Improve deploying env variables safely #144
Comments
|
The third option would be to give a flag that lets you pass environment variables one by one but they could pop up in logs again. So not viable |
|
After talking with @philnash the design we'll go with is a mix of the two options. The behavior is the following: If the user runs For the |
dkundel
added
enhancement
This PR adds support for a --load-system-env flag. This works similar to the existing --load-local-env variable on the start command but is required to be used in tandem with the --env flag and will use the file specified in --env as a filter. Only empty values in the env file will be populated by the system env variables. This PR doesn't add that behavior to the "start" command as this would be a breaking change that will be introduced in a separate version. fix #144
This PR adds support for a --load-system-env flag. This works similar to the existing --load-local-env variable on the start command but is required to be used in tandem with the --env flag and will use the file specified in --env as a filter. Only empty values in the env file will be populated by the system env variables. This PR doesn't add that behavior to the "start" command as this would be a breaking change that will be introduced in a separate version. fix #144
This PR adds support for a --load-system-env flag. This works similar to the existing --load-local-env variable on the start command but is required to be used in tandem with the --env flag and will use the file specified in --env as a filter. Only empty values in the env file will be populated by the system env variables. This PR doesn't add that behavior to the "start" command as this would be a breaking change that will be introduced in a separate version. fix #144
This PR adds support for a --load-system-env flag. This works similar to the existing --load-local-env variable on the start command but is required to be used in tandem with the --env flag and will use the file specified in --env as a filter. Only empty values in the env file will be populated by the system env variables. This PR doesn't add that behavior to the "start" command as this would be a breaking change that will be introduced in a separate version. fix #144
Right now the way we are deploying
.envfiles intuitive if you deploy from your own machine but isn't really friendly for a CI/CD environment. Essentially you have to create a ".env.production" file and it could potentially contain secrets you don't want to expose. Especially for OSS projects.I've been thinking about two options.
Option 1
The
startcommand already supports a flag--load-local-envthat loads all environment variables that are available on the system and provides them as env variables during local dev as backup for the ones in the.envfile. We could add the same flag to bothpromoteand todeploybut that would mean we would just take all of the environment variables we find, not giving you a fine grained control.Option 2
We support basic "templating" in the .env file. That way you could have a
.env.prodfile that is checked into your repository but it looks something like this:ACCOUNT_SID={{$TWILIO_ACCOUNT_SID}} AUTH_TOKEN={{$TWILIO_AUTH_TOKEN}} MY_PHONE_NUMBER={{$MY_SECRET_PHONE_NUMBER}} GREETING=helloThis would swap out
$TWILIO_ACCOUNT_SID,$TWILIO_AUTH_TOKENand$MY_SECRET_PHONE_NUMBERwith the respective system environment variables.We could start introducing this as an experimental flag first and then fully ship it with the next major version. I think this gives folks a bit more control.
The text was updated successfully, but these errors were encountered: