Skip to main content
Secrets and config values are handled differently in production than in local development. During deployment, specific deploy ensures every required value is set for the target environment.

Setting values during deployment

When you run specific deploy, the CLI checks for any secrets or config values that have not been set for the target environment. If any are missing, you are prompted to enter them interactively. You can enter values while builds are still running — there is no need to wait for builds to finish first.

Generated secrets

Secrets declared with generated = true are auto-created in production, just like in local development. A random string is generated and stored securely. You do not need to enter a value for these. 
secret "jwt_secret" {
  generated = true
}
You can optionally set length to control the generated string length (default: 64).

Config with environment overrides

Config values use their default unless overridden by an environment block in specific.hcl. 
config "log_level" {
  default = "info"
}

environment "production" {
  config = {
    log_level = "warn"
  }
}

specific.local is not used in production

The specific.local file is exclusively for local development. It is gitignored and never included in deployments. Production secrets and config are managed separately through the deployment flow.

Security

  • Secrets are stored securely and never logged during deployment
  • Secret values are injected into services as environment variables at runtime
  • Secrets are scoped to a specific environment — setting a secret for staging does not affect production

Updating secrets

To update a secret after the initial deploy, run specific deploy again. You will be prompted to re-enter values for any secrets you need to change.