The Open Resource Broker uses a centralized, type-safe configuration system that supports multiple sources and validation.
The Open Resource Broker uses a sophisticated configuration system that loads settings from multiple sources with clear precedence rules. This enables flexible deployment scenarios while maintaining security and operational best practices.
Configuration is loaded from multiple sources in strict order of precedence:
-
Environment Variables (highest precedence)
ORB_*variables for core application settingsORB_AWS_*variables for AWS provider settingsHF_*variables for HostFactory scheduler compatibility- Automatic type conversion and validation
-
Configuration File (medium precedence)
- JSON configuration file specified via
--configflag - Default locations:
config/config.json,~/.orb/config.json - Comprehensive validation and error reporting
- JSON configuration file specified via
-
Provider Template Defaults (low precedence)
- Infrastructure defaults discovered during
orb init --interactive - Provider-specific defaults from template_defaults section
- Automatically populated subnet IDs, security groups, etc.
- Infrastructure defaults discovered during
-
System Defaults (lowest precedence)
- Built-in default values for all configuration fields
- Ensures system operates with minimal configuration
- Development-friendly defaults
The configuration system follows this loading sequence:
1. Load system defaults
2. Apply configuration file values (if present)
3. Apply provider template defaults (if configured)
4. Apply environment variable overrides
5. Validate complete configuration
6. Report any validation errors
Environment variables always override configuration file values:
# Configuration file contains:
# {"logging": {"level": "INFO"}}
# Environment variable overrides:
export ORB_LOG_LEVEL=DEBUG
# Result: DEBUG level is used (environment variable wins)# Configuration file contains:
# {"provider": {"config": {"region": "us-east-1"}}}
# Environment variable overrides:
export ORB_AWS_REGION=us-west-2
# Result: us-west-2 region is used (environment variable wins)All configuration uses Pydantic BaseSettings with comprehensive validation:
- Type checking: Full mypy support for static analysis
- IDE support: Autocomplete and type hints in development
- Refactoring safety: Type-safe configuration changes
- Pydantic models: Automatic type conversion and validation
- Business rules: Custom validators for complex constraints
- Error reporting: Detailed validation error messages with field paths
# Valid configuration
ORB_LOG_LEVEL=DEBUG # ✅ Valid log level
ORB_AWS_REGION=us-east-1 # ✅ Valid AWS region
ORB_REQUEST_TIMEOUT=300 # ✅ Valid timeout (1-3600 seconds)
ORB_AWS_SUBNET_IDS='["subnet-123"]' # ✅ Valid JSON array
# Invalid configuration (validation errors)
ORB_LOG_LEVEL=INVALID # ❌ Invalid log level
ORB_AWS_REGION=invalid-region # ❌ Invalid AWS region format
ORB_REQUEST_TIMEOUT=-1 # ❌ Negative timeout not allowed
ORB_AWS_SUBNET_IDS='invalid-json' # ❌ Invalid JSON formatCharacteristics:
- Minimal configuration required
- Debug logging enabled
- Local file storage
- Relaxed timeouts and retries
Configuration approach:
# Minimal environment variables
export ORB_ENVIRONMENT=development
export ORB_LOG_LEVEL=DEBUG
export ORB_DEBUG=true
# AWS development account
export ORB_AWS_REGION=us-east-1
export ORB_AWS_PROFILE=development
# Start with defaults
orb system serveCharacteristics:
- Production-like configuration
- Moderate logging
- Shared infrastructure
- Realistic performance settings
Configuration approach:
# Staging environment setup
export ORB_ENVIRONMENT=staging
export ORB_LOG_LEVEL=INFO
# AWS staging account
export ORB_AWS_REGION=us-east-1
export ORB_AWS_PROFILE=staging
export ORB_AWS_SUBNET_IDS='["subnet-staging123", "subnet-staging456"]'
export ORB_AWS_SECURITY_GROUP_IDS='["sg-staging123"]'
# Production-like performance
export ORB_REQUEST_TIMEOUT=300
export ORB_AWS_MAX_RETRIES=3
# Use configuration file for complex settings
orb system serve --config config/staging.jsonCharacteristics:
- Comprehensive configuration
- Structured logging
- High availability settings
- Security-focused configuration
Configuration approach:
# Production environment (environment variables only for sensitive data)
export ORB_ENVIRONMENT=production
export ORB_AWS_ROLE_ARN=arn:aws:iam::123456789012:role/OrbitProductionRole
# All other configuration in secure configuration file
orb system serve --config /etc/orb/production.json{
