Use DB_SECRET env var and deploy env IDs (#16)

danielnaab · web-flow · commit 992b1a128f10 · 2025-10-06T13:52:26.000-05:00
diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
@@ -8,8 +8,8 @@ name: 'Deploy'
 # PREREQUISITES:
 # 1. Deploy infrastructure first to create ECR repositories:
 #    cd infra/cdktf
-#    pnpm deploy:aws-main    # for main branch
-#    pnpm deploy:aws-demo    # for demo branch
+#    pnpm deploy:flexion-sandbox-main    # for main branch
+#    pnpm deploy:flexion-sandbox-demo    # for demo branch
 #
 # 2. Configure GitHub secrets:
 #    - AWS_ACCOUNT_ID
diff --git a/apps/sandbox/src/index.ts b/apps/sandbox/src/index.ts
@@ -6,26 +6,26 @@ import { createCustomServer } from './server.js';
 const port = process.env.PORT || 4321;
 
 const getAppRunnerSecrets = async () => {
-  const dbSecretArn = process.env.DB_SECRET_ARN;
+  const dbSecretStr = process.env.DB_SECRET;
   const dbHost = process.env.DB_HOST;
   const dbPort = process.env.DB_PORT;
   const dbName = process.env.DB_NAME;
 
-  if (!dbSecretArn || !dbHost || !dbPort || !dbName) {
+  if (!dbSecretStr || !dbHost || !dbPort || !dbName) {
     console.error(
-      'Missing required environment variables: DB_SECRET_ARN, DB_HOST, DB_PORT, DB_NAME'
+      'Missing required environment variables: DB_SECRET, DB_HOST, DB_PORT, DB_NAME'
     );
     return;
   }
 
-  const vault = getAWSSecretsManagerVault();
-  const dbSecretString = await vault.getSecret(dbSecretArn);
-  if (dbSecretString === undefined) {
-    console.error('Error getting secret:', dbSecretArn);
+  const dbSecret = JSON.parse(dbSecretStr);
+  if (!dbSecret.username || !dbSecret.password) {
+    console.error(
+      '`DB_SECRET` environment variable is missing username or password'
+    );
     return;
   }
 
-  const dbSecret = JSON.parse(dbSecretString);
   return {
     dbUri: `postgresql://${dbSecret.username}:${dbSecret.password}@${dbHost}:${dbPort}/${dbName}`,
   };
diff --git a/infra/cdktf/README.md b/infra/cdktf/README.md
@@ -59,10 +59,10 @@ export AWS_DEFAULT_REGION=us-east-1
 
 ```bash
 # Deploy infrastructure for demo environment
-pnpm deploy:aws-demo
+pnpm deploy:flexion-sandbox-demo
 
 # Deploy infrastructure for main/production environment
-pnpm deploy:aws-main
+pnpm deploy:flexion-sandbox-main
 ```
 
 This creates:
diff --git a/infra/cdktf/package.json b/infra/cdktf/package.json
@@ -21,8 +21,8 @@
     "clean:gen": "rimraf .gen",
     "deploy:cloud-gov-main": "DEPLOY_ENV=cloud-gov-main cdktf deploy",
     "deploy:cloud-gov-demo": "DEPLOY_ENV=cloud-gov-demo cdktf deploy",
-    "deploy:aws-main": "DEPLOY_ENV=aws-main cdktf deploy",
-    "deploy:aws-demo": "DEPLOY_ENV=aws-demo cdktf deploy",
+    "deploy:flexion-sandbox-main": "DEPLOY_ENV=aws-main cdktf deploy",
+    "deploy:flexion-sandbox-demo": "DEPLOY_ENV=aws-demo cdktf deploy",
     "deploy:main:local": "DEPLOY_GIT_REF=main DEPLOY_ENV=cloud-gov-main cdktf deploy",
     "dev": "tsc -w",
     "test": "echo 'no tests'"
diff --git a/infra/cdktf/src/lib/aws/sandbox-stack.ts b/infra/cdktf/src/lib/aws/sandbox-stack.ts
@@ -340,7 +340,7 @@ export class SandboxStack extends Construct {
               DB_NAME: 'postgres',
             },
             runtimeEnvironmentSecrets: {
-              DB_SECRET_ARN: dbSecret.arn,
+              DB_SECRET: dbSecret.arn,
             },
           },
         },
