Externalizing properties in a Mule application is a best practice. It provides several benefits that enhance the maintainability, scalability, and security of our Mule application. Here are a few reasons:
Environment-Specific Configurations - Externalizing properties allows us to manage environment-specific configurations (e.g., Dev, QA, Prod) without changing the code. By externalizing properties like database credentials, endpoints, and other configuration details, we can easily adapt our application to different environments.
Security - Sensitive information such as API keys, passwords, and tokens can be stored securely using externalized property management tools or secrets managers (e.g., Anypoint Secure Properties, AWS Secrets Manager, or Azure Key Vault). This minimizes the risk of hardcoding sensitive data in your codebase.
Separation of Concerns - Externalized properties allow you to separate the application's logic from its configuration. This makes the code cleaner and easier to understand, as configuration changes don't require code changes.
Ease of Maintenance - Updating properties is simpler when they are externalized. Instead of redeploying the entire application for configuration changes, you can update the property files or configuration management tools.
Reusability - Externalized properties can be reused across multiple applications, promoting consistency and reducing duplication.
How to Externalize Properties in MuleSoft
We’ve got different ways of externalizing a Mule app’s properties:
Properties Files - We can define .properties or .yaml files to store configurations within the app. For environment-specific properties we can define one file per environment like dev.properties, qa.properties, and prod.properties.
Runtime Manager Properties - We can use Runtime Manager's application properties feature to set and manage properties directly for deployed applications.
Secure Property - Sensitive properties can be encrypted using MuleSoft's Secure Properties module and then referenced in our configuration.
External Systems - We can decouple and store these properties outside the Mule app using external configuration management systems (e.g., HashiCorp Vault, AWS Secrets Manager) to manage properties dynamically.
In this post, we’ll see how we can externalize and dynamically manage properties in AWS Secrets Manager.
Prerequisites
An AWS Account with access to Secrets Manager
Create IAM user and access key/secret in AWS
Open the AWS Management Console and go to the IAM service. Then, under the Access Management section, click on Users and Create User.
Provide a name for our secrets reader user (in our example we’ll name it mule-secrets-reader). No need to provide access to the management console. Click Next.
Next, in the Set Permissions step, choose the Attach policies directly option and select the SecretsManagerReadWrite policy. Click Next.
In Review and Create click on Create user
Once the user is created, click on the user name on the list of users and, then, click on Create access key
Choose the Application running outside AWS option. Click on Next.
Provide a tag if you wish. After that click on Create access key
Lastly, take note of the Access key and Secret access key. We’ll use them in the next steps. Click Done
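The policy attached in the Set Permissions step allows writing secrets as well as reading them, while the app in this post only reads firstName and lastName. The following is an added example, not part of the original post: a small Python check that flags IAM policy statements giving a reader identity more than read access to named secrets. The two policy documents, the region, the account ID and the choice of read-only actions are assumptions constructed for illustration.

```python
import fnmatch

# Assumption: fetching a secret value needs only these Secrets Manager actions.
READ_ONLY = {"secretsmanager:getsecretvalue", "secretsmanager:describesecret"}

# Constructed sample: a broad statement of the kind a read/write policy carries.
BROAD_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "secretsmanager:*", "Resource": "*"}]}

# Constructed sample scoped to this post's two secrets. Region and account ID
# are placeholders; "-??????" covers the random suffix AWS appends to secret ARNs.
ARN = "arn:aws:secretsmanager:us-east-1:111122223333:secret:"
SCOPED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow",
     "Action": ["secretsmanager:GetSecretValue"],
     "Resource": [ARN + "firstName-??????", ARN + "lastName-??????"]}]}


def _as_list(value):
    """IAM allows a single string or a list for Action and Resource."""
    return value if isinstance(value, list) else [value]


def audit_reader_policy(policy):
    """Return findings for Allow statements that exceed read access to named secrets."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        relevant = False
        for action in _as_list(stmt.get("Action", [])):
            a = action.lower()  # IAM action names are case-insensitive
            # Explicit Secrets Manager action, or a wildcard that reaches a write action.
            covers_sm = a.startswith("secretsmanager:") or fnmatch.fnmatchcase(
                "secretsmanager:putsecretvalue", a)
            relevant = relevant or covers_sm
            if covers_sm and a not in READ_ONLY:
                findings.append(f"statement {idx}: action '{action}' is broader than read-only")
        if not relevant:
            continue
        for res in _as_list(stmt.get("Resource", [])):
            name = res.rpartition(":secret:")[2] if ":secret:" in res else ""
            if not name.strip("*?-"):  # nothing left once wildcards are removed
                findings.append(f"statement {idx}: resource '{res}' is not limited to named secrets")
    return findings


if __name__ == "__main__":
    for label, doc in (("broad", BROAD_POLICY), ("scoped", SCOPED_POLICY)):
        print(label, audit_reader_policy(doc) or "no findings")
```
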
Store Properties in Secrets Manager
Go to the Secrets Manager service in AWS. We’ll define two secrets for our example:
- firstName = [YOUR_NAME]
- lastName = [YOUR_LAST_NAME]
After that, provide a name for our first property, in our example firstName. Click Next
Leave the default values for the Configure rotation section for now and click Next. Lastly, click Store in the Review. Repeat the process to create the second secret, lastName. With that, we’ve got the two secrets we’ll retrieve from our Mule app.
Create a Mule App
Head over to Anypoint Studio and create a New Mule Project. Then, create a new flow with an HTTP Listener for GET /hello, a Transform Message processor and a Logger processor.
Add the AWS Secrets module
In order for a Mule app to read secrets from AWS we’ll need to add a custom module called AWS Secret Manager Properties Override. That’s what we need to interact with the AWS API. For that, from the Mule Palette, click on Search in Exchange and look for AWS Secret. You’ll see the AWS Secret Manager Properties Provider Override on the left panel. Click on Add to retrieve it for our project. Click on Finish. That will download the dependency.
Use the Secrets Manager properties in the app
In our sample flow, we’ll create the response ‘Hello firstName lastName’, where the values of firstName and lastName will be the values of the corresponding secrets we’ve created in AWS Secrets Manager. Click on the Transform Message processor and add the following DataWeave script:
%dw 2.0
output application/json
---
{
"message": "Hello " ++ p('aws-secrets::firstName') ++ " " ++ p('aws-secrets::lastName')
}
Set up the credentials for the AWS Secret module
The last thing we need to do is to provide credentials to our app to connect to our AWS account and retrieve the secrets from Secrets Manager. For that, we’ll use the access key and secret we created in the first step of this tutorial.
To do that, from the XML config file of our project, click on the Global Elements tab and click on Create. Search for AWS and select the AWS Secret Manager Properties Override Config. From there, we just need to provide the AWS region and the pair of access key and secret we generated for our mule-secrets-reader user.
Click OK and Save the project. Our app is ready
Run the app and test
Time to see if our app can retrieve secrets from AWS. Run the project in Anypoint Studio and send a request with CURL or Postman to our hello endpoint.
If everything went well we should see the greetings message with our firstName and lastName from AWS in the response.
Lastly, it’s also interesting to see how we could dynamically change the values of our Secrets in AWS without having to re-build or re-deploy our mule app. Try to change the value of one of the secrets and check that now the hello endpoint picks up the new value.