Configuration & Environment

Overview

Configuration is managed via environment variables per deployment stage. Serverless Framework injects values from serverless.yml (and stage-specific files), while local development uses .env files loaded by Nest. Keep secrets in AWS Parameter Store or Secrets Manager—never commit them.

Environment stages

• Feature branches deploy locally only (no auto deploy).
• Custom stages (e.g., qa) can be added; document them here.

Required variables

Store secrets in:

• Dev: .env.development.local (gitignored) or AWS Parameter Store using sls param.
• Prod: AWS Secrets Manager referenced via ${ssm:/service/prod/MONGODB_URI}.

Local loading

Use @t3-oss/env-core (already installed) or dotenv to load .env files.

// env.ts
import { createEnv } from "@t3-oss/env-core";

export const env = createEnv({
  server: {
    MONGODB_URI: {
      devDefault: "mongodb://localhost:27017/tasks",
      input: process.env.MONGODB_URI,
    },
    LOG_LEVEL: {
      input: process.env.LOG_LEVEL ?? "debug",
    },
  },
  runtimeEnv: process.env,
});

Then inject into Nest's config module:

ConfigModule.forRoot({
  isGlobal: true,
  validationSchema: z.object({
    MONGODB_URI: z.string().url(),
    LOG_LEVEL: z.enum(["debug", "info", "warn", "error"]),
  }),
});

Serverless configuration

In serverless.yml, define stage-specific variables:

provider:
  name: aws
  runtime: nodejs20.x
  architecture: arm64
  environment:
    MONGODB_URI: ${ssm:/service/${sls:stage}/MONGODB_URI~true}
    LOG_LEVEL: info

Use CircleCI contexts per environment to provide AWS credentials and SSM/Secrets Manager access.

Secret rotation

• Rotate database credentials quarterly.
• Update SSM/Secrets Manager values and redeploy; no code change needed.
• Document changes in this page so the team knows which environments were updated.