pass secrets to build args via env vars

.github/workflows/_build_image.yml

@@ -32,6 +32,8 @@ on:
         required: true
       AWS_REGION:
         required: true
+      DEV_DB_HOST:
+        required: false
 
 jobs:
   build:
@@ -73,6 +75,7 @@ jobs:
           while IFS= read -r line; do
             # skip empty lines
             [ -n "$line" ] || continue
+            line=$(eval echo "$line")
             BUILD_ARGS="$BUILD_ARGS --build-arg $line"
           done <<< "${{ inputs.build_args }}"
       

.github/workflows/deploy_terraform.yml

@@ -142,12 +142,12 @@ jobs:
       build_context: .
       build_args: |
         JUNTE=best
-        DAN=roth
-        DEV_DB_HOST=${{ secrets.DEV_DB_HOST }}
+        DEV_DB_HOST=\${DEV_DB_HOST}
     secrets:
       AWS_ACCESS_KEY_ID: ${{ secrets.DEV_AWS_ACCESS_KEY_ID }}
       AWS_SECRET_ACCESS_KEY: ${{ secrets.DEV_AWS_SECRET_ACCESS_KEY }}
       AWS_REGION: ${{ secrets.DEV_AWS_REGION }}
+      DEV_DB_HOST: ${{ secrets.DEV_DB_HOST }}
 
   # ============================================================
   # Deploy Condition ETL Lambda

backend/condition/handler/Dockerfile

@@ -9,7 +9,8 @@ FROM public.ecr.aws/lambda/python:3.11
 ARG JUNTE
 ENV JUNTE=${JUNTE}
 
-# ENV DEV_DB_HOST=${DEV_DB_HOST}
+ARG DEV_DB_HOST
+ENV DEV_DB_HOST=${DEV_DB_HOST}
 
 # Set working directory (Lambda task root)
 WORKDIR /var/task