{"id":16726469,"url":"https://github.com/brunobonacci/1config","last_synced_at":"2025-03-17T01:31:39.624Z","repository":{"id":45672209,"uuid":"177453290","full_name":"BrunoBonacci/1config","owner":"BrunoBonacci","description":"A command line tool and a library to manage application secrets and configuration safely and effectively.","archived":false,"fork":false,"pushed_at":"2022-07-18T11:34:45.000Z","size":23547,"stargazers_count":33,"open_issues_count":1,"forks_count":5,"subscribers_count":4,"default_branch":"master","last_synced_at":"2025-03-15T04:36:32.947Z","etag":null,"topics":["aws","aws-lambda","clojure","configuration","configuration-management","java","security"],"latest_commit_sha":null,"homepage":"","language":"Clojure","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/BrunoBonacci.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2019-03-24T18:30:40.000Z","updated_at":"2024-10-30T02:26:43.000Z","dependencies_parsed_at":"2022-08-28T16:03:04.711Z","dependency_job_id":null,"html_url":"https://github.com/BrunoBonacci/1config","commit_stats":null,"previous_names":[],"tags_count":22,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/BrunoBonacci%2F1config","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/BrunoBonacci%2F1config/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/BrunoBonacci%2F1config/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/BrunoBonacci%2F1config/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/Bru
noBonacci","download_url":"https://codeload.github.com/BrunoBonacci/1config/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":243836015,"owners_count":20355615,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["aws","aws-lambda","clojure","configuration","configuration-management","java","security"],"created_at":"2024-10-12T22:53:17.618Z","updated_at":"2025-03-17T01:31:35.599Z","avatar_url":"https://github.com/BrunoBonacci.png","language":"Clojure","funding_links":[],"categories":[],"sub_categories":[],"readme":"# 1Config\n[![Clojars Project](https://img.shields.io/clojars/v/com.brunobonacci/oneconfig.svg)](https://clojars.org/com.brunobonacci/oneconfig) ![CircleCi](https://img.shields.io/circleci/project/BrunoBonacci/1config.svg) ![last-commit](https://img.shields.io/github/last-commit/BrunoBonacci/1config.svg) [![cljdoc badge](https://cljdoc.org/badge/com.brunobonacci/oneconfig)](https://cljdoc.org/jump/release/com.brunobonacci/oneconfig)\n\n\u003ca href=\"https://cljdoc.org/d/com.brunobonacci/oneconfig/\" target=\"_blank\"\u003e\u003cimg src=\"https://raw.githubusercontent.com/BrunoBonacci/1config/master/doc/images/1cfg.png\" width=\"120\" height=\"120\" /\u003e\u003c/a\u003e\n\n**A tool and a library to manage application secrets and configuration safely and effectively.**\n\nHere are some of the key points and advantages:\n\n  * Easy way to retrieve and manage configuration for your AWS deployed services\n  * Compatible with AWS Lambdas as well\n  * AWS KMS envelope encryption for extra security (same as S3-SSE, 
EBS and RDS)\n  * Support for key-rotation\n  * Highly available (as available as DynamoDB + KMS)\n  * Support for multiple environments in the same AWS account\n  * Support for multiple services in the same environment\n  * Support for multiple concurrent versions of the same service\n  * Zero config approach (or at most 1 config `;-)`)\n  * *Anti-tampering checks for configuration entries* (entries can't be manipulated manually)\n  * Supports Clojure, Java, Groovy, and other JVM languages (more to come)\n  * Command line tool for managing changes to the configuration\n  * Graphical User interface for managing changes to the configuration\n  * Support for local development (outside AWS)\n  * Highly-configurable and secure authorization.\n  * Support for EDN, JSON, YAML, Java Properties and plain-text.\n\n*Now available with a GUI as well:*\n\n\u003cdiv style=\"text-align:center\"\u003e\n\u003cimg src=\"./doc/images/1config-ui.gif\"\u003e\n\u003c/div\u003e\n\n(*Many thanks to [Eugene Tolbakov @etolbakov](https://github.com/etolbakov)*)\n\n## Security model\n\n*1Config* uses the same security model as Amazon S3 server-side\nencryption, EBS volumes encryption and Amazon RDS encryption.  It uses\nAmazon KMS to generate a **master encryption key** for each\napplication managed by *1Config*. Then for each configuration entry a\nnew encryption key is generated, it is used to encrypt the\nconfiguration entry, then the key itself is encrypted using the master\nencryption key, and it is stored along with the encrypted payload.\n\n![key management](./doc/images/key-hierarchy-cmk.png)\n\nIt means that **every configuration entry is encrypted with its own\nkey**.  
With the above strategy we benefit from all the KMS security\nfeatures, such as the ability to rotate keys, a minimized\nimpact if one key is compromised, and fine-grained\ncontrol over who can access the key to encrypt/decrypt\nconfiguration entries.\n\n![encryption process](./doc/images/1config.png)\n\nThe diagram explains how the security model works. Here are the steps involved:\n\n  - An operator wants to store a new configuration entry for an application\n  - The operator, using the command line tool (`1cfg`), creates a new\n    **master encryption key** for the Application.\n  - If IAM permissions allow it the operation will succeed.\n  - Then it uses the *master encryption key* to generate a data key.\n  - The data key will be used to encrypt the plaintext configuration\n  - If IAM permissions allow it the operation will succeed.\n  - Then the *data key* itself will be encrypted using the *master key*.\n  - Finally it stores the encrypted payload and the encrypted data key\n    together in a DynamoDB table (`1Config`).\n  - At this point the operator is done and the application is ready to\n    retrieve the configuration.\n  - The application will look up the correct entry for the environment\n    and version to use and fetch the encrypted payload with the\n    encrypted encryption key.\n  - To decrypt the payload it will have to contact KMS and attempt to\n    decrypt the data encryption key.\n  - If the application has the correct IAM roles to use the master key\n    the operation will succeed.\n  - Once the data key has been decrypted by KMS, then the Application\n    can decrypt the configuration payload and retrieve the plaintext\n    information.\n  - **Luckily, all the above steps are done automatically by `1Config`.**\n\n\n## What's next?\n  * See the [Quick Start](./doc/quick-start.md) guide to install\n  * Check the [Command line tool](./doc/cli-tool.md)\n  * Read the [Best Practices](./doc/best-practices.md)\n  * Check the [full 
documentation online](https://cljdoc.org/jump/release/com.brunobonacci/oneconfig)\n\n## Contributors\n\nMany thanks to all the contributors to this project, to those who\nhelped to shape it with their ideas, testing, suggestions, and PRs.\n\nA very special thanks to:\n\n  - [Eugene Tolbakov @etolbakov](https://github.com/etolbakov)\n\n## License\n\nCopyright © 2019-2021 Bruno Bonacci - Distributed under the [Apache License v2.0](http://www.apache.org/licenses/LICENSE-2.0)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fbrunobonacci%2F1config","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fbrunobonacci%2F1config","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fbrunobonacci%2F1config/lists"}