https://github.com/strong-config/node

💪 Simple & Secure Config Management for Node.js 💪
https://github.com/strong-config/node

configuration-management dotenv javascript node secrets-management

Last synced: about 2 months ago
JSON representation

💪 Simple & Secure Config Management for Node.js 💪

• Host: GitHub
• URL: https://github.com/strong-config/node
• Owner: strong-config
• License: mit
• Created: 2019-08-13T15:51:42.000Z (almost 5 years ago)
• Default Branch: master
• Last Pushed: 2023-10-18T01:37:49.000Z (9 months ago)
• Last Synced: 2024-04-29T23:14:35.785Z (2 months ago)
• Topics: configuration-management, dotenv, javascript, node, secrets-management
• Language: TypeScript
• Homepage: https://strong-config.dev
• Size: 1.69 MB
• Stars: 34
• Watchers: 5
• Forks: 1
• Open Issues: 3
• Metadata Files:
  • Readme: README.md
  • Changelog: CHANGELOG.md
  • License: LICENSE

Lists

• awesome-stars - strong-config/node - 💪 Simple & Secure Config Management for Node.js 💪 (node)

README

        


# 💪 Strong Config

https://strong-config.dev

![Continuous Integration](https://github.com/strong-config/node/workflows/Continuous%20Integration%20Checks/badge.svg)

[![Coverage Status](https://coveralls.io/repos/github/strong-config/node/badge.svg?branch=master)](https://coveralls.io/github/strong-config/node?branch=master)

## Have you ever...

❓ ...struggled with config drift between local, staging, prod?

❓ ...forgot to update the production config after updating the development config?

❓ ...forgot to tell your teammates to update their local `.env` files after you made a change?

❓ ...worried about leaking secrets by accidentally pushing your `.env` files to GitHub?

❓ ...wished you could nest config values in your `.env` just like in a JavaScript object?

❓...had a CI build fail due to environment variable issues?

## Strong Config is here to help!

✅ **Commit your configs to version-control** safely and easily, for all your environments

✅ **Define your config in JSON or YAML** instead of `.env` files

✅ **Nest your values** for clearly structured config files

✅ **Validate your config against a [JSON Schema](https://json-schema.org/)** to catch config errors early

✅ **Encrypt your secrets with strong cryptography**. Fully encrypted at rest and only decrypted in-memory at runtime.

✅ **Safeguard your config through git hooks**. Ensure config is both valid and encrypted before committing and pushing.

✅ **Easy integration with the most popular cloud key management services** [AWS KMS](https://aws.amazon.com/kms/), [Google Cloud KMS](https://cloud.google.com/kms/), and [Azure Key Vault](https://azure.microsoft.com/en-us/services/key-vault/). Powered by [Mozilla's SOPS](https://github.com/mozilla/sops).

✅ **Enforce environment-specific permissions** via your KMS. Decide who can encrypt and decrypt configs for which environments. For example, you could allow _all_ engineers to decrypt your staging config, but restrict the production config to fewer people.

✅ **Auto-generate TypeScript types for your config** (requires a [JSON Schema](https://json-schema.org))




## Example config before encryption

```yaml

# A top-level config value which will be available to your application as `config.logger`

logger:

  # A nested value which will be available as `config.logger.level`

  level: DEBUG

auth:

  apiClientId: non-secret-client-id

  # A secret. Every key with a 'Secret' suffix will be encrypted by Strong Config (e.g. 'encryptMeSecret')

  apiSecret: top-secret-api-credential

# A dynamic value that will be substituted at runtime with the value of the environment variable $SHELL

shell: ${SHELL}