"provider": {
"type": "aws",
"config": {
"region": "us-east-1",
"profile": "default"
}
}
}{
"provider": {
"type": "aws",
"config": {
"region": "us-east-1",
"profile": "production",
"max_retries": 5,
"timeout": 120
},
"template_defaults": {
"subnet_ids": ["subnet-12345678", "subnet-87654321"],
"security_group_ids": ["sg-abcdef12"],
"key_name": "production-key-pair",
"instance_type": "t3.medium"
}
},
"scheduler": {
"type": "hostfactory",
"config_dir": "/etc/hostfactory/config",
"work_dir": "/var/lib/hostfactory/work",
"log_dir": "/var/log/hostfactory"
},
"logging": {
"level": "INFO",
"file_path": "/var/log/orb/app.log",
"console_enabled": false,
"max_size": 104857600,
"backup_count": 10
},
"storage": {
"strategy": "json",
"config": {
"base_path": "/var/lib/orb/data",
"backup_enabled": true,
"backup_count": 5
}
}
}- Environment variables for secrets: Never store credentials in configuration files
- IAM roles preferred: Use IAM roles instead of access keys when possible
- File permissions: Restrict configuration file permissions (600 or 640)
- Version control: Never commit sensitive configuration to version control
- Environment separation: Separate configuration files for dev/staging/prod
- Configuration validation: Always validate configuration before deployment
- Documentation: Document custom configuration values and their purposes
- Change tracking: Track configuration changes through version control
- Appropriate timeouts: Balance reliability and performance based on workload
- Retry strategies: Configure retries based on expected failure patterns
- Resource limits: Set appropriate limits for concurrent operations
- Monitoring integration: Configure logging and metrics for operational visibility
Configuration file not found:
# Check default locations
ls -la config/config.json ~/.orb/config.json
# Specify explicit path
orb system serve --config /path/to/config.jsonEnvironment variable not taking effect:
# Verify environment variable is set
env | grep ORB_
# Check configuration loading with debug
ORB_LOG_LEVEL=DEBUG orb system healthValidation errors:
# Validate configuration
orb system validate-config
# Test specific provider configuration
orb providers health aws_production_us-east-1Enable debug logging to see configuration loading process:
export ORB_LOG_LEVEL=DEBUG
orb system serve --config config.jsonThis will show:
- Configuration sources checked
- Values loaded from each source
- Environment variable overrides applied
- Validation results and any errors
- Final merged configuration
{
"provider": {
"type": "aws",
"region": "us-east-1",
"profile": "default",
"max_retries": 3,
"timeout": 30,
"access_key_id": null,
"secret_access_key": null,
"session_token": null
},
"logging": {
"level": "INFO",
"file_path": "logs/app.log",
"console_enabled": true,
"format": "%(asctime)s - %(name)s - %(levelname)s - %(message)s",
"max_size": 10485760,
"backup_count": 5
},
"database": {
"type": "sqlite",
"host": "",
"port": 0,
"name": "database.db",
"username": null,
"password": null
},
"template": {
"default_image_id": "ami-12345678",
"default_instance_type": "t2.micro",
"subnet_ids": ["subnet-12345678"],
"security_group_ids": ["sg-12345678"],
"key_name": null,
"user_data": null
},
"repository": {
"type": "json",
"json": {
"storage_type": "single_file",
"base_path": "data",
"filenames": {
"single_file": "request_database.json"
}
},
"sql": {
"connection_string": "sqlite:///database.db",
"table_prefix": "hf_"
},
"dynamodb": {
"table_name": "host_factory",
"region": "us-east-1"
}
}
}orb init creates configuration files in a directory determined by your install type. The resolution order is:
ORB_CONFIG_DIRenvironment variable — always wins if setORB_ROOT_DIRenvironment variable —{ORB_ROOT_DIR}/config/- Virtual environment —
{venv_parent}/config/(standard venvs and symlink venvs like uv/mise) - Development mode —
{project_root}/config/(detected bypyproject.tomlin parent directories) - User install (
pip install --user) —~/.orb/config/ - System install —
{sys.prefix}/orb/config/ - Fallback —
{cwd}/config/
Set ORB_ROOT_DIR to anchor all subdirectories under a single root:
export ORB_ROOT_DIR=/opt/orb
# Results in:
# config → /opt/orb/config
# work → /opt/orb/work
# logs → /opt/orb/logs
# health → /opt/orb/health
# scripts → /opt/orb/scriptsPer-directory overrides (ORB_CONFIG_DIR, ORB_WORK_DIR, ORB_LOG_DIR, ORB_HEALTH_DIR) always take precedence over ORB_ROOT_DIR for that subdirectory only.
