The latest articles on DEV Community by Lucas de Camargo (@lucasdecamargo). https://dev.to/lucasdecamargo https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3448998%2F86e6b981-6381-4c1d-be77-f8fceaf4fbf4.jpg https://dev.to/lucasdecamargo en Lucas de Camargo Thu, 18 Dec 2025 12:59:39 +0000 https://dev.to/lucasdecamargo/aws-governance-with-a-terragrunt-live-environment-3lgi https://dev.to/lucasdecamargo/aws-governance-with-a-terragrunt-live-environment-3lgi <p>Many tech enthusiasts have the desire to start or to move their stack to AWS and benefit from its 200+ global services. It may feel intuitive to create an account on AWS and start creating resources in the AWS Console, but this is the absolutely <strong>don't</strong> when working in the Cloud.</p> <p>I have introduced some basic concepts of Governance on AWS in <a href="https://dev.to/lucasdecamargo/introducing-the-three-aws-governance-pillars-with-terraform-mkk">First steps to Governance on AWS using Terraform</a>. To recap briefly: proper AWS governance is built on <strong>Three Governance Pillars</strong>: Organizations, Accounts, and Service Control Policies (SCPs). You may understand these concepts, but if you're still manually creating resources, you're missing the foundation that makes governance actually work: <strong>Infrastructure as Code</strong>.</p> <p>Without IaC, you'll spend weeks trying to reverse-engineer your own infrastructure just to understand what you've built. Worse, when disaster strikes, like a misconfiguration, a security breach, or even accidental resource deletion, recovery becomes a manual, error-prone nightmare instead of a simple deployment operation.</p> <p>If you're already familiar with Terraform, you know the pain: managing multiple AWS accounts leads to massive code duplication, enormous state files, and configurations you're afraid to touch because you've lost track of dependencies. This is where <strong>Terragrunt</strong> becomes essential. It eliminates code duplication through a hierarchical configuration system while maintaining clear separation of concerns across your multi-account environment.</p> <p>In this guide, we'll build a Terragrunt live environment: a Git repository that versions your AWS infrastructure, organized by accounts and regions, with configurations that cascade intelligently through the hierarchy. We'll establish the foundation that makes deploying your governance resources (in the next post) both simple and maintainable.</p> <h2> Getting Started </h2> <p>The content of the Terragrunt Live Environment for this series is being maintained in my GitHub repository. In this post, I'm explaining the concepts of the repository structure, and deploying the first organization resource.</p> <p> </p> <div class="ltag-github-readme-tag"> <div class="readme-overview"> <h2> <img src="https://assets.dev.to/assets/github-logo-5a155e1f9a670af7944dd5e12375bc76ed542ea80224905ecaf878b9157cdefc.svg" alt="GitHub logo"> <a href="https://github.com/lucasdecamargo" rel="noopener noreferrer"> lucasdecamargo </a> / <a href="https://github.com/lucasdecamargo/terragrunt-live-example" rel="noopener noreferrer"> terragrunt-live-example </a> </h2> <h3> Template for a Terragrunt stack using my AWS Terraform modules including Governance management. </h3> </div> <div class="ltag-github-body"> <div id="readme" class="md"> <div class="markdown-heading"> <h1 class="heading-element">terragrunt-live-example</h1> </div> <p>Template for a Terragrunt stack using my AWS Terraform modules including Governance management.</p> </div> </div> <br> <div class="gh-btn-container"><a class="gh-btn" href="https://github.com/lucasdecamargo/terragrunt-live-example" rel="noopener noreferrer">View on GitHub</a></div> <br> </div> <h3> Installation </h3> <p>We'll be using three essential tools to manage our AWS infrastructure:</p> <ul> <li> <a href="https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html" rel="noopener noreferrer">AWS CLI v2</a> authenticates and interacts with AWS services from your terminal. It's required for Terraform to communicate with AWS APIs.</li> <li> <a href="https://developer.hashicorp.com/terraform/install" rel="noopener noreferrer">Terraform</a> is the Infrastructure as Code (IaC) engine that provisions and manages AWS resources using declarative configuration files.</li> <li> <a href="https://terragrunt.gruntwork.io/docs/getting-started/install/" rel="noopener noreferrer">Terragrunt</a> is a thin wrapper around Terraform that helps eliminate code duplication and manage multiple environments.</li> </ul> <blockquote> <p><strong>Tip:</strong> If you're using VS Code, install these extensions for better HCL syntax support:</p> <ul> <li><a href="https://marketplace.visualstudio.com/items?itemName=HashiCorp.HCL" rel="noopener noreferrer">HashiCorp HCL</a></li> <li><a href="https://marketplace.visualstudio.com/items?itemName=HashiCorp.terraform" rel="noopener noreferrer">HashiCorp Terraform</a></li> </ul> </blockquote> <h3> Named Profiles </h3> <p>Go and quickly read my post about <a href="https://dev.to/lucasdecamargo/configuring-aws-named-profiles-7cj">AWS Named Profiles</a>, if you haven't yet.</p> <p>At this point, it is considered that our AWS account doesn't yet have the SSO service enabled. Therefore, we need an access key that has the required permissions for deploying the resources we're creating in this post. These are the following:</p> <ol> <li> <a href="https://github.com/lucasdecamargo/terragrunt-live-example/blob/main/policies/backend-policy.json" rel="noopener noreferrer">Backend Policy</a> for creating and updating the remote state files in our AWS root account.</li> <li> <a href="https://github.com/lucasdecamargo/terragrunt-live-example/blob/main/policies/organization-policy.json" rel="noopener noreferrer">Organization Policy</a> for deploying the organization resources we're creating in this post.</li> </ol> <p>Make sure to check out the permissions in my <a href="https://github.com/lucasdecamargo/terragrunt-live-example/tree/main/policies" rel="noopener noreferrer">GitHub repository</a> for the Terragrunt Live Environment example.</p> <ul> <li>In your AWS Console, go to IAM -&gt; Policies, and create a new policy for each of the JSON documents I have under the <code>policies</code> folder in my repository.</li> <li>Next, go again to IAM -&gt; Users, create a new <code>terragrunt-root</code> user, and attach these policies to it.</li> <li>Generate a new pair o acess keys, and add it your AWS credentials file, <a href="https://dev.to/lucasdecamargo/configuring-aws-named-profiles-7cj">as we discussed</a>, with a name of <code>acme-root</code>, for example.</li> </ul> <h3> Live Environment </h3> <p>Our AWS infrastructure is going to <strong>live</strong> in a structured Git repository. Terragrunt allows us to define a folder structure based on our AWS accounts and to share variables and configurations across the stacks deployed to each account.</p> <p>Typically, you'd see in <a href="https://docs.gruntwork.io/2.0/docs/overview/concepts/infrastructure-live" rel="noopener noreferrer">Gruntwork's recommendation</a> the following pattern for live repositories:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>account └ _global └ region └ _global └ environment └ category └ resource </code></pre> </div> <p>As an example:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>backend └ _global └ networking └ route53-public-api-domain └ us-east-1 └ _global └ storage └ s3-assets └ dev └ compute └ ecs-public-api-cluster </code></pre> </div> <p>The <code>_global</code> folders contain resources that aren't tied to a specific region (like Route53 hosted zones, IAM roles, or S3 buckets with global names) or environment-agnostic resources.</p> <p>However, when onboarding to the Cloud for the first time, it can be challenging to predict exactly what environments and categories you'll need from the start. We can simplify this structure significantly by <strong>encoding the environment into the account name itself</strong>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>account └ _global └ region └ resource backend-dev └ _global └ route53-public-api-domain └ us-east-1 └ s3-assets └ ecs-public-api-cluster </code></pre> </div> <p>This approach aligns perfectly with our multi-account governance strategy from the previous post. We create a dedicated <code>backend-dev</code> account within our Development OU for all development work. When you're ready for production, you simply create a <code>backend-prod</code> account under your Production OU — each account maintains its own isolated folder structure.</p> <p>This simplified pattern offers a better deal for startups because it is easier to get started with, as less folder nesting means less cognitive overhead when you're learning, and it is simple to evolve by refactoring it into more granular structure later as your needs grow.</p> <h2> Writing the Terragrunt Stack </h2> <p>Now that we understand the basics of a Terragrunt live environment, let's create our first stack. We'll build a Git repository to version our infrastructure state and walk through each component step by step.</p> <p>We start by creating a Git repository locally that will version the state of our infrastructure. Consider these naming options:</p> <ul> <li> <code>terragrunt-live-management</code> or <code>terragrunt-live-governance</code> - if you want separate repositories for different groups of stacks</li> <li> <code>terragrunt-live</code> - if you're targeting a monorepo for all of your IaC stacks</li> </ul> <p>I'm using <code>terragrunt-live-example</code> for this post, and our fictional organization will be called <code>acme</code> — we'll use this name when creating AWS resources.</p> <h3> Directory Structure </h3> <p>As we discussed earlier, the repository structure begins with a directory for an AWS account, followed by a directory for the region, and finally a directory for each resource we're deploying.</p> <p>The key to understanding Terragrunt is that each layer uses an HCL file to declare local variables that cascade down through the hierarchy:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>terragrunt-live-example ├── root # Root Account │ ├── _global # Global Region │ │ ├── organization # Organization Resource │ │ │ └── terragrunt.hcl │ │ └── region.hcl │ └── account.hcl └── root.hcl </code></pre> </div> <p>When deploying the organization resource in <code>terragrunt.hcl</code>, Terragrunt loads all definitions in this order: <code>root.hcl</code> → <code>account.hcl</code> → <code>region.hcl</code> → <code>terragrunt.hcl</code>. This layered approach keeps our configuration DRY (Don't Repeat Yourself) and makes it easy to share common settings across resources.</p> <h3> Locals </h3> <p>Terragrunt locals are similar to Terraform locals. They provide a mechanism to define named expressions within a terragrunt.hcl configuration file. These expressions are evaluated and their results can be referenced throughout the same configuration file, promoting reusability and reducing repetition.</p> <p>In this example, we define the local variables for each directory layer.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># root/account.hcl</span> <span class="nx">locals</span> <span class="p">{</span> <span class="nx">account_name</span> <span class="p">=</span> <span class="s2">"root"</span> <span class="nx">aws_named_profile</span> <span class="p">=</span> <span class="s2">"acme-root"</span> <span class="nx">tags</span> <span class="p">=</span> <span class="p">{</span> <span class="s2">"Account"</span> <span class="p">=</span> <span class="s2">"root"</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># root/_global/region.hcl</span> <span class="nx">locals</span> <span class="p">{</span> <span class="nx">aws_region</span> <span class="p">=</span> <span class="s2">"us-east-1"</span> <span class="nx">tags</span> <span class="p">=</span> <span class="p">{</span> <span class="s2">"Region"</span> <span class="p">=</span> <span class="s2">"global"</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>These locals are going to be available in the inner layers we are going to be working on, preventing us from repeating ourselves when declaring our Terraform modules based on these layer values.</p> <p>Note that even though the region is <code>_global</code>, we still need to specify a default region (<code>us-east-1</code>) because the AWS CLI requires <em>some</em> region to be defined for API calls.</p> <h3> The Root File </h3> <p>The <code>root.hcl</code> file is the foundation of our Terragrunt configuration. We use Terragrunt's built-in functions <code>read_terragrunt_config</code> and <code>find_in_parent_folders</code> to automatically load the local variables we defined at each layer:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># root.hcl</span> <span class="nx">locals</span> <span class="p">{</span> <span class="c1"># Automatically load account-level variables</span> <span class="nx">account_vars</span> <span class="p">=</span> <span class="nx">read_terragrunt_config</span><span class="p">(</span><span class="nx">find_in_parent_folders</span><span class="p">(</span><span class="s2">"account.hcl"</span><span class="p">))</span> <span class="c1"># Automatically load region-level variables</span> <span class="nx">region_vars</span> <span class="p">=</span> <span class="nx">read_terragrunt_config</span><span class="p">(</span><span class="nx">find_in_parent_folders</span><span class="p">(</span><span class="s2">"region.hcl"</span><span class="p">))</span> <span class="p">}</span> </code></pre> </div> <p>It's important to understand that <code>find_in_parent_folders</code> executes from the perspective of the resource level. This means when Terragrunt processes the <code>organization</code> resource, it searches upward through parent directories to find these configuration files.</p> <p>Now we can use the inherited parameters to build new local variables:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># root.hcl</span> <span class="nx">locals</span> <span class="p">{</span> <span class="c1"># Automatically load account-level variables</span> <span class="nx">account_vars</span> <span class="p">=</span> <span class="nx">read_terragrunt_config</span><span class="p">(</span><span class="nx">find_in_parent_folders</span><span class="p">(</span><span class="s2">"account.hcl"</span><span class="p">))</span> <span class="c1"># Automatically load region-level variables</span> <span class="nx">region_vars</span> <span class="p">=</span> <span class="nx">read_terragrunt_config</span><span class="p">(</span><span class="nx">find_in_parent_folders</span><span class="p">(</span><span class="s2">"region.hcl"</span><span class="p">))</span> <span class="c1"># Extract locals from the loaded configurations</span> <span class="nx">account_name</span> <span class="p">=</span> <span class="nx">local</span><span class="p">.</span><span class="nx">account_vars</span><span class="p">.</span><span class="nx">locals</span><span class="p">.</span><span class="nx">account_name</span> <span class="nx">aws_named_profile</span> <span class="p">=</span> <span class="nx">local</span><span class="p">.</span><span class="nx">account_vars</span><span class="p">.</span><span class="nx">locals</span><span class="p">.</span><span class="nx">aws_named_profile</span> <span class="nx">aws_region</span> <span class="p">=</span> <span class="nx">local</span><span class="p">.</span><span class="nx">region_vars</span><span class="p">.</span><span class="nx">locals</span><span class="p">.</span><span class="nx">aws_region</span> <span class="c1"># Define common variables used across all resources</span> <span class="nx">org_name</span> <span class="p">=</span> <span class="s2">"acme"</span> <span class="nx">tags</span> <span class="p">=</span> <span class="p">{</span> <span class="s2">"ManagedBy"</span> <span class="p">=</span> <span class="s2">"Terragrunt"</span> <span class="p">}</span> <span class="c1"># Merge all tags hierarchically</span> <span class="nx">default_tags</span> <span class="p">=</span> <span class="nx">merge</span><span class="p">(</span> <span class="nx">local</span><span class="p">.</span><span class="nx">tags</span><span class="p">,</span> <span class="nx">local</span><span class="p">.</span><span class="nx">account_vars</span><span class="p">.</span><span class="nx">locals</span><span class="p">.</span><span class="nx">tags</span><span class="p">,</span> <span class="nx">local</span><span class="p">.</span><span class="nx">region_vars</span><span class="p">.</span><span class="nx">locals</span><span class="p">.</span><span class="nx">tags</span><span class="p">,</span> <span class="p">)</span> <span class="p">}</span> </code></pre> </div> <p>We also declare an <code>inputs</code> block to pass variables to underlying Terraform modules, making them available for cross-stack references:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># root.hcl (continued)</span> <span class="nx">inputs</span> <span class="err">=</span> <span class="nx">merge</span><span class="err">(</span> <span class="nx">local</span><span class="err">.</span><span class="nx">account_vars</span><span class="err">.</span><span class="nx">locals</span><span class="err">,</span> <span class="nx">local</span><span class="err">.</span><span class="nx">region_vars</span><span class="err">.</span><span class="nx">locals</span><span class="err">,</span> <span class="err">)</span> </code></pre> </div> <h3> Generating Providers </h3> <p>With our variables configured, we can now declare the AWS Provider for the account we're deploying to. If you're not familiar with providers, they are plugins that serve as the interface between Terraform and external services or platforms. They enable Terraform to manage resources, interact with APIs, and perform operations on various cloud platforms.</p> <p>We use Terragrunt's <code>generate</code> block to inject the provider configuration into our Terraform modules. This keeps our configuration DRY by defining this common setup once in <code>root.hcl</code> rather than repeating it in every resource:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># root.hcl (continued)</span> <span class="nx">generate</span> <span class="s2">"provider"</span> <span class="p">{</span> <span class="nx">path</span> <span class="p">=</span> <span class="s2">"provider.tf"</span> <span class="nx">if_exists</span> <span class="p">=</span> <span class="s2">"overwrite_terragrunt"</span> <span class="nx">contents</span> <span class="p">=</span> <span class="o">&lt;&lt;</span><span class="no">EOF</span><span class="sh"> provider "aws" { profile = "${local.aws_named_profile}" region = "${local.aws_region}" default_tags { tags = ${jsonencode(local.default_tags)} } } </span><span class="no">EOF </span><span class="p">}</span> </code></pre> </div> <p>When you run <code>terragrunt init</code>, this automatically generates a <code>provider.tf</code> file in the Terraform working directory with the appropriate configuration for your environment.</p> <h3> Remote State Files </h3> <p>In IaC, the state file is crucial — it stores information about your infrastructure's current status, acting as a bridge between your configuration files and the actual resources deployed in AWS. Terraform uses this state file as its single source of truth to understand what infrastructure it has created and is managing. Every change plan that Terraform calculates is based on this state file.</p> <p>Here's the key insight: since we're working in AWS, we can use our AWS accounts to store their own state files. It's also a best practice to use a separate state file per region for each AWS account. This approach:</p> <ul> <li>Minimizes the potential impact of state file corruption</li> <li>Improves performance by keeping state files smaller</li> <li>Reduces cross-regional dependencies</li> </ul> <p>We use Terragrunt's <code>remote_state</code> block to configure S3 as our state backend, with DynamoDB for state locking to prevent multiple Terraform operations from modifying the state concurrently:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># root.hcl (continued)</span> <span class="nx">remote_state</span> <span class="p">{</span> <span class="nx">backend</span> <span class="p">=</span> <span class="s2">"s3"</span> <span class="nx">config</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">encrypt</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">bucket</span> <span class="p">=</span> <span class="s2">"${local.org_name}-tfstate-${local.account_name}-${local.aws_region}-TRGRUNT"</span> <span class="nx">key</span> <span class="p">=</span> <span class="s2">"${path_relative_to_include()}/terraform.tfstate"</span> <span class="nx">region</span> <span class="p">=</span> <span class="nx">local</span><span class="p">.</span><span class="nx">aws_region</span> <span class="nx">dynamodb_table</span> <span class="p">=</span> <span class="s2">"tfstate-lock"</span> <span class="nx">profile</span> <span class="p">=</span> <span class="nx">local</span><span class="p">.</span><span class="nx">aws_named_profile</span> <span class="p">}</span> <span class="nx">generate</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">path</span> <span class="p">=</span> <span class="s2">"backend.tf"</span> <span class="nx">if_exists</span> <span class="p">=</span> <span class="s2">"overwrite_terragrunt"</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>This configuration will create an S3 bucket named <code>acme-tfstate-root-us-east-1</code> when deploying the <code>organization</code> resource. Remember that S3 bucket names must be globally unique — if the name is already taken, you'll need to modify your naming convention by adding additional tokens like <code>TRGRUNT</code>.</p> <h3> Units (Resources) </h3> <p>A <em>unit</em> in Terragrunt is a directory containing a <code>terragrunt.hcl</code> file. This hermetic unit of infrastructure is the smallest deployable entity in Terragrunt. It’s also the most important feature Terragrunt has.</p> <p>With our foundation complete, we can now declare AWS resources in our Terragrunt live stack. Let's use the organization module from the <a href="https://dev.to/lucasdecamargo/introducing-the-three-aws-governance-pillars-with-terraform-mkk">previous post</a> in this series, which is maintained in <a href="https://github.com/lucasdecamargo/terraform-aws-governance/tree/main/organization" rel="noopener noreferrer">my GitHub repository</a>.</p> <p>This module requires only the variable <code>aws_allowed_regions</code> which specifies what regions are allowed by our root organization:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># https://github.com/lucasdecamargo/terraform-aws-governance/tree/main/organization/variables.tf</span> <span class="nx">variable</span> <span class="s2">"aws_allowed_regions"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"The AWS regions allowed by the organization."