per-env | Clean up your package.json with per-NODE_ENV npm scripts | Build Tool library

I work with terraform 5 years. I did a lot of mistakes with in my career with modules and environments. Below text is just share of my knowledge and experience. They may be bad.

Real example project may is hard to find because terraform is not used to create opensource projects. It's often unsafe to share terraform files because you are showing all vulnerabilities from your intrastructure

You should create module that has single purpose, but your module should be generic.

You can create bastion host module, but better idea is to create a module for generic server. This module may have some logic dedicated to your business problem like, CW Log group, some generic security group rules, etc.

Sometimes it is worth to create more specific module.

Let's say you have application, that requires Lambda, ECS service, CloudWatch alarms, RDS, EBS etc. All of that elements are strongly connected.

You have 2 options:

• Create separated modules for each above items - But then your application uses 5 modules.
• Create one big module and then you can deploy your app with single module
• Mix above solutions - I prefer that

Everything depends on details and some circumstances.

But I will show you how I use terraform in my productions in different companies.

This is project, where you have environment as directories. For each application, networking, data resoruces you have separated state. I keep mutable data in separated directory(like RDS, EBS, EFS, S3, etc) so all apps, networking, etc can be destroyed and recreated, because they are stateless. No one can destroy statefull items because data can be lost. This is what i was doing for last few years.

The NiFi encrypt-config tool interacts with the following configuration files:

• nifi.properties
• login-identity-providers.xml
• authorizers.xml
• bootstrap.conf
• flow.xml.gz

It does not handle any linked custom variable definition files, and there is no mechanism for sensitive variables to be properly secured and stored. Variables do not support any sensitive values at all for this reason.

Variables are treated as deprecated in modern versions of NiFi -- still supported but their use is discouraged -- and parameters were introduced in version 1.10.0 as a modern solution. Parameters do support sensitive values and are accessible from every property descriptor at the framework level rather than on a per-field basis depending on the developer's explicit decision to support them. You should prioritize parameters for the storage of sensitive values needed in your flow definitions.

Depending on your threat model, you may have less robust but acceptable alternatives:

• If you accept the security level of environment variables, you can populate these directly and they will be referenced in any properties which support Expression Language, the same as "NiFi variables"
• You can edit the nifi.properties file through a custom Docker image, startup scripts, etc. Any modified or added properties in that file can be encrypted by adding their key (property key descriptor, not cryptographic key) as a comma-delimited list to nifi.sensitive.props.additional.keys in that file. These properties will also be protected by the toolkit and decrypted in memory during NiFi application startup. However, nifi.properties is meant to hold framework-level configuration values, not component-level properties.

To create and use a custom configuration source, two implementations are needed:

1. IConfigurationSource
2. IConfigurationProvider

It's the IConfigurationSource implementation that gets added to the IConfigurationBuilder's sources. This implementation is also responsible for creating its own IConfigurationProvider, which is reponsible for loading the data from the source.

Here's both a custom implementation of IConfigurationSource (ExpandJsonConfigurationSource) and IConfigurationProvider (ExpandJsonConfigurationProvider):

I've tried to solve that problem few days ago.

And what I learned:

First attempt

I try to use credentials per environment with

There are two questions here — a) is it secure, and b) why are the values undefined?

The answer to the first question is 'no'. Any time you include credentials in JavaScript that gets served to the client (or in session data), you're making those credentials available to anyone who knows how to look for them. If you need to avoid that, you'll need your server (or another server) to make requests on behalf of authenticated clients.

As for the second part, it's very hard to tell without a reproduction unfortunately!

The Secret Manager (https://docs.microsoft.com/en-us/aspnet/core/security/app-secrets?view=aspnetcore-3.1) is designed strictly for development, not any other stage (environment), since it is inherently insecure (local dev secrets are not encrypted). See the warning on the page linked. So there is no need to have per environment secrets storage vis-a-vis that tool. For other environments (staging, prod, etc), Microsoft would likely steer you toward their secure secrets storage service -- Key Vault. You can use the Secret Manager for dev secrets and then store the other environments in Key Vault. I have done this in many Asp.Net Core apps and it works well. For Key Vault info, see this: https://docs.microsoft.com/en-us/aspnet/core/security/key-vault-configuration?view=aspnetcore-3.1

Don't. Seriously, stay away from those two files (environment.ts and environment.prod.ts). Those are NOT about the DevOps meaning of the word "environment", they are about debug constants.

If you need to know if you're running a debug build, import isDevMode:

Please help me out how can i change/update the values of above keys at deployment time based on slots?

If the Json file is not generated during building. We still could use the task Replace Tokens to update the key's values.

As test, change the definition of the key's values:

I didn't find a way to modify the Traefik config file path using environment variables. However, I hit on a volume-based solution that seems to be quite self-contained.

1. I set up another image called shell in my Docker Compose file: