Best practices for configuration files in your code

Felipe Dutra Tine e Silva
Jan 4, 2017

Often when I open a codebase, I see configuration files with three kinds of variables inside.

  • static variables (that we need to manage our code)
  • sensitive data (passwords, secrets, passwords for products we use …)
  • data we hope is static but that does not depend on our code (connection strings …)

Example:

# static variables
ALL_FILE_EXPORT_PREFIX="Export_"
DATE_FORMAT="yyyymmdd"
MAX_THREAD=42
....
# Sensitive Data
PASSWORD="Superman1234"
USERNAME_API_I_USE_FROM_A_PRODUCT="ag_comp123"
PASSWORD_API_I_USE_FROM_A_PRODUCT="ykjquztv'-è_é(fcg3564"
JWT_SECRET="aliuzgdlicrbuygf61736874kjresgghk"
# Data that does not depend on our code
Connection_String="mongodb://username:pwd@host1:27017,host2:27017"
PATH_NAS="//path-to-nas/folder"

The last two categories (sensitive data, and data that does not depend on us) should not be in our config file.

Sensitive data

Because it’s not secure: the config file travels with the code, so anyone who can read the code can read the secrets.

Data that doesn’t belong to us

For example, if I use Mongo, the DBA (the Mongo administrator) can:

  • add a new host3,
  • change the Virtual Machine where mongo is located
  • change the connection_string
  • change the username/password of the database.

Or, if I have paths to directories, the system administrator can change where they are located.

In all these cases I have to change the config file and redeploy the code, even if the code itself was not modified. (Or worse, the deployment carries modifications that are not ready for production.)

What are the good practices?

Sensitive data and data that does not belong to us must be environment variables.

For example, if I use Docker, I can pass these variables:

docker run [...] -e connection_string="mongodb:...." \
-e path_nas="\\path-to-nas" \
-e [....]

You can find a tutorial about it on node there, and on golang there.
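
One way to apply this split in a Node.js service, as an added example that is not from the original post: static values stay in the code, while the sensitive and externally owned values are read from the environment at startup, and a masked copy is used for logging. The function names loadConfig and redactForLog and the sample values are assumptions; the variable names come from the examples above.

```javascript
// Static values that belong to the code stay in the code.
const STATIC_CONFIG = Object.freeze({
  ALL_FILE_EXPORT_PREFIX: "Export_",
  DATE_FORMAT: "yyyymmdd",
  MAX_THREAD: 42,
});

// Sensitive values and values owned by the DBA or system administrator:
// read from the environment only (names reused from the page's examples).
const REQUIRED_ENV = ["connection_string", "path_nas", "JWT_SECRET"];

// Build the runtime config; fail at startup and name every missing variable,
// so a misconfigured container stops immediately instead of failing later.
function loadConfig(env = process.env) {
  const missing = REQUIRED_ENV.filter((name) => !env[name]);
  if (missing.length > 0) {
    throw new Error("Missing environment variables: " + missing.join(", "));
  }
  const fromEnv = {};
  for (const name of REQUIRED_ENV) fromEnv[name] = env[name];
  return Object.freeze({ ...STATIC_CONFIG, ...fromEnv });
}

// Copy of the config that is safe to log: the secret is masked and the
// credentials are stripped from the connection string.
function redactForLog(config) {
  const safe = { ...config };
  safe.JWT_SECRET = "***";
  // mongodb://user:pwd@host1,host2 -> mongodb://***@host1,host2
  safe.connection_string = config.connection_string.replace(/\/\/[^@\/]*@/, "//***@");
  return safe;
}

// Constructed sample environment, standing in for `docker run -e ...`.
const sampleEnv = {
  connection_string: "mongodb://username:pwd@host1:27017,host2:27017",
  path_nas: "//path-to-nas/folder",
  JWT_SECRET: "constructed-sample-secret",
};

console.log(redactForLog(loadConfig(sampleEnv)));
```

In a real service, call loadConfig() with no argument so it reads process.env, and only ever log the redacted copy.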