</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">list</span><span class="p">(</span><span class="nx">string</span><span class="p">)</span> <span class="nx">default</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"us-east-1"</span><span class="p">,</span> <span class="s2">"us-east-2"</span><span class="p">]</span> <span class="p">}</span> </code></pre> </div> <p>To use this module, we create the simple Terragrunt configuration:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># root/_global/organization/terragrunt.hcl</span> <span class="nx">terraform</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"git::git@github.com:lucasdecamargo/terraform-aws-governance.git//organization"</span> <span class="p">}</span> <span class="nx">include</span> <span class="s2">"root"</span> <span class="p">{</span> <span class="nx">path</span> <span class="p">=</span> <span class="nx">find_in_parent_folders</span><span class="p">(</span><span class="s2">"root.hcl"</span><span class="p">)</span> <span class="p">}</span> <span class="nx">inputs</span> <span class="err">=</span> <span class="p">{</span> <span class="nx">aws_allowed_regions</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"us-east-1"</span><span class="p">,</span> <span class="s2">"us-east-2"</span><span class="p">,</span> <span class="s2">"sa-east-1"</span><span class="p">]</span> <span class="p">}</span> </code></pre> </div> <p>Let's break down what each block does:</p> <ul> <li>The <code>terraform</code> block specifies the source of the module we're deploying, pointing to the <code>organization</code> directory in my GitHub repository (by default, it uses the main branch)</li> <li>The <code>include</code> block links this resource to our live repository configuration, starting with <code>root.hcl</code> </li> <li>The <code>inputs</code> block provides the required variables to the Terraform module</li> </ul> <h2> Deploying with Terragrunt </h2> <p>At this point, our Terragrunt live environment is configured and ready to deploy. Let's understand how Terragrunt's deployment workflow works and the different ways you can deploy your infrastructure.</p> <p>Unlike plain Terraform, Terragrunt automatically calls <code>terraform init</code> before other commands when it detects that initialization is needed. After creating creating the remote state backend, the typical workflow is simply:</p> <ol> <li> <strong>Plan:</strong> Review what changes will be made</li> <li> <strong>Apply:</strong> Execute the changes</li> </ol> <p>Once the backend is bootstrapped for an account, Terragrunt handles initialization automatically for subsequent commands and no manual <code>init</code> step required unless you need to update providers or modules.</p> <h3> Deploying the Remote State Backend </h3> <p>Before deploying any infrastructure in an account, you need to create the remote state backend. Our <code>root.hcl</code> configuration specifies an S3 bucket and DynamoDB table for state management at the account level, but these don't exist yet.</p> <p>You must explicitly bootstrap these backend resources using:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">cd </span>root/_global/organization terragrunt init <span class="nt">--backend-bootstrap</span> </code></pre> </div> <p>This creates the backend infrastructure for the entire root account:</p> <ul> <li>An S3 bucket named <code>acme-tfstate-root-us-east-1-TRGRUNT</code> (with encryption enabled)</li> <li>A DynamoDB table named <code>tfstate-lock</code> for state locking</li> </ul> <p><strong>Note:</strong> Automatic backend bootstrapping is deprecated functionality and will not be the default behavior in future Terragrunt versions. Always use the --backend-bootstrap flag explicitly.</p> <p>Once the backend is created for an account, you don't need to bootstrap it again—all units within that account will use the same S3 bucket and DynamoDB table for their state files.</p> <h3> Deployment Scopes </h3> <p>You can run <code>run --all</code> commands at any depth of the stack to run the units in that stack and all of its children. Here are the different scopes:</p> <p><strong>Deploying a Single Unit</strong>*</p> <p>The most common approach — deploy one specific resource:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">cd </span>root/_global/organization terragrunt plan terragrunt apply </code></pre> </div> <p><strong>Deploying an Entire Region</strong></p> <p>Deploy all units within a region:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">cd </span>root/_global terragrunt run <span class="nt">--all</span> plan terragrunt run <span class="nt">--all</span> apply </code></pre> </div> <p><strong>Deploying an Entire Account</strong></p> <p>Deploy all resources across all regions in an account:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">cd </span>root terragrunt run <span class="nt">--all</span> plan terragrunt run <span class="nt">--all</span> apply </code></pre> </div> <p>When using <code>run --all</code>, Terragrunt analyzes the dependencies in your stack and determines an order for runs so that outputs are ready to be used as inputs in dependent units.</p> <p><strong>Important:</strong> When using <code>run --all</code> with apply or destroy, Terragrunt automatically adds the <code>-auto-approve</code> flag, meaning you won't be prompted to confirm each unit. <strong>Always run plan first to review changes.</strong></p> <h2> What's Next? </h2> <p>We've established our Terragrunt live environment with the complete repository structure, configuration hierarchy, and deployment workflow. Our infrastructure is now version-controlled, DRY, and ready to scale across multiple accounts and regions.</p> <p>Follow me to get updates about my series <em>IaC Startup on AWS</em>. I'm writing new posts about configuring AWS named profiles, and deploying governance infrastructure with Terragrunt and Terraform. By the end, you'll have a production-ready, multi-account AWS environment managed entirely through Infrastructure as Code.</p> <p>Also, make sure to check my <a href="https://github.com/lucasdecamargo" rel="noopener noreferrer">GitHub profile</a> for new projects and updates.</p> <p>Buy me a coffee if you like this post! :)</p> <p><a href="https://buymeacoffee.com/lucasdecamargo" rel="noopener noreferrer"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fcdn.buymeacoffee.com%2Fbuttons%2Fdefault-orange.png" alt="Buy Me A Coffee" height="41" width="174"></a></p> aws architecture terraform cloud Lucas de Camargo Sat, 13 Dec 2025 21:34:49 +0000 https://dev.to/lucasdecamargo/configuring-aws-named-profiles-7cj https://dev.to/lucasdecamargo/configuring-aws-named-profiles-7cj <p>Following up with our series of engineering an IaC Startup on AWS, there's this one addendum I must talk about.</p> <p>When working with multiple AWS accounts you need a way to tell the AWS CLI and Terraform which account to use for each operation. This is where <strong>named profiles</strong> come in.</p> <p>A named profile is a collection of credentials and configuration settings that represents a specific identity in a specific AWS account. Instead of constantly switching credentials or passing them as command-line arguments, you define profiles once in your local AWS configuration files and reference them by name.</p> <p>For example, you might have:</p> <ul> <li> <code>management-admin</code> - Administrator access to your management account</li> <li> <code>backend-dev-admin</code> - Administrator access to your development account</li> <li> <code>backend-prod-developer</code> - Limited developer access to production</li> </ul> <p>Named profiles are essential when working with Terraform and Terragrunt. Each stack may need to deploy resources to a different AWS account or assume different roles. By using named profiles in your Terraform provider configuration, you explicitly declare which identity should be used:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">provider</span> <span class="s2">"aws"</span> <span class="p">{</span> <span class="nx">region</span> <span class="p">=</span> <span class="s2">"us-east-1"</span> <span class="nx">profile</span> <span class="p">=</span> <span class="s2">"backend-dev-admin"</span> <span class="p">}</span> </code></pre> </div> <p>When Terraform runs, it looks for this profile in your local AWS configuration files and authenticates accordingly.</p> <p>AWS profiles are configured in two files in your home directory:</p> <p><strong><code>~/.aws/credentials</code></strong> - Stores authentication credentials (access keys or SSO configuration)</p> <p><strong><code>~/.aws/config</code></strong> - Stores regional and output preferences</p> <p>There are two primary ways to authenticate a profile.</p> <h2> Single Sign-On (SSO) - Recommended </h2> <p>This is the secure, modern approach that aligns with AWS best practices and the governance foundation we established. Instead of long-lived access keys, SSO provides temporary credentials that automatically expire:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight ini"><code><span class="c"># ~/.aws/credentials </span><span class="nn">[profile management-admin]</span> <span class="py">sso_start_url</span> <span class="p">=</span> <span class="s">https://mycorp.awsapps.com/start</span> <span class="py">sso_region</span> <span class="p">=</span> <span class="s">us-east-1</span> <span class="py">sso_account_id</span> <span class="p">=</span> <span class="s">123456789012</span> <span class="py">sso_role_name</span> <span class="p">=</span> <span class="s">AdministratorAccess</span> </code></pre> </div> <p>It is recommended to explicitly define the configuration values for each profile:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight ini"><code><span class="c"># ~/.aws/config </span><span class="nn">[profile management-admin]</span> <span class="py">region</span> <span class="p">=</span> <span class="s">us-east-1</span> <span class="py">output</span> <span class="p">=</span> <span class="s">json</span> </code></pre> </div> <p>To use an SSO profile, you need to login with the AWS CLI before running Terraform or any CLI command, which opens a browser for authentication and caches temporary credentials.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>aws sso login <span class="nt">--profile</span> management-admin <span class="c"># Test it with</span> aws sts get-caller-identity <span class="nt">--profile</span> management-admin </code></pre> </div> <h2> Access Keys </h2> <p>Long-lived access keys can be stored directly in <code>~/.aws/credentials</code>, but <strong>this approach is discouraged by AWS security best practices because</strong>:</p> <ul> <li>Keys don't expire automatically</li> <li>If accidentally committed to Git or exposed, they remain valid until manually rotated</li> <li>They don't provide the same audit trail as SSO </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight ini"><code><span class="c"># ~/.aws/credentials (avoid this approach if possible) </span><span class="nn">[management-admin]</span> <span class="py">aws_access_key_id</span> <span class="p">=</span> <span class="s">AKIAIOSFODNN7EXAMPLE</span> <span class="py">aws_secret_access_key</span> <span class="p">=</span> <span class="s">wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY</span> </code></pre> </div> <p><strong>Important:</strong> The <code>default</code> profile (with no <code>profile</code> prefix) is the profile used when no specific profile is specified. For safety, leave it unconfigured.</p> <h2> Testing Profiles </h2> <p>Once you've configured your profiles, it's essential to verify they're working correctly before attempting to deploy infrastructure.</p> <p>For SSO profiles, start by logging in:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Login to the SSO profile</span> aws sso login <span class="nt">--profile</span> management-admin </code></pre> </div> <p>This opens your browser for authentication. After successfully logging in, the credentials are cached locally (typically for 8-12 hours, depending on your SSO configuration).</p> <p>For access key profiles, the test is simpler since no login is required.</p> <p>Test your profiles by retrieving your caller identity:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>aws sts get-caller-identity <span class="nt">--profile</span> management-admin </code></pre> </div> <p>You should see output like:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"UserId"</span><span class="p">:</span><span class="w"> </span><span class="s2">"AROA...:user@example.com"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Account"</span><span class="p">:</span><span class="w"> </span><span class="s2">"123456789012"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Arn"</span><span class="p">:</span><span class="w"> </span><span class="s2">"arn:aws:sts::123456789012:assumed-role/AdministratorAccess/user@example.com"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>You can also list resources to verify permissions:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># List S3 buckets</span> aws s3 <span class="nb">ls</span> <span class="nt">--profile</span> management-admin <span class="c"># List EC2 instances in a specific region</span> aws ec2 describe-instances <span class="nt">--region</span> us-east-1 <span class="nt">--profile</span> management-admin </code></pre> </div> <p>If you see "UnauthorizedOperation" or "AccessDenied" errors, check that your IAM user or role has the necessary permissions attached.</p> <h2> Deploying Governance before SSO </h2> <p>Here's the chicken and the egg! The problem with the first and recommended approach is that we need to first enable SSO in AWS and define an account for each user with the right accesss permissions. Without SSO, we're left with no choice rather using a temporary access key to work with IaC on AWS.</p> <p>If creating an admin user in IAM with no restrictions feels too much and not a good governance approach for you, I have written a set of granular permissions that are needed for deploying our organization resources until we configure SSO.</p> <p>Check out the permissions in my <a href="https://github.com/lucasdecamargo/terragrunt-live-example/tree/main/policies" rel="noopener noreferrer">GitHub repository</a> for the Terragrunt Live Environment example.</p> <ul> <li>In your AWS Console, go to IAM -&gt; Policies, and create a new policy for each of the JSON documents I have under the <code>policies</code> folder in my repository.</li> <li>Next, go again to IAM -&gt; Users, create a new <code>terragrunt-root</code> user, and attach these policies to it.</li> <li>Generate a new pair o acess keys, and add it your AWS credentials file, as we discussed, with some name of <code>acme-root</code>, for example.</li> </ul> <h2> What's Next? </h2> <p>Now that we've configured AWS named profiles for secure authentication across multiple accounts, we have everything we need to actually deploy our governance infrastructure.</p> <p>Follow me to get updates about my series <em>IaC Startup on AWS</em>. I'm writing new posts about deploying governance infrastructure with Terragrunt and Terraform.</p> <p>Also, make sure to check my <a href="https://github.com/lucasdecamargo" rel="noopener noreferrer">GitHub profile</a> for new projects and updates.</p> <p>Buy me a coffee if you like this post! :)</p> <p><a href="https://buymeacoffee.com/lucasdecamargo" rel="noopener noreferrer"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fcdn.buymeacoffee.com%2Fbuttons%2Fdefault-orange.png" alt="Buy Me A Coffee" width="434" height="100"></a></p> aws terraform devops cloud Lucas de Camargo Sat, 13 Dec 2025 20:30:30 +0000 https://dev.to/lucasdecamargo/introducing-the-three-aws-governance-pillars-with-terraform-mkk https://dev.to/lucasdecamargo/introducing-the-three-aws-governance-pillars-with-terraform-mkk <p>I've seen many excellent tech enthusiasts come up with great ideas to start a service, an app, or even an entire business. Most are familiar with what AWS offers, but few understand how to establish proper governance in their new organization, no matter how small. This gap often leads to painful consequences down the road — infrastructure that's difficult to audit, security vulnerabilities that grow with each new resource, and technical debt that becomes exponentially harder to fix as your startup scales.</p> <p>Although some prefer to use backend as a service tools such as Supabase for hosting their website and building their user base, these tools not only come with high costs, but they're limited frameworks when compared to the 200+ global, on-demand services offered by AWS. More importantly, they abstract away the infrastructure knowledge that becomes critical as you grow.</p> <p>On the other hand, starting up with AWS may feel overwhelming at first glance, not to mention that management and governance may get out of control when creating resources directly in the AWS Console. Without proper structure from day one, you'll find yourself manually clicking through the console, creating resources inconsistently across environments, with no clear audit trail of who changed what or when. I've seen startups spend weeks trying to reverse-engineer their own infrastructure just to understand what they've built.</p> <p>The good news? Once you learn how to get started on AWS the <strong>right</strong> way—with Infrastructure as Code and proper governance from the beginning—it becomes intuitive to scale at very low prices, like $0.50 per month for hosting a website. More importantly, you'll have a <strong>reproducible, auditable, and secure foundation</strong> aligned with the AWS Well-Architected Framework. Every new project, environment, or team member can leverage the same proven patterns, eliminating weeks of setup time and preventing costly security mistakes before they happen.</p> <p><strong>This series will show you exactly how to build that foundation</strong>, starting with the governance primitives that AWS itself recommends: Organizations, Accounts, and Policies. Whether you're a solo founder or building with a small team, these patterns will save you countless hours and headaches as you grow.</p> <h2> The Three Governance Pillars </h2> <p>To get hands-on with your new infrastructure skills, let me introduce three AWS resources that are going to be the ground basis of our business: Organizations, Accounts, and Policies.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fadg7a4oyy9xhywhqzfhl.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fadg7a4oyy9xhywhqzfhl.png" alt="AWS Organization"></a></p> <p><strong>AWS Organizations and Organization Units</strong></p> <p>Like the control tower for your entire cloud infrastructure, an Organization provides centralized management for multiple AWS accounts, allowing you to structure them hierarchically like a family tree. At the very top sits the Organization Root - this is the parent container for everything in your AWS account. Below the root, you create Organizational Units (OUs), which are logical groupings that help you organize accounts by function, environment, or business unit. For example, you might have separate OUs for "Production," "Development," and "Security." The key difference is that the Organization Root is singular and encompasses everything, while OUs are the building blocks you create to segment and organize your accounts.</p> <p>Organizations work hand-in-hand with Accounts (which live inside OUs) and Policies (which can be attached at any level of the hierarchy to enforce governance rules).</p> <p><strong>AWS Organization Accounts</strong></p> <p>Individual AWS accounts are the fundamental security and resource boundaries in AWS. Each account acts as an isolated container for resources, with its own billing, access controls, and resource limits. Working with multiple accounts isn't just a nice-to-have - it's a critical best practice because it provides natural blast radius containment (if something goes wrong in one account, others remain unaffected), simplified compliance boundaries, and clearer cost allocation.</p> <p>Within an Organization, accounts nest inside units and inherit any policies applied to their parent OU or the organization root, creating a powerful governance cascade from top to bottom.</p> <p><strong>Service Control Policies (SCPs)</strong></p> <p>Organization policies are your guardrails - they define the maximum permissions that any entity within an account can have, regardless of what their IAM permissions say. Think of them as a safety net that prevents accidental or intentional actions that could harm your organization. Common examples include preventing accounts from leaving the organization, restricting which AWS regions can be used, or blocking the deletion of critical resources like CloudTrail logs.</p> <p>SCPs attach to the Organization Root, OUs, or individual accounts, and they flow downward through the hierarchy - a policy attached to an OU automatically applies to all accounts within that OU and any nested OUs below it.</p> <p>The example above illustrates a simple but mature organizational structure. AWS Organizations is designed to evolve with your startup - you'll typically begin with just two or three accounts addressing immediate needs, then add new organizational units and accounts as real requirements emerge from your business operations. This iterative approach isn't a compromise; it's the recommended path because it ensures every piece of your infrastructure exists for a concrete purpose rather than speculative needs. Since you can freely reorganize accounts and OUs later, there's no penalty for starting simple.</p> <h2> Terraform Modules </h2> <p>In this section, we'll create reusable Terraform modules for our governance resources. These modules will live in a GitHub repository called <code>terraform-aws-governance</code> and will be designed to work together as building blocks for your AWS foundation.</p> <p><strong>Choosing the Right Granularity</strong></p> <p>When structuring Infrastructure as Code (IaC), there are three common approaches, each with trade-offs:</p> <ol> <li><p><strong>Monolithic</strong>: One large Terraform configuration managing everything. Quick to start but becomes cubersome as you grow and risky to change.</p></li> <li><p><strong>One-repo-per-module</strong>: Each module in its own repository. Maximum isolation but harder to maintain consistency and versioning across related modules.</p></li> <li><p><strong>Grouped modules</strong>: Related modules in a single repository (our choice). This balances reusability with maintainability - our <code>terraform-aws-governance</code> repo will contain modules for organizations, organizational units, accounts, and eventually billing and audit configurations.</p></li> </ol> <p>We're choosing the grouped approach because governance resources are inherently related and often change together. This structure also works excellently with Terragrunt, which we'll use later to orchestrate these modules into a complete infrastructure stack while maintaining clear separation of concerns.