AWS CDK Python - Add Environment Variables for CodeBuild Pipeline

Raymond, 2023-01-11

AWS CDK is commonly used to generate CloudFormation templates, which in turn create or update stacks (groups of resources) on AWS. CodeBuild is part of the AWS CI/CD offering and builds your projects. This article shows how to expose values stored in AWS Secrets Manager to a CodeBuild project as environment variables, using CDK Python.

Supported environment variable types

CodeBuild supports three environment variable types:

  • PARAMETER_STORE - the value is read from AWS Systems Manager Parameter Store when the build runs.
  • PLAINTEXT - the default; the value is stored as-is in the project definition, and therefore also in the CloudFormation template and in the CodeBuild console and API output.
  • SECRETS_MANAGER - the value is read from AWS Secrets Manager when the build runs.

The examples below use SECRETS_MANAGER, with one PLAINTEXT variable for contrast.

About AWS Secrets Manager

This article does not cover AWS Secrets Manager itself; refer to the official documentation (linked in the References section).

As with any secrets manager, secrets are stored encrypted (Secrets Manager encrypts them with a KMS key) and are retrieved by name. A secret value can be a single string or a set of key/value pairs stored as a JSON string.

For example, you may create a secret named dev01/database-credential with content like the following:

{"user":"mydbuser","password":"mydbpassword"}

To retrieve a single key of a JSON secret, CodeBuild uses the notation SECRET_NAME:KEY_NAME. For example, the following reference returns the password of the secret above:

dev01/database-credential:password

Prerequisites

The following sections assume that the secrets below exist, and that the CodeBuild project's service role is allowed to read them: secretsmanager:GetSecretValue on those secret ARNs, plus kms:Decrypt on the key if the secrets are encrypted with a customer-managed KMS key.

  • dev01/database-credential: {"user":"mydbuser","password":"mydbpassword"}
  • mysecret: secret value

Both secrets will be used in the following CDK code.
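To make the notation concrete, here is a small Python resolver, added for this article (it is not CodeBuild's or the CDK's code), that applies CodeBuild's secret-id:json-key:version-stage:version-id reference format to an in-memory stand-in for the two secrets above. It shows that "/" is part of the secret name, that a bare name returns the whole SecretString (the raw JSON for the first secret), and that selecting a key from a non-JSON secret, or a key that does not exist, fails rather than silently yielding an empty string. STORED_SECRETS is constructed sample data; version-stage and version-id are parsed but not applied.

```python
import json

# Constructed stand-in for the two secrets listed under Prerequisites
# (secret name -> SecretString). Sample data, not a live Secrets Manager.
STORED_SECRETS = {
    "dev01/database-credential": '{"user":"mydbuser","password":"mydbpassword"}',
    "mysecret": "secret value",
}


def parse_reference(ref):
    """Split a CodeBuild reference 'secret-id:json-key:version-stage:version-id'.

    Only secret-id is required. '/' is an ordinary character in the name;
    ':' is the only field separator. Returns a 4-tuple with None for
    fields that were not given.
    """
    if not ref or ref.startswith(":"):
        raise ValueError(f"invalid reference {ref!r}: secret-id is required")
    fields = ref.split(":", 3)
    fields += [None] * (4 - len(fields))
    # Empty middle fields (e.g. "name::AWSCURRENT") mean "not given".
    return tuple(f if f else None for f in fields)


def resolve(ref, store=STORED_SECRETS):
    """Return the string CodeBuild would inject into the build for `ref`.

    Mirrors the observable rules of the notation: a bare name yields the
    whole SecretString; 'name:key' yields one key of a JSON object.
    """
    secret_id, json_key, _stage, _version = parse_reference(ref)
    if secret_id not in store:
        raise KeyError(f"secret {secret_id!r} does not exist")
    raw = store[secret_id]
    if json_key is None:
        return raw
    try:
        doc = json.loads(raw)
    except ValueError:
        raise ValueError(
            f"{secret_id!r} is not a JSON secret; cannot select key {json_key!r}"
        ) from None
    if not isinstance(doc, dict) or json_key not in doc:
        raise KeyError(f"key {json_key!r} not found in secret {secret_id!r}")
    value = doc[json_key]
    if not isinstance(value, str):
        # Environment variables are strings; this example does not guess how
        # CodeBuild renders nested or numeric JSON values.
        raise TypeError(f"key {json_key!r} of {secret_id!r} is not a string")
    return value


def resolve_environment(variables, store=STORED_SECRETS):
    """Resolve a {VAR_NAME: reference} mapping, as the project does at build time."""
    return {name: resolve(ref, store) for name, ref in variables.items()}


if __name__ == "__main__":
    env = resolve_environment({
        "MY_SECRECT": "mysecret",
        "DB_USER": "dev01/database-credential:user",
        "DB_PASSWORD": "dev01/database-credential:password",
    })
    for name in env:
        print(f"{name}=<{len(env[name])} chars>")  # never print the secret values
```

The resolver deliberately raises on a missing key instead of returning an empty string, so a misspelt key name in the CDK code surfaces as an error rather than as an empty DB_PASSWORD that a build script might happily use.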

CDK Python

Follow Working with the AWS CDK in Python - AWS Cloud Development Kit (AWS CDK) v2 to set up the Python version of AWS CDK.

The cdk command-line tool itself is installed with npm (npm install -g aws-cdk); the Python library can be installed with pip directly:

pip install aws-cdk-lib

Create CDK code for CodeBuild pipeline using Python

Create the project

Create an example CDK project using the following commands:

mkdir hello-cdk
cd hello-cdk
cdk init app --language python


If you have VS Code installed, you can open the project folder in the IDE by running code . from inside that folder.

The created project looks like the following screenshot:

[screenshot: project files created by cdk init]

Add CodeBuild pipeline

Open the file hello_cdk/hello_cdk_stack.py (cdk init names the Python package after the project directory, replacing the hyphen with an underscore) and replace its content with the following:

from aws_cdk import (
    Stack,
    aws_codebuild as codebuild,
)
from constructs import Construct


class HelloCdkStack(Stack):

    def __init__(self, scope: Construct, construct_id: str, **kwargs) -> None:
        super().__init__(scope, construct_id, **kwargs)

        codebuild.Project(
            self, "MyTestProject",
            # Minimal build spec; the next section adds commands to it.
            build_spec=codebuild.BuildSpec.from_object({
                "version": "0.2"
            }),
            environment=codebuild.BuildEnvironment(
                # A Linux image, so the ${VAR} shell syntax used in the build
                # spec below works. (An earlier version of this example used a
                # Windows image, whose PowerShell reads environment variables
                # as $env:VAR instead.)
                build_image=codebuild.LinuxBuildImage.STANDARD_7_0,
                environment_variables={
                    # PLAINTEXT: the value is stored in the project definition and
                    # in the CloudFormation template. Never put a real secret here.
                    "MY_SECRECT_PLAIN_TEXT": codebuild.BuildEnvironmentVariable(
                        type=codebuild.BuildEnvironmentVariableType.PLAINTEXT,
                        value="My plain text secret"),
                    # SECRETS_MANAGER: only the secret name is stored; the value is
                    # fetched with the project's service role when the build runs.
                    "MY_SECRECT": codebuild.BuildEnvironmentVariable(
                        type=codebuild.BuildEnvironmentVariableType.SECRETS_MANAGER,
                        value="mysecret"),
                    # JSON secret: "name:key" selects a single key of the document.
                    "DB_USER": codebuild.BuildEnvironmentVariable(
                        type=codebuild.BuildEnvironmentVariableType.SECRETS_MANAGER,
                        value="dev01/database-credential:user"),
                    "DB_PASSWORD": codebuild.BuildEnvironmentVariable(
                        type=codebuild.BuildEnvironmentVariableType.SECRETS_MANAGER,
                        value="dev01/database-credential:password"),
                }
            ),
        )

This class creates a stack containing one CodeBuild project. Its environment variables come from two sources:
  • Hard-coded plain text. A PLAINTEXT value ends up verbatim in the synthesized template and is readable by anyone who can describe the project, so it is only suitable for non-sensitive settings.
  • AWS Secrets Manager. Only the secret name is placed in the project definition; the value is fetched when the build runs. For a JSON secret, the name:key notation described earlier selects a single key.

Use the environment variables

You can use these environment variables in the build spec like any other. For example, change the build_spec attribute of the project to the following (phase names are fixed to install, pre_build, build and post_build; a made-up phase name is rejected):

            build_spec=codebuild.BuildSpec.from_object({
                "version": "0.2",
                "phases": {
                    # Must be one of install, pre_build, build, post_build.
                    "build": {
                        "commands": [
                            # Everything echoed here lands in the build log
                            # (CloudWatch Logs or S3), so print only values that
                            # are safe to log; never echo DB_PASSWORD or MY_SECRECT.
                            "echo ${DB_USER}",
                            "echo ${MY_SECRECT_PLAIN_TEXT}"
                        ]
                    }
                }
            }),

Deploy to AWS

Run the following commands to deploy to AWS (bootstrap is only needed once per account and region; synth writes the CloudFormation template to cdk.out, where you can review it before deploying):

cdk bootstrap
cdk synth
cdk deploy

Refer to the CDK commands documentation for more details.
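Because a PLAINTEXT value and the whole build spec end up in the template that cdk synth writes to cdk.out, the rendered template is a convenient place for a pre-deploy check. The following Python script is an added example for this article, not part of the CDK or CodeBuild: it walks every AWS::CodeBuild::Project in a template, flags PLAINTEXT variables whose names look like secrets, and flags build-spec commands that print a SECRETS_MANAGER or PARAMETER_STORE variable to the build log. SAMPLE_TEMPLATE is a constructed, abridged stand-in for the synthesized template of the project above (the real file has more properties and a different hash-suffixed logical ID); the name heuristic and the list of printing commands are this example's own choices. It assumes an inline JSON build spec, which is what BuildSpec.from_object produces.

```python
import json
import re
import sys

# Constructed, abridged stand-in for cdk.out/HelloCdkStack.template.json.
# Only the fields the check reads are present; the logical ID is made up.
SAMPLE_TEMPLATE = {
    "Resources": {
        "MyTestProjectAB12CD34": {
            "Type": "AWS::CodeBuild::Project",
            "Properties": {
                "Environment": {
                    "EnvironmentVariables": [
                        {"Name": "MY_SECRECT_PLAIN_TEXT", "Type": "PLAINTEXT",
                         "Value": "My plain text secret"},
                        {"Name": "MY_SECRECT", "Type": "SECRETS_MANAGER",
                         "Value": "mysecret"},
                        {"Name": "DB_USER", "Type": "SECRETS_MANAGER",
                         "Value": "dev01/database-credential:user"},
                        {"Name": "DB_PASSWORD", "Type": "SECRETS_MANAGER",
                         "Value": "dev01/database-credential:password"},
                        # Type omitted: CloudFormation treats it as PLAINTEXT.
                        {"Name": "BUILD_TARGET", "Value": "release"},
                    ]
                },
                "Source": {
                    "Type": "NO_SOURCE",
                    "BuildSpec": json.dumps({
                        "version": "0.2",
                        "phases": {"build": {"commands": [
                            "echo ${DB_USER}",
                            "echo ${MY_SECRECT_PLAIN_TEXT}",
                            "./run-tests.sh",
                        ]}},
                    }),
                },
            },
        }
    }
}

# Heuristics chosen for this example; tune them to your naming conventions.
SECRET_LIKE_NAME = re.compile(r"SECR|PASS|TOKEN|KEY|CRED", re.IGNORECASE)
PRINTS_TO_LOG = re.compile(r"^\s*(echo|printf|cat|env|printenv|set)\b")
REMOTE_TYPES = {"SECRETS_MANAGER", "PARAMETER_STORE"}


def codebuild_projects(template):
    """Yield (logical_id, properties) for every CodeBuild project in a template."""
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") == "AWS::CodeBuild::Project":
            yield logical_id, resource.get("Properties", {})


def buildspec_commands(properties):
    """Return all phase commands of an inline JSON build spec, else []."""
    spec = properties.get("Source", {}).get("BuildSpec")
    if not isinstance(spec, str):
        return []  # no inline spec, or an intrinsic the check cannot read
    try:
        doc = json.loads(spec)
    except ValueError:
        return []  # inline YAML is not handled by this example
    commands = []
    for phase in doc.get("phases", {}).values():
        commands.extend(phase.get("commands", []))
    return commands


def find_findings(template):
    """Return sorted (logical_id, finding_type, variable_name) tuples."""
    findings = set()
    for logical_id, props in codebuild_projects(template):
        variables = props.get("Environment", {}).get("EnvironmentVariables", [])
        # Fetched at build time: fine to configure, not fine to print.
        remote = [v["Name"] for v in variables if v.get("Type") in REMOTE_TYPES]
        for v in variables:
            if v.get("Type", "PLAINTEXT") == "PLAINTEXT" and SECRET_LIKE_NAME.search(v["Name"]):
                findings.add((logical_id, "plaintext-secret", v["Name"]))
        for command in buildspec_commands(props):
            if not PRINTS_TO_LOG.match(command):
                continue
            for name in remote:
                # Match $NAME or ${NAME}, but not a longer name that starts with NAME.
                if re.search(r"\$\{?" + re.escape(name) + r"\b", command):
                    findings.add((logical_id, "secret-printed", name))
    return sorted(findings)


if __name__ == "__main__":
    # Usage: python check_codebuild_template.py cdk.out/HelloCdkStack.template.json
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            template = json.load(fh)
    else:
        template = SAMPLE_TEMPLATE
    results = find_findings(template)
    for logical_id, kind, name in results:
        print(f"{logical_id}: {kind}: {name}")
    sys.exit(1 if results else 0)
```

Run against the sample, the check reports the plain-text "secret" and the echo of DB_USER, and exits non-zero, which makes it usable as a gate between cdk synth and cdk deploy in a pipeline. MY_SECRECT is not reported even though a variable with a longer name is echoed, because the match requires a word boundary after the name.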

References

EnvironmentVariable - AWS CodeBuild

credential password management - AWS Secrets Manager - Amazon Web Services
