Problem/Motivation

Environment variables to pass in global settings/configurations are a thing:

  • Most hosters have some sort of support for them and expose the DB settings as such, for example https://github.com/pantheon-systems/drops-8/blob/master/sites/default/settings.pantheon.php#L39
  • It is really explicitly defined to be environment specific.
  • Many systems have .env files to share those.
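As an added illustration of the hoster pattern mentioned above (this is not code from the issue, from Drupal core, or from Pantheon's settings.pantheon.php), the fragment below is a settings.php that pulls the database credentials and the hash salt from environment variables instead of committing them. The variable names `DRUPAL_DB_*` and `DRUPAL_HASH_SALT` and the helper `drupal_env_required()` are assumptions chosen for the example; `$databases` and `$settings['hash_salt']` are the real Drupal 8 settings keys.

```php
<?php
// Added example settings.php fragment (not from the issue or any hoster).
// Reads DB settings from environment variables and fails closed when a
// required variable is absent, so a misconfigured environment never falls
// back to a committed default or silently connects to the wrong database.
// The DRUPAL_* variable names below are assumptions for this example.

/**
 * Return a required environment variable, or stop the request.
 *
 * The error message logged server-side names the variable; the message sent
 * to the client is generic so no configuration detail leaks through the site.
 */
function drupal_env_required(string $name): string {
  $value = getenv($name);
  if ($value === false || $value === '') {
    http_response_code(500);
    error_log("settings.php: required environment variable $name is not set");
    exit('Site configuration error.');
  }
  return $value;
}

$databases['default']['default'] = [
  'driver'   => drupal_env_required('DRUPAL_DB_DRIVER'),  // e.g. mysql or pgsql
  'database' => drupal_env_required('DRUPAL_DB_NAME'),
  'username' => drupal_env_required('DRUPAL_DB_USER'),
  'password' => drupal_env_required('DRUPAL_DB_PASSWORD'),
  'host'     => drupal_env_required('DRUPAL_DB_HOST'),
  // Optional variable: default to the MySQL port when it is not provided.
  'port'     => getenv('DRUPAL_DB_PORT') ?: '3306',
  'prefix'   => '',
];

// The hash salt is a secret too and should not live in the repository either.
$settings['hash_salt'] = drupal_env_required('DRUPAL_HASH_SALT');
```

To try it outside a web server, set the variables in the shell and include the file, for example `DRUPAL_DB_DRIVER=mysql DRUPAL_DB_NAME=d8 DRUPAL_DB_USER=d8 DRUPAL_DB_PASSWORD=x DRUPAL_DB_HOST=localhost DRUPAL_HASH_SALT=y php -r 'require "settings.php"; var_dump($databases);'`. Two caveats apply to any such setup: environment variables are readable by every process running as the same user (and show up in `phpinfo()` and many debug pages), so the PHP worker's user and any diagnostic output need the same care as the file itself; and when the values arrive through a `.env` file, that file must be excluded from the document root and from version control exactly as a committed settings.php would be.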

Usecases

Pro/Cons

Questions

Proposed resolution

Remaining tasks

User interface changes

API changes

Data model changes

Comments

dawehner created an issue. See original summary.

dawehner’s picture

moshe weitzman’s picture


Added a Pro about security. It links to https://12factor.net/config

Wim Leers’s picture

Thanks for proposing this, @dawehner! Curious what people more knowledgeable than me wrt server security have to say :) I like the apparent simplicity!

dawehner’s picture

I added a blog post with some criticism.

mpdonadio’s picture

How crazy / insecure would it be to totally pull settings.php from the environment, which can also handle overrides already?

shrop’s picture

This topic reminded me of this article I read a while back that speaks to the security of env vars. It appears that a few people in the article have varying opinions, but it's worth knowing some considerations around this topic.
http://searchsecurity.techtarget.com/blog/Security-Bytes/Environment-var...

This one has some good tips on securing env vars:
http://blog.honeybadger.io/securing-environment-variables/

For this article already mentioned in the issue description, I would like to see documentation around better ways to manage keys and other "secrets" than placing them in env vars.
http://movingfast.io/articles/environment-variables-considered-harmful/