Without ORB_ROOT_DIR, work, logs, health, and scripts directories are siblings of the config directory (e.g. {venv_parent}/work/, {venv_parent}/logs/).
ORB requires the following IAM permissions for the AWS provider. Scope the Resource field to your account/region as needed.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ec2:DescribeVpcs",
"ec2:DescribeSubnets",
"ec2:DescribeSecurityGroups",
"ec2:DescribeImages",
"ec2:DescribeInstances",
"ec2:DescribeInstanceTypes",
"ec2:RunInstances",
"ec2:TerminateInstances",
"ec2:CreateFleet",
"ec2:DeleteFleet",
"ec2:DescribeFleets",
"ec2:RequestSpotFleet",
"ec2:CancelSpotFleetRequests",
"ec2:DescribeSpotFleetRequests",
"ec2:DescribeSpotFleetInstances",
"ec2:CreateTags",
"autoscaling:CreateAutoScalingGroup",
"autoscaling:UpdateAutoScalingGroup",
"autoscaling:DeleteAutoScalingGroup",
"autoscaling:DescribeAutoScalingGroups",
"autoscaling:CreateLaunchConfiguration",
"autoscaling:DeleteLaunchConfiguration",
"ec2:CreateLaunchTemplate",
"ec2:DeleteLaunchTemplate",
"ec2:DescribeLaunchTemplates",
"iam:PassRole"
],
"Resource": "*"
}
]
}For SpotFleet, you also need the AWSServiceRoleForEC2SpotFleet service-linked role. Create it if it doesn't exist:
aws iam create-service-linked-role --aws-service-name spotfleet.amazonaws.comControls cloud provider settings and authentication.
{
"provider": {
"type": "aws",
"region": "us-east-1",
"profile": "default",
"max_retries": 3,
"timeout": 30,
"access_key_id": null,
"secret_access_key": null,
"session_token": null
}
}Fields:
type: Cloud provider type (aws, future:provider1,provider2)region: Cloud region for API callsprofile: Credential profile to usemax_retries: Number of API call retries (0-10)timeout: API call timeout in seconds (1-300)access_key_id: Direct access key (optional)secret_access_key: Direct secret key (optional)session_token: Session token for temporary credentials (optional)
Comprehensive logging system with multiple outputs.
{
"logging": {
"level": "INFO",
"file_path": "logs/app.log",
"console_enabled": true,
"format": "%(asctime)s - %(name)s - %(levelname)s - %(message)s",
"max_size": 10485760,
"backup_count": 5
}
}Fields:
level: Logging level (DEBUG,INFO,WARNING,ERROR,CRITICAL)file_path: Path to log file (supports rotation)console_enabled: Enable console logging (boolean)format: Log message format stringmax_size: Maximum log file size in bytesbackup_count: Number of backup log files to keep
Database settings for different storage backends.
{
"database": {
"type": "sqlite",
"host": "localhost",
"port": 5432,
"name": "hostfactory",
"username": "user",
"password": "password"
}
}Supported Types:
sqlite: File-based SQLite databasepostgresql: PostgreSQL databasemysql: MySQL database
Fields:
type: Database typehost: Database host (for networked databases)port: Database portname: Database name or file pathusername: Database username (optional)password: Database password (optional)
Default template settings and overrides.
