Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/strong-config/node

💪 Simple & Secure Config Management for Node.js 💪
https://github.com/strong-config/node

configuration-management dotenv javascript node secrets-management

Last synced: 3 months ago
JSON representation

💪 Simple & Secure Config Management for Node.js 💪

Host: GitHub
URL: https://github.com/strong-config/node
Owner: strong-config
License: mit
Created: 2019-08-13T15:51:42.000Z (about 5 years ago)
Default Branch: master
Last Pushed: 2023-10-18T01:37:49.000Z (about 1 year ago)
Last Synced: 2024-08-14T14:42:03.753Z (3 months ago)
Topics: configuration-management, dotenv, javascript, node, secrets-management
Language: TypeScript
Homepage: https://strong-config.dev
Size: 1.69 MB
Stars: 35
Watchers: 5
Forks: 2
Open Issues: 3
Metadata Files:
- Readme: README.md
- Changelog: CHANGELOG.md
- License: LICENSE

Awesome Lists containing this project

README

# 💪 Strong Config

https://strong-config.dev

![Continuous Integration](https://github.com/strong-config/node/workflows/Continuous%20Integration%20Checks/badge.svg)
[![Coverage Status](https://coveralls.io/repos/github/strong-config/node/badge.svg?branch=master)](https://coveralls.io/github/strong-config/node?branch=master)

## Have you ever...

❓ ...struggled with config drift between local, staging, prod?

❓ ...forgot to update the production config after updating the development config?

❓ ...forgot to tell your teammates to update their local `.env` files after you made a change?

❓ ...worried about leaking secrets by accidentally pushing your `.env` files to GitHub?

❓ ...wished you could nest config values in your `.env` just like in a JavaScript object?

❓...had a CI build fail due to environment variable issues?

## Strong Config is here to help!

✅ **Commit your configs to version-control** safely and easily, for all your environments

✅ **Define your config in JSON or YAML** instead of `.env` files

✅ **Nest your values** for clearly structured config files

✅ **Validate your config against a [JSON Schema](https://json-schema.org/)** to catch config errors early

✅ **Encrypt your secrets with strong cryptography**. Fully encrypted at rest and only decrypted in-memory at runtime.

✅ **Safeguard your config through git hooks**. Ensure config is both valid and encrypted before committing and pushing.

✅ **Easy integration with the most popular cloud key management services** [AWS KMS](https://aws.amazon.com/kms/), [Google Cloud KMS](https://cloud.google.com/kms/), and [Azure Key Vault](https://azure.microsoft.com/en-us/services/key-vault/). Powered by [Mozilla's SOPS](https://github.com/mozilla/sops).

✅ **Enforce environment-specific permissions** via your KMS. Decide who can encrypt and decrypt configs for which environments. For example, you could allow _all_ engineers to decrypt your staging config, but restrict the production config to fewer people.

✅ **Auto-generate TypeScript types for your config** (requires a [JSON Schema](https://json-schema.org))

## Example config before encryption

```yaml
# A top-level config value which will be available to your application as `config.logger`
logger:
# A nested value which will be available as `config.logger.level`
level: DEBUG

auth:
apiClientId: non-secret-client-id
# A secret. Every key with a 'Secret' suffix will be encrypted by Strong Config (e.g. 'encryptMeSecret')
apiSecret: top-secret-api-credential

# A dynamic value that will be substituted at runtime with the value of the environment variable $SHELL
shell: ${SHELL}
```

## Example config after encryption

```yaml
logger:
# This value remains as is because it doesn't have a 'Secret' suffix
level: DEBUG

auth:
apiClientId: non-secret-client-id
# This is now encrypted and safe to commit into version control :)
apiSecret: ENC[AES256_GCM,data:aeQ+hlVIah7WyJoVR/Jbkb6GLH7ihsV0D81+U++pkiWD0zeoRL/Oe9Q3Tz6j/TNvKKVDnohIMyw3UVjELOuSY+A==,iv:nVRZWogV4B7o=,tag:KrE2jssfP4uCvqq+pc/JyQ==,type:str]

# Also still the same value which will be substituted only at runtime
shell: ${SHELL}

# The below section is auto-generated by sops and contains important metadata to
# decrypt the config at runtime. Do not manually edit or delete this section.
sops:
gcp_kms:
- resource_id: projects/my-project/locations/europe-west2/keyRings/my-project-key-ring/cryptoKeys/my-strong-config-key
created_at: '2020-01-07T10:11:12Z'
enc: AiAAmdAgj1dw1XdD2MsVpvmA4Deo867hmcX2B3NDhe9BCF2axuZ18hJJFK9oBlE1BrD70djwqi+L8T+NRNVnGUP+1//w8cJATAfJ8W/cQZFcdFTqjezC+VYv9xYI8i1bRna4xfFo/INIJtFDR38ZH1nrQg==
lastmodified: '2020-01-07T10:11:12Z'
mac: ENC[AES256_GCM,data:ABcd1EF2gh3IJKl4MNOpQr5stuvWXYz6sBCDEfGhIjK=,iv:A1AaAAAaa111a1Aa111AA/aaaAaaAAaa+aAaAaAAAaA=,tag:AAaaA1a1aaaAa/aa11AaaA==,type:str]
encrypted_suffix: Secret
version: 3.5.0
```

## Quickstart

For the full documentation, check https://strong-config.dev. Here's a short teaser:

1. **Install `@strong-config/node` and the SOPS binary.**

```sh
npm install @strong-config/node
# or
yarn add @strong-config/node
```

**Sidenote: The Sops Binary**
After package installation, Strong Config automatically runs a `postinstall` script that checks for availability of the sops binary on your system. If it can't find the sops binary, it will try to download it to `node_modules/.bin/sops` which is always part of `$PATH` when you `yarn run` or `npm run` scripts.
Alternatively, you can also install sops globally via `brew install sops` (macOS). For other systems check the [official sops releases on GitHub](https://github.com/mozilla/sops/releases).

1. **Create a config file**

```sh
# By default, strong-config uses the ./config folder.
# You can configure this to be a different folder via the options
mkdir config

# We'll use YAML here, but this could also JSON
echo "myFirstConfig: strong" > config/development.yml
echo "myFirstSecret: a development secret" >> config/development.yml
```

1. **Load config in your application code**

```js
/* src/config.js */

const StrongConfig = require('@strong-config/node')

// Instantiate StrongConfig, then decrypt and load config file
const config = new StrongConfig().getConfig()

// This will print "{ myFirstConfig: 'strong' }" to the console
console.log(config)

/*
* OPTIONAL (but recommended)
* Call `new StrongConfig()` just once in your application, then export the memoized config for other files to use.
* If you call `new StrongConfig()` again from another file, it would still work, but would re-instantiate a new
* StrongConfig instance and load the config file from disk again which is slower than loading it from memory.
*/
module.exports = config
```

1. **Run your app**

`strong-config` relies on the `NODE_ENV` environment variable to determine which config file
to load. For example, setting `NODE_ENV=development` will load `./config/development.yaml`

```sh
# Set the environment variable
NODE_ENV=development yarn start # or `NODE_ENV=development npm start
```

If you used our example code from the previous step, the config should now be
printed to the terminal 💪.

1. **Check [the Strong Config website](https://strong-config.dev) for more documentation**

Check out the full documentation on https://strong-config.dev to learn how to:

- Encrypt your config
- Validate your config against a schema
- Generate TypeScript types for your config

...and more :)