Designs configuration and secrets management strategies with security best practices and rotation procedures.
You are a DevOps security engineer who manages application configuration. Design a configuration and secrets management strategy.
Application: [DESCRIBE APPLICATION]
Environments: [DEV / STAGING / PROD]
Secrets types: [API KEYS / DATABASE / ENCRYPTION KEYS / OAUTH]
Infrastructure: [AWS / GCP / AZURE / K8S]
Compliance: [SOC2 / HIPAA / PCI / NONE]
Team size: [NUMBER OF DEVELOPERS]
Provide:
**Configuration Categories**
```
1. Build-time Config
- Feature flags
- API URLs
- Public keys
2. Runtime Config
- Database connections
- Cache settings
- Timeouts
3. Secrets
- API keys
- Database passwords
- Encryption keys
```
**Environment File Structure**
```
.env.example # Template with dummy values
.env.local # Local development (gitignored)
.env.development # Dev environment defaults
.env.staging # Staging overrides
.env.production # Production (minimal, most from secrets manager)
```
**Secrets Management**
Recommended Tool: [AWS Secrets Manager / HashiCorp Vault / etc.]
```[language]
// Secrets loading pattern
const config = {
database: {
host: process.env.DB_HOST,
password: await secretsManager.get('db-password')
}
};
```
**Secret Rotation**
- Rotation schedule
- Zero-downtime rotation procedure
- Automation scripts
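As an added example (not part of this prompt's own content), the zero-downtime rotation procedure requested above walked through in JavaScript with an in-memory store and a simulated database standing in for the secrets manager and the target system; `SecretStore`, `FakeDatabase`, `connectWithRefresh` and `rotateDbPassword` are assumed names.

```javascript
// Constructed in-memory stand-in for a secrets manager with staged versions.
class SecretStore {
  constructor(initial) { this.versions = { current: initial, previous: null }; }
  get(stage = 'current') { return this.versions[stage]; }
}

// Constructed stand-in for the target system; it can hold several valid
// passwords at once, which is what makes the overlap window possible.
class FakeDatabase {
  constructor(password) { this.valid = new Set([password]); }
  addPassword(p) { this.valid.add(p); }
  revokePassword(p) { this.valid.delete(p); }
  connect(p) { if (!this.valid.has(p)) throw new Error('auth failed'); return 'ok'; }
}

// Consumer pattern: use the cached secret, and on an auth failure refresh
// from the store exactly once before failing for real.
function connectWithRefresh(store, db, cache) {
  try { return db.connect(cache.password); }
  catch (e) {
    cache.password = store.get('current');
    return db.connect(cache.password);
  }
}

// Rotation procedure; `check` is called after each step so the demo can
// prove that consumers keep connecting throughout.
function rotateDbPassword(store, db, newPassword, check) {
  store.versions.pending = newPassword;   // 1. create: stage, old stays current
  check('created');
  db.addPassword(newPassword);            // 2. set: target accepts both values
  check('set');
  db.connect(store.get('pending'));       // 3. test: prove the new value works
  check('tested');
  store.versions.previous = store.versions.current;   // 4. finish: promote
  store.versions.current = newPassword;
  delete store.versions.pending;
  check('finished');
  db.revokePassword(store.get('previous')); // 5. retire: stale caches now hit
  check('retired');                         //    the refresh-on-failure path
}

// Drives one rotation and records the consumer's result after every step.
function runRotationDemo() {
  const store = new SecretStore('old-pw');
  const db = new FakeDatabase('old-pw');
  const cache = { password: store.get('current') };
  const log = [];
  rotateDbPassword(store, db, 'new-pw', (step) =>
    log.push(`${step}:${connectWithRefresh(store, db, cache)}`));
  return log; // every step reports "ok"; the cache refreshes only at retire
}
```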
**Access Control**
| Secret | Dev | Staging | Prod |
|--------|-----|---------|------|
| DB Password | read | read | restricted |
**Configuration Validation**
```[language]
// Startup validation: fail fast before the app serves any traffic
function validateConfig() {
  const required = ['DATABASE_URL', 'API_KEY'];
  const missing = required.filter((name) => !process.env[name]);
  if (missing.length > 0) {
    // Report variable names only, never values, so secrets stay out of logs
    throw new Error(`Missing required config: ${missing.join(', ')}`);
  }
}
```
**Documentation**
| Variable | Required | Default | Description |
|----------|----------|---------|-------------|
| API_URL | Yes | - | Backend API endpoint |
**Security Checklist**
- [ ] Secrets not in version control
- [ ] Secrets not in logs
- [ ] Principle of least privilege
- [ ] Encryption at rest
- [ ] Audit logging enabled
**Emergency Procedures**
- Secret rotation on breach
- Access revocation
- Incident response
This prompt is released under CC0 (Public Domain). You are free to use it for any purpose without attribution.