RDS Configuration - Geekoosh/flyway-lambda GitHub Wiki

Flyway Lambda supports loading DB configuration from environment variables, function parameters, and AWS Secrets Manager (for DB credentials).

Function parameters take precedence over both environment variables and secrets.

DB options

| Option | Description | Parameter | Environment variable | Value type | Required | Default |
| --- | --- | --- | --- | --- | --- | --- |
| DB username | username | username | DB_USERNAME | string | Yes | |
| DB password | password | password | DB_PASSWORD | string | Yes | |
| Connection string | Connection string including the master db name, without credentials (e.g. myrds.123456789012.us-east-2.rds.amazonaws.com/mydb) | connectionString | DB_CONNECTION_STRING | string | Yes | |

Example for invoking the lambda with DB parameters:

aws lambda invoke --function-name FlywayLambda --payload '{ "dbRequest": {"username": "someone"} }' response.json

AWS Secrets Manager

For enhanced security, Flyway Lambda supports loading DB credentials stored in AWS Secrets Manager.

Follow these steps to store the DB credentials and make them available to the Flyway lambda:

  1. Create a secret in AWS Secrets Manager and set its value to a JSON of the following format:

     {"username": "[DB user]", "password": "[DB password]"}

  2. Create a lambda environment variable DB_SECRET with either the secret name or secret ARN

  3. Add permissions to access the secret to the lambda execution IAM role:

     {
       "Effect": "Allow",
       "Action": [
         "secretsmanager:DescribeSecret",
         "secretsmanager:GetSecretValue"
       ],
       "Resource": "[secret ARN or *]"
     }
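
The three steps above as AWS CLI calls, in an added example that is not part of the flyway-lambda project; it scopes the policy to the one secret ARN instead of *. The secret name, role name, credentials file and the policy name FlywayReadDbSecret are assumptions; FlywayLambda is the function name from the invoke example earlier on this page.

```shell
#!/bin/sh
# Added example, not flyway-lambda project code. The secret name, role name,
# credentials file and policy name FlywayReadDbSecret are assumptions.

# Print an IAM policy granting read access to exactly one secret.
# Wildcards and anything that is not a Secrets Manager secret ARN are rejected.
build_secret_policy() {
  case "$1" in
    *'*'*|*'?'*|*'"'*|*'\'*)
      printf 'refusing wildcard or unsafe ARN: %s\n' "$1" >&2; return 1 ;;
    arn:aws*:secretsmanager:?*:?*:secret:?*) ;;
    *)
      printf 'not a Secrets Manager secret ARN: %s\n' "$1" >&2; return 1 ;;
  esac
  printf '{"Version":"2012-10-17","Statement":[{"Effect":"Allow",'
  printf '"Action":["secretsmanager:DescribeSecret","secretsmanager:GetSecretValue"],'
  printf '"Resource":"%s"}]}\n' "$1"
}

# usage: apply_setup SECRET_NAME ROLE_NAME CREDS_FILE
apply_setup() {
  # Step 1: CREDS_FILE holds {"username": "...", "password": "..."}.
  # file:// keeps the password out of shell history and the process list.
  secret_arn=$(aws secretsmanager create-secret --name "$1" \
    --secret-string "file://$3" --query ARN --output text) || return 1

  # Step 2: --environment replaces the function's whole variable map, so
  # include any variables the function already has in this argument.
  aws lambda update-function-configuration --function-name FlywayLambda \
    --environment "Variables={DB_SECRET=$secret_arn}" >/dev/null || return 1

  # Step 3: inline policy on the execution role, limited to this one secret.
  policy=$(build_secret_policy "$secret_arn") || return 1
  aws iam put-role-policy --role-name "$2" \
    --policy-name FlywayReadDbSecret --policy-document "$policy"
}

# Runs only when called as: sh setup.sh apply SECRET_NAME ROLE_NAME CREDS_FILE
if [ "${1:-}" = "apply" ]; then
  shift
  apply_setup "$@"
fi
```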

Accessing RDS instance

Since the Flyway lambda requires access to the RDS instance, make sure that:

  1. The lambda is deployed to the same VPC as the RDS instance and on the same private subnets
  2. The RDS security group allows access from the Flyway lambda.

Grant the lambda this security group access by either:

  1. Setting the same RDS security group on the lambda
  2. Creating a new security group for the lambda and allowing it to access the RDS security group on the DB port (e.g. 5432 for Postgres)