secret_config 0.6.4 → 0.9.1
- checksums.yaml +4 -4
- data/README.md +185 -64
- data/Rakefile +7 -7
- data/bin/{secret_config → secret-config} +1 -1
- data/lib/secret_config.rb +32 -3
- data/lib/secret_config/cli.rb +148 -97
- data/lib/secret_config/config.rb +44 -0
- data/lib/secret_config/errors.rb +3 -0
- data/lib/secret_config/parser.rb +76 -0
- data/lib/secret_config/providers/file.rb +17 -4
- data/lib/secret_config/providers/ssm.rb +11 -3
- data/lib/secret_config/registry.rb +52 -27
- data/lib/secret_config/setting_interpolator.rb +45 -0
- data/lib/secret_config/string_interpolator.rb +33 -0
- data/lib/secret_config/utils.rb +1 -1
- data/lib/secret_config/version.rb +1 -1
- data/test/config/application.yml +35 -5
- data/test/parser_test.rb +82 -0
- data/test/providers/file_test.rb +5 -5
- data/test/providers/ssm_test.rb +37 -12
- data/test/registry_test.rb +57 -26
- data/test/secret_config_test.rb +62 -13
- data/test/setting_interpolator_test.rb +152 -0
- data/test/test_helper.rb +6 -6
- data/test/utils_test.rb +4 -4
- metadata +13 -5
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: f21043b5cb86e83686e3e3cdb920c39bdd21c6c8e8dcfbd2d1cc34f81aef8e8c
|
4
|
+
data.tar.gz: d932bca14ac864d3558e825ae226f227da60af5abe53f81dc601b05c2c51bfde
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: d72ec54655bab806b3c1c7243fc033e529924f0024cae1c2f604904b3ea620e833e36744a1dfbbe8bb1b2d0c6d5fc0b644bb7477f7978c186fcbdca795596fb9
|
7
|
+
data.tar.gz: cf24dc349803e4bd328fe471b0bcec0cd1f94b5b94b0261db990f4acab975494497b31044807f1fe87ba9d2ff5bb408db1674cedafad6676200c3de0904bc158
|
data/README.md
CHANGED
@@ -5,6 +5,21 @@ Centralized Configuration and Secrets Management for Ruby and Rails applications
|
|
5
5
|
|
6
6
|
Securely store configuration information centrally, supporting multiple tenants of the same application.
|
7
7
|
|
8
|
+
## v0.9 Upgrade Notes
|
9
|
+
|
10
|
+
Note that the command line program name has changed from `secret_config` to `secret-config`.
|
11
|
+
Be careful that the arguments have also changed. The arguments are now consistent across operations.
|
12
|
+
The command line examples below have also been updated to reflect the changes.
|
13
|
+
|
14
|
+
Please run `secret-config --help` to see the new arguments and updated operations.
|
15
|
+
|
16
|
+
## Overview
|
17
|
+
|
18
|
+
Securely store centralized configuration information such as:
|
19
|
+
* Settings
|
20
|
+
* Passwords
|
21
|
+
* Encryption keys and certificates
|
22
|
+
|
8
23
|
## Features
|
9
24
|
|
10
25
|
Supports storing configuration information in:
|
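Review bot: the "v0.9 Upgrade Notes" added at the top of this hunk warn that "the arguments have also changed" without saying how, so anyone with `secret_config -e` or `-i` in a deployment script only finds out when it breaks. Suggest a short old-to-new mapping next to the rename: that the binary is now `secret-config` (the old name is gone from `bin/`, per the file list), and that `--export`/`--import` now take a SOURCE_PATH/TARGET_PATH argument with the file and source path passed via `--file` and `--path`, as the updated CLI section further down shows.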
@@ -13,7 +28,21 @@ Supports storing configuration information in:
|
|
13
28
|
* Environment Variables
|
14
29
|
* Environment Variables take precedence and can be used to override any setting.
|
15
30
|
* AWS System Manager Parameter Store
|
16
|
-
* Encrypt and securely store secrets such as passwords centrally.
|
31
|
+
* Encrypt and securely store secrets such as passwords centrally.
|
32
|
+
|
33
|
+
Since all values are stored as strings in the central directory or config file, the following type conversions
|
34
|
+
are supported:
|
35
|
+
* integer
|
36
|
+
* float
|
37
|
+
* string
|
38
|
+
* boolean
|
39
|
+
* symbol
|
40
|
+
* json
|
41
|
+
|
42
|
+
Supported conversions:
|
43
|
+
* base64
|
44
|
+
|
45
|
+
Arrays are also supported when the value contains a known separator by which to break down the values.
|
17
46
|
|
18
47
|
## Benefits
|
19
48
|
|
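Review bot: `base64` sits under its own heading "Supported conversions:" directly after the list introduced as type conversions, which reads as a duplicated list, and later in this README it is requested with `encoding: :base64`, not `type:`. Suggest heading it "Supported encodings:" and stating in the same breath that the stored value must be strict Base64 (no line breaks), matching the "strict base64 encoding" note further down.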
@@ -23,7 +52,7 @@ Benefits of moving sensitive configuration information into AWS System Manager P
|
|
23
52
|
* Environment variables force all config into a single level.
|
24
53
|
* Reduces the number of environment variables.
|
25
54
|
* In a large application the number of secrets can grow dramatically.
|
26
|
-
*
|
55
|
+
* Replaces sensitive data stored in local yaml or configuration files.
|
27
56
|
* Including securing and managing encryption keys.
|
28
57
|
* When encryption keys change, such as during a key rotation, config files don't have to be changed.
|
29
58
|
* Removes security concerns with placing passwords in the clear into environment variables.
|
@@ -34,10 +63,10 @@ Benefits of moving sensitive configuration information into AWS System Manager P
|
|
34
63
|
* Configure multiple distinct application instances to support multiple tenants.
|
35
64
|
* For example, use separate databases with unique credentials for each tenant.
|
36
65
|
* Separation of responsibilities is achieved since operations can manage production configuration.
|
37
|
-
* Developers do not need to be involved with production configuration such as host names and passwords.
|
38
|
-
* All values are encrypted by default when stored in the AWS Parameter Store.
|
66
|
+
* Developers do not need to be involved with production configuration such as host names and passwords.
|
67
|
+
* All values are encrypted by default when stored in the AWS Parameter Store.
|
39
68
|
* Prevents accidentally not encrypting sensitive data.
|
40
|
-
|
69
|
+
|
41
70
|
## Introduction
|
42
71
|
|
43
72
|
When Secret Config starts up it reads all configuration entries into memory for all keys under the configured path.
|
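Review bot: the re-indented bullet "All values are encrypted by default when stored in the AWS Parameter Store" only holds for parameters of type SecureString; String and StringList parameters are stored in the clear and handed to anyone with `ssm:GetParameter` on the path. Since the line is being touched anyway, suggest qualifying it: values written through secret-config are SecureString, and parameters created under the same path by other tooling should be checked for type, because the registry reads everything under the path regardless.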
@@ -49,7 +78,7 @@ via a process signal, or by calling it through an event, or via a messaging syst
|
|
49
78
|
It is suggested that any programmatic lookup to values stored in Secret Config are called every time a value is
|
50
79
|
being used, rather than creating a local copy of the value. This ensures that a refresh of the registry will take effect
|
51
80
|
immediately for any code reading from Secret Config.
|
52
|
-
|
81
|
+
|
53
82
|
## API
|
54
83
|
|
55
84
|
When Secret Config starts up it reads all configuration entries immediately for all keys under the configured path.
|
@@ -65,7 +94,7 @@ Fetch the value for the supplied key, returning nil if not found:
|
|
65
94
|
# Key is present:
|
66
95
|
SecretConfig["logger/level"]
|
67
96
|
# => "info"
|
68
|
-
|
97
|
+
|
69
98
|
# Key is missing:
|
70
99
|
SecretConfig["logger/blah"]
|
71
100
|
# => nil
|
@@ -77,7 +106,7 @@ Fetch the value for the supplied key, raising `SecretConfig::MissingMandatoryKey
|
|
77
106
|
# Key is present:
|
78
107
|
SecretConfig.fetch("logger/level")
|
79
108
|
# => "info"
|
80
|
-
|
109
|
+
|
81
110
|
# Key is missing:
|
82
111
|
SecretConfig.fetch("logger/blah")
|
83
112
|
# => SecretConfig::MissingMandatoryKey (Missing configuration value for /development/logger/blah)
|
@@ -90,7 +119,7 @@ SecretConfig.fetch("logger/level", default: "info")
|
|
90
119
|
# => "info"
|
91
120
|
~~~
|
92
121
|
|
93
|
-
Since AWS SSM Parameter store and environment variables only support string values,
|
122
|
+
Since AWS SSM Parameter store and environment variables only support string values,
|
94
123
|
it is neccessary to convert the string back to the type required by the program.
|
95
124
|
|
96
125
|
The following types are supported:
|
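Review bot: the whitespace-only change to the "Since AWS SSM Parameter store ..." line leaves "neccessary" misspelt on the very next context line; suggest "necessary" while this sentence is being edited.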
@@ -111,6 +140,20 @@ SecretConfig.fetch("symmetric_encryption/version", type: :integer)
|
|
111
140
|
# => 0
|
112
141
|
~~~
|
113
142
|
|
143
|
+
Sometimes it is useful to store arrays of values as a single key.
|
144
|
+
|
145
|
+
~~~ruby
|
146
|
+
# Example: A list of host names could be stored as: "primary.example.net,secondary.example.net,backup.example.net"
|
147
|
+
# To extract it as an array of strings:
|
148
|
+
SecretConfig.fetch("address_services/hostnames", separator: ",")
|
149
|
+
# => ["primary.example.net", "secondary.example.net", "backup.example.net"]
|
150
|
+
|
151
|
+
# Example: A list of ports could be stored as: "12345,5343,26815"
|
152
|
+
# To extract it as an array of Integers:
|
153
|
+
SecretConfig.fetch("address_services/ports", type: :integer, separator: ",")
|
154
|
+
# => [12345, 5343, 26815]
|
155
|
+
~~~
|
156
|
+
|
114
157
|
When storing binary data, it should be encoded with strict base64 encoding. To automatically convert it back to binary
|
115
158
|
specify the encoding as `:base64`
|
116
159
|
|
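Review bot: the new array examples do not say how the value is split: whether whitespace around the separator is stripped (`"a, b"` versus `"a,b"`), whether empty elements (`"a,,b"` or a trailing comma) are dropped or come back as `""`/`nil`, and what `type: :integer` does with an element that is not a number. Those cases come up as soon as a value is hand-edited in the SSM console; suggest one sentence after the `address_services/ports` example stating the behaviour.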
@@ -118,7 +161,7 @@ specify the encoding as `:base64`
|
|
118
161
|
# Return a value that was stored in Base64 encoding format:
|
119
162
|
SecretConfig.fetch("symmetric_encryption/iv")
|
120
163
|
# => "FW+/wLubAYM+ZU0bWQj59Q=="
|
121
|
-
|
164
|
+
|
122
165
|
# Base64 decode a value that was stored in Base64 encoding format:
|
123
166
|
SecretConfig.fetch("symmetric_encryption/iv", encoding: :base64)
|
124
167
|
# => "\x15o\xBF\xC0\xBB\x9B\x01\x83>eM\eY\b\xF9\xF5"
|
@@ -162,7 +205,7 @@ SecretConfig.refresh!
|
|
162
205
|
~~~
|
163
206
|
|
164
207
|
Example, refresh the registry any time a SIGUSR2 is raised, add the following code on startup:
|
165
|
-
|
208
|
+
|
166
209
|
~~~ruby
|
167
210
|
Signal.trap('USR2') do
|
168
211
|
SecretConfig.refresh!
|
@@ -179,7 +222,7 @@ Where `1234` above is the process PID.
|
|
179
222
|
## Development and Test use
|
180
223
|
|
181
224
|
In the development environment create the file `config/application.yml` within which to store local development credentials.
|
182
|
-
Depending on your team setup you may want to use the same file for all developers so can check it into you change control system.
|
225
|
+
Depending on your team setup you may want to use the same file for all developers so can check it into you change control system.
|
183
226
|
|
184
227
|
For example: `config/application.yml`
|
185
228
|
|
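Review bot: the re-indented line still reads "so can check it into you change control system"; suggest "so you can check it into your change control system". Since this line recommends committing the file, it is worth repeating right here that it must hold development credentials only, as the later "Note: Do not put any production credentials into this file" says.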
@@ -222,7 +265,7 @@ Note: Do not put any production credentials into this file.
|
|
222
265
|
|
223
266
|
### Environment Variables
|
224
267
|
|
225
|
-
Any of the above values can be overridden with an environment variable.
|
268
|
+
Any of the above values can be overridden with an environment variable, unless explicitly configured `SecretConfig.check_env_var = false`.
|
226
269
|
|
227
270
|
To overwrite any of these settings with an environment variable:
|
228
271
|
|
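Review bot: the added clause "unless explicitly configured `SecretConfig.check_env_var = false`" gives neither the default nor where the setting has to go. Suggest rewording to "unless `SecretConfig.check_env_var = false` is set", stating that overrides are on by default, and saying whether the flag must be set before the registry is first loaded (i.e. in `application.rb` next to `config.secret_config.use`). Worth one sentence on why a production deployment may want it off: with overrides on, anything that can set an environment variable for the process (a task-definition edit, an injected `.env`) silently replaces a secret that was read from SSM.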
@@ -319,7 +362,7 @@ Then the application that uses the above library / gem just needs to add the rel
|
|
319
362
|
|
320
363
|
~~~yaml
|
321
364
|
http_client:
|
322
|
-
url: https://test.example.com
|
365
|
+
url: https://test.example.com
|
323
366
|
pool_size: 20
|
324
367
|
read_timeout: 300
|
325
368
|
~~~
|
@@ -328,7 +371,7 @@ This avoids a custom config file just for the above library.
|
|
328
371
|
|
329
372
|
Additionally the values can be overridden with environment variables at any time:
|
330
373
|
|
331
|
-
export HTTP_CLIENT_URL=https://production.example.com
|
374
|
+
export HTTP_CLIENT_URL=https://production.example.com
|
332
375
|
|
333
376
|
## Configuration
|
334
377
|
|
@@ -339,15 +382,15 @@ Add the following line to Gemfile
|
|
339
382
|
Out of the box Secret Config will look in the local file system for the file `config/application.yml`
|
340
383
|
as covered above. By default it will use env var `RAILS_ENV` to define the path to look under for settings.
|
341
384
|
|
342
|
-
The default settings are great for getting started in development and test, but should not be used in production.
|
385
|
+
The default settings are great for getting started in development and test, but should not be used in production.
|
343
386
|
|
344
387
|
To ensure Secret Config is configured and available for use within any of the config files, add
|
345
|
-
the following lines to the very top of `application.rb` under the line `class Application < Rails::Application`:
|
388
|
+
the following lines to the very top of `application.rb` under the line `class Application < Rails::Application`:
|
346
389
|
|
347
390
|
~~~ruby
|
348
391
|
module MyApp
|
349
392
|
class Application < Rails::Application
|
350
|
-
|
393
|
+
|
351
394
|
# Add the following lines to configure Secret Config:
|
352
395
|
if Rails.env.development? || Rails.env.test?
|
353
396
|
# Use 'config/application.yml'
|
@@ -355,8 +398,8 @@ module MyApp
|
|
355
398
|
else
|
356
399
|
# Read configuration from AWS SSM Parameter Store
|
357
400
|
config.secret_config.use :ssm, path: "/#{Rails.env}/my_app"
|
358
|
-
end
|
359
|
-
|
401
|
+
end
|
402
|
+
|
360
403
|
# ....
|
361
404
|
end
|
362
405
|
end
|
@@ -370,7 +413,7 @@ By placing the secret config configuration as the very first configuration item,
|
|
370
413
|
configuration item to access the centralized configuration in AWS System Manager Parameter Store.
|
371
414
|
|
372
415
|
The environment variable `SECRET_CONFIG_PROVIDER` can be used to override the provider when needed.
|
373
|
-
For example:
|
416
|
+
For example:
|
374
417
|
`export SECRET_CONFIG_PROVIDER=ssm`
|
375
418
|
Or,
|
376
419
|
`export SECRET_CONFIG_PROVIDER=file`
|
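Review bot: the re-flowed "For example:" lines document `SECRET_CONFIG_PROVIDER` as an override without a word on its blast radius: in a production container it lets whoever controls the environment flip the provider from `ssm` to `file`, after which the application reads whatever `config/application.yml` is on the image instead of SSM. Suggest a sentence here that the variable is intended for local and operator use and that production images should not ship a `config/application.yml` with real values, which this README already advises.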
@@ -380,31 +423,31 @@ multiple paths. For example:
|
|
380
423
|
|
381
424
|
/production1/my_application
|
382
425
|
/production2/my_application
|
383
|
-
|
426
|
+
|
384
427
|
/production/instance1/my_application
|
385
428
|
/production/instance2/my_application
|
386
|
-
|
429
|
+
|
387
430
|
The `path` is completely flexible, but must be unique for every AWS account under which the application will run.
|
388
431
|
The same `path` can be used in different AWS accounts though. It is also not replicated across regions.
|
389
432
|
|
390
|
-
When writing settings to the parameter store, it is recommended to use a custom KMS key to encrypt the values
|
391
|
-
To supply the key to encrypt the values with, add the `key_id` parameter:
|
433
|
+
When writing settings to the parameter store, it is recommended to use a custom KMS key to encrypt the values, if you don't specify a key ID, the system uses the default key associated with your AWS account `alias/aws/ssm`.
|
434
|
+
To supply the key to encrypt the values with, add the `key_id` parameter:
|
392
435
|
|
393
436
|
~~~ruby
|
394
437
|
module MyApp
|
395
438
|
class Application < Rails::Application
|
396
|
-
|
439
|
+
|
397
440
|
# Add the following lines to configure Secret Config:
|
398
441
|
if Rails.env.development? || Rails.env.test?
|
399
442
|
# Use 'config/application.yml'
|
400
443
|
config.secret_config.use :file
|
401
444
|
else
|
402
445
|
# Read configuration from AWS SSM Parameter Store
|
403
|
-
config.secret_config.use :ssm,
|
446
|
+
config.secret_config.use :ssm,
|
404
447
|
path: "/#{Rails.env}/my_app",
|
405
448
|
key_id: 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx'
|
406
|
-
end
|
407
|
-
|
449
|
+
end
|
450
|
+
|
408
451
|
# ....
|
409
452
|
end
|
410
453
|
end
|
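Review bot: the new sentence "...it is recommended to use a custom KMS key to encrypt the values, if you don't specify a key ID, the system uses the default key ..." is a comma splice and never says why the custom key is recommended. Suggest splitting it and giving the reason: the AWS-managed `alias/aws/ssm` key has a key policy you cannot edit, so every principal in the account with `ssm:GetParameter` on the path can decrypt the values, whereas a customer-managed key lets you restrict `kms:Decrypt` to the application role, which is what the "Separation of responsibilities" bullet earlier in this README relies on.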
@@ -412,8 +455,33 @@ end
|
|
412
455
|
|
413
456
|
Note: The relevant KMS key must be created first prior to using it here.
|
414
457
|
|
415
|
-
|
416
|
-
|
458
|
+
`ssm` provider supports various configuration parameters that can be provided as keyword arguments for `config.secret_config.use :ssm, path, **args`
|
459
|
+
|
460
|
+
Args hash:
|
461
|
+
* **:key_id** (String) - The `key_id` is only used when writing settings to the AWS Parameter store and can be left off when that instance will only read from the parameter store. Can be configred with environment variable `SECRET_CONFIG_KEY_ID`.
|
462
|
+
* **:retry_count** (Integer, default=10) - Max number of retries in case of execution failure.
|
463
|
+
* **:retry_max_ms** (Integer, default=3_000) - Interval in ms between retries, `sleep` is used to facilitate throttling.
|
464
|
+
* any options suported by [Aws::SSM::Client](https://docs.aws.amazon.com/sdkforruby/api/Aws/SSM/Client.html#initialize-instance_method) e.g. **:credentials**:
|
465
|
+
~~~ruby
|
466
|
+
config.secret_config.use :ssm,
|
467
|
+
path: "/#{Rails.env}/my_app",
|
468
|
+
key_id: 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx',
|
469
|
+
credentials: Aws::AssumeRoleCredentials.new(
|
470
|
+
role_arn: "arn:aws:iam::111111122222222:role/assume_role_name",
|
471
|
+
role_session_name: "session-name-to-identify-#{SecureRandom.uuid}"
|
472
|
+
))
|
473
|
+
~~~
|
474
|
+
|
475
|
+
### Secret Config Environment variables
|
476
|
+
|
477
|
+
Priority describes when environment variable is used as a default value, preceds configuration value or overrides.
|
478
|
+
|
479
|
+
Name | Desctiption | Priority
|
480
|
+
------------------------- | --------------------------------------------------------------- | --------
|
481
|
+
`SECRET_CONFIG_PATH` | path from which the configuration data will be read | precede
|
482
|
+
`SECRET_CONFIG_PROVIDER` | override the provider configured for `config.secret_config.use` | override
|
483
|
+
`SECRET_CONFIG_KEY_ID` | encryption `key_id` | default
|
484
|
+
`SECRET_CONFIG_ACCOUNT_ID`| used in `rspec` to configure AWS Account Id for role assuming | required
|
417
485
|
|
418
486
|
### Shared configuration for development and test
|
419
487
|
|
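Review bot: the `credentials:` example has one `)` too many: `config.secret_config.use :ssm,` opens no parenthesis, so the `))` after `role_session_name:` makes the block a SyntaxError when pasted into `application.rb`; it should end with a single `)`. Smaller points in the same hunk: `:retry_max_ms` is named as a maximum but described as "Interval in ms between retries", so say which it is (a fixed sleep or the cap on a growing backoff); `SECRET_CONFIG_ACCOUNT_ID` is documented as "used in `rspec`" while the file list shows the tests under `data/test/` with a `test_helper.rb`, and a test-only variable probably does not belong in the user-facing table at all; the account id in the sample role ARN has 15 digits where AWS account ids have 12; and the typos "configred", "suported", "preceds" and "Desctiption".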
@@ -423,7 +491,7 @@ configuration file `application.yml` can be shared. Update the lines above to:
|
|
423
491
|
~~~ruby
|
424
492
|
module MyApp
|
425
493
|
class Application < Rails::Application
|
426
|
-
|
494
|
+
|
427
495
|
# Add the following lines:
|
428
496
|
if Rails.env.development? || Rails.env.test?
|
429
497
|
# Use 'config/application.yml'
|
@@ -431,8 +499,8 @@ module MyApp
|
|
431
499
|
else
|
432
500
|
# Read configuration from AWS SSM Parameter Store
|
433
501
|
config.secret_config.use :ssm, path: "/#{Rails.env}/my_app"
|
434
|
-
end
|
435
|
-
|
502
|
+
end
|
503
|
+
|
436
504
|
# ....
|
437
505
|
end
|
438
506
|
end
|
@@ -471,25 +539,74 @@ to view and modify parameters:
|
|
471
539
|
- `ssm:GetParameters`
|
472
540
|
- `ssm:GetParameter`
|
473
541
|
|
542
|
+
## String Interpolation
|
543
|
+
|
544
|
+
Values supplied for config settings can be replaced inline with date, time, hostname, pid and random values.
|
545
|
+
|
546
|
+
For example to include the `hostname` in the log file name setting:
|
547
|
+
|
548
|
+
~~~yaml
|
549
|
+
development:
|
550
|
+
logger:
|
551
|
+
level: info
|
552
|
+
file_name: /var/log/my_application_%{hostname}.log
|
553
|
+
~~~
|
554
|
+
|
555
|
+
Available interpolations:
|
556
|
+
|
557
|
+
* %{date}
|
558
|
+
* Current date in the format of "%Y%m%d" (CCYYMMDD)
|
559
|
+
* %{date:format}
|
560
|
+
* Current date in the supplied format. See strftime
|
561
|
+
* %{time}
|
562
|
+
* Current date and time down to ms in the format of "%Y%m%d%Y%H%M%S%L" (CCYYMMDDHHMMSSmmm)
|
563
|
+
* %{time:format}
|
564
|
+
* Current date and time in the supplied format. See strftime
|
565
|
+
* %{env:name}
|
566
|
+
* Extract value from the named environment variable.
|
567
|
+
* %{hostname}
|
568
|
+
* Full name of this host.
|
569
|
+
* %{hostname:short}
|
570
|
+
* Short name of this host. Everything up to the first period.
|
571
|
+
* %{pid}
|
572
|
+
* Process Id for this process.
|
573
|
+
* %{random}
|
574
|
+
* URL safe Random 32 byte value.
|
575
|
+
* %{random:size}
|
576
|
+
* URL safe Random value of `size` bytes.
|
577
|
+
|
578
|
+
#### Notes:
|
579
|
+
|
580
|
+
* To prevent interpolation use %%{...}
|
581
|
+
* %% is not touched, only %{...} is searched for.
|
582
|
+
* Since these interpolations are only evaluated at load time and
|
583
|
+
every time the registry is refreshed there is no runtime overhead when keys are fetched.
|
584
|
+
|
474
585
|
## Command Line Interface
|
475
586
|
|
476
587
|
Secret Config has a command line interface for exporting, importing and copying between paths in the registry.
|
477
588
|
|
478
589
|
~~~
|
479
|
-
|
480
|
-
-e, --export
|
481
|
-
-i, --import
|
482
|
-
|
483
|
-
-
|
590
|
+
secret-config [options]
|
591
|
+
-e, --export SOURCE_PATH Export configuration. Use --file to specify the file name, otherwise stdout is used.
|
592
|
+
-i, --import TARGET_PATH Import configuration. Use --file to specify the file name, --path for the SOURCE_PATH, otherwise stdin is used.
|
593
|
+
--file FILE_NAME Import/Export/Diff to/from this file.
|
594
|
+
-p, --path PATH Import/Export/Diff to/from this path.
|
595
|
+
--diff TARGET_PATH Compare configuration to this path. Use --file to specify the source file name, --path for the SOURCE_PATH, otherwise stdin is used.
|
596
|
+
-s, --set KEY=VALUE Set one key to value. Example: --set mysql/database=localhost
|
597
|
+
-f, --fetch KEY Fetch the value for one setting. Example: --fetch mysql/database.
|
598
|
+
-d, --delete KEY Delete one specific key.
|
599
|
+
-r, --delete-tree PATH Recursively delete all keys under the specified path.
|
484
600
|
-c, --console Start interactive console.
|
485
|
-
|
486
|
-
|
487
|
-
|
488
|
-
|
489
|
-
|
490
|
-
|
491
|
-
|
492
|
-
|
601
|
+
--provider PROVIDER Provider to use. [ssm | file]. Default: ssm
|
602
|
+
--no-filter For --export only. Do not filter passwords and keys.
|
603
|
+
--interpolate For --export only. Evaluate string interpolation and __import__.
|
604
|
+
--prune For --import only. During import delete all existing keys for which there is no key in the import file. Only works with --import.
|
605
|
+
--force For --import only. Overwrite all values, not just the changed ones. Useful for changing the KMS key.
|
606
|
+
--key_id KEY_ID For --import only. Encrypt config settings with this AWS KMS key id. Default: AWS Default key.
|
607
|
+
--key_alias KEY_ALIAS For --import only. Encrypt config settings with this AWS KMS alias.
|
608
|
+
--random_size INTEGER For --import only. Size to use when generating random values when $(random) is encountered in the source. Default: 32
|
609
|
+
-v, --version Display Secret Config version.
|
493
610
|
-h, --help Prints this help.
|
494
611
|
~~~
|
495
612
|
|
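Review bot: the `%{time}` default format on the "Current date and time down to ms" line is "%Y%m%d%Y%H%M%S%L", which repeats `%Y` and cannot produce the CCYYMMDDHHMMSSmmm shown beside it; it should be "%Y%m%d%H%M%S%L". Two caveats in this hunk deserve a line each: the Notes say interpolation is re-evaluated on every registry refresh, so a `%{random}` inside a setting yields a different value after each `SecretConfig.refresh!` and is not usable as a persistent secret (that is what `$random` on import is for), and `%{env:name}` means a stored value can be changed by whoever controls the process environment even with `check_env_var` off. Also the `--random_size` help text says `$(random)` while the "Generating random passwords" section below says `$random`; one of the two is wrong.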
@@ -521,18 +638,22 @@ secrets:
|
|
521
638
|
|
522
639
|
Import a yaml file, into a path in AWS SSM Parameter Store:
|
523
640
|
|
524
|
-
|
641
|
+
secret-config --import /production/my_application --file production.yml
|
525
642
|
|
526
643
|
Import a yaml file, into a path in AWS SSM Parameter Store, using a custom KMS key to encrypt the values:
|
527
644
|
|
528
|
-
|
645
|
+
secret-config --import /production/my_application --file production.yml --key_id "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
|
646
|
+
|
647
|
+
Import a yaml file, into a path in AWS SSM Parameter Store, using a custom KMS key alias to encrypt the values:
|
648
|
+
|
649
|
+
secret-config --import /production/my_application --file production.yml --key_alias my_key_alias
|
529
650
|
|
530
651
|
#### Diff
|
531
652
|
|
532
653
|
Before importing a new config file into the AWS SSM Parameter store, a diff can be performed to determine
|
533
654
|
what the differences are that will be applied when the import is run with the `--prune` option.
|
534
655
|
|
535
|
-
|
656
|
+
secret-config --diff /production/my_application --file production.yml
|
536
657
|
|
537
658
|
Key:
|
538
659
|
|
@@ -542,20 +663,20 @@ Key:
|
|
542
663
|
|
543
664
|
#### Export SSM parameters
|
544
665
|
|
545
|
-
In AWS SSM Parameter store it can be difficult to
|
666
|
+
In AWS SSM Parameter store it can be difficult to
|
546
667
|
Export the values from a specific path into a yaml or json file so that they are easier to read.
|
547
668
|
|
548
669
|
Export from a path in AWS SSM Parameter Store to a yaml file, where passwords are filtered:
|
549
670
|
|
550
|
-
|
671
|
+
secret-config --export /production/my_application --file production.yml
|
551
672
|
|
552
673
|
Export from a path in AWS SSM Parameter Store to a yaml file, _without_ filtering out passwords:
|
553
674
|
|
554
|
-
|
675
|
+
secret-config --export /production/my_application --file production.yml --no-filter
|
555
676
|
|
556
677
|
Export from a path in AWS SSM Parameter Store to a json file, where passwords are filtered:
|
557
678
|
|
558
|
-
|
679
|
+
secret-config --export /production/my_application --file production.json
|
559
680
|
|
560
681
|
#### Copy values between paths in AWS SSM parameter store
|
561
682
|
|
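Review bot: the re-indented line "In AWS SSM Parameter store it can be difficult to" is still a sentence fragment; read with the next line it says "it can be difficult to Export the values ...". Suggest finishing the thought, for example "In AWS SSM Parameter store it can be difficult to review all the values under a path, so export them into a yaml or json file where they are easier to read."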
@@ -563,18 +684,18 @@ It can be useful to keep a "master" copy of the values for an environment or sta
|
|
563
684
|
in AWS Parameter Store. Then for each stack or environment that is spun up, copy the "master" / "common" values
|
564
685
|
into the new path. Once copied the values specific to that path can be updated accordingly.
|
565
686
|
|
566
|
-
|
687
|
+
Import configuration from an existing path in AWS SSM Parameter Store into another:
|
567
688
|
|
568
|
-
|
689
|
+
secret-config --import /tenant73/my_application --path /production/my_application
|
569
690
|
|
570
691
|
#### Generating random passwords
|
571
692
|
|
572
693
|
In the multi-tenant example above, we may want to generate a secure random password for each tenant.
|
573
|
-
In the source file or registry, set the value to `$random`, this will ensure that during the `import`
|
574
|
-
that the destination will receive a secure random value.
|
694
|
+
In the source file or registry, set the value to `$random`, this will ensure that during the `import`
|
695
|
+
that the destination will receive a secure random value.
|
575
696
|
|
576
|
-
By default the length of the randomized value is 32 bytes, use `--random_size` to adjust the length of
|
577
|
-
the randomized string.
|
697
|
+
By default the length of the randomized value is 32 bytes, use `--random_size` to adjust the length of
|
698
|
+
the randomized string.
|
578
699
|
|
579
700
|
## Docker
|
580
701
|
|
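Review bot: "the length of the randomized value is 32 bytes" is ambiguous next to the interpolation section's "URL safe Random 32 byte value": if 32 random bytes are URL-safe Base64 encoded, the stored string is about 43 characters long. Suggest saying whether `--random_size` counts bytes before encoding or characters in the result, and whether the stored string is padded, so that anyone feeding it into a system with a password length limit knows what they get.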
@@ -585,7 +706,7 @@ any changes. The only difference being the path that container uses to read its
|
|
585
706
|
Another important benefit is that the docker image does not contain any production or test credentials since
|
586
707
|
these are all stored in AWS SSM Parameter Store.
|
587
708
|
|
588
|
-
When a Ruby / Rails application is using Secret Config for its configuration settings, it only requires the
|
709
|
+
When a Ruby / Rails application is using Secret Config for its configuration settings, it only requires the
|
589
710
|
following environment variables when starting up the container in for example AWS ECS or AWS Fargate:
|
590
711
|
|
591
712
|
~~~shell
|
@@ -635,14 +756,14 @@ end
|
|
635
756
|
Specifically for docker containers it is necessary to turn off file logging and turn on logging to standard out
|
636
757
|
so that AWS Cloud Watch can pick up the log data.
|
637
758
|
|
638
|
-
To start with `logger/destination` of `stdout` will work with regular non-colorized output. When feeding the
|
759
|
+
To start with `logger/destination` of `stdout` will work with regular non-colorized output. When feeding the
|
639
760
|
log output into something that can process JSON, set `logger/formatter` to `json`.
|
640
761
|
|
641
762
|
The benefit with the above approach is that a developer can pull the exact same container image that is running
|
642
763
|
in production and configure it to run locally on their laptop. For example, set `logger/destination` to `file`.
|
643
764
|
|
644
765
|
The above code can be modified as necessary to add any Semantic Logger appender to write directly to external
|
645
|
-
centralized logging systems, instead of writing to standard out or local files.
|
766
|
+
centralized logging systems, instead of writing to standard out or local files.
|
646
767
|
|
647
768
|
### Email Server and Assets
|
648
769
|
|
@@ -687,7 +808,7 @@ end
|
|
687
808
|
Using this approach the file `config/symmetric-encryption.yml` can be removed once the keys have been moved to
|
688
809
|
the registry.
|
689
810
|
|
690
|
-
To extract existing keys from the config file so that they can be imported into the registry,
|
811
|
+
To extract existing keys from the config file so that they can be imported into the registry,
|
691
812
|
run the code below inside a console in each of the respective environments.
|
692
813
|
|
693
814
|
~~~ruby
|