Moriyama Configbuilder: Securely store and share .NET and Umbraco configuration
Today we’ve released Moriyama Configbuilder on GitHub – an internally developed tool for managing ASP.NET and Umbraco configuration.
The Problem
When inheriting projects, we often come across sensitive configuration files committed to source control such as connection strings, API keys, logins and passwords.
We also inherit projects where the configuration has been correctly removed from version control, but the accompanying project README has a long 20 step list of how to get your application up and running, and how to obtain all the relevant configuration.
Our support team could often work upon 3 or 4 different projects per day, so we needed and easy and standardised way of managing our application configuration – in a single place per project – and a way of sharing that configuration amongst all our team members.
The Solution
Version 4.7.2 of the .NET framework introduces the notion of Configuraion Builders – which are pieces of code that allow you to dynamically build .NET configuration on demand rather than using a static configuration file.
There are some default implementations available, but they are mainly key/value based, and don’t allow for more complex configuration.
WebDeploy already defines a standard for defining parameters within a .NET application using a parameters.xml file – and an accompanying SetParameters file format that contains the values for those parameters.
Moriyama Configbuilder uses these two file formats to dynamically build configuration at runtime.
An Example
We can start by defining a parameter in my Parameters.xml file:
<parameter
description="Cache:CachedStorageAccount"
name="Cache:CachedStorageAccount"
defaultvalue="#{Cache:CachedStorageAccount}#">
<parameterEntry
match="//caching/caches/cache[@name='AzureBlobCache']/settings/setting[@key='CachedStorageAccount']/@value"
kind="XmlFile"
scope="\\config\\imageprocessor\\cache.config$" />
</parameter>
The example above is a connection string that ImageProcessor uses to connect to Azure blob storage. You can see that the configuration uses XPath to define the parameter within a configuration file.
Next in my SetParameters file I can put the actual value of that connection string:
<setParameter
name="Cache:CachedStorageAccount"
value="[my connection string here]" />
Lastly – we remove the sensitive value from the original configuration file: config\imageprocessor\cache.config
On startup – Moriyama ConfigBuilder will now read the parameter from the external file.
Securing Secrets
With all your sensitive application configuration in one file – you can easily make sure that this is ignored by git, and you don’t end up with any sensitive information in version control.
You’ll need to come up with a way of securely storing and sharing this configuration – at Moriyama we have a task that is part of our build process that can push and pull this configuration to secure storage.
An extra benefit to having this centralised storage is that we can have an automated process that routinely rotates connection strings and other credentials as an extra layer of security.
Need Help?
At Moriyama we’ve more than 10 years' experience of helping companies to rationalise their development, build and release processes bringing them in line with up-to-date devops best practice.
I you need help, then please get in touch to discuss your project.