#!\/bin\/bash\n\ncd \/opt\/codedeploy-agent\/deployment-root\/${DEPLOYMENT_GROUP_ID}\/${DEPLOYMENT_ID}\/deployment-archive\/export \n\nNODE_PATH=\/usr\/lib\/node_modules\/\n\nnode scripts\/secret-manager-to-env.js<\/pre>\n\n\n\n\/\/ Use this code snippet in your app.\n\/\/ If you need more information about configurations or implementing the sample code, visit the AWS docs:\n\/\/ https:\/\/aws.amazon.com\/developers\/getting-started\/nodejs\/\n\n\/\/ Load the AWS SDK\nDEPLOYMENT_GROUP_NAME = process.env.DEPLOYMENT_GROUP_NAME\n\nvar AWS = require('aws-sdk'),\n region = \"us-west-2\",\n secretName = `${DEPLOYMENT_GROUP_NAME}`,\n secret,\n decodedBinarySecret;\nvar fs = require('fs');\n\n\/\/ Create a Secrets Manager client\nvar client = new AWS.SecretsManager({\n region: region\n});\n\n\/\/ In this sample we only handle the specific exceptions for the 'GetSecretValue' API.\n\/\/ See https:\/\/docs.aws.amazon.com\/secretsmanager\/latest\/apireference\/API_GetSecretValue.html\n\/\/ We rethrow the exception by default.\n\nclient.getSecretValue({SecretId: secretName}, function(err, data) {\n if (err) {\n console.log(\"*******************************\")\n console.log(\"Error fetching secrets\")\n console.log(\"*******************************\")\n process.exit(1);\n\tif (err.code === 'DecryptionFailureException')\n \/\/ Secrets Manager can't decrypt the protected secret text using the provided KMS key.\n \/\/ Deal with the exception here, and\/or rethrow at your discretion.\n throw err;\n else if (err.code === 'InternalServiceErrorException')\n \/\/ An error occurred on the server side.\n \/\/ Deal with the exception here, and\/or rethrow at your discretion.\n throw err;\n else if (err.code === 'InvalidParameterException')\n \/\/ You provided an invalid value for a parameter.\n \/\/ Deal with the exception here, and\/or rethrow at your discretion.\n throw err;\n else if (err.code === 'InvalidRequestException')\n \/\/ You provided a parameter value that is not valid for the current state of the resource.\n \/\/ Deal with the exception here, and\/or rethrow at your discretion.\n throw err;\n else if (err.code === 'ResourceNotFoundException')\n \/\/ We can't find the resource that you asked for.\n \/\/ Deal with the exception here, and\/or rethrow at your discretion.\n throw err;\n }\n else {\n \/\/ Decrypts secret using the associated KMS CMK.\n \/\/ Depending on whether the secret is a string or binary, one of these fields will be populated.\n if ('SecretString' in data) {\n secret = JSON.parse(data.SecretString);\n for (let key in secret) {\n if(secret.hasOwnProperty(key))\n fs.appendFile('.env', `${key}='${secret[key]}'` + '\\r\\n', function (err) {\n if (err) throw err;\n console.log(`${key}='${secret[key]}' Saved!`);\n });\n }\n\n } else {\n let buff = new Buffer(data.SecretBinary, 'base64');\n decodedBinarySecret = buff.toString('ascii');\n }\n }\n \n \/\/ Your code goes here. \n});<\/code><\/pre>\n\n\n\n