Merge pull request #8 from tinymarsracing/patch-6

fixed jwt env vars & moved sensitive vpc settings into env vars
graphile · Mar 23, 2019 · e1ed462 · e1ed462
2 parents 89694b7 + 0a083cd
commit e1ed462
Show file tree

Hide file tree

Showing 3 changed files with 12 additions and 6 deletions.
diff --git a/.env.template b/.env.template
@@ -9,3 +9,5 @@ export JWT_PG_TYPE_IDENTIFIER="forum_example.jwt_token"
 export AWS_SERVICE_NAME="my-postgraphile-lambda"
 export AWS_REGION="us-east-1"
 export AWS_STAGE="dev"
+export AWS_VPC_SECURITY_GROUP_IDS="sg-1234asdf"
+export AWS_VPC_SUBNET_IDS="subnet-2345sdfg,subnet-3456dfgh,subnet-4567fghj"
diff --git a/README.md b/README.md
@@ -70,19 +70,21 @@ Achieving this can be a bit confusing if you're new to VPCs. When you create you
 
 If you want to learn more, here's some more info on [VPCs in the context of RDS](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_VPC.WorkingWithRDSInstanceinaVPC.html) and on [security groups](https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html).
 
-Now, we just have to make sure that our Lambda is created within our VPC as well. For that just add the following to the specifications of your `graphql` function in your `serverless.yml` file:
+Now, we just have to make sure that our Lambda is created within our VPC as well. For that just use the AWS_VPC environment variables from the `.env.template` and add the following to the specifications of your `graphql` function in your `serverless.yml` file:
 
 ```
 vpc:
   securityGroupIds:
-    - sg-123456
+    "Fn::Split":
+      - ","
+      - ${env:AWS_VPC_SECURITY_GROUP_IDS}
   subnetIds:
-    - subnet-123
-    - subnet-456
-    - subnet-789
+    "Fn::Split":
+      - ","
+      - ${env:AWS_VPC_SUBNET_IDS}
 ```
 
-You can find all these values in the RDS console under "Connectivity & Security". (As the securityGroupId it's enough to use the `default` one: this basically makes the Lambda function part of the VPC.)
+You can find all these values in the RDS console under "Connectivity & Security". (As the securityGroupId it's enough to use the `default` one: this basically makes the Lambda function part of the VPC. There should be 3 subnetIds.)
 
 (You will also need to add `"iam:AttachRolePolicy"` to the permissions of the Serverless IAM role policy you will later create.)
 

diff --git a/serverless.yml b/serverless.yml
@@ -30,3 +30,5 @@ functions:
     environment:
       DATABASE_URL: ${env:DATABASE_URL}
       DATABASE_SCHEMAS: ${env:DATABASE_SCHEMAS}
+      JWT_SECRET: ${env:JWT_SECRET}
+      JWT_PG_TYPE_IDENTIFIER: ${env:JWT_PG_TYPE_IDENTIFIER}