{
"template": {
"default_image_id": "ami-12345678",
"default_instance_type": "t2.micro",
"subnet_ids": ["subnet-12345678"],
"security_group_ids": ["sg-12345678"],
"key_name": "my-key-pair",
"user_data": "#!/bin/bash\necho 'Hello World'"
}
}Fields:
default_image_id: Default VM image identifierdefault_instance_type: Default instance typesubnet_ids: List of subnet identifierssecurity_group_ids: List of security group identifierskey_name: SSH key pair name (optional)user_data: Instance initialization script (optional)
Data persistence strategy configuration.
{
"repository": {
"type": "json",
"json": {
"storage_type": "single_file",
"base_path": "data",
"filenames": {
"single_file": "database.json"
}
}
}
}{
"repository": {
"type": "sql",
"sql": {
"connection_string": "postgresql://user:pass@localhost:5432/hostfactory",
"table_prefix": "hf_"
}
}
}{
"repository": {
"type": "dynamodb",
"dynamodb": {
"table_name": "host_factory_prod",
"region": "us-east-1"
}
}
}The Open Resource Broker provides comprehensive environment variable support using Pydantic BaseSettings for automatic type conversion, validation, and configuration management.
Environment variables follow a hierarchical naming pattern:
- Core settings:
ORB_<FIELD_NAME> - AWS provider:
ORB_AWS_<FIELD_NAME> - Nested objects:
ORB_<SECTION>__<FIELD_NAME>(double underscore)
ORB_LOG_LEVEL=DEBUG # Logging level: DEBUG, INFO, WARNING, ERROR, CRITICAL
ORB_DEBUG=true # Enable debug mode (boolean)
ORB_ENVIRONMENT=production # Environment identifier (string)
ORB_REQUEST_TIMEOUT=600 # Global request timeout in seconds (integer)
ORB_MAX_MACHINES_PER_REQUEST=200 # Maximum machines per single request (integer)ORB_ROOT_DIR=/opt/orb # Base directory for all subdirectories
ORB_CONFIG_DIR=/opt/orb/config # Configuration files directory (overrides ORB_ROOT_DIR)
ORB_WORK_DIR=/opt/orb/work # Working directory for temporary files (overrides ORB_ROOT_DIR)
ORB_LOG_DIR=/opt/orb/logs # Log files directory (overrides ORB_ROOT_DIR)
ORB_HEALTH_DIR=/opt/orb/health # Health check output directory (overrides ORB_ROOT_DIR)
ORB_SCRIPTS_DIR=/opt/orb/scripts # Override scripts directory location (overrides ORB_ROOT_DIR)ORB_AWS_REGION=us-west-2 # AWS region (string)
ORB_AWS_PROFILE=production # AWS credential profile name (string)
ORB_AWS_ROLE_ARN=arn:aws:iam::123456789012:role/OrbitRole # IAM role ARN (string)
ORB_AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE # AWS access key ID (string)
ORB_AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY # AWS secret access key (string)
ORB_AWS_SESSION_TOKEN=AQoEXAMPLEH4aoAH0gNCAPyJxz4ARKDHxyP5XpAa # Session token (string)
ORB_AWS_ENDPOINT_URL=https://ec2.us-west-2.amazonaws.com # Custom endpoint URL (string)# Infrastructure discovered during 'orb init --interactive'
ORB_AWS_SUBNET_IDS='["subnet-12345678", "subnet-87654321"]' # JSON array of subnet IDs
ORB_AWS_SECURITY_GROUP_IDS='["sg-abcdef12", "sg-34567890"]' # JSON array of security group IDs
ORB_AWS_KEY_NAME=my-production-key # EC2 key pair name (string)
ORB_AWS_IMAGE_ID=ami-0abcdef1234567890 # Default AMI ID (string)
ORB_AWS_INSTANCE_TYPE=t3.medium # Default instance type (string)ORB_AWS_MAX_RETRIES=5 # Maximum API retry attempts (integer, 0-10)
ORB_AWS_TIMEOUT=120 # AWS API timeout in seconds (integer, 1-300)
ORB_AWS_USE_SSL=true # Use SSL for AWS API calls (boolean)
ORB_AWS_VERIFY_SSL=true # Verify SSL certificates (boolean)For complex configuration objects, use double underscores (__) to separate levels:
ORB_CIRCUIT_BREAKER__ENABLED=true # Enable circuit breaker (boolean)
