💪 Strong Config

https://strong-config.dev

Have you ever...

❓ ...struggled with config drift between local, staging, prod?

❓ ...forgot to update the production config after updating the development config?

❓ ...forgot to tell your teammates to update their local .env files after you made a change?

❓ ...worried about leaking secrets by accidentally pushing your .env files to GitHub?

❓ ...wished you could nest config values in your .env just like in a JavaScript object?

❓...had a CI build fail due to environment variable issues?

Strong Config is here to help!

✅ Commit your configs to version-control safely and easily, for all your environments

✅ Define your config in JSON or YAML instead of .env files

✅ Nest your values for clearly structured config files

✅ Validate your config against a JSON Schema to catch config errors early

✅ Encrypt your secrets with strong cryptography. Fully encrypted at rest and only decrypted in-memory at runtime.

✅ Safeguard your config through git hooks. Ensure config is both valid and encrypted before committing and pushing.

✅ Easy integration with the most popular cloud key management services AWS KMS, Google Cloud KMS, and Azure Key Vault. Powered by Mozilla's SOPS.

✅ Enforce environment-specific permissions via your KMS. Decide who can encrypt and decrypt configs for which environments. For example, you could allow all engineers to decrypt your staging config, but restrict the production config to fewer people.

✅ Auto-generate TypeScript types for your config (requires a JSON Schema)

Example config before encryption

# A top-level config value which will be available to your application as `config.logger`
logger:
  # A nested value which will be available as `config.logger.level`
  level: DEBUG

auth:
  apiClientId: non-secret-client-id
  # A secret. Every key with a 'Secret' suffix will be encrypted by Strong Config (e.g. 'encryptMeSecret')
  apiSecret: top-secret-api-credential

# A dynamic value that will be substituted at runtime with the value of the environment variable $SHELL
shell: ${SHELL}

Example config after encryption

logger:
  # This value remains as is because it doesn't have a 'Secret' suffix
  level: DEBUG

auth:
  apiClientId: non-secret-client-id
  # This is now encrypted and safe to commit into version control :)
  apiSecret: ENC[AES256_GCM,data:aeQ+hlVIah7WyJoVR/Jbkb6GLH7ihsV0D81+U++pkiWD0zeoRL/Oe9Q3Tz6j/TNvKKVDnohIMyw3UVjELOuSY+A==,iv:nVRZWogV4B7o=,tag:KrE2jssfP4uCvqq+pc/JyQ==,type:str]

# Also still the same value which will be substituted only at runtime
shell: ${SHELL}

# The below section is auto-generated by sops and contains important metadata to
# decrypt the config at runtime. Do not manually edit or delete this section.
sops:
  gcp_kms:
    - resource_id: projects/my-project/locations/europe-west2/keyRings/my-project-key-ring/cryptoKeys/my-strong-config-key
      created_at: '2020-01-07T10:11:12Z'
      enc: AiAAmdAgj1dw1XdD2MsVpvmA4Deo867hmcX2B3NDhe9BCF2axuZ18hJJFK9oBlE1BrD70djwqi+L8T+NRNVnGUP+1//w8cJATAfJ8W/cQZFcdFTqjezC+VYv9xYI8i1bRna4xfFo/INIJtFDR38ZH1nrQg==
  lastmodified: '2020-01-07T10:11:12Z'
  mac: ENC[AES256_GCM,data:ABcd1EF2gh3IJKl4MNOpQr5stuvWXYz6sBCDEfGhIjK=,iv:A1AaAAAaa111a1Aa111AA/aaaAaaAAaa+aAaAaAAAaA=,tag:AAaaA1a1aaaAa/aa11AaaA==,type:str]
  encrypted_suffix: Secret
  version: 3.5.0

Quickstart

For the full documentation, check https://strong-config.dev. Here's a short teaser:

1. Install @strong-config/node and the SOPS binary.

   npm install @strong-config/node
   # or
   yarn add @strong-config/node

   Sidenote: The Sops Binary After package installation, Strong Config automatically runs a postinstall script that checks for availability of the sops binary on your system. If it can't find the sops binary, it will try to download it to node_modules/.bin/sops which is always part of $PATH when you yarn run or npm run scripts. Alternatively, you can also install sops globally via brew install sops (macOS). For other systems check the official sops releases on GitHub.

2. Create a config file

   # By default, strong-config uses the ./config folder.
   # You can configure this to be a different folder via the options
   mkdir config
   
   # We'll use YAML here, but this could also JSON
   echo "myFirstConfig: strong" > config/development.yml
   echo "myFirstSecret: a development secret" >> config/development.yml

3. Load config in your application code

   /* src/config.js */
   
   const StrongConfig = require('@strong-config/node')
   
   // Instantiate StrongConfig, then decrypt and load config file
   const config = new StrongConfig().getConfig()
   
   // This will print "{ myFirstConfig: 'strong' }" to the console
   console.log(config)
   
   /*
    * OPTIONAL (but recommended)
    * Call `new StrongConfig()` just once in your application, then export the memoized config for other files to use.
    * If you call `new StrongConfig()` again from another file, it would still work, but would re-instantiate a new
    * StrongConfig instance and load the config file from disk again which is slower than loading it from memory.
    */
   module.exports = config

4. Run your app

   strong-config relies on the NODE_ENV environment variable to determine which config file to load. For example, setting NODE_ENV=development will load ./config/development.yaml

   # Set the environment variable
   NODE_ENV=development yarn start # or `NODE_ENV=development npm start

   If you used our example code from the previous step, the config should now be printed to the terminal 💪.

5. Check the Strong Config website for more documentation

   Check out the full documentation on https://strong-config.dev to learn how to:

   • Encrypt your config
   • Validate your config against a schema
   • Generate TypeScript types for your config

   ...and more :)