Environment variables and Secrets

Thunder supports environment variables and secrets across all deployment patterns. Variables can be configured during the build phase via CodeBuild/CodePipeline, and at runtime for Lambda and Fargate deployments.

Architecture Support

Different deployment architectures support different variable scopes:

| Pattern | Build Env Vars | Runtime Env Vars |
|---|---|---|
| Single Page Application (SPA) | ✓ CodeBuild | |
| Serverless Functions | ✓ CodeBuild | ✓ Lambda |
| Web Service | ✓ CodeBuild | ✓ Fargate |

Build Environment Variables

Build environment variables are available during the CodeBuild phase of your deployment pipeline and are used to configure your application before deployment.

Plain Variables

Pass key-value pairs directly to CodeBuild:

const stackProps: SPAProps = {
  // ... other props
  buildProps: {
    buildcmd: 'bun run build',
    variables: [
      { NODE_ENV: 'production' },
      { PUBLIC_API_URL: 'https://api.example.com' },
      { ANALYTICS_ID: 'gtag-12345' }
    ],
  },
};

Variables are available during the build process and embedded in your application bundle, so use plain variables only for non-sensitive values:

# During build
echo $NODE_ENV # production
echo $PUBLIC_API_URL # https://api.example.com

Secrets

Store sensitive build secrets in AWS Parameter Store as SecureString parameters. CodeBuild automatically decrypts and injects them during the build phase.

const stackProps: SPAProps = {
  // ... other props
  buildProps: {
    buildcmd: 'bun run build',
    secrets: [
      {
        key: 'NPM_TOKEN',
        resource: 'arn:aws:ssm:us-east-1:123456789012:parameter/npm-token'
      },
      {
        key: 'GITHUB_TOKEN',
        resource: 'arn:aws:ssm:us-east-1:123456789012:parameter/github-token'
      }
    ],
  },
};

Creating Parameter Store Secrets:

  1. Go to AWS Systems Manager → Parameter Store
  2. Create parameter with name: e.g. /thunder/npm-token
  3. Select SecureString type (uses KMS encryption)
  4. Paste your secret value
  5. Reference in your stack configuration

Secrets are not embedded in your build output and are only available during the build phase.
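
To confirm this for your own build, the following added example (not part of Thunder or of the original page) scans the build output for the literal values of the build secrets and reports any file that contains one. The output directory `dist`, the file name `check-leaks.ts` and the 8-character minimum value length are assumptions.

```typescript
import * as fs from "node:fs";
import * as path from "node:path";

// Build secret names to check; they match the `key` values in buildProps.secrets.
const SECRET_KEYS = ["NPM_TOKEN", "GITHUB_TOKEN"];

interface Leak { key: string; file: string }

// Recursively collect every regular file under the build output directory.
function listFiles(dir: string, out: string[] = []): string[] {
  for (const entry of fs.readdirSync(dir, { withFileTypes: true })) {
    const full = path.join(dir, entry.name);
    if (entry.isDirectory()) listFiles(full, out);
    else if (entry.isFile()) out.push(full);
  }
  return out;
}

// Return one record per (secret name, file) where the secret's value appears
// verbatim in the output. Only names and paths are returned, never values.
function findLeakedSecrets(
  outDir: string,
  env: Record<string, string | undefined>,
  keys: string[] = SECRET_KEYS,
): Leak[] {
  const needles: { key: string; bytes: Buffer }[] = [];
  for (const key of keys) {
    const value = env[key];
    // Skip unset or very short values, which would match ordinary bundle text.
    if (value && value.length >= 8) needles.push({ key, bytes: Buffer.from(value) });
  }
  const leaks: Leak[] = [];
  for (const file of listFiles(outDir)) {
    const data = fs.readFileSync(file); // raw bytes, so source maps are covered too
    for (const { key, bytes } of needles) {
      if (data.includes(bytes)) leaks.push({ key, file });
    }
  }
  return leaks;
}

// CLI use (assumed file name and output directory): bun run check-leaks.ts dist
const outDir = process.argv[2];
if (outDir && fs.existsSync(outDir) && fs.statSync(outDir).isDirectory()) {
  const leaks = findLeakedSecrets(outDir, process.env);
  for (const leak of leaks) console.error(`${leak.key} value found in ${leak.file}`);
  if (leaks.length > 0) process.exitCode = 1;
}
```

Run it in the same build phase as the build command, while the secrets are still present in the environment; a non-zero exit code marks a build whose output contains a secret value.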

Runtime Environment Variables

Runtime environment variables are available when your application is executing. Supported for Serverless Functions (Lambda) and Web Service (Fargate) patterns.

Plain Variables

Pass configuration to your Lambda function or Fargate container:

// Lambda/Serverless Functions
const fnProps: FunctionProps = {
  // ... other props
  functionProps: {
    variables: [
      { NODE_ENV: 'production' },
      { PUBLIC_API_URL: 'https://api.example.com' },
      { MAX_CONNECTIONS: '100' }
    ],
  }
};

// Fargate/Web Service
const svcProps: WebServiceProps = {
  // ... other props
  serviceProps: {
    variables: [
      { NODE_ENV: 'production' },
      { PUBLIC_API_URL: 'https://api.example.com' },
      { LOG_LEVEL: 'info' }
    ],
  },
};

Access variables in your application code:

// Node.js/TypeScript
const apiUrl = process.env.PUBLIC_API_URL;
// Environment variables are always strings; parse with an explicit radix
const maxConnections = parseInt(process.env.MAX_CONNECTIONS || '50', 10);

Secrets

Store sensitive runtime secrets in AWS Secrets Manager. Your Lambda function or Fargate task automatically receives permissions to read these secrets.

// Lambda/Serverless Functions
const fnProps: FunctionProps = {
  // ... other props
  functionProps: {
    secrets: [
      {
        key: 'DATABASE_URL',
        resource: 'arn:aws:secretsmanager:us-east-1:123456789012:secret:db-url-abc123'
      },
      {
        key: 'API_KEY',
        resource: 'arn:aws:secretsmanager:us-east-1:123456789012:secret:external-api-key-xyz789'
      }
    ],
  }
};

// Fargate/Web Service
const svcProps: WebServiceProps = {
  // ... other props
  serviceProps: {
    secrets: [
      {
        key: 'DATABASE_URL',
        resource: 'arn:aws:secretsmanager:us-west-2:123456789012:secret:db-url-abc123'
      },
      {
        key: 'STRIPE_SECRET_KEY',
        resource: 'arn:aws:secretsmanager:us-west-2:123456789012:secret:stripe-key-def456'
      }
    ],
  },
};

Access secrets the same way as environment variables:

// Access in your application code
const dbUrl = process.env.DATABASE_URL;
const stripeKey = process.env.STRIPE_SECRET_KEY;

Creating Secrets Manager Secrets:

  1. Go to AWS Secrets Manager
  2. Click Store a new secret
  3. Select Other type of secret
  4. Enter secret value (plain text)
  5. Give it a name: e.g. db-url-abc123
  6. Note the full ARN
  7. Reference the ARN in your stack configuration

The library automatically grants your Lambda function or Fargate task the secretsmanager:GetSecretValue permission for referenced secrets.