try using shared resource to fetch secrets

2026-06-08 11:17:27 +00:00 · 2026-02-06 16:22:53 +00:00 · 2026-02-06 16:22:53 +00:00 · bae1735e23
commit bae1735e23
parent f033b144c2
4 changed files with 53 additions and 60 deletions
--- a/.github/workflows/_deploy_lambda.yml
+++ b/.github/workflows/_deploy_lambda.yml
@ -23,9 +23,9 @@ on:
        required: true
        type: string

-      environment_vars:
-        required: false
-        type: string
+      # environment_vars:
+      #   required: false
+      #   type: string

    secrets:
      AWS_ACCESS_KEY_ID:
@ -83,28 +83,12 @@ jobs:
      - name: Terraform Plan
        working-directory: ${{ inputs.lambda_path }}
        run: |
-          ENV_VARS=""
-          if [ -n "${{ inputs.environment_vars }}" ]; then
-            # Convert multiline KEY=VALUE into JSON
-            ENV_VARS=$(echo "${{ inputs.environment_vars }}" | \
-              jq -Rn '
-                [inputs | split("=")] |
-                { (.[0]): .[1] }' | jq -s add | jq -c .)
-          fi
-
-          PLAN_CMD="terraform plan \
-            -var=\"stage=${{ inputs.stage }}\" \
-            -var=\"lambda_name=${{ inputs.lambda_name }}\" \
-            -var=\"ecr_repo_url=${{ steps.repo.outputs.ecr_repo_url }}\" \
-            -var=\"image_digest=${{ inputs.image_digest }}\""
-
-          if [ -n "$ENV_VARS" ]; then
-            PLAN_CMD="$PLAN_CMD -var=\"environment_vars=$ENV_VARS\""
-          fi
-
-          PLAN_CMD="$PLAN_CMD -out=lambdaplan"
-          # echo "Running: $PLAN_CMD"
-          eval $PLAN_CMD
+          terraform plan \
+            -var="stage=${{ inputs.stage }}" \
+            -var="lambda_name=${{ inputs.lambda_name }}" \
+            -var="ecr_repo_url=${{ inputs.ecr_repo }}" \
+            -var="image_digest=${{ inputs.image_digest }}" \
+            -out=lambdaplan

      - name: Terraform Apply
        working-directory: ${{ inputs.lambda_path }}
--- a/.github/workflows/deploy_terraform.yml
+++ b/.github/workflows/deploy_terraform.yml
@ -69,30 +69,30 @@ jobs:
  # ============================================================
  # Fetch DB credentials
  # ============================================================
-  fetch_db:
-    needs: determine_stage
-    runs-on: ubuntu-latest
-    outputs:
-      db_username: ${{ steps.get_db.outputs.db_username }}
-      db_password: ${{ steps.get_db.outputs.db_password }}
+  # fetch_db:
+  #   needs: determine_stage
+  #   runs-on: ubuntu-latest
+  #   outputs:
+  #     db_username: ${{ steps.get_db.outputs.db_username }}
+  #     db_password: ${{ steps.get_db.outputs.db_password }}

-    steps:
-      - uses: actions/checkout@v4
+  #   steps:
+  #     - uses: actions/checkout@v4

-      - name: Configure AWS
-        uses: aws-actions/configure-aws-credentials@v4
-        with:
-          aws-access-key-id: ${{ secrets.DEV_AWS_ACCESS_KEY_ID }}
-          aws-secret-access-key: ${{ secrets.DEV_AWS_SECRET_ACCESS_KEY }}
-          aws-region: ${{ secrets.DEV_AWS_REGION }}
+  #     - name: Configure AWS
+  #       uses: aws-actions/configure-aws-credentials@v4
+  #       with:
+  #         aws-access-key-id: ${{ secrets.DEV_AWS_ACCESS_KEY_ID }}
+  #         aws-secret-access-key: ${{ secrets.DEV_AWS_SECRET_ACCESS_KEY }}
+  #         aws-region: ${{ secrets.DEV_AWS_REGION }}