</p> <p>Starting with the essentials, we'll create three foundational modules:</p> <ul> <li> <strong>organization</strong>: Creates the AWS Organization with baseline security policies</li> <li> <strong>organizational-unit</strong>: Creates OUs with customizable policies </li> <li> <strong>account</strong>: Provisions new AWS accounts within specified OUs</li> </ul> <p>Each module is designed to be stateless and idempotent, meaning you can safely run them multiple times without side effects. The folder structure is defined as below:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>terraform-aws-governance/ ├── organization/ │ ├── main.tf │ ├── variables.tf │ └── outputs.tf ├── organization-unit/ │ ├── main.tf │ ├── variables.tf │ └── outputs.tf └── account/ ├── main.tf ├── variables.tf └── outputs.tf </code></pre> </div> <p>The full implementation of this blog post is available in my <a href="https://github.com/lucasdecamargo/terraform-aws-governance" rel="noopener noreferrer">GitHub repository</a>. </p> <p> </p> <div class="ltag-github-readme-tag"> <div class="readme-overview"> <h2> <img src="https://assets.dev.to/assets/github-logo-5a155e1f9a670af7944dd5e12375bc76ed542ea80224905ecaf878b9157cdefc.svg" alt="GitHub logo"> <a href="https://github.com/lucasdecamargo" rel="noopener noreferrer"> lucasdecamargo </a> / <a href="https://github.com/lucasdecamargo/terraform-aws-governance" rel="noopener noreferrer"> terraform-aws-governance </a> </h2> <h3> Terraform modules for AWS governance services, like Organizations, Identity and Budget. </h3> </div> <div class="ltag-github-body"> <div id="readme" class="md"> <div class="markdown-heading"> <h1 class="heading-element">Terraform AWS Governance Modules</h1> </div> <p>A collection of Terraform modules that codify the governance pillars featured in the blog post <em>IaC Startup on AWS: Governance Pillars</em>.^{<a href="https://github.com/lucasdecamargo/terraform-aws-governance#user-content-fn-blog-50df82bdbd4dde10e7c8f2920f4ada06" id="user-content-fnref-blog-50df82bdbd4dde10e7c8f2920f4ada06" rel="noopener noreferrer">1</a>}</p> <p>The modules help you bootstrap an AWS Organization with opinionated Service Control Policies (SCPs), create Organizational Units (OUs), and provision member accounts with consistent guardrails. They are designed to be composed together or orchestrated with tools such as Terragrunt.</p> <div class="markdown-heading"> <h2 class="heading-element">Module Overview</h2> </div> <ul> <li> <code>organization</code>: Creates the AWS Organization, enables key services, and attaches baseline SCPs that lock operations to approved regions, protect logging, and keep IAM Identity Center centralized.</li> <li> <code>organization-unit</code>: Provisions an OU under any parent and allows you to attach existing SCPs or create a custom policy for that branch of the hierarchy.</li> <li> <code>account</code>: Automates new AWS member accounts with optional billing console access, inherited SCP attachments, and per-account guardrails.</li> </ul> <div class="markdown-heading"> <h3 class="heading-element">organization</h3> </div> <ul> <li>Enables IAM and IAM Identity Center integration, sets the feature…</li> </ul> </div> <br> </div> <br> <div class="gh-btn-container"><a class="gh-btn" href="https://github.com/lucasdecamargo/terraform-aws-governance" rel="noopener noreferrer">View on GitHub</a></div> <br> </div> <p>Let's begin with the organization module, which establishes our governance foundation.</p> <h3> Organization </h3> <p>This module creates the foundation of your AWS governance structure. Let's start with the core resource - the AWS Organization itself:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">resource</span> <span class="s2">"aws_organizations_organization"</span> <span class="s2">"this"</span> <span class="p">{</span> <span class="nx">aws_service_access_principals</span> <span class="p">=</span> <span class="p">[</span> <span class="c1"># Allows IAM roles to work across accounts</span> <span class="s2">"iam.amazonaws.com"</span><span class="p">,</span> <span class="c1"># Enables centralized user management</span> <span class="s2">"sso.amazonaws.com"</span> <span class="p">]</span> <span class="c1"># Enables all organization features</span> <span class="nx">feature_set</span> <span class="p">=</span> <span class="s2">"ALL"</span> <span class="nx">enabled_policy_types</span> <span class="p">=</span> <span class="p">[</span> <span class="c1"># Primary governance tool (SCPs)</span> <span class="s2">"SERVICE_CONTROL_POLICY"</span> <span class="p">]</span> <span class="p">}</span> </code></pre> </div> <p>This resource can only be created once, from what will become your management account. The <code>feature_set = "ALL"</code> is crucial - it enables Service Control Policies, which are your primary governance tool. Without this, you'd only get consolidated billing.</p> <p>Service Control Policies (SCPs) are preventive controls that define the maximum permissions for your organization. Even if someone has full administrator access in an account, they can't perform actions that SCPs deny. Let's implement three essential policies that every startup should have from day one.</p> <p><strong>SCP 1: Restricting AWS Regions</strong></p> <p>Many startups need to restrict where data can be stored for compliance or cost reasons. This policy ensures resources can only be created in your approved regions:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">variable</span> <span class="s2">"aws_allowed_regions"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"The AWS regions allowed by the organization."</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">list</span><span class="p">(</span><span class="nx">string</span><span class="p">)</span> <span class="nx">default</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"us-east-1"</span><span class="p">,</span> <span class="s2">"us-east-2"</span><span class="p">]</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"aws_organizations_policy"</span> <span class="s2">"deny_non_allowed_regions"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"DenyNonAllowedRegions"</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"SERVICE_CONTROL_POLICY"</span> <span class="c1"># Ensure the policy is created after the organization is created</span> <span class="nx">depends_on</span> <span class="p">=</span> <span class="p">[</span><span class="nx">aws_organizations_organization</span><span class="p">.</span><span class="nx">this</span><span class="p">]</span> <span class="nx">content</span> <span class="p">=</span> <span class="nx">jsonencode</span><span class="p">({</span> <span class="nx">Version</span> <span class="p">=</span> <span class="s2">"2012-10-17"</span> <span class="nx">Statement</span> <span class="p">=</span> <span class="p">[{</span> <span class="nx">Sid</span> <span class="p">=</span> <span class="s2">"DenyAllOutsideAllowedRegions"</span> <span class="nx">Effect</span> <span class="p">=</span> <span class="s2">"Deny"</span> <span class="nx">Action</span> <span class="p">=</span> <span class="s2">"*"</span> <span class="nx">Resource</span> <span class="p">=</span> <span class="s2">"*"</span> <span class="nx">Condition</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">StringNotEquals</span> <span class="p">=</span> <span class="p">{</span> <span class="s2">"aws:RequestedRegion"</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">aws_allowed_regions</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}]</span> <span class="p">})</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"aws_organizations_policy_attachment"</span> <span class="s2">"deny_non_allowed_regions"</span> <span class="p">{</span> <span class="nx">policy_id</span> <span class="p">=</span> <span class="nx">aws_organizations_policy</span><span class="p">.</span><span class="nx">deny_non_allowed_regions</span><span class="p">.</span><span class="nx">id</span> <span class="nx">target_id</span> <span class="p">=</span> <span class="nx">aws_organizations_organization</span><span class="p">.</span><span class="nx">this</span><span class="p">.</span><span class="nx">roots</span><span class="p">[</span><span class="mi">0</span><span class="p">].</span><span class="nx">id</span> <span class="p">}</span> </code></pre> </div> <p>Notice how we use a variable for <code>aws_allowed_regions</code>. This makes it easy to adjust as your compliance requirements evolve. The region <code>us-east-1</code> is always needed for AWS global resources that are hosted in the North Virginia region. If you are in western Europe, you'd use <code>["us-east-1", "eu-west-1"]</code>.</p> <p>In this first deployment, we need to tell Terraform that the policies we are creating depend on the organization resource with the argument <code>depends_on</code>, otherwise it will try to create the policies before the organization completes, which causes an error.</p> <p>The <code>roots[0].id</code> refers to the organization's root - the top of your organizational hierarchy. Policies attached here cascade down to every OU and account below.</p> <p><strong>SCP 2: Centralized Authentication</strong></p> <p>This policy prevents individual accounts from creating their own IAM Identity Center instances (Accounts), ensuring authentication stays centralized:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">resource</span> <span class="s2">"aws_organizations_policy"</span> <span class="s2">"deny_member_account_sso"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"DenyMemberAccountSSO"</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"SERVICE_CONTROL_POLICY"</span> <span class="c1"># Ensure the policy is created after the organization is created</span> <span class="nx">depends_on</span> <span class="p">=</span> <span class="p">[</span><span class="nx">aws_organizations_organization</span><span class="p">.</span><span class="nx">this</span><span class="p">]</span> <span class="nx">content</span> <span class="p">=</span> <span class="nx">jsonencode</span><span class="p">({</span> <span class="nx">Version</span> <span class="p">=</span> <span class="s2">"2012-10-17"</span> <span class="nx">Statement</span> <span class="p">=</span> <span class="p">[{</span> <span class="nx">Effect</span> <span class="p">=</span> <span class="s2">"Deny"</span> <span class="nx">Action</span> <span class="p">=</span> <span class="p">[</span> <span class="s2">"sso:CreateInstance"</span><span class="p">,</span> <span class="s2">"sso:DeleteInstance"</span> <span class="p">]</span> <span class="nx">Resource</span> <span class="p">=</span> <span class="s2">"*"</span> <span class="p">}]</span> <span class="p">})</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"aws_organizations_policy_attachment"</span> <span class="s2">"deny_member_account_sso"</span> <span class="p">{</span> <span class="nx">policy_id</span> <span class="p">=</span> <span class="nx">aws_organizations_policy</span><span class="p">.</span><span class="nx">deny_member_account_sso</span><span class="p">.</span><span class="nx">id</span> <span class="nx">target_id</span> <span class="p">=</span> <span class="nx">aws_organizations_organization</span><span class="p">.</span><span class="nx">this</span><span class="p">.</span><span class="nx">roots</span><span class="p">[</span><span class="mi">0</span><span class="p">].</span><span class="nx">id</span> <span class="p">}</span> </code></pre> </div> <p>Without this policy, any account could set up its own identity provider, leading to a fragmented authentication landscape that's impossible to audit or secure properly.</p> <p><strong>SCP 3: Protecting Critical Resources</strong></p> <p>This policy prevents accidental or malicious deletion of your audit trail:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">resource</span> <span class="s2">"aws_organizations_policy"</span> <span class="s2">"protect_organization_resources"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"ProtectOrganizationResources"</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"SERVICE_CONTROL_POLICY"</span> <span class="c1"># Ensure the policy is created after the organization is created</span> <span class="nx">depends_on</span> <span class="p">=</span> <span class="p">[</span><span class="nx">aws_organizations_organization</span><span class="p">.</span><span class="nx">this</span><span class="p">]</span> <span class="nx">content</span> <span class="p">=</span> <span class="nx">jsonencode</span><span class="p">({</span> <span class="nx">Version</span> <span class="p">=</span> <span class="s2">"2012-10-17"</span> <span class="nx">Statement</span> <span class="p">=</span> <span class="p">[</span> <span class="p">{</span> <span class="nx">Sid</span> <span class="p">=</span> <span class="s2">"ProtectCloudTrail"</span> <span class="nx">Effect</span> <span class="p">=</span> <span class="s2">"Deny"</span> <span class="nx">Action</span> <span class="p">=</span> <span class="p">[</span> <span class="s2">"cloudtrail:DeleteTrail"</span><span class="p">,</span> <span class="s2">"cloudtrail:StopLogging"</span> <span class="p">]</span> <span class="nx">Resource</span> <span class="p">=</span> <span class="s2">"*"</span> <span class="p">},</span> <span class="p">{</span> <span class="nx">Sid</span> <span class="p">=</span> <span class="s2">"PreventLeavingOrganization"</span> <span class="nx">Effect</span> <span class="p">=</span> <span class="s2">"Deny"</span> <span class="nx">Action</span> <span class="p">=</span> <span class="p">[</span> <span class="s2">"organizations:LeaveOrganization"</span> <span class="p">]</span> <span class="nx">Resource</span> <span class="p">=</span> <span class="s2">"*"</span> <span class="p">}</span> <span class="p">]</span> <span class="p">})</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"aws_organizations_policy_attachment"</span> <span class="s2">"protect_organization_resources"</span> <span class="p">{</span> <span class="nx">policy_id</span> <span class="p">=</span> <span class="nx">aws_organizations_policy</span><span class="p">.</span><span class="nx">protect_organization_resources</span><span class="p">.</span><span class="nx">id</span> <span class="nx">target_id</span> <span class="p">=</span> <span class="nx">aws_organizations_organization</span><span class="p">.</span><span class="nx">this</span><span class="p">.</span><span class="nx">roots</span><span class="p">[</span><span class="mi">0</span><span class="p">].</span><span class="nx">id</span> <span class="p">}</span> </code></pre> </div> <p>These protections ensure that even if credentials are compromised, attackers can't cover their tracks by deleting logs or remove accounts from your organization's oversight.</p> <p><strong>Module Outputs</strong></p> <p>Finally, we export key information that other modules will need:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">output</span> <span class="s2">"organization_root_id"</span> <span class="p">{</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">aws_organizations_organization</span><span class="p">.</span><span class="nx">this</span><span class="p">.</span><span class="nx">roots</span><span class="p">[</span><span class="mi">0</span><span class="p">].</span><span class="nx">id</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"The ID of the root of the AWS Organization"</span> <span class="p">}</span> <span class="nx">output</span> <span class="s2">"scp_policy_ids"</span> <span class="p">{</span> <span class="nx">value</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">deny_non_allowed_regions</span> <span class="p">=</span> <span class="nx">aws_organizations_policy</span><span class="p">.</span><span class="nx">deny_non_allowed_regions</span><span class="p">.</span><span class="nx">id</span> <span class="nx">protect_organization_resources</span> <span class="p">=</span> <span class="nx">aws_organizations_policy</span><span class="p">.</span><span class="nx">protect_organization_resources</span><span class="p">.</span><span class="nx">id</span> <span class="nx">deny_member_account_sso</span> <span class="p">=</span> <span class="nx">aws_organizations_policy</span><span class="p">.</span><span class="nx">deny_member_account_sso</span><span class="p">.</span><span class="nx">id</span> <span class="p">}</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Map of Service Control Policy IDs"</span> <span class="p">}</span> </code></pre> </div> <p>These outputs become the connection points for your next modules. The <code>organization_root_id</code> is where you'll attach OUs, and the <code>scp_policy_ids</code> map lets other modules reference these policies without hardcoding IDs.</p> <p>Remember that this module must be run from your management account and can only be applied once. In practice, you'll run this before creating any other infrastructure. The account running this Terraform code becomes the permanent management account for your organization - choose wisely, as this can't be changed later without recreating the entire organization.</p> <h3> Organization Unit </h3> <p>Now that we have our Organization foundation, we need a way to create logical groupings for our accounts. Organizational Units (OUs) are containers that help you organize accounts based on their function, compliance requirements, or operational needs.</p> <p>The core of our OU module is surprisingly simple - creating an OU requires just a name and a parent:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">variable</span> <span class="s2">"name"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Name of the Organizational Unit"</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="nx">validation</span> <span class="p">{</span> <span class="nx">condition</span> <span class="p">=</span> <span class="nx">length</span><span class="p">(</span><span class="nx">var</span><span class="p">.</span><span class="nx">name</span><span class="p">)</span> <span class="err">&lt;</span><span class="p">=</span> <span class="mi">128</span> <span class="nx">error_message</span> <span class="p">=</span> <span class="s2">"OU name must be 128 characters or less"</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"parent_id"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"ID of the parent OU or Organization Root"</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"aws_organizations_organizational_unit"</span> <span class="s2">"this"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">name</span> <span class="nx">parent_id</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">parent_id</span> <span class="p">}</span> </code></pre> </div> <p>The <code>parent_id</code> is crucial here - it determines where in your organization hierarchy this OU sits. This could be the organization root (for top-level OUs like "Production" or "Development") or another OU (for nested structures like "Production/EU" or "Production/US").</p> <p>What makes OUs powerful is their ability to have their own policies while inheriting from their parents. Our module supports two approaches to policy management.</p> <p>Often, you'll want to reuse policies across multiple OUs. For example, you might have a standard "DevelopmentRestrictions" policy that applies to all development OUs:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">variable</span> <span class="s2">"attach_policy_ids"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"List of existing SCP policy IDs to attach to this OU"</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">list</span><span class="p">(</span><span class="nx">string</span><span class="p">)</span> <span class="nx">default</span> <span class="p">=</span> <span class="p">[]</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"aws_organizations_policy_attachment"</span> <span class="s2">"existing"</span> <span class="p">{</span> <span class="nx">for_each</span> <span class="p">=</span> <span class="nx">toset</span><span class="p">(</span><span class="nx">var</span><span class="p">.</span><span class="nx">attach_policy_ids</span><span class="p">)</span> <span class="nx">policy_id</span> <span class="p">=</span> <span class="nx">each</span><span class="p">.</span><span class="nx">value</span> <span class="nx">target_id</span> <span class="p">=</span> <span class="nx">aws_organizations_organizational_unit</span><span class="p">.</span><span class="nx">this</span><span class="p">.</span><span class="nx">id</span> <span class="p">}</span> </code></pre> </div> <p>Using <code>for_each</code> here allows you to attach multiple policies in a single module call. The <code>toset()</code> function ensures Terraform treats the policy IDs as unique identifiers rather than an ordered list, which prevents unnecessary recreations if the order changes.</p> <p><strong>Creating OU-Specific Policies</strong></p> <p>Sometimes an OU needs its own specific restrictions. Our module allows creating a custom policy alongside the OU:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">variable</span> <span class="s2">"create_policy"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Optional custom SCP policy to create and attach to this OU"</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">object</span><span class="p">({</span> <span class="nx">name</span> <span class="p">=</span> <span class="nx">string</span> <span class="nx">description</span> <span class="p">=</span> <span class="nx">string</span> <span class="nx">content</span> <span class="p">=</span> <span class="nx">string</span> <span class="p">})</span> <span class="nx">default</span> <span class="p">=</span> <span class="kc">null</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"aws_organizations_policy"</span> <span class="s2">"custom"</span> <span class="p">{</span> <span class="nx">count</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">create_policy</span> <span class="err">!</span><span class="p">=</span> <span class="kc">null</span> <span class="err">?</span> <span class="mi">1</span> <span class="err">:</span> <span class="mi">0</span> <span class="nx">name</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">create_policy</span><span class="p">.</span><span class="nx">name</span> <span class="nx">description</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">create_policy</span><span class="p">.</span><span class="nx">description</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"SERVICE_CONTROL_POLICY"</span> <span class="nx">content</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">create_policy</span><span class="p">.</span><span class="nx">content</span> <span class="p">}</span> </code></pre> </div> <p>The <code>create_policy</code> variable groups related attributes together and makes the module interface cleaner. When calling the module, you either provide all policy details or nothing - preventing partial configurations that could cause errors.</p> <p>The <code>count</code> parameter makes this optional - the policy is only created if you provide the <code>create_policy</code> variable. This pattern keeps the module flexible without requiring complex policy definitions for simple OUs.</p> <p><strong>Module Outputs</strong></p> <p>The outputs are designed to support module composition - using this module's outputs as inputs to others:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">output</span> <span class="s2">"id"</span> <span class="p">{</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">aws_organizations_organizational_unit</span><span class="p">.</span><span class="nx">this</span><span class="p">.</span><span class="nx">id</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"The ID of the Organizational Unit"</span> <span class="p">}</span> <span class="nx">output</span> <span class="s2">"arn"</span> <span class="p">{</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">aws_organizations_organizational_unit</span><span class="p">.</span><span class="nx">this</span><span class="p">.</span><span class="nx">arn</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"The ARN of the Organizational Unit"</span> <span class="p">}</span> <span class="nx">output</span> <span class="s2">"name"</span> <span class="p">{</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">aws_organizations_organizational_unit</span><span class="p">.