Dotenv & Configuration Management
Standardizing local environment configuration is a critical control plane for platform engineering. Unmanaged .env drift between developer workstations, container runtimes, and CI/CD pipelines introduces silent failures, security exposure, and prolonged onboarding cycles. This guide delivers tactical workflows for enforcing configuration parity, automating secure secret injection, and establishing deterministic local environment automation.
1. Standardized .env Template Generation & Version Control
A deterministic configuration baseline begins with a version-controlled template and strict lifecycle enforcement.
Configuration Artifacts
.env.example
# REQUIRED: Application runtime mode
NODE_ENV=development # string: development|staging|production
# REQUIRED: Database connection string (format: postgresql://user:pass@host:port/db)
DATABASE_URL=postgresql://postgres:postgres@localhost:5432/app_dev
# OPTIONAL: Feature flags
ENABLE_TELEMETRY=false # boolean: true|false
LOG_LEVEL=info # string: debug|info|warn|error.gitignore
# Track template, ignore all local/secret variants
.env.example
!.env.local
!.env.*.local
.env
.env.*.pre-commit-config.yaml
repos:
- repo: local
hooks:
- id: env-drift-check
name: Validate .env against .env.example
entry: bash -c 'diff -u .env.example .env || (echo "ERROR: .env drift detected. Sync keys with .env.example" && exit 1)'
language: system
types: [file]
pass_filenames: false
always_run: truepackage.json (Husky/Lint-Staged Integration)
{
"scripts": {
"prepare": "husky",
"validate:env": "dotenv-cli -- zod validate env-schema.ts"
},
"lint-staged": {
".env": ["npm run validate:env"]
}
}Drift Diagnostics
Execute the following in CI or pre-deploy hooks to enforce schema alignment:
# Fail pipeline if untracked keys exist or values deviate structurally
diff -u .env.example .env > /dev/null 2>&1 || exit 1
git-secrets --scanPlatform Caveats
- WSL2: Windows line endings (
CRLF) corruptdiffandenvsubstparsing. Enforcegit config --global core.autocrlf inputand rundos2unix .env.examplebefore committing. - Docker Desktop: Volume sync latency on macOS/Windows can cause stale
.envreads during rapid container restarts. AddCOMPOSE_PROJECT_NAMEto isolate environments and usedocker compose down -vbefore reinitializing.
Aligning local configuration standards with broader Environment Sync, Secrets & CI Parity protocols ensures cross-repo consistency and eliminates environment-specific debugging overhead.
2. Containerized Configuration Injection via Docker Compose
Explicit environment mapping prevents host variable leakage and guarantees container runtime determinism.
Configuration Artifacts
docker-compose.yml
version: "3.8"
services:
app:
build: .
env_file:
- .env
- .env.local
environment:
# Explicit overrides take precedence over env_file
- NODE_ENV=production
ports:
- "3000:3000"
volumes:
- .:/app
- /app/node_modulesdocker-compose.override.yml
version: "3.8"
services:
app:
environment:
- DEBUG=app:*
- ENABLE_HOT_RELOAD=true
ports:
- "9229:9229" # Node inspectordocker-compose.secrets.yml (Compliance-Grade Alternative)
version: "3.8"
services:
app:
secrets:
- db_password
environment:
- DATABASE_URL=postgresql://postgres:${DB_PASSWORD}@db:5432/app_prod
secrets:
db_password:
file: ./secrets/db_password.txtDrift Diagnostics
Verify resolved configuration schema without interpolating secrets:
# Generate deterministic config hash for CI comparison
docker compose config --no-interpolate | sha256sum > .ci/env-baseline.sha256
git diff --exit-code .ci/env-baseline.sha256 || echo "DRIFT: Compose schema mismatch"Platform Caveats
- ARM64 (Apple Silicon): Base images default to
linux/arm64. If upstream dependencies lack multi-arch builds, explicitly declareplatform: linux/amd64indocker-compose.ymland enable Rosetta 2 in Docker Desktop settings. - WSL2 Backend: Docker Desktop maps Windows drives to
/mnt/c/or/host_mnt/. Use relativeenv_filepaths to avoid absolute path resolution failures when switching between native Linux and WSL2.
For production-grade local parity and compliance, cross-reference secure secret handling with Local Secret Vaults & Rotation to replace plaintext .env injection with ephemeral credential mounts.
3. Devcontainer & VS Code Environment Bootstrapping
Isolated development environments eliminate "works on my machine" failures by containerizing the IDE toolchain alongside application dependencies.
