使用 Git 存储库作为 Terraform 中的 AWS Lambda 源的最佳方法?
[英]Best way to use Git repository as an AWS Lambda source within Terraform?
问题描述
I'm working with Terraform to configure an AWS Lambda with API Gateway and DynamoDB, for the infrastructure i'm using a private repository and for the Lambda code source i'm using a different private repository.
我正在与 Terraform 一起使用 API 网关和 DynamoDB 配置 AWS Lambda,对于我使用私有存储库的基础设施和 Lambda 代码源,我使用不同的私有存储库。
After a research i have already found a way to download a source code to use in Terraform using:经过研究,我已经找到了一种下载源代码以在 Terraform 中使用的方法:
locals {
package_url = "https://github.com/.../main.zip"
downloaded = "downloaded_package_${md5(local.package_url)}.zip"
lambda_src_path = "${path.module}/lambda"
}
resource "null_resource" "download_package" {
triggers = {
downloaded = local.downloaded
}
provisioner "local-exec" {
command = "curl -L -o ${local.downloaded} ${local.package_url}"
}
}
This would work fine if the repo is public, otherwise a solution would be using:如果回购是公开的,这会很好用,否则解决方案将使用:
curl -H 'Authorization: token TOKEN' \
-H 'Accept: application/vnd.github.v3.raw' \
-O \
-L https://api.github.com/repos/owner/repo/contents/path
I would like to ask what would be the best solution to achieve that, maybe using.env data inside the Terraform repository.我想问一下实现该目标的最佳解决方案是什么,也许是使用 Terraform 存储库中的 .env 数据。
Thanks谢谢
1 个解决方案
解决方案1
2 2022-11-21 10:39:10
Don't store secrets in.env file, since those would be part of repo and at risk to be compromised.不要将秘密存储在 .env 文件中,因为它们将成为回购协议的一部分并且有被泄露的风险。 You should never store secrets in repo.你永远不应该在回购中存储秘密。 The solution depends on where you actually have your repo hosted.解决方案取决于您实际托管存储库的位置。 But all providers support storing secrets one way or another.但是所有提供者都支持以一种或另一种方式存储秘密。
For example github has https://docs.github.com/en/actions/security-guides/encrypted-secrets例如 github 有https://docs.github.com/en/actions/security-guides/encrypted-secrets
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.