🇺🇸 Ed Grosvenor 🇨🇭

Here's my problem. I have a widely distributed team of developers and everyone dips into and out of features across a very large app all the time. This results in frequent slack "Hey! Can I get an API key for XXXX service?" messages. It's a pain for everyone and it's easy to lose track of who has what keys and let the right people know when those keys are rotated.

Laravel recently introduced encrypted environment files, so the obvious choice would be to just encrypt the .env file and share it with everyone. But then that locks everyone into using the same database name, password, cache driver, etc. I use HELO for local mail. Other people use the log driver. So I don't want to overwrite everyone's entire .env file any time something changes.

So what I've done is create an encrypted .env.shared file that gets decrypted when the developer runs php artisan fresh (I'll write up a post about that little command later). Then I load the values from that .env.shared file before the user's local .env file is read into the environment.

This means that I can rotate keys, add new keys to new services, and provide any other shared configuration data with my team seamlessly. They can just set up their own .env file to whatever specifications they need for their own local development environments.

I've also set up an API endpoint on the site that receives a signed request from the user when they run php artisan fresh. That endpoint sends the decrypt key down inside a JSON payload. That means that when staff changes, I can simply rotate my keys, change the encryption key, and send a Slack message to my entire team that they need to run the fresh command to get all the new keys.

Maybe it's time to organize all my thoughts on this and submit.