Hey, community. I’m looking for a solution to create a configuration snapshot aligned with each release. If I’m correct, Doppler doesn’t currently support whole-secret-set versioning, so I’m looking for a workaround. Cloning the config from CI/CD came to mind. Something like prd_${commit}, and then creating a token and handing it over to my AWS ECS tasks at runtime.
How does it sound to you?
Are you aware of any idiomatic workarounds for versioning Doppler configurations?
You’re correct that we don’t currently have config versioning. Probably the easiest way to handle this is to take advantage of the Doppler CLI’s fallback files. These are encrypted snapshots of your secrets that you can embed in your Docker images with your release. This is typically recommended in situations where you can’t sync secrets to a local store from Doppler and desire to insulate your deployment against potential outages that might prevent your app from starting (or protect against potential rate limit issues), but it can also be used to “pin” secrets at a specific state for a release if you like. You can find some more information about this method here:
Hi Joel. I appreciate your message. I definitely will consider the fallback files option. I also would love to read your thoughts on the option I shared, if that’s possible. Thank you for all your help.
@jjrdn Creating a fallback file is essentially what you described (fetching a snapshot of the config in the state it was in). I suppose you could create a new project and manually copy the secrets to that project if you wanted, but just creating a branch config (e.g., prd_<commit>) would not have the outcome you’re desiring here because it inherits all of its secret values from the root config. If those values aren’t different from root when set, then the secret continues being in an “inheriting” state and when the secret changes down the road, it’ll change in that config as well. So, to “clone” a config in a specific state, you would need to copy it to a completely separate environment. We have a limit of 4 environments per project on the Developer plan and 15 environments per project on the other plans, so creating those on a per-commit basis likely wouldn’t scale well for you (and isn’t really how Doppler was designed to be used).
Hi, Joel. I’m sorry for the late response. What you shared makes sense.
Quick question. Can you confirm that --fallback-only would be the way to ensure that the docker run only considers the config snapshot present in the container?