I am using the Serverless Framework and I am building all my resources at once. I have a Lambda@Edge function on the AWS CloudFront viewer request side, and the function needs access to the Cognito user pool ID. Since I am not able to pass environment variables to Lambda@Edge functions, I have no choice but to hard-code the user pool ID in the Lambda@Edge function, which is very annoying to say the least. But things get even worse: I am not able to get the user pool ID until I deploy everything, then pick the user pool ID, hard-code it in the function, and then redeploy. Is there a better solution to all this?
2 Answers
You can externalise sensitive information in AWS Parameter Store.
The main difference from Environment Variables is that it's only available over API calls. On the other hand, it does give you a lot of flexibility to change the values as you wish on Parameter Store and leave your Lambda functions untouched. You can also control the access to the Parameter Store with IAM Roles, which gives you an extra layer of security.
You can check this tutorial to see how to store/retrieve data from AWS Parameter Store.

- Using AWS Parameter Store has the same kind of problem. If the variable I need changes, I will have to change the variable value inside AWS Parameter Store. I am looking for a way where the value of the variable is passed during the deployment process automatically, kind of like what happens with regular Lambda functions. – Aimn Blbol Apr 11 '19 at 14:26
- @AimnBlbol How are you building your Lambda function? If you are using CloudFormation (or SAM) then you can store the parameter in Parameter Store in the template. See [the documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ssm-parameter.html) for details and limitations. – morras Apr 11 '19 at 15:01
- @morras thanks for your answer. The data that I am trying to pass to the Lambda@Edge function is not sensitive. I was trying to stay away from Parameter Store because it is slow to retrieve data. – Aimn Blbol Apr 20 '19 at 04:39
There is a good solution I found here, using terraform, but the approach with for example would be the same: https://transcend.io/blog/lambda-edge-functions-in-terraform
- Use terraform (or your tool of choice) to create a JSON file containing your configuration (similar to .env files)
- Read it from your handler function
- Deploy both the file and function with terraform (by selecting it as directory)
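```javascript
import { readFileSync } from 'fs';

// config.json is generated at deploy time and bundled next to the handler.
const config = JSON.parse(readFileSync('./config.json', 'utf8'));
```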
The author uses a special terraform module, but you can also do this manually or even use a fixed file per environment.
```hcl
plaintext_params = {
  userpool_id              = var.userpool_id
  client_id                = var.client_id
  userpool_region          = var.userpool_region
  ui_subdomain             = var.ui_subdomain
  scopes                   = join(" ", var.scopes)
  client_secret_param_name = var.ssm_client_secret_param_name
}
```
I used a different terraform module to deploy my Lambda@Edge function.

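As an added example (not code from either answer or from the linked blog post), this is one way the handler side of the bundled-config approach in the second answer could validate `config.json` when it is first loaded. The key names follow the Terraform snippet above; `validateConfig`, `loadConfig` and the list of rejected key names are assumptions made for illustration.

```javascript
// Added example: validate a deploy-time config.json bundled with a Lambda@Edge function.
const fs = require('node:fs');
const path = require('node:path');

const REQUIRED = ['userpool_id', 'client_id', 'userpool_region'];
// The file ships in plaintext inside the deployment package, so it may carry the
// *name* of a secret parameter (client_secret_param_name) but never a secret value.
// This key list is an assumption; extend it to match your own naming.
const SECRET_KEY = /^(client_secret|secret|password|private_key)$/i;

function validateConfig(raw) {
  for (const key of REQUIRED) {
    if (typeof raw[key] !== 'string' || raw[key] === '') {
      throw new Error(`config: missing or empty "${key}"`);
    }
  }
  const leaked = Object.keys(raw).find((k) => SECRET_KEY.test(k));
  if (leaked) throw new Error(`config: "${leaked}" must not be bundled in plaintext`);

  // User pool IDs have the form <region>_<alphanumerics>; a mismatch means the
  // file is stale or was generated for another environment.
  const { userpool_id: poolId, userpool_region: region } = raw;
  const suffix = poolId.slice(region.length + 1);
  if (!/^[a-z0-9-]+$/.test(region) || !poolId.startsWith(`${region}_`) ||
      !/^[0-9a-zA-Z]+$/.test(suffix)) {
    throw new Error('config: userpool_id does not match userpool_region');
  }
  // Issuer and JWKS location that Cognito tokens for this pool are checked against.
  const issuer = `https://cognito-idp.${region}.amazonaws.com/${poolId}`;
  return Object.freeze({ ...raw, issuer, jwksUri: `${issuer}/.well-known/jwks.json` });
}

// Parsed once per execution environment and reused across invocations.
const cache = new Map();
function loadConfig(file = path.join(__dirname, 'config.json')) {
  if (!cache.has(file)) {
    cache.set(file, validateConfig(JSON.parse(fs.readFileSync(file, 'utf8'))));
  }
  return cache.get(file);
}
```

Calling `loadConfig()` at module scope in the handler file makes a stale or malformed bundle fail at cold start rather than partway through a request.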