What you don’t know can hurt you!
November 12, 2019Keys to Workplace Wellness Part 2 – Physical Wellness
December 11, 2019Recently, I have been tasked with creating and deploying projects to our production environments. As I have been working through these steps I am realizing the importance of how environment-specific values are handled. There are at least a couple of reasons I have come up with for creating these projects without these values in the codebase.
- Committing secrets to your code repositories is not recommended for security reasons.
- The presence of these values in the code requires either manual switching as code is deployed through the various environments or conditional logic that selects the correct environment based on context.
I would like to explore a strategy we can use to keep these values out of our code in order to avoid these pitfalls.
Typically environment variables look something like the following:
# environment variables
ENV=development
DB_HOST=localhost
DB_USER=projectxyz
DB_PASSWORD=Supers3cr3t!
DB_NAME=mydatabase
An environment variable is any value that changes based on the environmental context in which the code is running. These are typically data persistence settings like SQL or NoSQL database settings. Other values like API keys for third-party tools commonly exist in the environment variables for a project codebase.
So, the approach we have employed is as follows:
In our Node.js development, we have a need to load these environment variables so they can be referenced with the `process.env` global variable (process.env: What it is and why/when/how to use it effectively) within our code. The code snippet might look something like:
// Connection configurations
const connection = mysql.createConnection({
host: process.env.DB_HOST,
user: process.env.DB_USERNAME,
password: process.env.DB_PASSWORD,
database: process.env.DB_NAME
});
Local Development (dotenv)
We utilize the dotenv npm package as a dev dependency in our package.json in order to load the values from a root `.env` file. This file is identical in contents to what we demonstrated with our environment variables above.As NPM indicates dotenv is a “module that loads environment variables from a .env file into `process.env`”. The NPM description goes on to indicate this config methodology is based on The Twelve-Factor App.
Production (env_file in docker-compose.yml)
The applications we are deploying are run within Docker containers. The important final step after application building and deployment to our registry is running `docker-compose up`. When this command is executed we want the production-specific environment variables to be referenced. We accomplish this with the creation of the .env file with its values and then the inclusion of `env_file` and the name of our environment file in our `docker-compose.yml` file.
registry:
...
env_file: ./.env
The .env file is added to the .gitignore file within the project and as a result maintains a clean repository free of secrets, conditionally environment value references, or explicit values that need to be updated during the deployment processes.