-      - id: get_db
-        run: |
-          SECRET=$(aws secretsmanager get-secret-value \
-            --secret-id "${{ needs.determine_stage.outputs.stage }}/assessment_model/db_credentials" \
-            --query SecretString --output text)
-          echo "db_username=$(echo $SECRET | jq -r .db_assessment_model_username)" >> $GITHUB_OUTPUT
-          echo "db_password=$(echo $SECRET | jq -r .db_assessment_model_password)" >> $GITHUB_OUTPUT
+  #     - id: get_db
+  #       run: |
+  #         SECRET=$(aws secretsmanager get-secret-value \
+  #           --secret-id "${{ needs.determine_stage.outputs.stage }}/assessment_model/db_credentials" \
+  #           --query SecretString --output text)
+  #         echo "db_username=$(echo $SECRET | jq -r .db_assessment_model_username)" >> $GITHUB_OUTPUT
+  #         echo "db_password=$(echo $SECRET | jq -r .db_assessment_model_password)" >> $GITHUB_OUTPUT


  # ============================================================
@ -186,7 +186,8 @@ jobs:
  # Deploy Condition ETL Lambda
  # ============================================================
  condition_etl_lambda:
-    needs: [condition_etl_image, fetch_db, determine_stage]
+    # needs: [condition_etl_image, fetch_db, determine_stage]
+    needs: [condition_etl_image, determine_stage]
    uses: ./.github/workflows/_deploy_lambda.yml
    with:
      lambda_name: condition-etl
@ -194,9 +195,10 @@ jobs:
      stage: ${{ needs.determine_stage.outputs.stage }}
      ecr_repo: condition-etl-${{ needs.determine_stage.outputs.stage }}
      image_digest: ${{ needs.condition_etl_image.outputs.image_digest }}
-      environment_vars: |
-        DB_USERNAME=${{ needs.fetch_db.outputs.db_username }}
-        DB_PASSWORD=${{ needs.fetch_db.outputs.db_password }}
+      # environment_vars: ${{ toJSON({
+      #   DB_USERNAME: needs.fetch_db.outputs.db_username,
+      #   DB_PASSWORD: needs.fetch_db.outputs.db_password
+      # }) }}
    secrets:
      AWS_ACCESS_KEY_ID: ${{ secrets.DEV_AWS_ACCESS_KEY_ID }}
      AWS_SECRET_ACCESS_KEY: ${{ secrets.DEV_AWS_SECRET_ACCESS_KEY }}
--- a/infrastructure/terraform/lambda/condition-etl/main.tf
+++ b/infrastructure/terraform/lambda/condition-etl/main.tf
@ -1,3 +1,12 @@
+data "aws_secretsmanager_secret_version" "db_credentials" {
+  secret_id = "${var.stage}/assessment_model/db_credentials"
+}
+
+locals {
+  db_credentials = jsondecode(data.aws_secretsmanager_secret_version.db_credentials.secret_string)
+}
+
+
 module "lambda" {
  source = "../modules/lambda_with_sqs"

@ -7,11 +16,13 @@ module "lambda" {
  image_uri = local.image_uri


-  environment = {
-    STAGE = var.stage
-    LOG_LEVEL = "info"
-    DB_USERNAME = var.environment_vars.DB_USERNAME
-    DAN = "hello"
-  }
+  environment = merge(
+    {
+      STAGE     = var.stage
+      LOG_LEVEL = "info"
+      DB_USERNAME = local.db_credentials.db_assessment_model_username
+      DB_PASSWORD = local.db_credentials.db_assessment_model_password
+    },
+  )

 }
--- a/infrastructure/terraform/lambda/condition-etl/variables.tf
+++ b/infrastructure/terraform/lambda/condition-etl/variables.tf
@ -17,10 +17,6 @@ variable "image_digest" {
  description = "Image digest (sha256:...)"
 }

-variable "environment_vars" {
-  type    = map(string)
-  default = {}
-}

 locals {
  image_uri = "${var.ecr_repo_url}@${var.image_digest}"