Reputation: 11414
I've followed this tutorial to set up CDK Pipelines using Python with a trigger from Github.
It looks something like this:
```python
import aws_cdk as cdk
from constructs import Construct
from aws_cdk.pipelines import CodePipeline, CodePipelineSource, ShellStep

from my_pipeline.my_pipeline_app_stage import MyPipelineAppStage


class MyPipelineStack(cdk.Stack):

    def __init__(self, scope: Construct, construct_id: str, **kwargs) -> None:
        super().__init__(scope, construct_id, **kwargs)

        pipeline = CodePipeline(self, "Pipeline",
                        pipeline_name="MyPipeline",
                        synth=ShellStep("Synth",
                            input=CodePipelineSource.git_hub("OWNER/REPO", "main"),
                            commands=[
                                "npm install -g aws-cdk",
                                "python -m pip install -r requirements.txt",
                                "cdk synth"]))

        pipeline.add_stage(MyPipelineAppStage(self, "my-stack"))
```
I want to be able to get custom environment variables from my CDK stack. For example:
```python
import os

organizational_unit_ids = [
    os.environ.get("OU_ID"),
]
```
I don't want to store these environment variables directly in my code. Now my question is, where should I store these environment variables in order for the synth `ShellStep` to use them?
Should I add them manually to the CodeBuild action after it has been created?
Or is there somewhere central I can store them?
Upvotes: 1
Views: 3811
Reputation: 41
When using an AWS CDK pipeline, you can store env vars in AWS Systems Manager Parameter Store or AWS Secrets Manager. These are stores for sensitive information.
```java
import software.amazon.awssdk.services.ssm.SsmClient;
import software.amazon.awssdk.services.ssm.model.GetParameterRequest;
import software.amazon.awssdk.services.ssm.model.GetParameterResponse;
import software.amazon.awssdk.services.ssm.model.ParameterType;
import software.amazon.awssdk.services.ssm.model.PutParameterRequest;
import software.amazon.awssdk.services.ssm.model.PutParameterResponse;

public class ParameterStoreExample {

    private static final String PARAMETER_NAME = "/myapp/paramName";
    private static final String PARAMETER_VALUE = "mySecretValue";

    public static void main(String[] args) {
        // Uses the default credential chain and region from the environment
        SsmClient ssmClient = SsmClient.create();

        // Store the parameter as a SecureString (encrypted at rest with KMS)
        PutParameterRequest putParameterRequest = PutParameterRequest.builder()
                .name(PARAMETER_NAME)
                .value(PARAMETER_VALUE)
                .type(ParameterType.SECURE_STRING)
                .build();
        PutParameterResponse putParameterResponse = ssmClient.putParameter(putParameterRequest);

        // Retrieve the parameter; withDecryption(true) is required for SecureString
        GetParameterRequest getParameterRequest = GetParameterRequest.builder()
                .name(PARAMETER_NAME)
                .withDecryption(true)
                .build();
        GetParameterResponse getParameterResponse = ssmClient.getParameter(getParameterRequest);

        String retrievedValue = getParameterResponse.parameter().value();
        System.out.println("Retrieved value: " + retrievedValue);
    }
}
```
Upvotes: -1
Reputation: 25649
CodeBuild can retrieve your env var at run-time.
First, store your environment variable as a parameter in the Parameter Store (or in SecretsManager).
Then, set the parameter to a CodeBuild environment variable. To do this, use the `CodeBuildStep` construct for the synth input, not `ShellStep`. The generic `ShellStep` construct, which supports multiple deployment platforms, can't set CodeBuild environment variables. `CodeBuildStep` can.
Set the environment variable in the `build_environment` arg. The value will be retrieved at run-time. Add permissions for CodeBuild to read your parameter value by adding a policy statement to `role_policy_statements`.
```python
import aws_cdk as cdk
from aws_cdk import aws_codebuild as codebuild, aws_iam as iam
from aws_cdk.pipelines import CodeBuildStep, CodePipeline, CodePipelineSource

# Inside MyPipelineStack.__init__, replacing the ShellStep from the question
pipeline = CodePipeline(self, "Pipeline",
    pipeline_name="MyPipeline",
    synth=CodeBuildStep(
        "Synth",
        input=CodePipelineSource.git_hub("OWNER/REPO", "main"),
        commands=[
            "npm install -g aws-cdk",
            "python -m pip install -r requirements.txt",
            "cdk synth",
        ],
        # OU_ID is resolved from Parameter Store when the build runs,
        # so the value never lives in the repository or the template
        build_environment={
            "environment_variables": {
                "OU_ID": {
                    "type": codebuild.BuildEnvironmentVariableType.PARAMETER_STORE,
                    "value": "my-ou-param",
                }
            }
        },
        # Least privilege: the synth role may read only this one parameter
        role_policy_statements=[
            iam.PolicyStatement(
                effect=iam.Effect.ALLOW,
                actions=["ssm:GetParameter"],
                resources=[
                    self.format_arn(
                        service="ssm",
                        resource="parameter",
                        resource_name="my-ou-param",
                        arn_format=cdk.ArnFormat.SLASH_RESOURCE_NAME,
                    ),
                ],
            ),
        ],
    ),
)
```
Upvotes: 5
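As an added example (not part of either answer, and independent of the CDK library): a pure-Python helper that takes the same `environment_variables` mapping shape the `CodeBuildStep` answer uses and derives least-privilege IAM statements for the synth role, refusing secret-looking variables declared as `PLAINTEXT`. The region, account, helper names and sample mapping are constructed assumptions; the ARN rules it encodes are the documented SSM and Secrets Manager formats.

```python
# Hypothetical helper (added example): derive least-privilege statements from a
# CodeBuild environment_variables mapping and reject plaintext secrets.
REGION = "us-east-1"          # constructed sample values
ACCOUNT = "123456789012"
SECRET_HINTS = ("SECRET", "TOKEN", "PASSWORD", "KEY")


def ssm_parameter_arn(name: str) -> str:
    # SSM ARNs read parameter/<name> with exactly one slash, whether or not the
    # parameter name itself starts with "/". Formatting "/myapp/x" naively as
    # parameter//myapp/x yields an ARN that never matches, so the grant fails.
    return f"arn:aws:ssm:{REGION}:{ACCOUNT}:parameter/{name.lstrip('/')}"


def secret_arn(value: str) -> str:
    # A SECRETS_MANAGER value is "secret-id[:json-key[:stage[:version]]]"; only
    # the secret id matters for the grant. Secrets Manager appends a random
    # 6-character suffix to secret ARNs, so scope by name with "-??????".
    if value.startswith("arn:"):
        return value
    secret_id = value.split(":")[0]
    return f"arn:aws:secretsmanager:{REGION}:{ACCOUNT}:secret:{secret_id}-??????"


def policy_statements(env_vars: dict) -> list:
    statements = []
    for var_name, spec in env_vars.items():
        kind, value = spec["type"], spec["value"]
        if kind == "PLAINTEXT":
            # Plaintext values are baked into the template and visible to anyone
            # who can read the stack; never allow them for secret-looking names.
            if any(hint in var_name.upper() for hint in SECRET_HINTS):
                raise ValueError(f"{var_name}: secret-looking value declared as PLAINTEXT")
            continue
        if kind == "PARAMETER_STORE":
            # CodeBuild resolves PARAMETER_STORE variables with ssm:GetParameters;
            # ssm:GetParameter covers build scripts that read the value directly.
            statements.append({"Effect": "Allow",
                               "Action": ["ssm:GetParameter", "ssm:GetParameters"],
                               "Resource": [ssm_parameter_arn(value)]})
        elif kind == "SECRETS_MANAGER":
            statements.append({"Effect": "Allow",
                               "Action": ["secretsmanager:GetSecretValue"],
                               "Resource": [secret_arn(value)]})
        else:
            raise ValueError(f"{var_name}: unknown variable type {kind!r}")
    return statements


SAMPLE_ENV = {  # constructed sample mirroring the answer's build_environment
    "OU_ID": {"type": "PARAMETER_STORE", "value": "/myapp/ou-id"},
    "GITHUB_TOKEN": {"type": "SECRETS_MANAGER", "value": "github-token:token"},
    "STAGE": {"type": "PLAINTEXT", "value": "prod"},
}
```

Run `policy_statements(SAMPLE_ENV)` to get the two statements to feed into `role_policy_statements`; a `PLAINTEXT` entry named like a secret raises before anything is synthesized.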