</span><span class="nx">this</span><span class="p">.</span><span class="nx">name</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"The name of the Organizational Unit"</span> <span class="p">}</span> <span class="nx">output</span> <span class="s2">"parent_id"</span> <span class="p">{</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">aws_organizations_organizational_unit</span><span class="p">.</span><span class="nx">this</span><span class="p">.</span><span class="nx">parent_id</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"The ID of the parent OU or Organization Root"</span> <span class="p">}</span> <span class="nx">output</span> <span class="s2">"custom_policy_id"</span> <span class="p">{</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">create_policy</span> <span class="err">!</span><span class="p">=</span> <span class="kc">null</span> <span class="err">?</span> <span class="nx">aws_organizations_policy</span><span class="p">.</span><span class="nx">custom</span><span class="p">[</span><span class="mi">0</span><span class="p">].</span><span class="nx">id</span> <span class="err">:</span> <span class="kc">null</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"The ID of the custom policy created for this OU (if any)"</span> <span class="p">}</span> </code></pre> </div> <p>The id output becomes the <code>parent_id</code> input when creating nested OUs or the <code>parent_id</code> when creating accounts. The <code>custom_policy_id</code> makes it possible to re-use the same custom policy in other resources.</p> <h3> Account </h3> <p>With our organization and OUs in place, the next step is to create individual AWS accounts that will live under this governance structure.<br> Each account represents an isolated environment — for example, development, staging, or production. The goal of this module is to make account creation repeatable, compliant, and safe.</p> <p>Creating accounts programmatically through AWS Organizations can be tricky: accounts are immutable in many ways and must always have a unique email address. Having a module for Accounts allow us to wrap this process with sensible defaults and governance best practices.</p> <p>The main resource for provisioning new accounts is <code>aws_organizations_account</code>. This resource instructs AWS Organizations to create a new member account within your organization hierarchy:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">variable</span> <span class="s2">"name"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Name for the account to be created"</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"email"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Email address for this account, needs to be unique"</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"billing_access"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Whether the account should have access to the AWS Billing Console"</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">bool</span> <span class="nx">default</span> <span class="p">=</span> <span class="kc">false</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"aws_organizations_account"</span> <span class="s2">"account"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">name</span> <span class="nx">email</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">email</span> <span class="nx">iam_user_access_to_billing</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">billing_access</span> <span class="err">?</span> <span class="s2">"ALLOW"</span> <span class="err">:</span> <span class="s2">"DENY"</span> <span class="nx">lifecycle</span> <span class="p">{</span> <span class="c1"># Ignore changes to prevent the account from being deleted and recreated</span> <span class="nx">ignore_changes</span> <span class="p">=</span> <span class="p">[</span><span class="nx">name</span><span class="p">,</span> <span class="nx">email</span><span class="p">]</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>The parameter <code>iam_user_access_to_billing</code> controls whether IAM users can access the Billing Console in that account. By default, it’s disabled (DENY), which aligns with AWS’s security best practices.</p> <p>Once an AWS account is created, its name and email can’t be modified via Terraform — trying to do so would trigger a full recreation of the account (which is not allowed). Ignoring these attributes with <code>ignore_changes</code> prevents unnecessary drift and protects against accidental destruction of live accounts.</p> <p>Just like OUs, accounts inherit policies from their parents but can also have additional Service Control Policies (SCPs) applied directly. You can pass one or more existing policy IDs — for example, those defined at the organization or OU level — and they’ll automatically attach to this account:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">variable</span> <span class="s2">"attach_policy_ids"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"List of existing SCP policy IDs to attach to this account"</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">list</span><span class="p">(</span><span class="nx">string</span><span class="p">)</span> <span class="nx">default</span> <span class="p">=</span> <span class="p">[]</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"aws_organizations_policy_attachment"</span> <span class="s2">"existing"</span> <span class="p">{</span> <span class="nx">for_each</span> <span class="p">=</span> <span class="nx">toset</span><span class="p">(</span><span class="nx">var</span><span class="p">.</span><span class="nx">attach_policy_ids</span><span class="p">)</span> <span class="nx">policy_id</span> <span class="p">=</span> <span class="nx">each</span><span class="p">.</span><span class="nx">value</span> <span class="nx">target_id</span> <span class="p">=</span> <span class="nx">aws_organizations_account</span><span class="p">.</span><span class="nx">account</span><span class="p">.</span><span class="nx">id</span> <span class="p">}</span> </code></pre> </div> <p>The same way, if a specific account requires a unique restriction — for instance, limiting IAM role creation or disabling certain AWS services — you can create and attach a custom SCP directly:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">variable</span> <span class="s2">"create_policy"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Optional custom SCP policy to create and attach to this account"</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">object</span><span class="p">({</span> <span class="nx">name</span> <span class="p">=</span> <span class="nx">string</span> <span class="nx">description</span> <span class="p">=</span> <span class="nx">string</span> <span class="nx">content</span> <span class="p">=</span> <span class="nx">string</span> <span class="p">})</span> <span class="nx">default</span> <span class="p">=</span> <span class="kc">null</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"aws_organizations_policy"</span> <span class="s2">"custom"</span> <span class="p">{</span> <span class="nx">count</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">create_policy</span> <span class="err">!</span><span class="p">=</span> <span class="kc">null</span> <span class="err">?</span> <span class="mi">1</span> <span class="err">:</span> <span class="mi">0</span> <span class="nx">name</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">create_policy</span><span class="p">.</span><span class="nx">name</span> <span class="nx">description</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">create_policy</span><span class="p">.</span><span class="nx">description</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"SERVICE_CONTROL_POLICY"</span> <span class="nx">content</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">create_policy</span><span class="p">.</span><span class="nx">content</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"aws_organizations_policy_attachment"</span> <span class="s2">"custom"</span> <span class="p">{</span> <span class="nx">count</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">create_policy</span> <span class="err">!</span><span class="p">=</span> <span class="kc">null</span> <span class="err">?</span> <span class="mi">1</span> <span class="err">:</span> <span class="mi">0</span> <span class="nx">policy_id</span> <span class="p">=</span> <span class="nx">aws_organizations_policy</span><span class="p">.</span><span class="nx">custom</span><span class="p">[</span><span class="mi">0</span><span class="p">].</span><span class="nx">id</span> <span class="nx">target_id</span> <span class="p">=</span> <span class="nx">aws_organizations_account</span><span class="p">.</span><span class="nx">account</span><span class="p">.</span><span class="nx">id</span> <span class="p">}</span> </code></pre> </div> <p>The <code>count</code> condition makes this optional — the policy and its attachment are only created when you pass a create_policy object. This pattern gives the module flexibility while keeping the configuration concise.</p> <p><strong>Module Outputs</strong></p> <p>The module exposes a few key outputs to integrate with the rest of your infrastructure:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">output</span> <span class="s2">"account_id"</span> <span class="p">{</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">aws_organizations_account</span><span class="p">.</span><span class="nx">account</span><span class="p">.</span><span class="nx">id</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"ID of the account created"</span> <span class="p">}</span> <span class="nx">output</span> <span class="s2">"email"</span> <span class="p">{</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">email</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Email of account"</span> <span class="p">}</span> <span class="nx">output</span> <span class="s2">"custom_policy_id"</span> <span class="p">{</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">create_policy</span> <span class="err">!</span><span class="p">=</span> <span class="kc">null</span> <span class="err">?</span> <span class="nx">aws_organizations_policy</span><span class="p">.</span><span class="nx">custom</span><span class="p">[</span><span class="mi">0</span><span class="p">].</span><span class="nx">id</span> <span class="err">:</span> <span class="kc">null</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"The ID of the custom policy created for this account (if any)"</span> <span class="p">}</span> <span class="nx">output</span> <span class="s2">"all_attached_policy_ids"</span> <span class="p">{</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">concat</span><span class="p">(</span> <span class="nx">var</span><span class="p">.</span><span class="nx">attach_policy_ids</span><span class="p">,</span> <span class="nx">var</span><span class="p">.</span><span class="nx">create_policy</span> <span class="err">!</span><span class="p">=</span> <span class="kc">null</span> <span class="err">?</span> <span class="p">[</span><span class="nx">aws_organizations_policy</span><span class="p">.</span><span class="nx">custom</span><span class="p">[</span><span class="mi">0</span><span class="p">].</span><span class="nx">id</span><span class="p">]</span> <span class="err">:</span> <span class="p">[]</span> <span class="p">)</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"List of all policy IDs attached to this account"</span> <span class="p">}</span> </code></pre> </div> <p>These outputs allow other modules — such as those that handle IAM Identity Center assignments, logging, or baseline configurations — to reference the account and its governance settings programmatically.</p> <h2> What's Next? </h2> <p>We've built the foundational Terraform modules for AWS governance — Organizations, Organizational Units, and Accounts. Now we need to deploy them.</p> <p>Follow me to get updates about my series <em>IaC Startup on AWS</em>. I'm writing new posts about configuring AWS named profiles, and deploying governance infrastructure with Terragrunt and Terraform.</p> <p>Also, make sure to check my <a href="https://github.com/lucasdecamargo" rel="noopener noreferrer">GitHub profile</a> for new projects and updates.</p> <p>Buy me a coffee if you like this post! :)</p> <p><a href="https://buymeacoffee.com/lucasdecamargo" rel="noopener noreferrer"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fcdn.buymeacoffee.com%2Fbuttons%2Fdefault-orange.png" alt="Buy Me A Coffee" height="41" width="174"></a></p> aws terraform cloud architecture Lucas de Camargo Sat, 23 Aug 2025 02:12:57 +0000 https://dev.to/lucasdecamargo/go-beyond-viper-and-cobra-declarative-field-driven-configuration-for-go-apps-4k4a https://dev.to/lucasdecamargo/go-beyond-viper-and-cobra-declarative-field-driven-configuration-for-go-apps-4k4a <p>Production Go applications constantly require the introduction of new configuration parameters. Based on the Open-Closed Principle, once we define a strategy for managing configuration fields, introducing new values becomes only small extensions. In this article, I'm proposing the definition of a Field structure for declaring configuration settings that are easily integrated with CLI completions and documentation generation.</p> <p>A template is available in my <a href="https://github.com/lucasdecamargo/go-appconfig-example" rel="noopener noreferrer">Github Repository</a>, and it uses three packages:</p> <ol> <li><p><strong>Viper</strong>: A complete configuration solution for Go applications that handles multiple file formats (YAML, JSON, TOML, HCL, ENV), environment variables, and provides a unified interface for accessing configuration values. Viper acts as a registry for all your application's configuration needs, with automatic environment variable binding and a precedence system for value resolution.</p></li> <li><p><strong>Cobra</strong>: A powerful CLI framework that provides a simple interface to create modern command-line applications with sophisticated features like nested subcommands, POSIX-compliant flags, automatic help generation, and shell completions. It's the same framework used by Kubernetes, Docker, and GitHub CLI for building their command-line interfaces.</p></li> <li><p><strong>Go Validator</strong>: A struct and field validation library that enables validation through struct tags, custom validation functions, and cross-field validation. It provides a declarative way to define validation rules directly in your struct definitions, making it easy to ensure data integrity throughout your application.</p></li> </ol> <h2> Table of Contents </h2> <ul> <li> Requirements <ul> <li>Functionalities </li> <li>The App Example </li> <li>Application Fields </li> <li>Network Fields </li> </ul> </li> <li> Implementation <ul> <li> File Structure <ul> <li>Constants </li> </ul> </li> <li>Field-Driven Configuration </li> <li>The Field Structure </li> <li>Field Collection </li> <li> Real Field Definitions <ul> <li>Application Fields </li> <li>Network Fields </li> </ul> </li> <li>Validators </li> <li>Configs Powered by Viper </li> <li>Writing the CLI only once with Cobra </li> <li> The Root Command <ul> <li>Binding Flags </li> </ul> </li> <li> The Config Commands <ul> <li>Generating Completions </li> <li>Listing Configuration Values </li> <li>Setting Configuration Values </li> <li>Auto-Documentation: Describing Parameters </li> </ul> </li> </ul> </li> <li> Results <ul> <li>Building </li> <li>Usage </li> </ul> </li> <li> Conclusion <ul> <li>Extending the Solution </li> <li>Buy me a coffee </li> </ul> </li> </ul> <h1> Requirements <a></a> </h1> <p>Modern production applications need robust configuration management that can adapt to different environments, validate inputs, and provide clear documentation to users. The approach presented here addresses these needs by creating a unified system where configuration metadata lives alongside the configuration values themselves. This creates a single source of truth that eliminates duplication and reduces the chance of documentation drift.</p> <h2> Functionalities <a></a> </h2> <p><strong>Single Source of Truth</strong>: Configuration fields are defined once with all metadata (validation, documentation, defaults); and can be easily extended.</p> <p><strong>Default Value Definition with Build Flags</strong>: Production apps are often built for different environments, therefore some default configuration values must be defined by Go <code>ldflags</code>.</p> <p><strong>Multiple Formats</strong>: Viper support for YAML, JSON, TOML, HCL, and ENV configuration files.</p> <p><strong>Auto CLI Integration</strong>: Seamless integration with Cobra for command-line interfaces, data validation, and auto-completion.</p> <p><strong>Type Safety</strong>: Strongly typed configuration with validation by Go Validator tags, custom functions, and literals.</p> <p><strong>Environment Variables</strong>: Automatic binding with configurable prefix.</p> <p><strong>Documentation</strong>: Built-in help and documentation generation.</p> <h2> The App Example <a></a> </h2> <p>Our application is called <strong><code>confapp</code></strong>, and it uses two groups of configuration: application base parameters, like logging and updates, and network configuration, like proxies. The architecture demonstrates how to organize configuration fields into logical groups, making it easy for users to understand and manage related settings together. Each field carries its complete metadata, ensuring that validation rules, documentation, and defaults are always consistent across the entire application.</p> <p>Users are expected to use the CLI to configure the application, like:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>confapp config <span class="nb">set</span> <span class="nt">--log</span>.level debug <span class="nt">--update</span>.auto <span class="nb">true</span> </code></pre> </div> <h3> Application Fields <a></a> </h3> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Field</th> <th>Type</th> <th>Default</th> <th>Description</th> </tr> </thead> <tbody> <tr> <td><code>environment</code></td> <td>string</td> <td><code>dev</code></td> <td>Application environment (hidden)</td> </tr> <tr> <td><code>log.level</code></td> <td>string</td> <td><code>info</code></td> <td>Logging level (debug, info, warn, error)</td> </tr> <tr> <td><code>log.output</code></td> <td>string</td> <td><code>nil</code></td> <td>Log output file path</td> </tr> <tr> <td><code>update.auto</code></td> <td>bool</td> <td><code>false</code></td> <td>Enable auto-updates</td> </tr> <tr> <td><code>update.period</code></td> <td>duration</td> <td><code>15m</code></td> <td>Update check period</td> </tr> </tbody> </table></div> <h3> Network Fields <a></a> </h3> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Field</th> <th>Type</th> <th>Default</th> <th>Description</th> </tr> </thead> <tbody> <tr> <td><code>proxy.http</code></td> <td>string</td> <td><code>nil</code></td> <td>HTTP proxy</td> </tr> <tr> <td><code>proxy.https</code></td> <td>string</td> <td><code>nil</code></td> <td>HTTPS proxy</td> </tr> </tbody> </table></div> <h1> Implementation <a></a> </h1> <p>The implementation follows a modular approach where each component has a specific responsibility. The configuration module defines the fields and their metadata, Viper handles the actual storage and retrieval of values, and Cobra provides the user interface. This separation of concerns makes the system maintainable and allows each component to evolve independently while maintaining a stable interface between them.</p> <h2> File Structure <a></a> </h2> <p>The project structure reflects the separation between CLI commands and configuration logic. The <code>cmd</code> directory contains all CLI-related code, while the <code>internal/config</code> directory houses the configuration management core. This organization makes it clear where to find specific functionality and ensures that the configuration logic remains independent of the CLI implementation.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>go-appconfig-example/ ├── cmd/ # CLI command implementations │ ├── root.go # Root command and global flags │ └── config.go # Configuration management commands ├── internal/ │ ├── config/ # Configuration management core │ │ ├── fields.go # Field definitions and collections │ │ ├── config.go # Viper integration │ │ └── validators.go # Custom validation functions │ └── consts/ # Application constants │ └── consts.go # Go flags like app name, version, etc. ├── main.go # Application entry point └── go.mod # Go module definition </code></pre> </div> <h4> Constants <a></a> </h4> <p>Application constants define global values that remain consistent throughout the application's lifecycle. These can be overridden at build time using Go's <code>-ldflags</code> feature, allowing you to customize the application name, version, or other constants without modifying the source code. This is particularly useful for CI/CD pipelines where different builds might need different configurations.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="c">// internal/consts/consts.go</span> <span class="k">var</span> <span class="p">(</span> <span class="c">// Application parameters</span> <span class="n">AppName</span> <span class="o">=</span> <span class="s">"confapp"</span> <span class="n">AppVersion</span> <span class="o">=</span> <span class="s">"v0.1.0"</span> <span class="c">// Config parameters</span> <span class="n">ConfigEnvPrefix</span> <span class="o">=</span> <span class="s">"CONFAPP"</span> <span class="p">)</span> </code></pre> </div> <h2> Field-Driven Configuration <a></a> </h2> <p>Field-Driven Configuration is a design pattern where configuration parameters are defined as structured data containing all their metadata. Instead of scattering validation rules, documentation, and default values across different parts of the codebase, each field becomes a self-contained unit that describes everything about a configuration parameter. This approach ensures consistency and makes it trivial to add new configuration options without touching multiple files.</p> <h3> The Field Structure <a></a> </h3> <p>The Field structure is the cornerstone of our configuration system. It encapsulates not just the value of a configuration parameter, but also its type, validation rules, documentation, and any other metadata needed to work with that parameter. This rich metadata enables automatic generation of CLI flags, validation logic, and documentation, all from a single definition.