How do I add a lambda environmental variable with terraform?

14
votes

I want my lambda to call APIs, and that requires an API token. I want to place the API token into a lambda environment variable. How can I have terraform do this instead? Or am I approaching this the wrong way?

4
aws-lambdaterraformterraform-provider-aws
This may help using SSM parameter store and hiding values - SNR

4 Answers

10
votes

The Documentation here gives a pretty good example. Basically it's a environment block with a variables block. Then whatever key value pairs you want. Assuming you're using nodejs you can then refer to these variables in your lambda code by doing process.env.api_key. These values would be stored in plain text in your terraform code as well as the terraform state file. AWS encrypts the environment variables but you do need to concern yourself with how those values get there. If you are uncomfortable with them being stored in git and whatever storage you use for your state file then you can add them in manually through the console.

resource "aws_lambda_function" "test_lambda" {
  filename         = "lambda_function_payload.zip"
  function_name    = "lambda_function_name"
  runtime          = "nodejs8.10"
  ...

  environment {
    variables = {
      api_key = "super_secret"
    }
  }
}
4
votes

You can use aws secret manager to store your data. more info. to use them in your terraform follow below steps:

  1. Store your sensitive data such as passwords and api keys.
  2. Add "aws_secretsmanager_secret" data to your terraform, more info
  3. Add "aws_secretsmanager_secret_version" based on the secret from the previous step. more info
  4. Assuming your secret are stored in a key-value structure use

${jsondecode(data.aws_secretsmanager_secret_version.secrets.secret_string)["YOUR_KEY"]}

2
votes

If you want to pass a super_secret_value in terraform then instead passing through a tfvars file, you might want to consider using Vault or AWS Secret Manager.

But, even if you use Vault or AWS Secret Manager, secrets maybe be visible in tfstate file. But to mitigate the risk, you can encrypt the tfstate file on S3 and put restrict policy so that only required people can access this state file.

1
votes

If you have, like for most traditional NodeJS app, en .env file that is loaded with dotenv locally, here is a trick to proxy those variables into your Terraform files as variables:

env $(sed -e 's/^/TF_VAR_/' ../../.env.preproduction) terraform plan \
 -out=terraform-preproduction.plan

Then, just declare the env vars as variables and use them:

variable "SECRET" {
  description = "The application SECRET env var"
}

resource "aws_lambda_function" "test_lambda" {
  filename         = "lambda_function_payload.zip"
  function_name    = "lambda_function_name"
  runtime          = "nodejs8.10"
  ...

  environment {
    variables = {
      api_key = "${var.SECRET}"
    }
  }
}