@strong-config/node
v1.3.1
Published
Simple & Secure Config Management for Node.js
Downloads
1,102
Keywords
Readme
💪 Strong Config
https://strong-config.dev
Have you ever...
❓ ...struggled with config drift between local, staging, prod?
❓ ...forgot to update the production config after updating the development config?
❓ ...forgot to tell your teammates to update their local .env
files after you made a change?
❓ ...worried about leaking secrets by accidentally pushing your .env
files to GitHub?
❓ ...wished you could nest config values in your .env
just like in a JavaScript object?
❓...had a CI build fail due to environment variable issues?
Strong Config is here to help!
✅ Commit your configs to version-control safely and easily, for all your environments
✅ Define your config in JSON or YAML instead of .env
files
✅ Nest your values for clearly structured config files
✅ Validate your config against a JSON Schema to catch config errors early
✅ Encrypt your secrets with strong cryptography. Fully encrypted at rest and only decrypted in-memory at runtime.
✅ Safeguard your config through git hooks. Ensure config is both valid and encrypted before committing and pushing.
✅ Easy integration with the most popular cloud key management services AWS KMS, Google Cloud KMS, and Azure Key Vault. Powered by Mozilla's SOPS.
✅ Enforce environment-specific permissions via your KMS. Decide who can encrypt and decrypt configs for which environments. For example, you could allow all engineers to decrypt your staging config, but restrict the production config to fewer people.
✅ Auto-generate TypeScript types for your config (requires a JSON Schema)
Example config before encryption
# A top-level config value which will be available to your application as `config.logger`
logger:
# A nested value which will be available as `config.logger.level`
level: DEBUG
auth:
apiClientId: non-secret-client-id
# A secret. Every key with a 'Secret' suffix will be encrypted by Strong Config (e.g. 'encryptMeSecret')
apiSecret: top-secret-api-credential
# A dynamic value that will be substituted at runtime with the value of the environment variable $SHELL
shell: ${SHELL}
Example config after encryption
logger:
# This value remains as is because it doesn't have a 'Secret' suffix
level: DEBUG
auth:
apiClientId: non-secret-client-id
# This is now encrypted and safe to commit into version control :)
apiSecret: ENC[AES256_GCM,data:aeQ+hlVIah7WyJoVR/Jbkb6GLH7ihsV0D81+U++pkiWD0zeoRL/Oe9Q3Tz6j/TNvKKVDnohIMyw3UVjELOuSY+A==,iv:nVRZWogV4B7o=,tag:KrE2jssfP4uCvqq+pc/JyQ==,type:str]
# Also still the same value which will be substituted only at runtime
shell: ${SHELL}
# The below section is auto-generated by sops and contains important metadata to
# decrypt the config at runtime. Do not manually edit or delete this section.
sops:
gcp_kms:
- resource_id: projects/my-project/locations/europe-west2/keyRings/my-project-key-ring/cryptoKeys/my-strong-config-key
created_at: '2020-01-07T10:11:12Z'
enc: AiAAmdAgj1dw1XdD2MsVpvmA4Deo867hmcX2B3NDhe9BCF2axuZ18hJJFK9oBlE1BrD70djwqi+L8T+NRNVnGUP+1//w8cJATAfJ8W/cQZFcdFTqjezC+VYv9xYI8i1bRna4xfFo/INIJtFDR38ZH1nrQg==
lastmodified: '2020-01-07T10:11:12Z'
mac: ENC[AES256_GCM,data:ABcd1EF2gh3IJKl4MNOpQr5stuvWXYz6sBCDEfGhIjK=,iv:A1AaAAAaa111a1Aa111AA/aaaAaaAAaa+aAaAaAAAaA=,tag:AAaaA1a1aaaAa/aa11AaaA==,type:str]
encrypted_suffix: Secret
version: 3.5.0
Quickstart
For the full documentation, check https://strong-config.dev. Here's a short teaser:
Install
@strong-config/node
and the SOPS binary.npm install @strong-config/node # or yarn add @strong-config/node
Sidenote: The Sops Binary After package installation, Strong Config automatically runs a
postinstall
script that checks for availability of the sops binary on your system. If it can't find the sops binary, it will try to download it tonode_modules/.bin/sops
which is always part of$PATH
when youyarn run
ornpm run
scripts. Alternatively, you can also install sops globally viabrew install sops
(macOS). For other systems check the official sops releases on GitHub.Create a config file
# By default, strong-config uses the ./config folder. # You can configure this to be a different folder via the options mkdir config # We'll use YAML here, but this could also JSON echo "myFirstConfig: strong" > config/development.yml echo "myFirstSecret: a development secret" >> config/development.yml
Load config in your application code
/* src/config.js */ const StrongConfig = require('@strong-config/node') // Instantiate StrongConfig, then decrypt and load config file const config = new StrongConfig().getConfig() // This will print "{ myFirstConfig: 'strong' }" to the console console.log(config) /* * OPTIONAL (but recommended) * Call `new StrongConfig()` just once in your application, then export the memoized config for other files to use. * If you call `new StrongConfig()` again from another file, it would still work, but would re-instantiate a new * StrongConfig instance and load the config file from disk again which is slower than loading it from memory. */ module.exports = config
Run your app
strong-config
relies on theNODE_ENV
environment variable to determine which config file to load. For example, settingNODE_ENV=development
will load./config/development.yaml
# Set the environment variable NODE_ENV=development yarn start # or `NODE_ENV=development npm start
If you used our example code from the previous step, the config should now be printed to the terminal 💪.
Check the Strong Config website for more documentation
Check out the full documentation on https://strong-config.dev to learn how to:
- Encrypt your config
- Validate your config against a schema
- Generate TypeScript types for your config
...and more :)