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="c">// internal/config/fields.go</span> <span class="k">type</span> <span class="n">FieldType</span> <span class="kt">string</span> <span class="k">const</span> <span class="p">(</span> <span class="n">FieldTypeString</span> <span class="n">FieldType</span> <span class="o">=</span> <span class="s">"string"</span> <span class="n">FieldTypeBool</span> <span class="n">FieldType</span> <span class="o">=</span> <span class="s">"bool"</span> <span class="n">FieldTypeInt</span> <span class="n">FieldType</span> <span class="o">=</span> <span class="s">"int"</span> <span class="n">FieldTypeFloat</span> <span class="n">FieldType</span> <span class="o">=</span> <span class="s">"float"</span> <span class="n">FieldTypeDuration</span> <span class="n">FieldType</span> <span class="o">=</span> <span class="s">"duration"</span> <span class="p">)</span> <span class="k">type</span> <span class="n">Field</span> <span class="k">struct</span> <span class="p">{</span> <span class="n">Name</span> <span class="kt">string</span> <span class="c">// Configuration key: "log.level"</span> <span class="n">Group</span> <span class="kt">string</span> <span class="c">// Logical grouping: "logging"</span> <span class="n">Type</span> <span class="n">FieldType</span> <span class="c">// Data type: string, bool, duration</span> <span class="n">Default</span> <span class="n">any</span> <span class="c">// Default value</span> <span class="n">Description</span> <span class="kt">string</span> <span class="c">// CLI help text</span> <span class="n">Docstring</span> <span class="kt">string</span> <span class="c">// Detailed documentation</span> <span class="n">ValidValues</span> <span class="p">[]</span><span class="n">any</span> <span class="c">// Allowed values: ["debug", "info", "warn"]</span> <span class="n">ValidateTag</span> <span class="kt">string</span> <span class="c">// Go validator tag: "required,oneof=debug info warn"</span> <span class="n">ValidateFunc</span> <span class="k">func</span><span class="p">(</span><span class="n">any</span><span class="p">)</span> <span class="kt">error</span> <span class="c">// Custom validation function</span> <span class="n">Example</span> <span class="kt">string</span> <span class="c">// Usage example</span> <span class="n">Hidden</span> <span class="kt">bool</span> <span class="c">// Hide from standard listings</span> <span class="n">Deprecated</span> <span class="kt">string</span> <span class="c">// Deprecation message if field is deprecated</span> <span class="p">}</span> <span class="c">// Validate performs validation on a field value using the configured validation rules.</span> <span class="c">// Returns nil if validation passes, or an error describing the validation failure.</span> <span class="k">func</span> <span class="p">(</span><span class="n">f</span> <span class="o">*</span><span class="n">Field</span><span class="p">)</span> <span class="n">Validate</span><span class="p">(</span><span class="n">value</span> <span class="n">any</span><span class="p">)</span> <span class="kt">error</span> <span class="p">{</span> <span class="k">if</span> <span class="n">value</span> <span class="o">==</span> <span class="no">nil</span> <span class="p">{</span> <span class="k">return</span> <span class="no">nil</span> <span class="p">}</span> <span class="c">// Check against valid values if specified</span> <span class="k">if</span> <span class="n">f</span><span class="o">.</span><span class="n">ValidValues</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="k">if</span> <span class="n">slices</span><span class="o">.</span><span class="n">Contains</span><span class="p">(</span><span class="n">f</span><span class="o">.</span><span class="n">ValidValues</span><span class="p">,</span> <span class="n">value</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="no">nil</span> <span class="p">}</span> <span class="k">return</span> <span class="n">fmt</span><span class="o">.</span><span class="n">Errorf</span><span class="p">(</span><span class="s">"%s: valid values: %v"</span><span class="p">,</span> <span class="n">f</span><span class="o">.</span><span class="n">Name</span><span class="p">,</span> <span class="n">f</span><span class="o">.</span><span class="n">ValidValues</span><span class="p">)</span> <span class="p">}</span> <span class="c">// Apply validator tag if specified</span> <span class="k">if</span> <span class="n">f</span><span class="o">.</span><span class="n">ValidateTag</span> <span class="o">!=</span> <span class="s">""</span> <span class="p">{</span> <span class="k">if</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">validator</span><span class="o">.</span><span class="n">New</span><span class="p">()</span><span class="o">.</span><span class="n">Var</span><span class="p">(</span><span class="n">value</span><span class="p">,</span> <span class="n">f</span><span class="o">.</span><span class="n">ValidateTag</span><span class="p">);</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="k">return</span> <span class="n">fmt</span><span class="o">.</span><span class="n">Errorf</span><span class="p">(</span><span class="s">"%s: %w"</span><span class="p">,</span> <span class="n">f</span><span class="o">.</span><span class="n">Name</span><span class="p">,</span> <span class="n">err</span><span class="p">)</span> <span class="p">}</span> <span class="p">}</span> <span class="c">// Apply custom validation function if specified</span> <span class="k">if</span> <span class="n">f</span><span class="o">.</span><span class="n">ValidateFunc</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="k">if</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">f</span><span class="o">.</span><span class="n">ValidateFunc</span><span class="p">(</span><span class="n">value</span><span class="p">);</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="k">return</span> <span class="n">fmt</span><span class="o">.</span><span class="n">Errorf</span><span class="p">(</span><span class="s">"%s: %w"</span><span class="p">,</span> <span class="n">f</span><span class="o">.</span><span class="n">Name</span><span class="p">,</span> <span class="n">err</span><span class="p">)</span> <span class="p">}</span> <span class="p">}</span> <span class="k">return</span> <span class="no">nil</span> <span class="p">}</span> </code></pre> </div> <h3> Field Collection <a></a> </h3> <p>The FieldCollection acts as a registry for all configuration fields in your application. It provides methods to add new fields dynamically and retrieve them efficiently. This centralized collection ensures that all parts of the application work with the same field definitions, maintaining consistency across CLI commands, validation, and documentation generation.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="c">// internal/config/fields.go</span> <span class="c">// Fields is the global collection of all configuration fields</span> <span class="k">var</span> <span class="n">Fields</span> <span class="o">=</span> <span class="n">FieldCollection</span><span class="p">{}</span> <span class="k">type</span> <span class="n">FieldCollection</span> <span class="p">[]</span><span class="o">*</span><span class="n">Field</span> <span class="k">func</span> <span class="p">(</span><span class="n">fc</span> <span class="o">*</span><span class="n">FieldCollection</span><span class="p">)</span> <span class="n">Add</span><span class="p">(</span><span class="n">fields</span> <span class="o">...*</span><span class="n">Field</span><span class="p">)</span> <span class="p">{</span> <span class="k">for</span> <span class="n">_</span><span class="p">,</span> <span class="n">field</span> <span class="o">:=</span> <span class="k">range</span> <span class="n">fields</span> <span class="p">{</span> <span class="c">// Check if field already exists and replace it</span> <span class="k">for</span> <span class="n">i</span><span class="p">,</span> <span class="n">existingField</span> <span class="o">:=</span> <span class="k">range</span> <span class="o">*</span><span class="n">fc</span> <span class="p">{</span> <span class="k">if</span> <span class="n">existingField</span><span class="o">.</span><span class="n">Name</span> <span class="o">==</span> <span class="n">field</span><span class="o">.</span><span class="n">Name</span> <span class="p">{</span> <span class="p">(</span><span class="o">*</span><span class="n">fc</span><span class="p">)[</span><span class="n">i</span><span class="p">]</span> <span class="o">=</span> <span class="n">field</span> <span class="k">goto</span> <span class="n">nextField</span> <span class="p">}</span> <span class="p">}</span> <span class="c">// Field doesn't exist, append it</span> <span class="o">*</span><span class="n">fc</span> <span class="o">=</span> <span class="nb">append</span><span class="p">(</span><span class="o">*</span><span class="n">fc</span><span class="p">,</span> <span class="n">field</span><span class="p">)</span> <span class="n">nextField</span><span class="o">:</span> <span class="p">}</span> <span class="p">}</span> <span class="c">// Map returns a map for O(1) field lookup by name</span> <span class="k">func</span> <span class="p">(</span><span class="n">fc</span> <span class="o">*</span><span class="n">FieldCollection</span><span class="p">)</span> <span class="n">Map</span><span class="p">()</span> <span class="n">FieldMap</span> <span class="p">{</span> <span class="n">fields</span> <span class="o">:=</span> <span class="nb">make</span><span class="p">(</span><span class="n">FieldMap</span><span class="p">)</span> <span class="k">for</span> <span class="n">_</span><span class="p">,</span> <span class="n">f</span> <span class="o">:=</span> <span class="k">range</span> <span class="o">*</span><span class="n">fc</span> <span class="p">{</span> <span class="n">fields</span><span class="p">[</span><span class="n">f</span><span class="o">.</span><span class="n">Name</span><span class="p">]</span> <span class="o">=</span> <span class="n">f</span> <span class="p">}</span> <span class="k">return</span> <span class="n">fields</span> <span class="p">}</span> </code></pre> </div> <h3> Real Field Definitions <a></a> </h3> <p>With the Field structure and FieldCollection in place, we can now define actual configuration parameters. Each field definition becomes a single source of truth that contains everything needed to work with that configuration value. The use of init() functions ensures that fields are automatically registered when the package is imported, eliminating the need for manual registration and reducing the chance of forgetting to register a field.</p> <h4> Application Fields <a></a> </h4> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="c">// internal/config/fields.go</span> <span class="k">const</span> <span class="n">GroupApplication</span> <span class="o">=</span> <span class="s">"Application"</span> <span class="k">func</span> <span class="n">init</span><span class="p">()</span> <span class="p">{</span> <span class="n">Fields</span><span class="o">.</span><span class="n">Add</span><span class="p">(</span> <span class="n">FieldAppEnvironment</span><span class="p">,</span> <span class="n">FieldAppLogLevel</span><span class="p">,</span> <span class="n">FieldAppLogOutput</span><span class="p">,</span> <span class="n">FieldAppUpdateAuto</span><span class="p">,</span> <span class="n">FieldAppUpdatePeriod</span><span class="p">,</span> <span class="p">)</span> <span class="p">}</span> <span class="k">var</span> <span class="n">FieldAppEnvironment</span> <span class="o">=</span> <span class="o">&amp;</span><span class="n">Field</span><span class="p">{</span> <span class="n">Name</span><span class="o">:</span> <span class="s">"environment"</span><span class="p">,</span> <span class="n">Group</span><span class="o">:</span> <span class="n">GroupApplication</span><span class="p">,</span> <span class="n">Type</span><span class="o">:</span> <span class="n">FieldTypeString</span><span class="p">,</span> <span class="n">Default</span><span class="o">:</span> <span class="s">"dev"</span><span class="p">,</span> <span class="n">Description</span><span class="o">:</span> <span class="s">"The environment in which the application runs."</span><span class="p">,</span> <span class="n">Example</span><span class="o">:</span> <span class="s">"prod, test, dev"</span><span class="p">,</span> <span class="n">Hidden</span><span class="o">:</span> <span class="no">true</span><span class="p">,</span> <span class="c">// This field is not shown in the config list</span> <span class="p">}</span> <span class="k">var</span> <span class="n">FieldAppLogLevel</span> <span class="o">=</span> <span class="o">&amp;</span><span class="n">Field</span><span class="p">{</span> <span class="n">Name</span><span class="o">:</span> <span class="s">"log.level"</span><span class="p">,</span> <span class="n">Group</span><span class="o">:</span> <span class="n">GroupApplication</span><span class="p">,</span> <span class="n">Type</span><span class="o">:</span> <span class="n">FieldTypeString</span><span class="p">,</span> <span class="n">Default</span><span class="o">:</span> <span class="s">"info"</span><span class="p">,</span> <span class="n">Description</span><span class="o">:</span> <span class="s">"The log level to use for the application."</span><span class="p">,</span> <span class="n">ValidValues</span><span class="o">:</span> <span class="p">[]</span><span class="n">any</span><span class="p">{</span><span class="s">"debug"</span><span class="p">,</span> <span class="s">"info"</span><span class="p">,</span> <span class="s">"warn"</span><span class="p">,</span> <span class="s">"error"</span><span class="p">},</span> <span class="p">}</span> <span class="k">var</span> <span class="n">FieldAppLogOutput</span> <span class="o">=</span> <span class="o">&amp;</span><span class="n">Field</span><span class="p">{</span> <span class="n">Name</span><span class="o">:</span> <span class="s">"log.output"</span><span class="p">,</span> <span class="n">Group</span><span class="o">:</span> <span class="n">GroupApplication</span><span class="p">,</span> <span class="n">Type</span><span class="o">:</span> <span class="n">FieldTypeString</span><span class="p">,</span> <span class="n">Default</span><span class="o">:</span> <span class="no">nil</span><span class="p">,</span> <span class="n">Description</span><span class="o">:</span> <span class="s">"The output file to use for the application logs, if set."</span><span class="p">,</span> <span class="n">ValidateTag</span><span class="o">:</span> <span class="s">"filepath"</span><span class="p">,</span> <span class="n">Example</span><span class="o">:</span> <span class="s">"/var/log/app.log"</span><span class="p">,</span> <span class="p">}</span> <span class="k">var</span> <span class="n">FieldAppUpdateAuto</span> <span class="o">=</span> <span class="o">&amp;</span><span class="n">Field</span><span class="p">{</span> <span class="n">Name</span><span class="o">:</span> <span class="s">"update.auto"</span><span class="p">,</span> <span class="n">Group</span><span class="o">:</span> <span class="n">GroupApplication</span><span class="p">,</span> <span class="n">Type</span><span class="o">:</span> <span class="n">FieldTypeBool</span><span class="p">,</span> <span class="n">Default</span><span class="o">:</span> <span class="no">false</span><span class="p">,</span> <span class="n">Description</span><span class="o">:</span> <span class="s">"Automatically update the application when a new version is available."</span><span class="p">,</span> <span class="p">}</span> <span class="k">var</span> <span class="n">FieldAppUpdatePeriod</span> <span class="o">=</span> <span class="o">&amp;</span><span class="n">Field</span><span class="p">{</span> <span class="n">Name</span><span class="o">:</span> <span class="s">"update.period"</span><span class="p">,</span> <span class="n">Group</span><span class="o">:</span> <span class="n">GroupApplication</span><span class="p">,</span> <span class="n">Type</span><span class="o">:</span> <span class="n">FieldTypeDuration</span><span class="p">,</span> <span class="n">Default</span><span class="o">:</span> <span class="s">"15m"</span><span class="p">,</span> <span class="n">Description</span><span class="o">:</span> <span class="s">"The period to check for updates, if enabled."</span><span class="p">,</span> <span class="n">Docstring</span><span class="o">:</span> <span class="s">`The period can be a number of seconds, or a valid duration string.`</span><span class="p">,</span> <span class="n">ValidateFunc</span><span class="o">:</span> <span class="n">validateDuration</span><span class="p">,</span> <span class="n">Example</span><span class="o">:</span> <span class="s">"1h, 15m, 10 (seconds)"</span><span class="p">,</span> <span class="p">}</span> </code></pre> </div> <h4> Network Fields <a></a> </h4> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="c">// fields.go</span> <span class="k">const</span> <span class="n">GroupNetwork</span> <span class="o">=</span> <span class="s">"Network"</span> <span class="k">func</span> <span class="n">init</span><span class="p">()</span> <span class="p">{</span> <span class="n">Fields</span><span class="o">.</span><span class="n">Add</span><span class="p">(</span> <span class="n">FieldNetworkProxyHttp</span><span class="p">,</span> <span class="n">FieldNetworkProxyHttps</span><span class="p">,</span> <span class="p">)</span> <span class="p">}</span> <span class="k">var</span> <span class="n">FieldNetworkProxyHttp</span> <span class="o">=</span> <span class="o">&amp;</span><span class="n">Field</span><span class="p">{</span> <span class="n">Name</span><span class="o">:</span> <span class="s">"proxy.http"</span><span class="p">,</span> <span class="n">Group</span><span class="o">:</span> <span class="n">GroupNetwork</span><span class="p">,</span> <span class="n">Type</span><span class="o">:</span> <span class="n">FieldTypeString</span><span class="p">,</span> <span class="n">Default</span><span class="o">:</span> <span class="no">nil</span><span class="p">,</span> <span class="n">Description</span><span class="o">:</span> <span class="s">"Set a proxy server for HTTP traffic"</span><span class="p">,</span> <span class="n">ValidateTag</span><span class="o">:</span> <span class="s">"url"</span><span class="p">,</span> <span class="n">Example</span><span class="o">:</span> <span class="s">"http://user:password@host:port"</span><span class="p">,</span> <span class="p">}</span> <span class="k">var</span> <span class="n">FieldNetworkProxyHttps</span> <span class="o">=</span> <span class="o">&amp;</span><span class="n">Field</span><span class="p">{</span> <span class="n">Name</span><span class="o">:</span> <span class="s">"proxy.https"</span><span class="p">,</span> <span class="n">Group</span><span class="o">:</span> <span class="n">GroupNetwork</span><span class="p">,</span> <span class="n">Type</span><span class="o">:</span> <span class="n">FieldTypeString</span><span class="p">,</span> <span class="n">Default</span><span class="o">:</span> <span class="no">nil</span><span class="p">,</span> <span class="n">Description</span><span class="o">:</span> <span class="s">"Set a proxy server for HTTPS traffic"</span><span class="p">,</span> <span class="n">ValidateTag</span><span class="o">:</span> <span class="s">"url"</span><span class="p">,</span> <span class="n">Example</span><span class="o">:</span> <span class="s">"http://user:password@host:port"</span><span class="p">,</span> <span class="p">}</span> </code></pre> </div> <h3> Validators <a></a> </h3> <p>Validation is handled through the <a href="https://github.com/go-playground/validator" rel="noopener noreferrer">Go Validator library</a>, which provides a declarative way to define validation rules using struct tags. The library supports a wide range of built-in validators like <code>required</code>, <code>email</code>, <code>url</code>, <code>min</code>, <code>max</code>, and many more. You can combine multiple validators using commas (AND logic) or pipes (OR logic). For example, <code>validate:"required,email"</code> ensures a field is both present and a valid email, while <code>validate:"rgb|rgba"</code> accepts either RGB or RGBA color formats.</p> <p>In our Field structure, we use the ValidateTag field to specify these validation rules, allowing us to leverage the full power of the validator library without writing repetitive validation code.</p> <p>Beyond the built-in validators, the system supports custom validation functions for complex business logic that can't be expressed through tags alone. These functions receive the value to validate and return an error if validation fails, providing complete flexibility for domain-specific rules.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="c">// internal/config/validators.go</span> <span class="k">func</span> <span class="n">validateDuration</span><span class="p">(</span><span class="n">v</span> <span class="n">any</span><span class="p">)</span> <span class="kt">error</span> <span class="p">{</span> <span class="k">switch</span> <span class="n">v</span> <span class="o">:=</span> <span class="n">v</span><span class="o">.</span><span class="p">(</span><span class="k">type</span><span class="p">)</span> <span class="p">{</span> <span class="k">case</span> <span class="kt">int</span><span class="p">,</span> <span class="kt">int64</span><span class="p">,</span> <span class="kt">int32</span><span class="p">,</span> <span class="kt">int16</span><span class="p">,</span> <span class="kt">int8</span><span class="p">,</span> <span class="kt">uint</span><span class="p">,</span> <span class="kt">uint64</span><span class="p">,</span> <span class="kt">uint32</span><span class="p">,</span> <span class="kt">uint16</span><span class="p">,</span> <span class="kt">uint8</span><span class="o">:</span> <span class="c">// Numeric values are valid (interpreted as seconds)</span> <span class="k">return</span> <span class="no">nil</span> <span class="k">case</span> <span class="kt">float32</span><span class="p">,</span> <span class="kt">float64</span><span class="o">:</span> <span class="c">// Float values are valid (interpreted as seconds)</span> <span class="k">return</span> <span class="no">nil</span> <span class="k">case</span> <span class="kt">string</span><span class="o">:</span> <span class="k">if</span> <span class="n">v</span> <span class="o">==</span> <span class="s">""</span> <span class="p">{</span> <span class="k">return</span> <span class="no">nil</span> <span class="c">// empty value is allowed</span> <span class="p">}</span> <span class="n">_</span><span class="p">,</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">time</span><span class="o">.</span><span class="n">ParseDuration</span><span class="p">(</span><span class="n">v</span><span class="p">)</span> <span class="k">if</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="k">return</span> <span class="n">fmt</span><span class="o">.</span><span class="n">Errorf</span><span class="p">(</span><span class="s">"invalid duration format: %s (examples: 1h30m, 15m, 10s)"</span><span class="p">,</span> <span class="n">v</span><span class="p">)</span> <span class="p">}</span> <span class="k">return</span> <span class="no">nil</span> <span class="k">default</span><span class="o">:</span> <span class="k">return</span> <span class="n">fmt</span><span class="o">.</span><span class="n">Errorf</span><span class="p">(</span><span class="s">"duration must be a string or numeric value"</span><span class="p">)</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h2> Configs Powered by Viper <a></a> </h2> <p>Viper provides the backbone for our configuration management system. It handles the complexity of merging configuration from multiple sources according to a well-defined precedence order: command-line flags override environment variables, which override config file values, which override defaults. This layered approach allows users to define base configurations in files while still being able to override specific values through environment variables in production or flags during development. Viper also manages the serialization and deserialization of configuration files in various formats, making it easy to work with YAML, JSON, TOML, or any other supported format without changing your code.