example-service.toml

# Docker information for the service to be deploy
[docker]
  # The base image for the service excluding the tag
  image = "wafflehacks/cms"

  # The base tag to deploy
  tag = "develop"

  # Image update configuration
  [docker.update]
    # Allow automatic updating when a new image is built (default: true)
    automatic = true

    # Any additional tag(s) to allow for updating the service supports globs (via the globset crate)
    # Automatically includes the base tag
    additional_tags = ["sha-*"]

[web]
  # Whether to enable web access (default: true)
  enabled = true

  # An optional path prefix to run the application under
  # When not provided, the service will run on the base domain
  path = "/testing"

  # The domain where the application can be accessed
  # Defaults to the filename combined with the `deployment.domain` key in the configuration
  domain = "testing.wafflehacks.tech"

# What external services this depends on
# Currently supports: PostgreSQL and Redis
# Connection strings will be automatically injected into environment variables in the format: {service name}_URL
# Ex: - POSTGRES_URL    - REDIS_URL
[dependencies]
  # A service can be explicitly enabled by setting it to false.
  # If it is not included, it will default to disabled.
  redis = false

  # Postgres credentials are automatically generated by Vault using a role with the same name
  # as the deployment, by default. The database and corresponding role (within Postgres)
  # must already exist before deploying the service.
  #
  # The environment variable can be changed by setting the value to the desired name.
  # Environment variable names will be automatically made uppercase.
  postgres = "DATABASE_URL"

  ## Below is the format for setting a custom role for the Postgres database.
  ## It also supports changing the environment variable name by setting a value
  ## for `name`. If unset, it follows the same semantics as the bare version.
  #[postgres]
  #  role = "testing"
  #  #name = "DATABASE_URL"

# Environment variables to pass to the container
# All values must be strings, and the name will be automatically made uppercase when it is
# injected into the container
[environment]
  some = "variable"
  another = "value"
  number = "1"
  boolean = "true"

# Secrets to pass to the container as environment variables
# The location within Vault will be automatically derived from the subdomain and environment variable name
# Ex: - subdomain = `git.wafflehacks.tech` name = `secret_key` --> /kv/git/secret_key
#     - subdomain = `git.dev.wafflehacks.tech` name = `secret_key` --> /kv/dev/git/secret_key
# Like the normal environment variables, the variable name will be automatically be made uppercase
#
# There are currently 3 types of secrets:
#   - `aws`: retrieves AWS credentials for with the given role
#   - `generate`: generates a random secret in the specified format
#   - `load`: loads a pre-existing secret from vault
[secrets]
  # If the secret type does not require additional configuration (i.e. `load` secrets), then the type can be specified
  # as a bare string or as a map. Otherwise, they must be specified as maps (inline or as blocks).
  bare = "load"
  # Inline map
  inline = { type = "load" }
  # Block map
  [secrets.block]
    type = "load"

  [secrets.aws_access_key_id]
    type = "aws"
    # The role to generate the credentials from
    # It must already exist in Vault
    role = "my-role"
    # The part of the key pair to store in the environment variable
    # Options: `access`, `secret`
    part = "access"

  # Stores the secret access key part of the pair
  # There should be one variable per part, however no validation is done to ensure this happens
  [secrets.aws_secret_access_key]
    type = "aws"
    role = "my-role"
    part = "secret"

  [secrets.generated]
    type = "generate"
    # The format to encode the generated string in
    # Options: `alphanumeric`, `base64`, `hex`
    format = "base64"
    # The length of the string to generate
    # When generating a base64 or hex string, the length corresponds to the number of bits
    length = 16
    # Whether to regenerate the secret on redeploy (default: false)
    regenerate = false