Secrets and Configuration
Our applications use configuration values stored in a local YAML file. The defaults for these values are defined in config/application.yml.default. Configuration and secrets can be tailored per environment by merging default values with an environment-specific YAML file.
- In local development, this file lives at config/application.yml and is created during setup.
- In deployed environments, this file is downloaded from S3 when activating or deploying an instance.
Changing configuration for a deployed application requires a passenger restart, since this merge step only happens at activation.
The S3 buckets that contain secrets are versioned, so we can recover old versions if needed.
At the end of the day, since these are just files in S3, you can use whatever workflow you want to download, edit, and write them. Make sure you clean up files on your local machine when done.
The easiest way to interact with secrets is the app-s3-secret command in the
See guide to app-s3-secret for more information.
Configuration in Rails Apps
To use a value in the application.yml in our Rails apps, follow these steps. The IDP, PKI, and Dashboard apps all use this approach, with files named the same way.
Declare the feature flag in
config.add(:my_feature_flag, type: :boolean)
Configure a default value in config/application.yml.default at the top level of the file. If there is no value specified in S3 for this config, this default value will be used in production.
To use the value in code, access it via as a property of
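
The merge of defaults with an environment-specific file, followed by a typed declaration, can be sketched as below. This is an added example, not the apps' own code: the ExampleConfig class, the session_timeout_minutes key, and the rule that every override key must already have a default are assumptions made for illustration. It shows why the declared type matters: a flag stored as the YAML string 'false' is truthy in Ruby unless it is cast explicitly.

```ruby
require 'yaml'

# Hypothetical stand-in for the apps' config store; not the project's code.
class ExampleConfig
  CASTS = {
    # YAML may yield true/false or the strings "true"/"false"; the string
    # "false" is truthy in Ruby, so compare the text explicitly.
    boolean: lambda { |v|
      case v.to_s
      when 'true' then true
      when 'false' then false
      else raise ArgumentError, "not a boolean: #{v.inspect}"
      end
    },
    integer: ->(v) { Integer(v) },
    string: ->(v) { v.to_s }
  }.freeze

  attr_reader :values

  # defaults_yaml: contents of config/application.yml.default
  # override_yaml: contents of the environment-specific application.yml
  def initialize(defaults_yaml, override_yaml)
    defaults = YAML.safe_load(defaults_yaml) || {}
    overrides = YAML.safe_load(override_yaml) || {}
    # Assumption of this example: an override without a default is a typo.
    unknown = overrides.keys - defaults.keys
    raise ArgumentError, "override keys missing a default: #{unknown.join(', ')}" unless unknown.empty?

    @raw = defaults.merge(overrides) # environment values win over defaults
    @values = {}
  end

  # Same call shape as config.add(:my_feature_flag, type: :boolean) above.
  def add(key, type:)
    raise KeyError, "no value for #{key}" unless @raw.key?(key.to_s)
    @values[key] = CASTS.fetch(type).call(@raw[key.to_s])
  end
end

# Constructed sample file contents.
DEFAULTS = "my_feature_flag: 'false'\nsession_timeout_minutes: 15\n"
OVERRIDES = "session_timeout_minutes: '30'\n"

def load_example(overrides = OVERRIDES)
  config = ExampleConfig.new(DEFAULTS, overrides)
  config.add(:my_feature_flag, type: :boolean)
  config.add(:session_timeout_minutes, type: :integer)
  config.values
end
```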