secrets

jetbridge · Jul 2, 2024 · 54d47fd · 54d47fd
2 parents fb02a0f + df443fe
commit 54d47fd
Show file tree

Hide file tree

Showing 4 changed files with 33 additions and 12 deletions.
diff --git a/.env b/.env
@@ -1,4 +1,4 @@
-PRISMA_CONNECTION_LIMIT=5
+PRISMA_CONNECTION_LIMIT=15
 CREATE_AURORA_DATABASE=true
 
 # for local dev environments which use docker-compose, you can disable running migrations in AWS by setting this to false

diff --git a/stacks/index.ts b/stacks/index.ts
@@ -37,6 +37,7 @@ export default function main(app: sst.App) {
 
   app
     .stack(Network)
+    .stack(Secrets)
     .stack(Dns)
     .stack(Layers)
     .stack(Database)

diff --git a/stacks/secrets.ts b/stacks/secrets.ts
@@ -1,13 +1,30 @@
 import { Secret } from 'aws-cdk-lib/aws-secretsmanager';
-import { StackContext } from 'sst/constructs';
+import { Config, StackContext } from 'sst/constructs';
 
 export function Secrets({ stack }: StackContext) {
-  const secret = new Secret(stack, 'Secret', {
-    generateSecretString: {
-      secretStringTemplate: JSON.stringify({}),
-      generateStringKey: 'RANDOM',
-    },
-  });
-
-  return { secret };
+  const secretsArn = process.env.SECRETS_ARN;
+
+  // needed for NEXTAUTH_SECRET env var since there is no way to provide it via SST Config
+  let secrets;
+  if (secretsArn) {
+    // import
+    secrets = Secret.fromSecretCompleteArn(stack, 'Secrets', secretsArn);
+  } else {
+    secrets = secretsArn
+      ? Secret.fromSecretCompleteArn(stack, 'Secrets', secretsArn)
+      : new Secret(stack, 'App', {
+          description: `${stack.stackName} ${stack.stage} secrets`,
+          // secret default template
+          generateSecretString: {
+            secretStringTemplate: JSON.stringify({ RANDOM: 'AUTH_SECRET' }),
+            generateStringKey: 'AUTH_SECRET',
+            excludePunctuation: true,
+          },
+        });
+  }
+
+  // add more SST secrets here
+  const SECRET_1 = new Config.Secret(stack, 'SECRET_1');
+
+  return { secrets, SECRET_1 };
 }
diff --git a/stacks/web.ts b/stacks/web.ts
@@ -7,19 +7,22 @@ import { Secrets } from './secrets';
 
 export function Web({ stack, app }: StackContext) {
   const { userPool, webClient, cognitoDomainName } = use(Auth);
+  const { secrets, ...configSecrets } = use(Secrets);
   const appSyncApi = use(AppSyncApi);
   const dns = use(Dns);
-  const { secret } = use(Secrets);
   const isLocal = app.local;
 
   if (!isLocal && !WEB_URL) {
     console.warn(`Please set WEB_URL in .env.${app.stage} to the URL of your frontend site.`);
   }
 
+  const allSecrets = Object.values(configSecrets);
+
   // docs: https://docs.serverless-stack.com/constructs/NextjsSite
   const frontendSite = new NextjsSite(stack, 'Web', {
     path: 'web',
     openNextVersion: '3.0.6',
+    bind: [...allSecrets],
     customDomain: dns.domainName
       ? {
           domainName: dns.domainName,
@@ -33,7 +36,7 @@ export function Web({ stack, app }: StackContext) {
     },
     memorySize: 1024,
     environment: {
-      NEXTAUTH_SECRET: secret.secretValueFromJson('RANDOM').toString(),
+      NEXTAUTH_SECRET: secrets.secretValueFromJson('NEXTAUTH_SECRET').toString(),
       NEXTAUTH_URL: isLocal ? 'http://localhost:6001' : WEB_URL ?? 'https://set-me-in-.env',
 
       NEXT_PUBLIC_REGION: stack.region,