config_enforce
Config Enforce ensures that specified configuration cannot be changed in production environments. See the article Introducing Config Enforce.
How it works
The related Config Enforce Devel module provides a convenient UI to specify for each config object on the site whether and how strictly to enforce its configuration, as well as streamlining the writing of config YAML files to the codebase.
Once enforced configuration is deployed to a production codebase, Config Enforce will, depending on the level of enforcement:
- Make specified config forms read-only.
- Interrupt the writing of new config to the database.
- Regularly re-import config from disk.
Installation
Please note:You will need to enable-patching in your root composer.json in order for Config Enforce to work correctly. See the docs site for more details.
composer config extra.enable-patching "true"
composer require drupal/config_enforce
composer require --dev drupal/config_enforce_devel
Background
As Drupal has evolved into an web application development framework, we've seen an ecosystem of configuration management tools and techniques evolve along with it. With dev-stage-prod development practices becoming common-place, the challenges of reliably deploying and applying new or changed configuration has become increasingly complex.
Configuration stored in a production site's database is traditionally considered canonical. We believe that much of this complexity is (at least partially) due to trying to accommodate config drift in production environments.
In order to make Drupal better-suited to SaaS application development, this project intends to flip that paradigm, and instead treat config files as canonical, and treat database storage as essentially a cache.
This project is in active development. Contributions of all sort are welcome, be they documentation, reporting bugs, code and security reviews, automated tests, and so on. If you'd like to help out or see what we're planning, head to #3305516: Config Enforce roadmap