Lower costs

openlawnz · Apr 9, 2024 · 6495276 · 6495276
1 parent 83a695b
commit 6495276
Show file tree

Hide file tree

Showing 4 changed files with 331 additions and 2,462 deletions.
diff --git a/lib/app-stack.ts b/lib/app-stack.ts
@@ -6,8 +6,8 @@ import { NodejsFunction } from 'aws-cdk-lib/aws-lambda-nodejs';
 import { ARecord, HostedZone, RecordTarget } from 'aws-cdk-lib/aws-route53';
 import { Construct } from 'constructs';
 import * as targets from 'aws-cdk-lib/aws-route53-targets';
-import { LayerVersion, Runtime } from 'aws-cdk-lib/aws-lambda';
-import { Effect, Policy, PolicyStatement } from 'aws-cdk-lib/aws-iam';
+import { Runtime } from 'aws-cdk-lib/aws-lambda';
+import * as sm from "aws-cdk-lib/aws-secretsmanager";
 require('dotenv').config()
 
 if (
@@ -24,7 +24,6 @@ if (
 }
 
 const SECRET_ARN: string = process.env.SECRET_ARN;
-const LAYER_ARN: string = process.env.LAYER_ARN;
 const CERTIFICATE_ARN: string = process.env.CERTIFICATE_ARN;
 const VPC_ID: string = process.env.VPC_ID;
 const SECURITY_GROUP_IDS: string[] = process.env.SECURITY_GROUP_IDS.split(",");
@@ -41,7 +40,6 @@ export class AppStack extends cdk.Stack {
   constructor(scope: Construct, id: string, props?: cdk.StackProps) {
     super(scope, id, props);
 
-
     const toDeploy = DEPLOYMENT_MAP[DEPLOYMENT_KEY];
 
     if (!toDeploy) {
@@ -51,17 +49,23 @@ export class AppStack extends cdk.Stack {
     const environmentToDeploy = toDeploy.environment;
     const domainToDeploy = toDeploy.domainName;
 
+    const secret = sm.Secret.fromSecretAttributes(this, "ImportedSecret", {
+      secretCompleteArn: SECRET_ARN
+    });
+
     id = id + environmentToDeploy
 
     const vpc = Vpc.fromLookup(this, VPC_ID, { isDefault: true })
-
-    const layer = LayerVersion.fromLayerVersionArn(this, "cdklayer", LAYER_ARN)
 
     const APILambda = new NodejsFunction(this, `APIHandler${environmentToDeploy}`, {
       entry: 'src/index.js',
       environment: {
         STAGE: environmentToDeploy,
-        SECRET_ARN
+        DB_HOST: secret.secretValueFromJson('DB_HOST').unsafeUnwrap(),
+        PORT: secret.secretValueFromJson('PORT').unsafeUnwrap(),
+        DB_USER: secret.secretValueFromJson('DB_USER').unsafeUnwrap(),
+        DB_PASSWORD: secret.secretValueFromJson('DB_PASSWORD').unsafeUnwrap(),
+        GRAPHILE_LICENSE: secret.secretValueFromJson('GRAPHILE_LICENSE').unsafeUnwrap()
       },
       memorySize: 512,
       vpc,
@@ -73,44 +77,17 @@ export class AppStack extends cdk.Stack {
           'express',
           '@graphile-contrib/pg-simplify-inflector',
           '@graphile/pro',
-          '@aws-sdk/client-secrets-manager',
           'graphile-utils',
           'pg',
           'postgraphile'
         ],
         externalModules: ['pg-native']
       },
-      handler: 'handler',
-      layers: [layer]
+      handler: 'handler'
     });
 
     // https://docs.aws.amazon.com/mediaconnect/latest/ug/iam-policy-examples-asm-secrets.html#iam-policy-examples-asm-specific-secrets
 
-    const secretsManagerPolicy = new PolicyStatement({
-      actions: [
-        "secretsmanager:GetResourcePolicy",
-        "secretsmanager:GetSecretValue",
-        "secretsmanager:DescribeSecret",
-        "secretsmanager:ListSecretVersionIds"
-      ],
-      effect: Effect.ALLOW,
-      resources: [process.env.SECRET_ARN as string],
-    });
-
-    const secretsManagerPolicyList = new PolicyStatement({
-      actions: [
-        "secretsmanager:ListSecrets"
-      ],
-      effect: Effect.ALLOW,
-      resources: ["*"],
-    });
-
-    APILambda.role?.attachInlinePolicy(
-      new Policy(this, 'secrets-manager-policy', {
-        statements: [secretsManagerPolicy, secretsManagerPolicyList],
-      }),
-    );
-
     const certificate = Certificate.fromCertificateArn(this, 'Certificate', CERTIFICATE_ARN);
 
     const api = new LambdaRestApi(this, `API${environmentToDeploy}`, {