Reputation: 130
I'm working with Terraform to configure an AWS Lambda with API Gateway and DynamoDB. For the infrastructure I'm using a private repository, and for the Lambda source code I'm using a different private repository.
After some research I have already found a way to download the source code for use in Terraform using:
    locals {
      package_url     = "https://github.com/.../main.zip"
      downloaded      = "downloaded_package_${md5(local.package_url)}.zip"
      lambda_src_path = "${path.module}/lambda"
    }

    resource "null_resource" "download_package" {
      triggers = {
        downloaded = local.downloaded
      }

      provisioner "local-exec" {
        command = "curl -L -o ${local.downloaded} ${local.package_url}"
      }
    }
This would work fine if the repo were public; otherwise a solution would be to use:
    curl -H 'Authorization: token TOKEN' \
         -H 'Accept: application/vnd.github.v3.raw' \
         -O \
         -L https://api.github.com/repos/owner/repo/contents/path
I would like to ask what the best solution would be to achieve that, maybe using .env data inside the Terraform repository.
Thanks
Upvotes: 0
Views: 720
Reputation: 1016
Don't store secrets in a .env file, since those would be part of the repo and at risk of being compromised. You should never store secrets in a repo. The solution depends on where you actually have your repo hosted, but all providers support storing secrets one way or another.
For example, GitHub has https://docs.github.com/en/actions/security-guides/encrypted-secrets
Upvotes: 2
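As an added example (not code from the question or the answer above), here is how the question's null_resource download can take the token from the CI secret store instead of a committed .env file. Terraform reads any environment variable named TF_VAR_<name> as the value of variable <name>, so a GitHub Actions workflow only has to export the encrypted secret as TF_VAR_github_token; nothing secret lives in the repository. The variable name github_token, the OWNER/REPO placeholder URL and the zipball endpoint are assumptions for the illustration.

```hcl
# Added example: the token is supplied at run time (TF_VAR_github_token
# exported from the CI secret store), never stored in the repository.

variable "github_token" {
  description = "GitHub token with read access to the Lambda source repo"
  type        = string
  sensitive   = true   # redacted in plan/apply output and state dumps
}

locals {
  # Placeholder: replace OWNER/REPO with the private Lambda source repo.
  package_url = "https://api.github.com/repos/OWNER/REPO/zipball/main"
  downloaded  = "downloaded_package_${md5(local.package_url)}.zip"
}

resource "null_resource" "download_package" {
  triggers = {
    downloaded = local.downloaded
  }

  provisioner "local-exec" {
    # Pass the token through the provisioner's environment rather than
    # interpolating it into `command`: Terraform echoes the command line
    # ("Executing: ...") during apply, but not the environment block.
    environment = {
      GITHUB_TOKEN = var.github_token
    }

    # --fail: a 401/404 aborts the apply instead of silently saving an
    # HTML error page as the .zip. $GITHUB_TOKEN is expanded by the shell,
    # not by Terraform, so it never enters the rendered command string.
    command = "curl --fail -sSL -H \"Authorization: token $GITHUB_TOKEN\" -H 'Accept: application/vnd.github+json' -o ${local.downloaded} ${local.package_url}"
  }
}
```

Locally, run `export TF_VAR_github_token=...` in the shell before `terraform apply` (or pass `-var` from a prompt); in GitHub Actions, set `TF_VAR_github_token: ${{ secrets.GITHUB_SOURCE_TOKEN }}` in the step's `env:`, where GITHUB_SOURCE_TOKEN is whatever name you gave the encrypted secret. Keep the downloaded zip out of version control as well, since the archive itself is the private source.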