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="c">// internal/config/config.go</span> <span class="k">func</span> <span class="n">Init</span><span class="p">()</span> <span class="kt">error</span> <span class="p">{</span> <span class="c">// Enable automatic environment variable binding</span> <span class="n">viper</span><span class="o">.</span><span class="n">AutomaticEnv</span><span class="p">()</span> <span class="n">viper</span><span class="o">.</span><span class="n">SetEnvPrefix</span><span class="p">(</span><span class="n">consts</span><span class="o">.</span><span class="n">ConfigEnvPrefix</span><span class="p">)</span> <span class="c">// Replace dots with underscores in environment variable names</span> <span class="n">viper</span><span class="o">.</span><span class="n">SetEnvKeyReplacer</span><span class="p">(</span><span class="n">strings</span><span class="o">.</span><span class="n">NewReplacer</span><span class="p">(</span><span class="s">"."</span><span class="p">,</span> <span class="s">"_"</span><span class="p">))</span> <span class="c">// Set default values for all defined fields</span> <span class="k">for</span> <span class="n">_</span><span class="p">,</span> <span class="n">field</span> <span class="o">:=</span> <span class="k">range</span> <span class="n">Fields</span> <span class="p">{</span> <span class="k">if</span> <span class="n">field</span><span class="o">.</span><span class="n">Default</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="n">viper</span><span class="o">.</span><span class="n">SetDefault</span><span class="p">(</span><span class="n">field</span><span class="o">.</span><span class="n">Name</span><span class="p">,</span> <span class="n">field</span><span class="o">.</span><span class="n">Default</span><span class="p">)</span> <span class="p">}</span> <span class="p">}</span> <span class="c">// Validate and process config file if specified</span> <span class="n">cfgFile</span> <span class="o">:=</span> <span class="n">viper</span><span class="o">.</span><span class="n">GetString</span><span class="p">(</span><span class="n">FieldFlagConfig</span><span class="o">.</span><span class="n">Name</span><span class="p">)</span> <span class="k">if</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">FieldFlagConfig</span><span class="o">.</span><span class="n">Validate</span><span class="p">(</span><span class="n">cfgFile</span><span class="p">);</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="k">return</span> <span class="n">fmt</span><span class="o">.</span><span class="n">Errorf</span><span class="p">(</span><span class="s">"config file validation failed: %w"</span><span class="p">,</span> <span class="n">err</span><span class="p">)</span> <span class="p">}</span> <span class="k">if</span> <span class="n">cfgFile</span> <span class="o">!=</span> <span class="s">""</span> <span class="p">{</span> <span class="k">if</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">loadConfigFile</span><span class="p">(</span><span class="n">cfgFile</span><span class="p">);</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="k">return</span> <span class="n">fmt</span><span class="o">.</span><span class="n">Errorf</span><span class="p">(</span><span class="s">"failed to load config file: %w"</span><span class="p">,</span> <span class="n">err</span><span class="p">)</span> <span class="p">}</span> <span class="p">}</span> <span class="k">return</span> <span class="no">nil</span> <span class="p">}</span> <span class="c">// The file extension determines the format (yaml, json, toml, etc.).</span> <span class="k">func</span> <span class="n">loadConfigFile</span><span class="p">(</span><span class="n">cfgFile</span> <span class="kt">string</span><span class="p">)</span> <span class="kt">error</span> <span class="p">{</span> <span class="n">cfgFileDir</span> <span class="o">:=</span> <span class="n">path</span><span class="o">.</span><span class="n">Dir</span><span class="p">(</span><span class="n">cfgFile</span><span class="p">)</span> <span class="n">cfgFileBase</span> <span class="o">:=</span> <span class="n">path</span><span class="o">.</span><span class="n">Base</span><span class="p">(</span><span class="n">cfgFile</span><span class="p">)</span> <span class="n">cfgFileExt</span> <span class="o">:=</span> <span class="n">path</span><span class="o">.</span><span class="n">Ext</span><span class="p">(</span><span class="n">cfgFile</span><span class="p">)</span> <span class="n">cfgFileName</span> <span class="o">:=</span> <span class="n">strings</span><span class="o">.</span><span class="n">TrimSuffix</span><span class="p">(</span><span class="n">cfgFileBase</span><span class="p">,</span> <span class="n">cfgFileExt</span><span class="p">)</span> <span class="n">viper</span><span class="o">.</span><span class="n">SetConfigName</span><span class="p">(</span><span class="n">cfgFileName</span><span class="p">)</span> <span class="n">viper</span><span class="o">.</span><span class="n">SetConfigType</span><span class="p">(</span><span class="n">cfgFileExt</span><span class="p">[</span><span class="m">1</span><span class="o">:</span><span class="p">])</span> <span class="n">viper</span><span class="o">.</span><span class="n">AddConfigPath</span><span class="p">(</span><span class="n">cfgFileDir</span><span class="p">)</span> <span class="c">// Attempt to read the config file, but don't fail if it doesn't exist</span> <span class="k">if</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">viper</span><span class="o">.</span><span class="n">ReadInConfig</span><span class="p">();</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="o">&amp;&amp;</span> <span class="o">!</span><span class="n">errors</span><span class="o">.</span><span class="n">As</span><span class="p">(</span><span class="n">err</span><span class="p">,</span> <span class="o">&amp;</span><span class="n">viper</span><span class="o">.</span><span class="n">ConfigFileNotFoundError</span><span class="p">{})</span> <span class="p">{</span> <span class="k">return</span> <span class="n">fmt</span><span class="o">.</span><span class="n">Errorf</span><span class="p">(</span><span class="s">"failed to read config file: %w"</span><span class="p">,</span> <span class="n">err</span><span class="p">)</span> <span class="p">}</span> <span class="k">return</span> <span class="no">nil</span> <span class="p">}</span> <span class="k">func</span> <span class="n">ReadField</span><span class="p">(</span><span class="n">f</span> <span class="o">*</span><span class="n">Field</span><span class="p">)</span> <span class="n">any</span> <span class="p">{</span> <span class="k">return</span> <span class="n">viper</span><span class="o">.</span><span class="n">Get</span><span class="p">(</span><span class="n">f</span><span class="o">.</span><span class="n">Name</span><span class="p">)</span> <span class="p">}</span> <span class="k">func</span> <span class="n">WriteField</span><span class="p">(</span><span class="n">f</span> <span class="o">*</span><span class="n">Field</span><span class="p">,</span> <span class="n">value</span> <span class="n">any</span><span class="p">)</span> <span class="kt">error</span> <span class="p">{</span> <span class="k">if</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">f</span><span class="o">.</span><span class="n">Validate</span><span class="p">(</span><span class="n">value</span><span class="p">);</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="k">return</span> <span class="n">fmt</span><span class="o">.</span><span class="n">Errorf</span><span class="p">(</span><span class="s">"validation failed: %w"</span><span class="p">,</span> <span class="n">err</span><span class="p">)</span> <span class="p">}</span> <span class="n">viper</span><span class="o">.</span><span class="n">Set</span><span class="p">(</span><span class="n">f</span><span class="o">.</span><span class="n">Name</span><span class="p">,</span> <span class="n">value</span><span class="p">)</span> <span class="k">return</span> <span class="no">nil</span> <span class="p">}</span> <span class="k">func</span> <span class="n">Save</span><span class="p">()</span> <span class="kt">error</span> <span class="p">{</span> <span class="n">cfgFile</span> <span class="o">:=</span> <span class="n">viper</span><span class="o">.</span><span class="n">GetString</span><span class="p">(</span><span class="n">FieldFlagConfig</span><span class="o">.</span><span class="n">Name</span><span class="p">)</span> <span class="k">if</span> <span class="n">cfgFile</span> <span class="o">==</span> <span class="s">""</span> <span class="p">{</span> <span class="k">return</span> <span class="n">fmt</span><span class="o">.</span><span class="n">Errorf</span><span class="p">(</span><span class="s">"no config file specified"</span><span class="p">)</span> <span class="p">}</span> <span class="c">// Try to write the config file</span> <span class="k">if</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">viper</span><span class="o">.</span><span class="n">WriteConfigAs</span><span class="p">(</span><span class="n">cfgFile</span><span class="p">);</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="k">if</span> <span class="n">errors</span><span class="o">.</span><span class="n">Is</span><span class="p">(</span><span class="n">err</span><span class="p">,</span> <span class="n">os</span><span class="o">.</span><span class="n">ErrNotExist</span><span class="p">)</span> <span class="p">{</span> <span class="c">// Create directory structure and file if they don't exist</span> <span class="k">return</span> <span class="n">createAndWriteConfigFile</span><span class="p">(</span><span class="n">cfgFile</span><span class="p">)</span> <span class="p">}</span> <span class="k">return</span> <span class="n">fmt</span><span class="o">.</span><span class="n">Errorf</span><span class="p">(</span><span class="s">"failed to write config file %s: %w"</span><span class="p">,</span> <span class="n">cfgFile</span><span class="p">,</span> <span class="n">err</span><span class="p">)</span> <span class="p">}</span> <span class="k">return</span> <span class="no">nil</span> <span class="p">}</span> <span class="k">func</span> <span class="n">createAndWriteConfigFile</span><span class="p">(</span><span class="n">cfgFile</span> <span class="kt">string</span><span class="p">)</span> <span class="kt">error</span> <span class="p">{</span> <span class="c">// Create the directory structure</span> <span class="k">if</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">os</span><span class="o">.</span><span class="n">MkdirAll</span><span class="p">(</span><span class="n">path</span><span class="o">.</span><span class="n">Dir</span><span class="p">(</span><span class="n">cfgFile</span><span class="p">),</span> <span class="m">0755</span><span class="p">);</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="k">return</span> <span class="n">fmt</span><span class="o">.</span><span class="n">Errorf</span><span class="p">(</span><span class="s">"failed to create config directory: %w"</span><span class="p">,</span> <span class="n">err</span><span class="p">)</span> <span class="p">}</span> <span class="c">// Create an empty config file</span> <span class="k">if</span> <span class="n">f</span><span class="p">,</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">os</span><span class="o">.</span><span class="n">Create</span><span class="p">(</span><span class="n">cfgFile</span><span class="p">);</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="k">return</span> <span class="n">fmt</span><span class="o">.</span><span class="n">Errorf</span><span class="p">(</span><span class="s">"failed to create config file %s: %w"</span><span class="p">,</span> <span class="n">cfgFile</span><span class="p">,</span> <span class="n">err</span><span class="p">)</span> <span class="p">}</span> <span class="k">else</span> <span class="p">{</span> <span class="n">f</span><span class="o">.</span><span class="n">Close</span><span class="p">()</span> <span class="p">}</span> <span class="c">// Write the configuration to the file</span> <span class="k">if</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">viper</span><span class="o">.</span><span class="n">WriteConfigAs</span><span class="p">(</span><span class="n">cfgFile</span><span class="p">);</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="k">return</span> <span class="n">fmt</span><span class="o">.</span><span class="n">Errorf</span><span class="p">(</span><span class="s">"failed to write configuration: %w"</span><span class="p">,</span> <span class="n">err</span><span class="p">)</span> <span class="p">}</span> <span class="k">return</span> <span class="no">nil</span> <span class="p">}</span> </code></pre> </div> <h2> Writing the CLI only once with Cobra <a></a> </h2> <p>The beauty of our Field-Driven approach truly shines when building the CLI with Cobra. Instead of manually defining flags for each configuration parameter and keeping them in sync with validation rules and documentation, our CLI commands automatically derive everything they need from the Field definitions. This means you write the CLI structure once, and it automatically adapts as you add new configuration fields. The commands can iterate through the FieldCollection to generate flags, completions, and documentation dynamically, ensuring that the CLI always reflects the current state of your configuration schema.</p> <h3> The Root Command <a></a> </h3> <p>The root command serves as the entry point for your CLI application. While you can generate the initial structure using <code>cobra-cli init</code> for the root command and <code>cobra-cli add</code> for subcommands, the real power comes from integrating it with our Field system. The root command sets up global flags and initializes the configuration system before any subcommand runs, ensuring that all parts of the application work with properly loaded and validated configuration.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="c">// cmd/root.go</span> <span class="c">// rootCmd represents the base command when called without any subcommands.</span> <span class="c">// It serves as the entry point for the CLI application.</span> <span class="k">var</span> <span class="n">rootCmd</span> <span class="o">=</span> <span class="o">&amp;</span><span class="n">cobra</span><span class="o">.</span><span class="n">Command</span><span class="p">{</span> <span class="n">Use</span><span class="o">:</span> <span class="n">consts</span><span class="o">.</span><span class="n">AppName</span><span class="p">,</span> <span class="n">Short</span><span class="o">:</span> <span class="s">"Go application with structured configuration example"</span><span class="p">,</span> <span class="n">Long</span><span class="o">:</span> <span class="s">`A demonstration of production-ready configuration management in Go using Viper and Cobra.`</span><span class="p">,</span> <span class="n">Version</span><span class="o">:</span> <span class="n">consts</span><span class="o">.</span><span class="n">AppVersion</span><span class="p">,</span> <span class="p">}</span> <span class="c">// Execute adds all child commands to the root command and sets flags appropriately.</span> <span class="c">// This is called by main.main(). It only needs to happen once to the rootCmd.</span> <span class="k">func</span> <span class="n">Execute</span><span class="p">()</span> <span class="p">{</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">rootCmd</span><span class="o">.</span><span class="n">Execute</span><span class="p">()</span> <span class="k">if</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="n">os</span><span class="o">.</span><span class="n">Exit</span><span class="p">(</span><span class="m">1</span><span class="p">)</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h4> Binding Flags <a></a> </h4> <p>Cobra provides three types of flags: local flags (specific to a command), persistent flags (available to a command and all its subcommands), and the special PFlags type that integrates with Viper. When you bind a flag to Viper using <code>viper.BindPFlag()</code>, Viper automatically reads the flag value if it's set, allowing seamless integration between command-line arguments and your configuration system. This binding creates a unified interface where users can set values through flags, environment variables, or config files, and your application code doesn't need to know which source provided the value.</p> <p>Our implementation uses persistent flags for global options like the config file path and verbosity level, ensuring these are available to all subcommands. The initialization happens in Cobra's <code>OnInitialize</code> hook, which runs before any command execution, guaranteeing that configuration is properly loaded before your command logic runs.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="c">// cmd/root.go</span> <span class="k">var</span> <span class="p">(</span> <span class="n">FlagConfig</span> <span class="kt">string</span> <span class="c">// Path to the configuration file</span> <span class="n">FlagVerbose</span> <span class="kt">bool</span> <span class="c">// Enable verbose output</span> <span class="p">)</span> <span class="k">func</span> <span class="n">init</span><span class="p">()</span> <span class="p">{</span> <span class="c">// Initialize configuration before any command is executed</span> <span class="n">cobra</span><span class="o">.</span><span class="n">OnInitialize</span><span class="p">(</span><span class="n">initConfig</span><span class="p">)</span> <span class="c">// Set up persistent flags that are available to all commands</span> <span class="n">setupPersistentFlags</span><span class="p">()</span> <span class="p">}</span> <span class="k">func</span> <span class="n">setupPersistentFlags</span><span class="p">()</span> <span class="p">{</span> <span class="c">// Determine default config file location</span> <span class="n">configDir</span><span class="p">,</span> <span class="n">_</span> <span class="o">:=</span> <span class="n">os</span><span class="o">.</span><span class="n">UserConfigDir</span><span class="p">()</span> <span class="n">defaultConfig</span> <span class="o">:=</span> <span class="n">path</span><span class="o">.</span><span class="n">Join</span><span class="p">(</span><span class="n">configDir</span><span class="p">,</span> <span class="n">consts</span><span class="o">.</span><span class="n">AppName</span><span class="p">,</span> <span class="s">"config.yaml"</span><span class="p">)</span> <span class="c">// Config file flag</span> <span class="n">rootCmd</span><span class="o">.</span><span class="n">PersistentFlags</span><span class="p">()</span><span class="o">.</span><span class="n">StringVarP</span><span class="p">(</span> <span class="o">&amp;</span><span class="n">FlagConfig</span><span class="p">,</span> <span class="n">config</span><span class="o">.</span><span class="n">FieldFlagConfig</span><span class="o">.</span><span class="n">Name</span><span class="p">,</span> <span class="n">config</span><span class="o">.</span><span class="n">FieldFlagConfig</span><span class="o">.</span><span class="n">Shorthand</span><span class="p">,</span> <span class="n">defaultConfig</span><span class="p">,</span> <span class="n">config</span><span class="o">.</span><span class="n">FieldFlagConfig</span><span class="o">.</span><span class="n">Description</span><span class="p">,</span> <span class="p">)</span> <span class="n">viper</span><span class="o">.</span><span class="n">BindPFlag</span><span class="p">(</span> <span class="n">config</span><span class="o">.</span><span class="n">FieldFlagConfig</span><span class="o">.</span><span class="n">Name</span><span class="p">,</span> <span class="n">rootCmd</span><span class="o">.</span><span class="n">PersistentFlags</span><span class="p">()</span><span class="o">.</span><span class="n">Lookup</span><span class="p">(</span><span class="n">config</span><span class="o">.</span><span class="n">FieldFlagConfig</span><span class="o">.</span><span class="n">Name</span><span class="p">),</span> <span class="p">)</span> <span class="c">// Verbose flag</span> <span class="n">rootCmd</span><span class="o">.</span><span class="n">PersistentFlags</span><span class="p">()</span><span class="o">.</span><span class="n">BoolVarP</span><span class="p">(</span> <span class="o">&amp;</span><span class="n">FlagVerbose</span><span class="p">,</span> <span class="n">config</span><span class="o">.</span><span class="n">FieldFlagVerbose</span><span class="o">.</span><span class="n">Name</span><span class="p">,</span> <span class="n">config</span><span class="o">.</span><span class="n">FieldFlagVerbose</span><span class="o">.</span><span class="n">Shorthand</span><span class="p">,</span> <span class="no">false</span><span class="p">,</span> <span class="n">config</span><span class="o">.</span><span class="n">FieldFlagVerbose</span><span class="o">.</span><span class="n">Description</span><span class="p">,</span> <span class="p">)</span> <span class="n">viper</span><span class="o">.</span><span class="n">BindPFlag</span><span class="p">(</span> <span class="n">config</span><span class="o">.</span><span class="n">FieldFlagVerbose</span><span class="o">.</span><span class="n">Name</span><span class="p">,</span> <span class="n">rootCmd</span><span class="o">.</span><span class="n">PersistentFlags</span><span class="p">()</span><span class="o">.</span><span class="n">Lookup</span><span class="p">(</span><span class="n">config</span><span class="o">.</span><span class="n">FieldFlagVerbose</span><span class="o">.</span><span class="n">Name</span><span class="p">),</span> <span class="p">)</span> <span class="p">}</span> <span class="k">func</span> <span class="n">initConfig</span><span class="p">()</span> <span class="p">{</span> <span class="k">if</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">config</span><span class="o">.</span><span class="n">Init</span><span class="p">();</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="n">fmt</span><span class="o">.</span><span class="n">Printf</span><span class="p">(</span><span class="s">"Configuration error: %v</span><span class="se">\n</span><span class="s">"</span><span class="p">,</span> <span class="n">err</span><span class="p">)</span> <span class="n">os</span><span class="o">.</span><span class="n">Exit</span><span class="p">(</span><span class="m">1</span><span class="p">)</span> <span class="p">}</span> <span class="k">if</span> <span class="n">FlagVerbose</span> <span class="p">{</span> <span class="n">printConfigInfo</span><span class="p">()</span> <span class="p">}</span> <span class="p">}</span> <span class="k">func</span> <span class="n">printConfigInfo</span><span class="p">()</span> <span class="p">{</span> <span class="n">cfgFile</span> <span class="o">:=</span> <span class="n">config</span><span class="o">.</span><span class="n">ReadFieldString</span><span class="p">(</span><span class="n">config</span><span class="o">.</span><span class="n">FieldFlagConfig</span><span class="p">)</span> <span class="k">if</span> <span class="n">cfgFile</span> <span class="o">!=</span> <span class="s">""</span> <span class="p">{</span> <span class="n">fmt</span><span class="o">.</span><span class="n">Printf</span><span class="p">(</span><span class="s">"# Using config file: %s</span><span class="se">\n</span><span class="s">"</span><span class="p">,</span> <span class="n">cfgFile</span><span class="p">)</span> <span class="p">}</span> <span class="k">else</span> <span class="p">{</span> <span class="n">fmt</span><span class="o">.