```

## Example config after encryption

```yaml

logger:

  # This value remains as is because it doesn't have a 'Secret' suffix

  level: DEBUG

auth:

  apiClientId: non-secret-client-id

  # This is now encrypted and safe to commit into version control :)

  apiSecret: ENC[AES256_GCM,data:aeQ+hlVIah7WyJoVR/Jbkb6GLH7ihsV0D81+U++pkiWD0zeoRL/Oe9Q3Tz6j/TNvKKVDnohIMyw3UVjELOuSY+A==,iv:nVRZWogV4B7o=,tag:KrE2jssfP4uCvqq+pc/JyQ==,type:str]

# Also still the same value which will be substituted only at runtime

shell: ${SHELL}

# The below section is auto-generated by sops and contains important metadata to

# decrypt the config at runtime. Do not manually edit or delete this section.

sops:

  gcp_kms:

    - resource_id: projects/my-project/locations/europe-west2/keyRings/my-project-key-ring/cryptoKeys/my-strong-config-key

      created_at: '2020-01-07T10:11:12Z'

      enc: AiAAmdAgj1dw1XdD2MsVpvmA4Deo867hmcX2B3NDhe9BCF2axuZ18hJJFK9oBlE1BrD70djwqi+L8T+NRNVnGUP+1//w8cJATAfJ8W/cQZFcdFTqjezC+VYv9xYI8i1bRna4xfFo/INIJtFDR38ZH1nrQg==

  lastmodified: '2020-01-07T10:11:12Z'

  mac: ENC[AES256_GCM,data:ABcd1EF2gh3IJKl4MNOpQr5stuvWXYz6sBCDEfGhIjK=,iv:A1AaAAAaa111a1Aa111AA/aaaAaaAAaa+aAaAaAAAaA=,tag:AAaaA1a1aaaAa/aa11AaaA==,type:str]

  encrypted_suffix: Secret

  version: 3.5.0

```




## Quickstart

For the full documentation, check https://strong-config.dev. Here's a short teaser:

1. **Install `@strong-config/node` and the SOPS binary.**

   ```sh

   npm install @strong-config/node

   # or

   yarn add @strong-config/node

   ```

   **Sidenote: The Sops Binary**

   After package installation, Strong Config automatically runs a `postinstall` script that checks for availability of the sops binary on your system. If it can't find the sops binary, it will try to download it to `node_modules/.bin/sops` which is always part of `$PATH` when you `yarn run` or `npm run` scripts.

   Alternatively, you can also install sops globally via `brew install sops` (macOS). For other systems check the [official sops releases on GitHub](https://github.com/mozilla/sops/releases).

1. **Create a config file**

   ```sh

   # By default, strong-config uses the ./config folder.

   # You can configure this to be a different folder via the options

   mkdir config

   # We'll use YAML here, but this could also JSON

   echo "myFirstConfig: strong" > config/development.yml

   echo "myFirstSecret: a development secret" >> config/development.yml

   ```

1. **Load config in your application code**

   ```js

   /* src/config.js */

   const StrongConfig = require('@strong-config/node')

   // Instantiate StrongConfig, then decrypt and load config file

   const config = new StrongConfig().getConfig()

   // This will print "{ myFirstConfig: 'strong' }" to the console

   console.log(config)

   /*

    * OPTIONAL (but recommended)

    * Call `new StrongConfig()` just once in your application, then export the memoized config for other files to use.

    * If you call `new StrongConfig()` again from another file, it would still work, but would re-instantiate a new

    * StrongConfig instance and load the config file from disk again which is slower than loading it from memory.

    */

   module.exports = config

   ```

1. **Run your app**

   `strong-config` relies on the `NODE_ENV` environment variable to determine which config file

   to load. For example, setting `NODE_ENV=development` will load `./config/development.yaml`

   ```sh

   # Set the environment variable

   NODE_ENV=development yarn start # or `NODE_ENV=development npm start

   ```

   If you used our example code from the previous step, the config should now be

   printed to the terminal 💪.

1. **Check [the Strong Config website](https://strong-config.dev) for more documentation**

   Check out the full documentation on https://strong-config.dev to learn how to:

   - Encrypt your config

   - Validate your config against a schema

   - Generate TypeScript types for your config

   ...and more :)