Git Configuration - Geekoosh/flyway-lambda GitHub Wiki

Flyway Lambda supports loading Git configuration from environment variables, function parameters, and AWS Secrets Manager (for Git credentials).

Function parameters take precedence over both environment variables and secrets.

Git options

| Option | Description | Parameter | Environment variable | Value type | Required | Default |
| --- | --- | --- | --- | --- | --- | --- |
| Git repo address | HTTPS URL without credentials | `gitRepository` | `GIT_REPOSITORY` | string | Yes | |
| Git branch | Branch name (e.g., master, develop) | `gitBranch` | `GIT_BRANCH` | string | Yes | |
| Folders within repo | List of folders within the repo to load migration scripts from (e.g., migrations/sql) | `folders` | `GIT_FOLDERS` | comma-delimited list of strings | No | |
| Commit to clone from | Optional commit id to pull | `commit` | | string | No | |
| Git username | Repo username | `username` | `GIT_USERNAME` | string | Yes | |
| Git password | User password | `password` | `GIT_PASSWORD` | string | Yes | |
| Reuse code between invocations | For large Git repos that are invoked frequently for migration, reusing the repo between invocations can minimize the initial cloning time. | `reuseRepo` | `GIT_REUSE_REPO` | 0/1 or false/true | No | false |

Example for invoking the lambda with Git parameters:

```bash
aws lambda invoke --function-name FlywayLambda --payload '{ "gitRequest": {"gitBranch": "develop"} }' response.json
```

AWS Secrets Manager

For enhanced security, Flyway Lambda supports loading Git repo credentials stored in AWS Secrets Manager.

Follow these steps to store the Git credentials and make them available to Flyway Lambda:

  1. Create a secret in AWS Secrets Manager and set its value to JSON in the following format:

     ```json
     {"username": "[Git user]", "password": "[Git password]"}
     ```

  2. Create a Lambda environment variable `GIT_SECRET` containing either the secret name or the secret ARN.

  3. Grant the Lambda execution IAM role permission to access the secret:

     ```json
     {
       "Effect": "Allow",
       "Action": [
         "secretsmanager:DescribeSecret",
         "secretsmanager:GetSecretValue"
       ],
       "Resource": "[secret ARN or *]"
     }
     ```
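The following is an added example, not code from the flyway-lambda project: a Python pre-deployment check that the secret value and the IAM statement from the steps above are well-formed, and that `Resource` is scoped to the Git secret rather than `*`. The function names, the ARN and the sample documents are constructed for illustration.

```python
import json
from fnmatch import fnmatchcase

# The two actions granted by the policy statement in the steps above.
NEEDED = {"secretsmanager:DescribeSecret", "secretsmanager:GetSecretValue"}

def check_secret_value(secret_string):
    """Problems with the secret's JSON value (step 1 format); [] if fine."""
    try:
        doc = json.loads(secret_string)
    except ValueError:
        return ["secret value is not valid JSON"]
    if not isinstance(doc, dict):
        return ["secret value must be a JSON object"]
    return [f"'{k}' must be a non-empty string" for k in ("username", "password")
            if not (isinstance(doc.get(k), str) and doc[k])]

def as_list(value):
    """IAM accepts a single string or a list for Action and Resource."""
    return [value] if isinstance(value, str) else list(value or [])

def check_statement(stmt, secret_arn):
    """Problems with the execution-role statement (step 3); [] if fine."""
    problems = []
    if stmt.get("Effect") != "Allow":
        problems.append("Effect must be Allow")
    actions = set(as_list(stmt.get("Action")))
    # fnmatch approximates IAM's '*' and '?' wildcards (an assumption of this check).
    missing = sorted(a for a in NEEDED if not any(fnmatchcase(a, p) for p in actions))
    if missing:
        problems.append("missing actions: " + ", ".join(missing))
    if actions - NEEDED:
        problems.append("actions beyond what is needed: " + ", ".join(sorted(actions - NEEDED)))
    resources = as_list(stmt.get("Resource"))
    if "*" in resources:
        problems.append("Resource '*' is not limited to the Git secret")
    if not any(fnmatchcase(secret_arn, r) for r in resources):
        problems.append("Resource does not cover the Git secret")
    return problems

# Constructed sample inputs (placeholder account id, secret name and credentials).
ARN = "arn:aws:secretsmanager:us-east-1:123456789012:secret:flyway-git-AbCdEf"
SECRET = '{"username": "ci-bot", "password": "example-only"}'
SCOPED = {"Effect": "Allow", "Action": sorted(NEEDED), "Resource": ARN}
BROAD = dict(SCOPED, Resource="*")

if __name__ == "__main__":
    for name, stmt in (("scoped", SCOPED), ("broad", BROAD)):
        print(name, check_statement(stmt, ARN) or "ok")
    print("secret", check_secret_value(SECRET) or "ok")
```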