</span><span class="n">Printf</span><span class="p">(</span><span class="s">"# No config file found, using default values</span><span class="se">\n</span><span class="s">"</span><span class="p">)</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h3> The Config Commands <a></a> </h3> <p>The configuration commands provide users with a powerful interface to interact with your application's settings. The beauty of this implementation is that these commands automatically work with any fields you define in your FieldCollection. The <code>list</code> command shows current values, <code>describe</code> provides detailed documentation, and <code>set</code> allows modification - all without hardcoding any specific field names. This generic approach means that adding a new configuration field automatically makes it available in all these commands without any additional code changes.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="c">// cmd/config.go</span> <span class="k">var</span> <span class="n">configCmd</span> <span class="o">=</span> <span class="o">&amp;</span><span class="n">cobra</span><span class="o">.</span><span class="n">Command</span><span class="p">{</span> <span class="n">Use</span><span class="o">:</span> <span class="s">"config"</span><span class="p">,</span> <span class="n">Short</span><span class="o">:</span> <span class="s">"Configuration management commands"</span><span class="p">,</span> <span class="n">Example</span><span class="o">:</span> <span class="s">`confapp config list confapp config describe confapp config set --log.level debug`</span><span class="p">,</span> <span class="p">}</span> <span class="k">var</span> <span class="n">configListCmd</span> <span class="o">=</span> <span class="o">&amp;</span><span class="n">cobra</span><span class="o">.</span><span class="n">Command</span><span class="p">{</span> <span class="n">Use</span><span class="o">:</span> <span class="s">"list [prefix] ..."</span><span class="p">,</span> <span class="n">Short</span><span class="o">:</span> <span class="s">"List configuration values"</span><span class="p">,</span> <span class="n">RunE</span><span class="o">:</span> <span class="n">listConfig</span><span class="p">,</span> <span class="n">ValidArgsFunction</span><span class="o">:</span> <span class="n">generateFieldCompletions</span><span class="p">,</span> <span class="n">Example</span><span class="o">:</span> <span class="s">`confapp config list confapp config list log confapp config list proxy confapp config list --hidden`</span><span class="p">,</span> <span class="p">}</span> <span class="k">var</span> <span class="n">configSetCmd</span> <span class="o">=</span> <span class="o">&amp;</span><span class="n">cobra</span><span class="o">.</span><span class="n">Command</span><span class="p">{</span> <span class="n">Use</span><span class="o">:</span> <span class="s">"set"</span><span class="p">,</span> <span class="n">Short</span><span class="o">:</span> <span class="s">"Set configuration values"</span><span class="p">,</span> <span class="n">Long</span><span class="o">:</span> <span class="s">`For more information about the configuration values, use the "describe" command.`</span><span class="p">,</span> <span class="n">Args</span><span class="o">:</span> <span class="n">cobra</span><span class="o">.</span><span class="n">NoArgs</span><span class="p">,</span> <span class="n">RunE</span><span class="o">:</span> <span class="n">setConfig</span><span class="p">,</span> <span class="n">Example</span><span class="o">:</span> <span class="s">`confapp config set --log.level info confapp config set --log.level debug --log.output /var/log/app.log confapp config set --update.auto true --update.period 1h confapp config set --proxy.http http://proxy:8080`</span><span class="p">,</span> <span class="n">ValidArgsFunction</span><span class="o">:</span> <span class="n">generateSetCompletions</span><span class="p">,</span> <span class="p">}</span> <span class="k">var</span> <span class="n">configDescribeCmd</span> <span class="o">=</span> <span class="o">&amp;</span><span class="n">cobra</span><span class="o">.</span><span class="n">Command</span><span class="p">{</span> <span class="n">Use</span><span class="o">:</span> <span class="s">"describe [prefix] ..."</span><span class="p">,</span> <span class="n">Short</span><span class="o">:</span> <span class="s">"Describe configuration parameters"</span><span class="p">,</span> <span class="n">RunE</span><span class="o">:</span> <span class="n">describeConfig</span><span class="p">,</span> <span class="n">ValidArgsFunction</span><span class="o">:</span> <span class="n">generateFieldCompletions</span><span class="p">,</span> <span class="n">Example</span><span class="o">:</span> <span class="s">`confapp config describe confapp config describe log confapp config describe update confapp config describe --hidden`</span><span class="p">,</span> <span class="p">}</span> </code></pre> </div> <h4> Generating Completions <a></a> </h4> <p>Shell completion is one of Cobra's most powerful features, dramatically improving the user experience by providing intelligent suggestions as users type. The completion system works through <code>ValidArgsFunction</code> callbacks that receive the current command state and return possible completions. The <code>args</code> parameter contains arguments already provided, while <code>toComplete</code> holds the partial text being typed. The function returns a list of completion suggestions and a directive that controls shell behavior (like whether to also suggest files).</p> <p>Our implementation leverages the Field definitions to provide context-aware completions. When users type <code>config list lo</code>, the system suggests <code>log</code> as a completion. When setting values with valid options, like <code>--log.level</code>, the completion can even suggest the valid values (debug, info, warn, error) defined in the field. This deep integration between the configuration schema and the CLI ensures users always have helpful guidance when interacting with your application.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="c">// cmd/config.go</span> <span class="k">func</span> <span class="n">generateFieldCompletions</span><span class="p">(</span><span class="n">cmd</span> <span class="o">*</span><span class="n">cobra</span><span class="o">.</span><span class="n">Command</span><span class="p">,</span> <span class="n">args</span> <span class="p">[]</span><span class="kt">string</span><span class="p">,</span> <span class="n">toComplete</span> <span class="kt">string</span><span class="p">)</span> <span class="p">([]</span><span class="kt">string</span><span class="p">,</span> <span class="n">cobra</span><span class="o">.</span><span class="n">ShellCompDirective</span><span class="p">)</span> <span class="p">{</span> <span class="k">var</span> <span class="n">completions</span> <span class="p">[]</span><span class="kt">string</span> <span class="k">for</span> <span class="n">key</span> <span class="o">:=</span> <span class="k">range</span> <span class="n">config</span><span class="o">.</span><span class="n">Fields</span><span class="o">.</span><span class="n">Map</span><span class="p">()</span> <span class="p">{</span> <span class="k">if</span> <span class="nb">len</span><span class="p">(</span><span class="n">toComplete</span><span class="p">)</span> <span class="o">==</span> <span class="m">0</span> <span class="o">||</span> <span class="p">(</span><span class="nb">len</span><span class="p">(</span><span class="n">key</span><span class="p">)</span> <span class="o">&gt;=</span> <span class="nb">len</span><span class="p">(</span><span class="n">toComplete</span><span class="p">)</span> <span class="o">&amp;&amp;</span> <span class="n">key</span><span class="p">[</span><span class="o">:</span><span class="nb">len</span><span class="p">(</span><span class="n">toComplete</span><span class="p">)]</span> <span class="o">==</span> <span class="n">toComplete</span><span class="p">)</span> <span class="p">{</span> <span class="n">completions</span> <span class="o">=</span> <span class="nb">append</span><span class="p">(</span><span class="n">completions</span><span class="p">,</span> <span class="n">key</span><span class="p">)</span> <span class="p">}</span> <span class="p">}</span> <span class="k">return</span> <span class="n">completions</span><span class="p">,</span> <span class="n">cobra</span><span class="o">.</span><span class="n">ShellCompDirectiveNoFileComp</span> <span class="p">}</span> <span class="k">func</span> <span class="n">generateSetCompletions</span><span class="p">(</span><span class="n">cmd</span> <span class="o">*</span><span class="n">cobra</span><span class="o">.</span><span class="n">Command</span><span class="p">,</span> <span class="n">args</span> <span class="p">[]</span><span class="kt">string</span><span class="p">,</span> <span class="n">toComplete</span> <span class="kt">string</span><span class="p">)</span> <span class="p">([]</span><span class="kt">string</span><span class="p">,</span> <span class="n">cobra</span><span class="o">.</span><span class="n">ShellCompDirective</span><span class="p">)</span> <span class="p">{</span> <span class="k">if</span> <span class="nb">len</span><span class="p">(</span><span class="n">args</span><span class="p">)</span> <span class="o">==</span> <span class="m">0</span> <span class="p">{</span> <span class="n">completions</span> <span class="o">:=</span> <span class="nb">make</span><span class="p">([]</span><span class="kt">string</span><span class="p">,</span> <span class="m">0</span><span class="p">,</span> <span class="nb">len</span><span class="p">(</span><span class="n">config</span><span class="o">.</span><span class="n">Fields</span><span class="p">))</span> <span class="k">for</span> <span class="n">_</span><span class="p">,</span> <span class="n">field</span> <span class="o">:=</span> <span class="k">range</span> <span class="n">config</span><span class="o">.</span><span class="n">Fields</span> <span class="p">{</span> <span class="k">if</span> <span class="n">field</span><span class="o">.</span><span class="n">Hidden</span> <span class="p">{</span> <span class="k">continue</span> <span class="p">}</span> <span class="n">completions</span> <span class="o">=</span> <span class="nb">append</span><span class="p">(</span><span class="n">completions</span><span class="p">,</span> <span class="s">"--"</span><span class="o">+</span><span class="n">field</span><span class="o">.</span><span class="n">Name</span><span class="p">)</span> <span class="p">}</span> <span class="k">return</span> <span class="n">completions</span><span class="p">,</span> <span class="n">cobra</span><span class="o">.</span><span class="n">ShellCompDirectiveNoFileComp</span> <span class="p">}</span> <span class="k">return</span> <span class="no">nil</span><span class="p">,</span> <span class="n">cobra</span><span class="o">.</span><span class="n">ShellCompDirectiveNoFileComp</span> <span class="p">}</span> <span class="k">func</span> <span class="n">generateValidValueCompletions</span><span class="p">(</span><span class="n">validValues</span> <span class="p">[]</span><span class="n">any</span><span class="p">,</span> <span class="n">toComplete</span> <span class="kt">string</span><span class="p">)</span> <span class="p">([]</span><span class="kt">string</span><span class="p">,</span> <span class="n">cobra</span><span class="o">.</span><span class="n">ShellCompDirective</span><span class="p">)</span> <span class="p">{</span> <span class="n">completions</span> <span class="o">:=</span> <span class="nb">make</span><span class="p">([]</span><span class="kt">string</span><span class="p">,</span> <span class="m">0</span><span class="p">,</span> <span class="nb">len</span><span class="p">(</span><span class="n">validValues</span><span class="p">))</span> <span class="k">for</span> <span class="n">_</span><span class="p">,</span> <span class="n">value</span> <span class="o">:=</span> <span class="k">range</span> <span class="n">validValues</span> <span class="p">{</span> <span class="k">if</span> <span class="n">strings</span><span class="o">.</span><span class="n">HasPrefix</span><span class="p">(</span><span class="n">value</span><span class="o">.</span><span class="p">(</span><span class="kt">string</span><span class="p">),</span> <span class="n">toComplete</span><span class="p">)</span> <span class="p">{</span> <span class="n">completions</span> <span class="o">=</span> <span class="nb">append</span><span class="p">(</span><span class="n">completions</span><span class="p">,</span> <span class="n">value</span><span class="o">.</span><span class="p">(</span><span class="kt">string</span><span class="p">))</span> <span class="p">}</span> <span class="p">}</span> <span class="k">return</span> <span class="n">completions</span><span class="p">,</span> <span class="n">cobra</span><span class="o">.</span><span class="n">ShellCompDirectiveNoFileComp</span> <span class="p">}</span> </code></pre> </div> <h4> Listing Configuration Values <a></a> </h4> <p>The list command provides users with a clear view of their current configuration state. By calculating the maximum field name length, the output is neatly aligned, making it easy to scan through settings. The ability to filter by prefix allows users to focus on specific configuration groups, while the hidden flag reveals internal settings that are normally concealed. This command is essential for debugging and verifying that configuration values are being loaded correctly from all sources.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="c">// cmd/config.go</span> <span class="k">func</span> <span class="n">listConfig</span><span class="p">(</span><span class="n">cmd</span> <span class="o">*</span><span class="n">cobra</span><span class="o">.</span><span class="n">Command</span><span class="p">,</span> <span class="n">args</span> <span class="p">[]</span><span class="kt">string</span><span class="p">)</span> <span class="kt">error</span> <span class="p">{</span> <span class="n">selectedFields</span> <span class="o">:=</span> <span class="n">selectFieldsByPrefix</span><span class="p">(</span><span class="n">args</span><span class="p">)</span> <span class="k">if</span> <span class="nb">len</span><span class="p">(</span><span class="n">selectedFields</span><span class="p">)</span> <span class="o">==</span> <span class="m">0</span> <span class="p">{</span> <span class="k">return</span> <span class="n">fmt</span><span class="o">.</span><span class="n">Errorf</span><span class="p">(</span><span class="s">"no configuration fields found"</span><span class="p">)</span> <span class="p">}</span> <span class="c">// Calculate maximum field name length for alignment</span> <span class="n">maxNameLen</span> <span class="o">:=</span> <span class="n">calculateMaxFieldNameLength</span><span class="p">(</span><span class="n">selectedFields</span><span class="p">)</span> <span class="c">// Display each field</span> <span class="k">for</span> <span class="n">_</span><span class="p">,</span> <span class="n">field</span> <span class="o">:=</span> <span class="k">range</span> <span class="n">selectedFields</span> <span class="p">{</span> <span class="k">if</span> <span class="n">field</span><span class="o">.</span><span class="n">Hidden</span> <span class="o">&amp;&amp;</span> <span class="o">!</span><span class="n">FlagShowHidden</span> <span class="p">{</span> <span class="k">continue</span> <span class="p">}</span> <span class="n">fmt</span><span class="o">.</span><span class="n">Printf</span><span class="p">(</span><span class="s">"%-*s = %v</span><span class="se">\n</span><span class="s">"</span><span class="p">,</span> <span class="n">maxNameLen</span><span class="o">+</span><span class="m">1</span><span class="p">,</span> <span class="n">field</span><span class="o">.</span><span class="n">Name</span><span class="p">,</span> <span class="n">config</span><span class="o">.</span><span class="n">ReadField</span><span class="p">(</span><span class="n">field</span><span class="p">))</span> <span class="p">}</span> <span class="k">return</span> <span class="no">nil</span> <span class="p">}</span> <span class="k">func</span> <span class="n">selectFieldsByPrefix</span><span class="p">(</span><span class="n">prefixes</span> <span class="p">[]</span><span class="kt">string</span><span class="p">)</span> <span class="n">config</span><span class="o">.</span><span class="n">FieldCollection</span> <span class="p">{</span> <span class="k">if</span> <span class="nb">len</span><span class="p">(</span><span class="n">prefixes</span><span class="p">)</span> <span class="o">==</span> <span class="m">0</span> <span class="p">{</span> <span class="k">return</span> <span class="n">config</span><span class="o">.</span><span class="n">Fields</span> <span class="p">}</span> <span class="n">selectedFields</span> <span class="o">:=</span> <span class="n">config</span><span class="o">.</span><span class="n">FieldCollection</span><span class="p">{}</span> <span class="k">for</span> <span class="n">_</span><span class="p">,</span> <span class="n">prefix</span> <span class="o">:=</span> <span class="k">range</span> <span class="n">prefixes</span> <span class="p">{</span> <span class="k">for</span> <span class="n">_</span><span class="p">,</span> <span class="n">field</span> <span class="o">:=</span> <span class="k">range</span> <span class="n">config</span><span class="o">.</span><span class="n">Fields</span> <span class="p">{</span> <span class="k">if</span> <span class="n">strings</span><span class="o">.</span><span class="n">HasPrefix</span><span class="p">(</span><span class="n">field</span><span class="o">.</span><span class="n">Name</span><span class="p">,</span> <span class="n">prefix</span><span class="p">)</span> <span class="p">{</span> <span class="n">selectedFields</span> <span class="o">=</span> <span class="nb">append</span><span class="p">(</span><span class="n">selectedFields</span><span class="p">,</span> <span class="n">field</span><span class="p">)</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="k">return</span> <span class="n">selectedFields</span> <span class="p">}</span> <span class="k">func</span> <span class="n">calculateMaxFieldNameLength</span><span class="p">(</span><span class="n">fields</span> <span class="n">config</span><span class="o">.</span><span class="n">FieldCollection</span><span class="p">)</span> <span class="kt">int</span> <span class="p">{</span> <span class="n">maxLen</span> <span class="o">:=</span> <span class="m">0</span> <span class="k">for</span> <span class="n">_</span><span class="p">,</span> <span class="n">field</span> <span class="o">:=</span> <span class="k">range</span> <span class="n">fields</span> <span class="p">{</span> <span class="k">if</span> <span class="nb">len</span><span class="p">(</span><span class="n">field</span><span class="o">.</span><span class="n">Name</span><span class="p">)</span> <span class="o">&gt;</span> <span class="n">maxLen</span> <span class="p">{</span> <span class="n">maxLen</span> <span class="o">=</span> <span class="nb">len</span><span class="p">(</span><span class="n">field</span><span class="o">.</span><span class="n">Name</span><span class="p">)</span> <span class="p">}</span> <span class="p">}</span> <span class="k">return</span> <span class="n">maxLen</span> <span class="p">}</span> </code></pre> </div> <h4> Setting Configuration Values <a></a> </h4> <p>The set command demonstrates the power of our Field-Driven approach by automatically creating flags for all configuration fields. When a user runs <code>config set --log.level debug</code>, Cobra parses the flag, our code validates it against the Field definition, and if valid, updates the value through Viper. The command then saves the configuration to disk, ensuring changes persist across application restarts. The validation happens before any values are saved, preventing invalid configurations from being written to disk and ensuring the application always works with valid settings.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="c">// cmd/config.go</span> <span class="k">func</span> <span class="n">setConfig</span><span class="p">(</span><span class="n">cmd</span> <span class="o">*</span><span class="n">cobra</span><span class="o">.</span><span class="n">Command</span><span class="p">,</span> <span class="n">args</span> <span class="p">[]</span><span class="kt">string</span><span class="p">)</span> <span class="kt">error</span> <span class="p">{</span> <span class="c">// Collect and process all set flags</span> <span class="n">fieldCount</span> <span class="o">:=</span> <span class="m">0</span> <span class="k">for</span> <span class="n">_</span><span class="p">,</span> <span class="n">field</span> <span class="o">:=</span> <span class="k">range</span> <span class="n">config</span><span class="o">.</span><span class="n">Fields</span> <span class="p">{</span> <span class="k">if</span> <span class="n">cmd</span><span class="o">.</span><span class="n">Flags</span><span class="p">()</span><span class="o">.</span><span class="n">Changed</span><span class="p">(</span><span class="n">field</span><span class="o">.</span><span class="n">Name</span><span class="p">)</span> <span class="p">{</span> <span class="k">if</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">processFieldFlag</span><span class="p">(</span><span class="n">cmd</span><span class="p">,</span> <span class="n">field</span><span class="p">);</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="k">return</span> <span class="n">err</span> <span class="p">}</span> <span class="n">fieldCount</span><span class="o">++</span> <span class="p">}</span> <span class="p">}</span> <span class="k">if</span> <span class="n">fieldCount</span> <span class="o">==</span> <span class="m">0</span> <span class="p">{</span> <span class="k">return</span> <span class="n">cmd</span><span class="o">.</span><span class="n">Help</span><span class="p">()</span> <span class="p">}</span> <span class="c">// Save the configuration to file</span> <span class="k">if</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">config</span><span class="o">.</span><span class="n">Save</span><span class="p">();</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="n">fmt</span><span class="o">.</span><span class="n">Printf</span><span class="p">(</span><span class="s">"Failed to save configuration: %v</span><span class="se">\n</span><span class="s">"</span><span class="p">,</span> <span class="n">err</span><span class="p">)</span> <span class="n">os</span><span class="o">.</span><span class="n">Exit</span><span class="p">(</span><span class="m">1</span><span class="p">)</span> <span class="p">}</span> <span class="k">return</span> <span class="no">nil</span> <span class="p">}</span> <span class="k">func</span> <span class="n">processFieldFlag</span><span class="p">(</span><span class="n">cmd</span> <span class="o">*</span><span class="n">cobra</span><span class="o">.</span><span class="n">Command</span><span class="p">,</span> <span class="n">field</span> <span class="o">*</span><span class="n">config</span><span class="o">.</span><span class="n">Field</span><span class="p">)</span> <span class="kt">error</span> <span class="p">{</span> <span class="n">flag</span> <span class="o">:=</span> <span class="n">cmd</span><span class="o">.