As soon as an application is deployed or built on more than a single machine, you tend to start worrying about managing the configuration. There are a number of ways to approach this problem, but ultimately there is a need to protect sensitive information like database passwords and API tokens. While you can always store those directly in a config management system like AWS Parameter Store, doing so means you can't track configuration changes in source control. This application provides yet another simple and straightforward means of keeping config information in source control while hiding its sensitive values.
```
brew tap collegevine/brew
brew install confcrypt
```
- If you don't have Haskell installed and working already, you'll need it. Install `stack` from haskellstack.org.
- At the root of this repo, run `stack install`. (Takes 10-15 minutes.)
- create a config

  ```
  confcrypt create <filename>
  ```

  creates a new empty confcrypt config named `<filename>.econf`. Internally, it looks like this:

  ```
  # confcrypt schema
  # Configuration parameters may be either a String, Int, or Boolean
  # Parameter schema take the following shape:
  # schema := [term | value | comment]
  # term := confname : type
  # confname := [a-z,A-Z,_,0-9]
  # type := String | Int | Boolean
  # value := confname = String
  # comment := # String
  #
  # For example:
  # DB_CONN_STR : String
  # DB_CONN_STR = Connection String
  # USE_SSL : Boolean
  # USE_SSL = True
  # TIMEOUT_MS : Int
  # TIMEOUT_MS = 300
  ```
- read a config

  ```
  confcrypt rsa read --key <filename> <filename>
  ```

  This command reads in the provided file, decrypts the configuration variables using the provided key, then prints them to stdout. This allows you to pipe the results to other utilities. Returns 0 on success.
- add a parameter

  ```
  confcrypt rsa add --key <filename> --name <String> --type <SchemaType> --value <String> --in-place <filename>
  ```

  Adds a new configuration parameter to the file. `--name` and `--value` are required, while `--type` and `--in-place` are optional. If `--type` is provided, the schema record will be added immediately before the config variable. `--in-place` toggles whether to overwrite the provided file or emit the results to stdout. In total this adds two lines to the file. Returns 0 on success.
- remove a parameter

  ```
  confcrypt delete --name <String> --in-place <filename>
  ```

  Removes an existing config parameter and its associated schema. Returns 0 on success or 1 if the parameter is not found in the file. `--in-place` toggles whether to overwrite the provided file or emit the results to stdout.
- edit a parameter in-place

  ```
  confcrypt rsa edit --key <filename> --name <String> --value <String> --type <SchemaType> --in-place <filename>
  ```

  Modifies an existing configuration parameter in place, leaving all other lines unchanged. While this isn't how it's actually implemented, this operation is equivalent to piping `confcrypt read` to a new file, editing the parameter, then re-encrypting it. `--in-place` toggles whether to overwrite the provided file or emit the results to stdout.
- validate a config

  ```
  confcrypt rsa validate --key <filename> <filename>
  ```

  Checks that each config parameter matches the type of its schema. All errors are accumulated and returned at the end, with a response code equal to the number of failures.
Using Amazon KMS instead of a local key

The `rsa` command tree also exists under `aws`, which changes the behavior of the `--key` parameter to represent a KMS key id rather than an on-disk RSA key file. Otherwise the semantics of the commands are identical between the `rsa` and `kms` branches.
Note: confcrypt files must end with a trailing newline.

While the default config created via `confcrypt new ...` places the schema on line n and parameters on n+1, there's no required ordering for the file. In fact, you can choose to entirely omit the schema and only store configuration parameters in an `econf` file, but this will cause `confcrypt validate` to fail.
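As an added illustration of the schema grammar and of what `confcrypt validate` checks (this is example code, not confcrypt's own Haskell implementation), here is a small Python checker that runs over the plaintext form `confcrypt read` emits, accumulates every failure, and honours the "no required ordering" and trailing-newline rules above; the sample file and its deliberately mistyped entries are constructed for the example.

```python
import re
# Constructed sample in the plaintext shape `confcrypt read` emits (decrypted values).
# The last three entries are deliberately wrong so the checker has something to report.
SAMPLE_ECONF = """\
# confcrypt schema
DB_CONN_STR : String
DB_CONN_STR = Connection String
USE_SSL : Boolean
USE_SSL = True
TIMEOUT_MS : Int
TIMEOUT_MS = 300
RETRIES : Int
RETRIES = three
DEBUG : Boolean
DEBUG = yes
UNTYPED = no schema term for this one
"""
# term := confname : type    value := confname = String
TERM_RE = re.compile(r"^([A-Za-z_0-9]+)\s*:\s*(String|Int|Boolean)$")
VALUE_RE = re.compile(r"^([A-Za-z_0-9]+)\s*=\s*(.*)$")

def well_typed(value: str, ty: str) -> bool:
    if ty == "String":
        return True
    if ty == "Int":
        return re.fullmatch(r"-?\d+", value) is not None
    return value in ("True", "False")  # Boolean

def validate_econf(text: str) -> list[str]:
    """One message per failure; len() of the result is the exit code."""
    if not text.endswith("\n"):
        return ["file must end with a trailing newline"]
    schema, values, errors = {}, {}, []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # comment := # String
        if m := TERM_RE.match(line):
            schema[m.group(1)] = m.group(2)
        elif m := VALUE_RE.match(line):
            values[m.group(1)] = m.group(2)
        else:
            errors.append(f"line {lineno}: unparseable: {line!r}")
    # Second pass: the file imposes no ordering between term and value lines.
    for name, value in values.items():
        ty = schema.get(name)
        if ty is None:
            errors.append(f"{name}: no schema term")
        elif not well_typed(value, ty):
            errors.append(f"{name}: {value!r} is not a valid {ty}")
    return errors
```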