More infra fixes, like secrets

.env

@@ -1,6 +1,5 @@
-PRISMA_CONNECTION_LIMIT=5
+PRISMA_CONNECTION_LIMIT=15
 CREATE_AURORA_DATABASE=true
-AUTH_SECRET="663F6Z2VT8IIKhbkPanZlx0Q/eQk7asTxIaEzZHCcWY="
 
 # set this to enable a bastion EC2 host you can tunnel through to connect to the database
 # create a keypair in your desired account and region and add the name here

stacks/config.ts

@@ -1,2 +1 @@
 export const IS_PRODUCTION = process.env.IS_PRODUCTION === 'true';
-export const AUTH_SECRET = process.env.AUTH_SECRET ?? '';

stacks/index.ts

@@ -11,6 +11,7 @@ import { Network } from './network';
 import { RestApi } from './restApi';
 import { Web } from './web';
 import { Aspects } from 'aws-cdk-lib';
+import { Secrets } from './secrets';
 
 // deal with dynamic imports of node built-ins (e.g. "crypto")
 // from https://github.com/evanw/esbuild/pull/2067#issuecomment-1073039746
@@ -29,6 +30,7 @@ export default function main(app: sst.App) {
 
   app
     .stack(Network)
+    .stack(Secrets)
     .stack(Dns)
     .stack(Layers)
     .stack(Database)

stacks/secrets.ts

@@ -0,0 +1,30 @@
+import { Secret } from 'aws-cdk-lib/aws-secretsmanager';
+import { Config, StackContext } from 'sst/constructs';
+
+export function Secrets({ stack }: StackContext) {
+  const secretsArn = process.env.SECRETS_ARN;
+
+  // needed for NEXTAUTH_SECRET env var since there is no way to provide it via SST Config
+  let secrets;
+  if (secretsArn) {
+    // import
+    secrets = Secret.fromSecretCompleteArn(stack, 'Secrets', secretsArn);
+  } else {
+    secrets = secretsArn
+      ? Secret.fromSecretCompleteArn(stack, 'Secrets', secretsArn)
+      : new Secret(stack, 'App', {
+          description: `${stack.stackName} ${stack.stage} secrets`,
+          // secret default template
+          generateSecretString: {
+            secretStringTemplate: JSON.stringify({ RANDOM: 'AUTH_SECRET' }),
+            generateStringKey: 'AUTH_SECRET',
+            excludePunctuation: true,
+          },
+        });
+  }
+
+  // add more SST secrets here
+  const SECRET_1 = new Config.Secret(stack, 'SECRET_1');
+
+  return { secrets, SECRET_1 };
+}

stacks/web.ts

@@ -2,17 +2,21 @@ import { NextjsSite, StackContext, use } from 'sst/constructs';
 import { AppSyncApi } from './appSyncApi';
 import { Auth } from './auth';
 import { Dns } from './dns';
-import { AUTH_SECRET } from './config';
+import { Secrets } from './secrets';
 
 export function Web({ stack, app }: StackContext) {
   const { userPool, webClient, cognitoDomainName } = use(Auth);
+  const { secrets, ...configSecrets } = use(Secrets);
   const appSyncApi = use(AppSyncApi);
   const dns = use(Dns);
 
+  const allSecrets = Object.values(configSecrets);
+
   // docs: https://docs.serverless-stack.com/constructs/NextjsSite
   const frontendSite = new NextjsSite(stack, 'Web', {
     path: 'web',
     openNextVersion: '3.0.6',
+    bind: [...allSecrets],
     customDomain: dns.domainName
       ? {
           domainName: dns.domainName,
@@ -32,7 +36,7 @@ export function Web({ stack, app }: StackContext) {
       NEXT_PUBLIC_COGNITO_CLIENT_ID: webClient.userPoolClientId,
       NEXT_PUBLIC_COGNITO_USER_POOL_ID: userPool.userPoolId,
       NEXT_PUBLIC_COGNITO_DOMAIN_NAME: cognitoDomainName,
-      AUTH_SECRET,
+      NEXTAUTH_SECRET: secrets.secretValueFromJson('NEXTAUTH_SECRET').toString(),
     },
   });