</span><span class="n">Flags</span><span class="p">()</span><span class="o">.</span><span class="n">Lookup</span><span class="p">(</span><span class="n">field</span><span class="o">.</span><span class="n">Name</span><span class="p">)</span> <span class="k">if</span> <span class="n">flag</span> <span class="o">==</span> <span class="no">nil</span> <span class="p">{</span> <span class="k">return</span> <span class="n">fmt</span><span class="o">.</span><span class="n">Errorf</span><span class="p">(</span><span class="s">"flag not found: %s"</span><span class="p">,</span> <span class="n">field</span><span class="o">.</span><span class="n">Name</span><span class="p">)</span> <span class="p">}</span> <span class="k">if</span> <span class="n">FlagVerbose</span> <span class="p">{</span> <span class="n">fmt</span><span class="o">.</span><span class="n">Printf</span><span class="p">(</span><span class="s">"# Setting: %s: %s</span><span class="se">\n</span><span class="s">"</span><span class="p">,</span> <span class="n">field</span><span class="o">.</span><span class="n">Name</span><span class="p">,</span> <span class="n">flag</span><span class="o">.</span><span class="n">Value</span><span class="o">.</span><span class="n">String</span><span class="p">())</span> <span class="p">}</span> <span class="k">if</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">config</span><span class="o">.</span><span class="n">WriteField</span><span class="p">(</span><span class="n">field</span><span class="p">,</span> <span class="n">flag</span><span class="o">.</span><span class="n">Value</span><span class="o">.</span><span class="n">String</span><span class="p">());</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="k">return</span> <span class="n">fmt</span><span class="o">.</span><span class="n">Errorf</span><span class="p">(</span><span class="s">"%s: %w"</span><span class="p">,</span> <span class="n">field</span><span class="o">.</span><span class="n">Name</span><span class="p">,</span> <span class="n">err</span><span class="p">)</span> <span class="p">}</span> <span class="k">return</span> <span class="no">nil</span> <span class="p">}</span> </code></pre> </div> <h4> Auto-Documentation: Describing Parameters <a></a> </h4> <p>The describe command showcases how rich metadata in Field definitions enables automatic documentation generation. Each field's description, type, valid values, examples, and extended documentation are displayed in a structured format that helps users understand not just what a setting does, but how to use it effectively. The grouping feature organizes related fields together, making it easier to understand the relationships between different configuration options. This self-documenting nature ensures that documentation always stays in sync with the actual implementation.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="c">// cmd/config.go</span> <span class="k">func</span> <span class="n">describeConfig</span><span class="p">(</span><span class="n">cmd</span> <span class="o">*</span><span class="n">cobra</span><span class="o">.</span><span class="n">Command</span><span class="p">,</span> <span class="n">args</span> <span class="p">[]</span><span class="kt">string</span><span class="p">)</span> <span class="kt">error</span> <span class="p">{</span> <span class="n">selectedFields</span> <span class="o">:=</span> <span class="n">selectFieldsByPrefix</span><span class="p">(</span><span class="n">args</span><span class="p">)</span> <span class="k">if</span> <span class="nb">len</span><span class="p">(</span><span class="n">selectedFields</span><span class="p">)</span> <span class="o">==</span> <span class="m">0</span> <span class="p">{</span> <span class="k">return</span> <span class="n">fmt</span><span class="o">.</span><span class="n">Errorf</span><span class="p">(</span><span class="s">"no configuration fields found"</span><span class="p">)</span> <span class="p">}</span> <span class="c">// Use a writer to allow extending writing to a Pager</span> <span class="n">w</span> <span class="o">:=</span> <span class="n">os</span><span class="o">.</span><span class="n">Stdout</span> <span class="c">// Display fields grouped by their group name</span> <span class="k">for</span> <span class="n">group</span><span class="p">,</span> <span class="n">fields</span> <span class="o">:=</span> <span class="k">range</span> <span class="n">selectedFields</span><span class="o">.</span><span class="n">GroupIter</span><span class="p">()</span> <span class="p">{</span> <span class="n">fmt</span><span class="o">.</span><span class="n">Fprintf</span><span class="p">(</span><span class="n">w</span><span class="p">,</span> <span class="s">"</span><span class="se">\n</span><span class="s">%s</span><span class="se">\n</span><span class="s">"</span><span class="p">,</span> <span class="n">group</span><span class="p">)</span> <span class="k">for</span> <span class="n">_</span><span class="p">,</span> <span class="n">field</span> <span class="o">:=</span> <span class="k">range</span> <span class="n">fields</span> <span class="p">{</span> <span class="k">if</span> <span class="n">field</span><span class="o">.</span><span class="n">Hidden</span> <span class="o">&amp;&amp;</span> <span class="o">!</span><span class="n">FlagShowHidden</span> <span class="p">{</span> <span class="k">continue</span> <span class="p">}</span> <span class="n">writeFieldDescription</span><span class="p">(</span><span class="n">w</span><span class="p">,</span> <span class="n">field</span><span class="p">)</span> <span class="p">}</span> <span class="n">fmt</span><span class="o">.</span><span class="n">Fprintf</span><span class="p">(</span><span class="n">w</span><span class="p">,</span> <span class="s">"</span><span class="se">\n</span><span class="s">"</span><span class="p">)</span> <span class="p">}</span> <span class="k">return</span> <span class="no">nil</span> <span class="p">}</span> <span class="k">func</span> <span class="n">writeFieldDescription</span><span class="p">(</span><span class="n">w</span> <span class="k">interface</span><span class="p">{</span> <span class="n">Write</span><span class="p">([]</span><span class="kt">byte</span><span class="p">)</span> <span class="p">(</span><span class="kt">int</span><span class="p">,</span> <span class="kt">error</span><span class="p">)</span> <span class="p">},</span> <span class="n">field</span> <span class="o">*</span><span class="n">config</span><span class="o">.</span><span class="n">Field</span><span class="p">)</span> <span class="p">{</span> <span class="c">// Field name and deprecation status</span> <span class="k">if</span> <span class="n">field</span><span class="o">.</span><span class="n">Deprecated</span> <span class="o">!=</span> <span class="s">""</span> <span class="p">{</span> <span class="n">fmt</span><span class="o">.</span><span class="n">Fprintf</span><span class="p">(</span><span class="n">w</span><span class="p">,</span> <span class="s">"</span><span class="se">\n</span><span class="s"> %s (deprecated: %s)</span><span class="se">\n</span><span class="s">"</span><span class="p">,</span> <span class="n">field</span><span class="o">.</span><span class="n">Name</span><span class="p">,</span> <span class="n">field</span><span class="o">.</span><span class="n">Deprecated</span><span class="p">)</span> <span class="p">}</span> <span class="k">else</span> <span class="p">{</span> <span class="n">fmt</span><span class="o">.</span><span class="n">Fprintf</span><span class="p">(</span><span class="n">w</span><span class="p">,</span> <span class="s">"</span><span class="se">\n</span><span class="s"> %s</span><span class="se">\n</span><span class="s">"</span><span class="p">,</span> <span class="n">field</span><span class="o">.</span><span class="n">Name</span><span class="p">)</span> <span class="p">}</span> <span class="c">// Basic field information</span> <span class="n">fmt</span><span class="o">.</span><span class="n">Fprintf</span><span class="p">(</span><span class="n">w</span><span class="p">,</span> <span class="s">" %s</span><span class="se">\n</span><span class="s">"</span><span class="p">,</span> <span class="n">field</span><span class="o">.</span><span class="n">Description</span><span class="p">)</span> <span class="n">fmt</span><span class="o">.</span><span class="n">Fprintf</span><span class="p">(</span><span class="n">w</span><span class="p">,</span> <span class="s">" Type: %s</span><span class="se">\n</span><span class="s">"</span><span class="p">,</span> <span class="n">field</span><span class="o">.</span><span class="n">Type</span><span class="p">)</span> <span class="c">// Current value (if different from default)</span> <span class="n">val</span> <span class="o">:=</span> <span class="n">config</span><span class="o">.</span><span class="n">ReadField</span><span class="p">(</span><span class="n">field</span><span class="p">)</span> <span class="k">if</span> <span class="n">val</span> <span class="o">!=</span> <span class="no">nil</span> <span class="o">&amp;&amp;</span> <span class="n">val</span> <span class="o">!=</span> <span class="n">field</span><span class="o">.</span><span class="n">Default</span> <span class="p">{</span> <span class="n">fmt</span><span class="o">.</span><span class="n">Fprintf</span><span class="p">(</span><span class="n">w</span><span class="p">,</span> <span class="s">" Value: %v</span><span class="se">\n</span><span class="s">"</span><span class="p">,</span> <span class="n">val</span><span class="p">)</span> <span class="p">}</span> <span class="c">// Default value</span> <span class="k">if</span> <span class="n">field</span><span class="o">.</span><span class="n">Default</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="n">fmt</span><span class="o">.</span><span class="n">Fprintf</span><span class="p">(</span><span class="n">w</span><span class="p">,</span> <span class="s">" Default: %v</span><span class="se">\n</span><span class="s">"</span><span class="p">,</span> <span class="n">field</span><span class="o">.</span><span class="n">Default</span><span class="p">)</span> <span class="p">}</span> <span class="c">// Valid values</span> <span class="k">if</span> <span class="n">field</span><span class="o">.</span><span class="n">ValidValues</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="n">fmt</span><span class="o">.</span><span class="n">Fprintf</span><span class="p">(</span><span class="n">w</span><span class="p">,</span> <span class="s">" Valid values: %v</span><span class="se">\n</span><span class="s">"</span><span class="p">,</span> <span class="n">field</span><span class="o">.</span><span class="n">ValidValues</span><span class="p">)</span> <span class="p">}</span> <span class="c">// Validation rules</span> <span class="k">if</span> <span class="n">field</span><span class="o">.</span><span class="n">ValidateTag</span> <span class="o">!=</span> <span class="s">""</span> <span class="p">{</span> <span class="n">fmt</span><span class="o">.</span><span class="n">Fprintf</span><span class="p">(</span><span class="n">w</span><span class="p">,</span> <span class="s">" Validation: %s</span><span class="se">\n</span><span class="s">"</span><span class="p">,</span> <span class="n">field</span><span class="o">.</span><span class="n">ValidateTag</span><span class="p">)</span> <span class="p">}</span> <span class="c">// Example value</span> <span class="k">if</span> <span class="n">field</span><span class="o">.</span><span class="n">Example</span> <span class="o">!=</span> <span class="s">""</span> <span class="p">{</span> <span class="n">fmt</span><span class="o">.</span><span class="n">Fprintf</span><span class="p">(</span><span class="n">w</span><span class="p">,</span> <span class="s">" Example: %s</span><span class="se">\n</span><span class="s">"</span><span class="p">,</span> <span class="n">field</span><span class="o">.</span><span class="n">Example</span><span class="p">)</span> <span class="p">}</span> <span class="c">// Detailed documentation</span> <span class="k">if</span> <span class="n">field</span><span class="o">.</span><span class="n">Docstring</span> <span class="o">!=</span> <span class="s">""</span> <span class="p">{</span> <span class="n">fmt</span><span class="o">.</span><span class="n">Fprintf</span><span class="p">(</span><span class="n">w</span><span class="p">,</span> <span class="s">" Doc:</span><span class="se">\n</span><span class="s">"</span><span class="p">)</span> <span class="n">lines</span> <span class="o">:=</span> <span class="n">strings</span><span class="o">.</span><span class="n">Split</span><span class="p">(</span><span class="n">field</span><span class="o">.</span><span class="n">Docstring</span><span class="p">,</span> <span class="s">"</span><span class="se">\n</span><span class="s">"</span><span class="p">)</span> <span class="k">for</span> <span class="n">_</span><span class="p">,</span> <span class="n">line</span> <span class="o">:=</span> <span class="k">range</span> <span class="n">lines</span> <span class="p">{</span> <span class="n">fmt</span><span class="o">.</span><span class="n">Fprintf</span><span class="p">(</span><span class="n">w</span><span class="p">,</span> <span class="s">" %s</span><span class="se">\n</span><span class="s">"</span><span class="p">,</span> <span class="n">line</span><span class="p">)</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h1> Results <a></a> </h1> <p>The Field-Driven Configuration approach delivers a powerful, user-friendly CLI that adapts automatically as your application evolves. Users benefit from intelligent completions, comprehensive documentation, and robust validation, while developers enjoy a maintainable system where adding new configuration options requires minimal code changes. The integration between Viper and Cobra through our Field abstraction creates a seamless experience where configuration can be managed through files, environment variables, or command-line flags with equal ease.</p> <h2> Building <a></a> </h2> <p>The build process leverages Go's <code>-ldflags</code> feature to inject build-time values into the application. This allows you to customize constants like application name, version, or even default configuration values without modifying source code. This is particularly useful in CI/CD pipelines where different environments might need different defaults, or when building white-labeled versions of your application.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Basic build</span> go build <span class="nt">-o</span> confapp <span class="c"># Build with custom constants</span> go build <span class="nt">-ldflags</span> <span class="s2">"-X github.com/lucasdecamargo/go-appconfig-example/internal/consts.AppName=myapp"</span> <span class="nt">-o</span> myapp </code></pre> </div> <h2> Usage <a></a> </h2> <p>Shell completions transform the user experience by providing context-aware suggestions as users type. Once enabled, users can press Tab to see available options, making it easy to discover configuration fields without consulting documentation. The completion system understands the command structure and provides appropriate suggestions based on context, such as showing only valid values for fields with enumerated options.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># MacOS</span> <span class="nb">source</span> &lt;<span class="o">(</span>./confapp completion zsh<span class="o">)</span> <span class="c"># Linux</span> <span class="nb">source</span> &lt;<span class="o">(</span>./confapp completion bash<span class="o">)</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># List all configuration values</span> ./confapp config list <span class="c"># List specific configuration groups</span> ./confapp config list log ./confapp config list proxy <span class="c"># Describe configuration fields</span> ./confapp config describe <span class="c"># Describe specific fields</span> ./confapp config describe log.level update <span class="c"># Set configuration values</span> ./confapp config <span class="nb">set</span> <span class="nt">--log</span>.level debug ./confapp config <span class="nb">set</span> <span class="nt">--log</span>.level info <span class="nt">--log</span>.output /var/log/app.log <span class="c"># Show hidden fields</span> ./confapp config list <span class="nt">--hidden</span> ./confapp config describe <span class="nt">--hidden</span> <span class="c"># Verbose output</span> ./confapp <span class="nt">--verbose</span> config list </code></pre> </div> <p><strong>Checking the documentation with <code>describe</code></strong><br> <a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fr19s6ujyvm49mwyaj8rg.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fr19s6ujyvm49mwyaj8rg.png" alt="Checking out the documentation with describe"></a></p> <p><strong>Retrieving values with <code>list</code></strong><br> <a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Faqfdl61avw8lnuhfwpgr.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Faqfdl61avw8lnuhfwpgr.png" alt="Retrieving values with list"></a></p> <p><strong>Generating completions for the list command</strong><br> <a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fvniupy22062pqu2s99yh.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fvniupy22062pqu2s99yh.png" alt="Generating completions for the list command"></a></p> <p><strong>Generating completions for the flags in set command</strong><br> <a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fmruqdfaiufoqdvl2fwsl.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fmruqdfaiufoqdvl2fwsl.png" alt="Generating completions for the flags in set command"></a></p> <p><strong>Generating completions for the flag values in set command</strong><br> <a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F74xi9vy2e0wdyiserh3s.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F74xi9vy2e0wdyiserh3s.png" alt="Generating completions for the flag values in set command"></a></p> <h1> Conclusion <a></a> </h1> <p>The Field-Driven Configuration pattern presented in this article demonstrates how thoughtful abstraction can transform configuration management from a maintenance burden into a self-maintaining system. By defining configuration fields as first-class entities with rich metadata, we've created a solution that respects the Open-Closed Principle while providing exceptional developer and user experiences.</p> <p>The integration of Viper, Cobra, and Go Validator through our Field abstraction eliminates the common pain points of configuration management: keeping documentation in sync, maintaining validation rules, and providing good CLI experiences. The result is a system where adding new configuration options is as simple as defining a new Field struct, and everything else - from CLI flags to validation to documentation - automatically adapts.</p> <p>This approach scales elegantly from simple applications with a handful of settings to complex systems with hundreds of configuration parameters organized into logical groups. The automatic generation of completions and documentation ensures that as your application grows, it remains discoverable and user-friendly.</p> <h2> Extending the Solution <a></a> </h2> <p>The architecture presented here provides a solid foundation that can be extended in several ways:</p> <p><strong>Configuration Profiles</strong>: Add support for multiple configuration profiles (development, staging, production) by extending the FieldCollection to support profile-specific overrides while maintaining the same validation and documentation capabilities.</p> <p><strong>Dynamic Reloading</strong>: Implement configuration hot-reloading using Viper's WatchConfig functionality, with the Field definitions providing the validation layer to ensure changes are safe before applying them.</p> <p><strong>API Integration</strong>: Generate OpenAPI specifications or GraphQL schemas from Field definitions, ensuring that API documentation stays synchronized with configuration capabilities.</p> <p><strong>Nested Structures</strong>: Extend the Field structure to support complex nested configurations while maintaining the same validation and documentation benefits.</p> <p>For a complete implementation with additional features like configuration profiles, pager support for long documentation, and more sophisticated validation examples, check out my <a href="https://github.com/lucasdecamargo/go-appconfig-example" rel="noopener noreferrer">GitHub repository</a>. </p> <div class="ltag-github-readme-tag"> <div class="readme-overview"> <h2> <img src="https://assets.dev.to/assets/github-logo-5a155e1f9a670af7944dd5e12375bc76ed542ea80224905ecaf878b9157cdefc.svg" alt="GitHub logo"> <a href="https://github.com/lucasdecamargo" rel="noopener noreferrer"> lucasdecamargo </a> / <a href="https://github.com/lucasdecamargo/go-appconfig-example" rel="noopener noreferrer"> go-appconfig-example </a> </h2> <h3> Guidelines for setting up configuration parameters in large Go applications with Viper and Cobra. </h3> </div> <div class="ltag-github-body"> <div id="readme" class="md"> <div class="markdown-heading"> <h1 class="heading-element">Go Application Configuration Template</h1> </div> <p>A production-ready template for managing configuration parameters in Go applications using <strong>Viper</strong> and <strong>Cobra</strong>. This template demonstrates a clean, maintainable approach to configuration management with a single source of truth for all configuration metadata.</p> <div class="markdown-heading"> <h2 class="heading-element">🎯 Key Features</h2> </div> <ul> <li> <strong>Single Source of Truth</strong>: Configuration fields are defined once with all metadata (validation, documentation, defaults)</li> <li> <strong>Type Safety</strong>: Strongly typed configuration with validation</li> <li> <strong>CLI Integration</strong>: Seamless integration with Cobra for command-line interfaces</li> <li> <strong>Multiple Formats</strong>: Support for YAML, JSON, TOML, HCL, and ENV files</li> <li> <strong>Environment Variables</strong>: Automatic binding with configurable prefix</li> <li> <strong>Shell Completion</strong>: Auto-completion for configuration field names and values</li> <li> <strong>Documentation</strong>: Built-in help and documentation generation</li> <li> <strong>Validation</strong>: Multiple validation strategies (tags, custom functions, valid values)</li> </ul> <div class="markdown-heading"> <h2 class="heading-element">🏗️ Architecture Overview</h2> </div> <div class="markdown-heading"> <h3 class="heading-element">Core Concept: Field-Driven Configuration</h3> </div> <p>The central idea is to define configuration fields as structured data that contains everything needed to:</p> <ul> <li>Validate values</li> <li>Generate CLI…</li> </ul> </div> <br> </div> <br> <div class="gh-btn-container"><a class="gh-btn" href="https://github.com/lucasdecamargo/go-appconfig-example" rel="noopener noreferrer">View on GitHub</a></div> <br> </div> <br> <p>The repository includes comprehensive examples and can serve as a starting template for your own production applications. Feel free to star the repository if you find it useful, and don't hesitate to open issues or contribute improvements!</p> <h2> Buy me a coffee <a></a> </h2> <p><a href="https://buymeacoffee.com/lucasdecamargo" rel="noopener noreferrer"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fcdn.buymeacoffee.com%2Fbuttons%2Fdefault-orange.png" alt="Buy Me A Coffee" height="41" width="174"></a></p> go tooling cli architecture