add example with encrypted envariables in a file

nikgraf · nikgraf · commit ed193a687721 · 2016-11-25T16:18:03.000+01:00
diff --git a/aws-node-env-variables-encrypted-in-a-file/.gitignore b/aws-node-env-variables-encrypted-in-a-file/.gitignore
@@ -0,0 +1 @@
+secrets.*.yml
diff --git a/aws-node-env-variables-encrypted-in-a-file/README.md b/aws-node-env-variables-encrypted-in-a-file/README.md
@@ -0,0 +1,102 @@
+# Serverless
+
+This example demonstrates how to store secrets like API keys encrypted in your repository while providing them as environment variables to your AWS Lambda functions.
+
+## Use-cases
+
+- Provide secrets like API keys to your Lambda functions
+
+## Why?
+
+While repository hosting services like Github or Bitbucket have very high security standards it's recommended to not store your unencrypted secrets there. In addition in larger teams not everybody needs to have access to theses secrets of your production environment.
+
+Encrypting your secrets per stage and only adding the encrypted files into your repository is a sensible strategy to fulfill the previously described goals. The passwords to decrypt and encrypt the secrets files should only be shared between the necessary developers over a secure channel. In case you are using a Continuous Integration to deploy your infrastructure obviously this system must be aware of the passwords as well.
+
+## Setup
+
+Since this plugin uses the Serverless plugin `serverless-secrets-plugin` you need to setup the `node_modules` by running:
+
+```bash
+npm install
+```
+
+## Usage
+
+### Decrypt and Deploy
+
+In order to deploy the you endpoint simply run
+
+```bash
+serverless deploy --stage dev
+```
+
+The expected result should be similar to:
+
+```bash
+ Error --------------------------------------------------
+
+    Couldn't find the secrets file for this stage: secrets.dev.yml
+
+    For debugging logs, run again after setting SLS_DEBUG env var.
+
+ Get Support --------------------------------------------
+    Docs:          docs.serverless.com
+    Bugs:          github.com/serverless/serverless/issues
+
+    Please report this error. We think it might be a bug.
+
+ Your Environment Information -----------------------------
+    OS:                 darwin
+    Node Version:       6.2.2
+    Serverless Version: 1.2.0
+```
+
+This is happening since the `serverless-secrets-plugin` makes sure a secrets file for the specific stage exists.
+
+Let's decrypt the secrets file so you can deploy the service. To do so run
+
+```bash
+serverless decrypt --stage dev --password 'va$27dC}9382G7ac6?V'
+```
+
+The expected result should be similar to:
+
+```bash
+Serverless: Sucessfully encrypted 'secrets.dev.yml.encrypted' to 'secrets.dev.yml'
+```
+
+Now that you have the unencrypted version of your secrets file this directory you can deploy with
+
+```bash
+serverless deploy --stage dev
+```
+
+### Encrypt
+
+In case you want to add, update or remove entries in your secrets file simply modify your secrets file. Once you are done encrypt it with
+
+```bash
+serverless encrypt --stage dev --password 'va$27dC}9382G7ac6?V'
+```
+
+The expected result should be:
+
+```bash
+Serverless: Sucessfully encrypted 'secrets.dev.yml' to 'secrets.dev.yml.encrypted'
+```
+
+The encrypted file can be checked into your version control system e.g. Git.
+
+### Decrypt and Encrypt the Production Secrets
+
+```bash
+serverless decrypt --stage prod --password 'v2]83WDneGt9AGXv]X6QfP9NW3^J&K3V'
+```
+
+```bash
+serverless encrypt --stage prod --password 'v2]83WDneGt9AGXv]X6QfP9NW3^J&K3V'
+```
+
+# Important Note
+
+Make sure the the secrets files are listed in .gitignore to make sure they are never checked into your repository.
diff --git a/aws-node-env-variables-encrypted-in-a-file/handler.js b/aws-node-env-variables-encrypted-in-a-file/handler.js
@@ -0,0 +1,22 @@
+'use strict';
+
+/* eslint-disable no-console */
+
+module.exports.resetPassword = (event, context, callback) => {
+  console.log('SESSION_KEY: ', process.env.SESSION_KEY);
+
+  // Authenticate the user session
+
+  console.log('EMAIL_SERVICE_API_KEY: ', process.env.EMAIL_SERVICE_API_KEY);
+
+  // The email service api key would be used to send a reset password email.
+
+  const response = {
+    statusCode: 200,
+    body: JSON.stringify({
+      message: 'Password sent.',
+    }),
+  };
+
+  callback(null, response);
+};
diff --git a/aws-node-env-variables-encrypted-in-a-file/package.json b/aws-node-env-variables-encrypted-in-a-file/package.json
@@ -0,0 +1,10 @@
+{
+  "name": "env-variables-encrypted-in-a-file",
+  "version": "1.0.0",
+  "description": "Serverless example managing secrets in an encrypted file",
+  "author": "",
+  "license": "MIT",
+  "dependencies": {
+    "serverless-secrets-plugin": "^0.0.1"
+  }
+}
diff --git a/aws-node-env-variables-encrypted-in-a-file/secrets.dev.yml.encrypted b/aws-node-env-variables-encrypted-in-a-file/secrets.dev.yml.encrypted
diff --git a/aws-node-env-variables-encrypted-in-a-file/secrets.prod.yml.encrypted b/aws-node-env-variables-encrypted-in-a-file/secrets.prod.yml.encrypted
@@ -0,0 +1 @@
+�q�۵�2�)8�G���Gg4}׬}J ]f��۲Ul��f�"ŵ�]�<����~L�8���>�6��_g�L�諩g��M�H��k�wWm��>/����%BRN�EM%�!N�b�
diff --git a/aws-node-env-variables-encrypted-in-a-file/serverless.yml b/aws-node-env-variables-encrypted-in-a-file/serverless.yml
@@ -0,0 +1,21 @@
+service: env-variables-encrypted-in-a-file
+
+frameworkVersion: ">=1.2.0 <2.0.0"
+
+plugins:
+  - serverless-secrets-plugin
+
+provider:
+  name: aws
+  runtime: nodejs4.3
+  stage: dev
+
+custom:
+  secrets: ${file(secrets.${opt:stage, self:provider.stage}.yml)}
+
+functions:
+  resetPassword:
+    handler: handler.resetPassword
+    environment:
+      SESSION_KEY: ${self:custom.secrets.SESSION_KEY}
+      EMAIL_SERVICE_API_KEY: ${self:custom.secrets.EMAIL_SERVICE_API_KEY}

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+�q�۵�2�)8�G��Gg4}׬}J ]f��۲Ul��f�"ŵ�]�<��~L�8��>�6��_g�L�諩g��M�H��k�wWm��>/��%BRN�EM%�!N�b�`