Our Thoughts on Modern Configuration and Secrets Management

Introducing 7-Factor Config | CloudTruth

Written by Greg Arnette | Feb 6, 2023 6:21:41 PM

7-Factor Config is a set of principles that describes an efficient way to manage secrets, parameters, and templates, enabling teams to deploy reliably, scale quickly, and reduce unplanned downtime and security incidents.

 

DRY

Don't Repeat Yourself. Configuration data (secrets and parameters) are typically stored as key-value pairs. In the DRY approach, config variable key names are declared once, and then flexible variable values are inserted as needed across build, deploy, and run-time phases using an efficient notion of defaults, inheritances, or overrides.

This approach avoids problems by allowing single changes to propagate where needed, eliminating copy-and-paste errors.

DECOUPLED

The main idea behind externalizing configuration from the source code is to make it flexible and adaptable to different environments. The same deployment process can be run by removing hard-coded configurations with different parameters specified at runtime. This makes managing different environments and independently making code and configuration changes easier.

The benefits of this approach are two-fold. Firstly, it helps to isolate root causes when something goes wrong. By separating code changes from configuration changes, it's easier to determine whether the issue is due to a change in code or configuration. Secondly, externalizing configurations allows the frequent need to change configuration independently from the code. 

ABSTRACTED

The main idea behind separating code and configuration interactions is to make managing the different parts of an application easier. By separating the specific values (such as log level) from the interface (how a system fetches the log level value), it's possible to manage configurations in a more unified and efficient manner. Additionally, defining interfaces for managing configuration values helps to keep secret and sensitive information separate from the code.

The benefits of this principle include improved separation of concerns and responsibilities, which leads to faster deployment times. The separation allows teams to track current configurations and make changes in a unified manner. Furthermore, creating a configuration interface creates an implicit communication channel between application developers and DevOps teams, making it easier for changes to be made and seen. This separation also makes it easier to spin up a new environment, as the configuration interfaces are already defined, and only the values need to be supplied. Finally, the configuration interfaces make the values and their purpose more transparent and easier to understand.

CENTRALIZED

The goal of consolidating all configuration complexity into a single location is to make it easier to manage and track the different configurations and their effects on the application. Keeping all the configuration information in one place makes it easier to manage the complexities of configuring an application.

The benefits of this approach include mitigating downtime by syncing the configuration to the edge where it is used, avoiding config sprawl by keeping all the complexity at the core and simplifying the configuration process by centralizing the configuration and generating it with transformations. This allows client consumers to request the configuration they need without knowing the logic behind generating it. This makes the configuration process more straightforward and reduces the risk of errors.

An example of a client requesting its configuration is "Give me the configuration for "X" versus having to know all the logic needed to generate the configuration for "X.

OBVIOUS

Organizing configuration data, including secrets and parameters, is essential for smooth and efficient operations. When config data is obvious, it is much easier to manage changes and ensure that application developers can easily communicate new config settings to DevOps teams so the downstream impact is understood. 

The benefits of organizing config data include the ability to drill in and out to see only the config data of interest while still having access to all the secrets and parameters. The organization of config data leads to improved communication between team members and makes it easier to understand the impact of changes made to the data. Sharing data and project structure makes deploying new code to production easier.

In conclusion, organized and obvious config data is critical for efficient and effective operations, and DevOps teams should aim to achieve this whenever possible.

SECURE

Securing configuration data is of utmost importance in today's proliferating microservices. Config data, including secrets, must be handled carefully to protect sensitive information such as production database passwords, cloud access keys, and third-party API keys.

The secure management of configuration requires role-based access controls, strong cryptography, and an independent tamper-proof audit trail.

Use a "late-binding" approach to inject secrets and config at the optimal deploy and run time stages, reducing the risk of confidential information being leaked into log files or exposed to bad actors.

Keeping config data secure means using role-based access control to keep production secrets locked while allowing self-service access to developers and eliminating misconfigurations through automated type checking, linting, rules, and ranging on values.

VERSIONED

Versioning configuration data ensures systems and applications' security, compliance, and reliability. Configuration versioning refers to the ability to track changes to parameters, secrets, and templates over time.

There are several reasons why configuration data needs to be versioned. Compliance auditing and security aggregation require versioned configuration data to ensure that sensitive information is protected and managed properly. Additionally, teams need the ability to roll back configuration changes in the event of a problem quickly. Rapid outage triage is also easier with versioned config data, as it provides an efficient method for determining what configuration changes have been made recently across all projects, teams, and environments.

The benefits of versioning config data are numerous. Having all changes tracked in one place makes monitoring and managing configurations easier over time. By making changes in a consolidated fashion, it's possible to make a batch of changes with a checkpoint in a release rather than making changes one at a time. This makes it easier to roll back changes if necessary. Additionally, compliance and audit reporting is easier, team scaling is easier, and outage triage is faster, as the handoff from one team to the next is more efficient in knowledge transfer.