Configuration Artifacts
.devcontainer/devcontainer.json
{
"name": "App Workspace",
"dockerComposeFile": ["../docker-compose.yml", "../docker-compose.override.yml"],
"service": "app",
"workspaceFolder": "/workspace",
"containerEnv": {
"NODE_ENV": "development",
"CI": "false"
},
"remoteEnv": {
"LOCAL_WORKSPACE_FOLDER": "${localWorkspaceFolder}"
},
"mounts": [
"source=${localEnv:/.env},target=/workspace/.env,type=bind,readonly"
],
"postCreateCommand": "test -f /workspace/.env || cp /workspace/.env.example /workspace/.env && npm ci",
"customizations": {
"vscode": {
"extensions": ["ms-azuretools.vscode-docker", "dbaeumer.vscode-eslint"],
"settings": {
"telemetry.telemetryLevel": "off",
"terminal.integrated.env.linux": {
"NODE_ENV": "development"
}
}
}
}
}Drift Diagnostics
Validate environment consistency immediately after container initialization:
devcontainer up --workspace-folder .
CONTAINER_ID=$(docker ps -q -f label=devcontainer.local_folder)
docker exec $CONTAINER_ID env | grep -E '^(NODE_ENV|DATABASE_URL)=' | sort > .ci/dev-env-dump.txt
diff -u .ci/expected-env.txt .ci/dev-env-dump.txt || exit 1Platform Caveats
- WSL2 Integration: Use the VS Code "Remote - WSL" extension to mount the project directly into the WSL2 filesystem (
\\wsl$\). Avoid mounting from/mnt/c/to bypass 9P protocol latency and file watcher limits. - Docker Desktop Resource Allocation: Devcontainers with hot-reload and debug ports consume significant RAM. Increase Docker Desktop memory limits to
8GB+and disablegRPC FUSEon macOS if file sync hangs duringnpm install.
Validate environment consistency using CI/CD Pipeline Parity Checks to guarantee local dev matches remote runner configurations and eliminates environment-specific pipeline failures.
4. Automated Seed Script & Dynamic Env Population
Static templates fail to capture host-specific topology (IPs, architecture, runtime paths). A POSIX-compliant seed script bridges this gap idempotently.
Configuration Artifacts
scripts/bootstrap-env.sh
#!/usr/bin/env sh
set -euo pipefail
ENV_FILE=".env"
LOCAL_ENV=".env.local"
TEMPLATE=".env.example"
# Idempotency check
if [ -f "$ENV_FILE" ] && [ "$1" != "--force" ]; then
echo "✅ $ENV_FILE exists. Skipping generation. Use --force to overwrite."
exit 0
fi
# Dynamic host injection
HOST_IP=$(hostname -I | awk '{print $1}' 2>/dev/null || echo "127.0.0.1")
ARCH=$(uname -m)
# Template population
if [ -f "$TEMPLATE" ]; then
cp "$TEMPLATE" "$ENV_FILE"
echo "✅ Generated $ENV_FILE from template."
fi
# Append dynamic overrides to .env.local
cat <<EOF > "$LOCAL_ENV"
DOCKER_HOST=${DOCKER_HOST:-unix:///var/run/docker.sock}
LOCAL_IP=${HOST_IP}
HOST_ARCH=${ARCH}
EOF
echo "✅ Populated $LOCAL_ENV with dynamic host values."Makefile
.PHONY: env-init env-validate
env-init:
@bash scripts/bootstrap-env.sh
env-validate:
@bash -n scripts/bootstrap-env.sh
@bash scripts/bootstrap-env.sh --dry-run 2>/dev/null || echo "️ Dry-run validation requires --dry-run flag in script"Drift Diagnostics
Validate syntax and expected variable injection without filesystem mutation:
bash -n scripts/bootstrap-env.sh
./scripts/bootstrap-env.sh --dry-run 2>&1 | grep -E '^(✅|️)' || exit 1Platform Caveats
- macOS vs Linux
envsubst: macOS ships with a minimalenvsubstthat lacks--variablesflag. Installgettextvia Homebrew (brew install gettext) and symlink it, or rely on nativeshparameter expansion as implemented above. - ARM64 Binary Compatibility: If injecting architecture-specific binaries (e.g.,
jq,yq), verifyuname -mreturnsarm64on Apple Silicon andaarch64on Linux ARM. Usecasestatements in the seed script to route to the correct binary path.
Automate template synchronization via Automating .env file generation from CI artifacts workflows to pull pre-validated config bundles for staging and UAT parity without manual intervention.