confcrypt

[ library, mit, program, unclassified ]

Please see the README on GitHub at https://github.com/CollegeVine/confcrypt#readme


Versions 0.1.0.0, 0.1.0.1, 0.1.0.2, 0.1.0.3, 0.1.0.4, 0.2.0.0, 0.2.3.0, 0.2.3.3
Change log ChangeLog.md
Dependencies amazonka, amazonka-kms, base (>=4.7 && <5), base64-bytestring, bytestring, conduit, confcrypt, containers, crypto-pubkey-openssh, crypto-pubkey-types, cryptonite, deepseq, lens, megaparsec, mtl, optparse-applicative, parser-combinators, text, transformers
License MIT
Copyright 2018 Chris Coffey, CollegeVine
Author Chris Coffey
Maintainer chris@collegevine.com
Home page https://github.com/https://github.com/collegevine/confcrypt#readme
Bug tracker https://github.com/https://github.com/collegevine/confcrypt/issues
Source repo head: git clone https://github.com/https://github.com/collegevine/confcrypt
Uploaded by ChrisCoffey at 2018-10-13T22:50:32Z
Distributions LTSHaskell:0.1.0.4, NixOS:0.2.3.3
Executables confcrypt
Downloads 3169 total (3 in the last 30 days)
Status Hackage Matrix CI
Docs not available [build log]
All reported builds failed as of 2018-10-13 [all 3 reports]

Modules

  • ConfCrypt
    • ConfCrypt.Commands
    • ConfCrypt.Default
    • ConfCrypt.Encryption
    • ConfCrypt.Parser
    • Providers
      • ConfCrypt.Providers.AWS
    • ConfCrypt.Types
    • ConfCrypt.Validation


Readme for confcrypt-0.1.0.1


confcrypt

As soon as an application is deployed or built on more than a single machine, you tend to start worrying about managing its configuration. There are a number of ways to approach this problem, but ultimately there's a need to protect sensitive information like database passwords and API tokens. While you can always store those directly in a config management system like AWS' Parameter Store, doing so means you can't track configuration changes in source control. This application provides yet another simple and straightforward means of hiding config information within source control.


Installing confcrypt

Mac OSX

Using confcrypt

  • create a config: `confcrypt create <filename>` creates a new empty confcrypt config named `<filename>.econf`. Internally, it looks like this:

    # confcrypt schema
    # Configuration parameters may be either a String, Int, or Boolean
    # Parameter schema take the following shape:
    # schema := [term | value | comment]
    #   term := confname : type
    #   confname := [a-z,A-Z,_,0-9]
    #   type := String | Int | Boolean
    #   value := confname = String
    #   comment := # String
    #
    # For example:
    # DB_CONN_STR : String
    # DB_CONN_STR = Connection String
    # USE_SSL : Boolean
    # USE_SSL = True
    # TIMEOUT_MS : Int
    # TIMEOUT_MS = 300
    
  • read a config: `confcrypt read --key <filename> <filename>` This command reads in the provided file, decrypts the configuration variables using the provided key, then prints them to stdout. This allows you to pipe the results to other utilities. Returns 0 on success.

  • add a parameter: `confcrypt add --key <filename> --name <String> --type <SchemaType> --value <String> <filename>` Adds a new configuration parameter to the file. `--name` and `--value` are required, while `--type` is optional. If `--type` is provided, the schema record will be added immediately before the config variable. In total this adds two lines to the file. Returns 0 on success.

  • remove a parameter: `confcrypt delete --name <filename>` Removes an existing config parameter and its associated schema. Returns 0 on success or 1 if the parameter is not found in the file.

  • edit a parameter in-place: `confcrypt edit --key <filename> --name <String> --value <String> --type <SchemaType> <filename>` Modifies an existing configuration parameter in place, leaving all other lines unchanged. While this isn't how it's actually implemented, this operation is equivalent to piping `confcrypt read` to a new file, editing the parameter, then re-encrypting it.

  • validate a config: `confcrypt validate --key <filename> <filename>` Checks that each config parameter matches the type of its schema. All errors are accumulated and returned at the end, with a response code equal to the number of failures.

  • Using Amazon KMS instead of a local key: The `--use-aws` flag changes the behavior of the `--key` parameter to represent a KMS key id rather than an on-disk RSA key file.

The confcrypt file format

```
# confcrypt schema
# Configuration parameters may be either a String, Int, or Boolean
# Parameter schema take the following shape:
# schema := [term | value | comment]
#   term := confname : type
#   confname := [a-z,A-Z,_,0-9]
#   type := String | Int | Boolean
#   value := confname = String
#   comment := # String
#
# For example:
# DB_CONN_STR : String
# DB_CONN_STR = Connection String
# USE_SSL : Boolean
# USE_SSL = True
# TIMEOUT_MS : Int
# TIMEOUT_MS = 300
```

While the default config created via `confcrypt new ...` places the schema on line `n` and parameters on `n+1`, there's no required ordering for the file. In fact, you can choose to entirely omit the schema and only store configuration parameters in an `econf` file, but this will cause `confcrypt validate` to fail.
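
The grammar and the `validate` behaviour described above can be sketched as a small checker. This is an added example, not confcrypt's own code: it works on the plaintext form of a file (values as they would look after decryption), the names `parse` and `validate` are hypothetical, and the accepted `Int` and `Boolean` spellings are assumptions based on the `300` and `True` examples in the schema header.

```python
import re
import sys

# Constructed sample: plaintext form of an econf file (values as after decryption).
SAMPLE = """\
# constructed sample, not from the confcrypt repository
DB_CONN_STR : String
DB_CONN_STR = Connection String
USE_SSL : Boolean
USE_SSL = yes
TIMEOUT_MS : Int
TIMEOUT_MS = 300
API_TOKEN = abc123
"""

TERM = re.compile(r"^([A-Za-z0-9_]+)\s*:\s*(String|Int|Boolean)$")
VALUE = re.compile(r"^([A-Za-z0-9_]+)\s*=\s*(.*)$")
CHECKS = {
    "String": lambda v: True,
    "Int": lambda v: re.fullmatch(r"-?\d+", v) is not None,  # assumed syntax
    "Boolean": lambda v: v in ("True", "False"),  # assumed spelling
}

def parse(text):
    """Return (schema, params, errors) for text in the page's grammar."""
    schema, params, errors = {}, {}, []
    for n, s in enumerate(map(str.strip, text.splitlines()), 1):
        if not s or s.startswith("#"):
            continue  # blank line or comment
        if m := TERM.match(s):
            schema[m.group(1)] = m.group(2)
        elif m := VALUE.match(s):
            params[m.group(1)] = m.group(2)
        else:
            errors.append(f"line {n}: not a term, value or comment")
    return schema, params, errors

def validate(text):
    """Accumulate every failure; terms and values may appear in any order."""
    schema, params, errors = parse(text)
    for name, value in params.items():
        if name not in schema:
            errors.append(f"{name}: no schema entry")
        elif not CHECKS[schema[name]](value):
            errors.append(f"{name}: {value!r} is not a {schema[name]}")
    return errors

if __name__ == "__main__":
    sys.exit(len(validate(SAMPLE)))  # exit code = number of failures
```

Run as a script, the sample exits with status 2: one type mismatch and one parameter stored without a schema line.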