ORB_CIRCUIT_BREAKER__FAILURE_THRESHOLD=10 # Failures before opening circuit (integer)
ORB_CIRCUIT_BREAKER__RECOVERY_TIMEOUT=120 # Recovery timeout in seconds (integer)
ORB_CIRCUIT_BREAKER__HALF_OPEN_MAX_CALLS=3 # Max calls in half-open state (integer)ORB_RETRY__MAX_ATTEMPTS=5 # Maximum retry attempts (integer)
ORB_RETRY__BACKOFF_MULTIPLIER=2.0 # Exponential backoff multiplier (float)
ORB_RETRY__MAX_DELAY=60 # Maximum delay between retries in seconds (integer)
ORB_RETRY__JITTER=true # Add random jitter to delays (boolean)ORB_RATE_LIMIT__REQUESTS_PER_MINUTE=100 # Requests per minute limit (integer)
ORB_RATE_LIMIT__BURST_SIZE=20 # Burst request allowance (integer)
ORB_RATE_LIMIT__ENABLED=true # Enable rate limiting (boolean)Different scheduler strategies support specific environment variables for backward compatibility:
HF_PROVIDER_WORKDIR=/var/lib/hostfactory/work # HostFactory working directory
HF_PROVIDER_CONFDIR=/etc/hostfactory/config # HostFactory configuration directory
HF_PROVIDER_LOGDIR=/var/log/hostfactory # HostFactory log directory
HF_LOGLEVEL=DEBUG # HostFactory-specific log level
HF_LOGGING_CONSOLE_ENABLED=false # Disable console output for JSON-only mode
HF_PROVIDER_ACTION_TIMEOUT=300 # Action timeout for HostFactory operationsDEFAULT_PROVIDER_WORKDIR=/opt/orb/work # Default scheduler working directory
DEFAULT_PROVIDER_CONFDIR=/opt/orb/config # Default scheduler configuration directory
DEFAULT_PROVIDER_LOGDIR=/opt/orb/logs # Default scheduler log directoryEnvironment variables are automatically converted to appropriate types:
# All of these evaluate to True
ORB_DEBUG=true
ORB_DEBUG=True
ORB_DEBUG=TRUE
ORB_DEBUG=1
ORB_DEBUG=yes
ORB_DEBUG=on
# All of these evaluate to False
ORB_DEBUG=false
ORB_DEBUG=False
ORB_DEBUG=FALSE
ORB_DEBUG=0
ORB_DEBUG=no
ORB_DEBUG=off# JSON arrays (automatically parsed)
ORB_AWS_SUBNET_IDS='["subnet-123", "subnet-456", "subnet-789"]'
ORB_AWS_SECURITY_GROUP_IDS='["sg-abc", "sg-def"]'
# JSON objects (for complex nested configuration)
ORB_LAUNCH_TEMPLATE='{"LaunchTemplateName": "my-template", "Version": "1"}'# Integers
ORB_REQUEST_TIMEOUT=300 # Converted to int(300)
ORB_MAX_MACHINES_PER_REQUEST=50 # Converted to int(50)
# Floats
ORB_RETRY__BACKOFF_MULTIPLIER=2.5 # Converted to float(2.5)#!/bin/bash
# Development environment setup
export ORB_ENVIRONMENT=development
export ORB_LOG_LEVEL=DEBUG
export ORB_DEBUG=true
# AWS development account
export ORB_AWS_REGION=us-east-1
export ORB_AWS_PROFILE=development
export ORB_AWS_SUBNET_IDS='["subnet-dev123"]'
export ORB_AWS_SECURITY_GROUP_IDS='["sg-dev456"]'
# Relaxed timeouts for development
export ORB_REQUEST_TIMEOUT=600
export ORB_AWS_MAX_RETRIES=3#!/bin/bash
# Production environment setup
export ORB_ENVIRONMENT=production
export ORB_LOG_LEVEL=INFO
export ORB_DEBUG=false
# AWS production account with IAM role
export ORB_AWS_REGION=us-east-1
export ORB_AWS_ROLE_ARN=arn:aws:iam::123456789012:role/OrbitProductionRole
export ORB_AWS_SUBNET_IDS='["subnet-prod123", "subnet-prod456", "subnet-prod789"]'
export ORB_AWS_SECURITY_GROUP_IDS='["sg-prod123", "sg-prod456"]'
export ORB_AWS_KEY_NAME=production-key-pair
# Production performance settings
export ORB_REQUEST_TIMEOUT=300
export ORB_MAX_MACHINES_PER_REQUEST=100
export ORB_AWS_MAX_RETRIES=5
# Circuit breaker for resilience
export ORB_CIRCUIT_BREAKER__ENABLED=true
export ORB_CIRCUIT_BREAKER__FAILURE_THRESHOLD=5
export ORB_CIRCUIT_BREAKER__RECOVERY_TIMEOUT=60Verify environment variable configuration:
# Test configuration loading
orb system health --verbose
# Validate specific provider configuration
orb providers health aws_production_us-east-1
# Test environment variable precedence
ORB_LOG_LEVEL=DEBUG orb system health
# Validate AWS credentials and configuration
ORB_AWS_REGION=us-west-2 orb providers test awsThe system performs comprehensive validation:
# Configuration is validated on load
config = ConfigurationManager.load_configuration("config.json")
# Validation errors are detailed and actionable
try:
config.validate()
except ValidationError as e:
for error in e.errors():
print(f"Field: {error['loc']}")
print(f"Error: {error['msg']}")
print(f"Value: {error['input']}")Beyond type checking, business rules are enforced:
- Provider region: Must be valid for the provider
- Retry counts: Must be reasonable (0-10)
- Timeouts: Must be positive and reasonable
- File paths: Must be accessible and writable
- Database connections: Connection strings must be valid
{
"provider": {
"type": "aws",
"region": "us-east-1",
"profile": "development"
},
"logging": {
"level": "DEBUG",
"console_enabled": true,
"file_path": "logs/dev.log"
},
"database": {
"type": "sqlite",
"name": "dev_database.db"
},
"repository": {
"type": "json",
"json": {
"storage_type": "single_file",
"base_path": "data/dev"
}
}
}{
"provider": {
"type": "aws",
"region": "us-east-1",
"max_retries": 5,
"timeout": 60
},
"logging": {
"level": "INFO",
"console_enabled": false,
"file_path": "/var/log/hostfactory/app.log",
"max_size": 104857600,
"backup_count": 10
},
"database": {
"type": "postgresql",
"host": "db.example.com",
"port": 5432,
"name": "hostfactory",
"username": "hf_user"
},
"repository": {
"type": "sql",
"sql": {
"connection_string": "postgresql://hf_user:${DB_PASSWORD}@db.example.com:5432/hostfactory",
"table_prefix": "hf_prod_"
}
}
}{
"provider": {
"type": "aws",
"region": "us-east-1",
"max_retries": 10,
"timeout": 120
},
"logging": {
"level": "INFO",
"file_path": "/var/log/hostfactory/app.log",
"max_size": 209715200,
"backup_count": 20
},
"repository": {
"type": "dynamodb",
"dynamodb": {
"table_name": "hostfactory_ha",
"region": "us-east-1"
}
}
}The system maintains backward compatibility with existing configuration formats:
{
"region": "us-east-1",
"profile": "default",
"DEBUG": false,
"LOG_LEVEL": "INFO",
"LOG_FILE": "logs/awsprov.log"
}Legacy configurations are automatically converted:
DEBUG->logging.level(DEBUG if true, INFO if false)LOG_FILE->logging.file_pathproviderApi->provider_api(in templates)
from src.config.manager import get_config_manager
# Load from specific file
config = get_config_manager("/path/to/config.json")
# Load from default locations
config = get_config_manager()
# Access configuration sections
aws_config = config.get_provider_config()
logging_config = config.get_logging_config()# Watch for configuration changes
config_manager.watch_for_changes(callback=reload_handler)
# Reload configuration
config_manager.reload()# Validate JSON syntax
python -m json.tool config.json# Use configuration validator
orb config validate# Check environment variables
env | grep HF_
# Test environment override
ORB_LOG_LEVEL=DEBUG orb config validateEnable debug logging to see configuration loading:
export ORB_LOG_LEVEL=DEBUG
orb system serve --config config.jsonThis will show:
- Configuration sources checked
- Values loaded from each source
- Environment variable overrides applied
- Validation results
- Never commit credentials to version control
- Use environment variables for sensitive values
- Restrict file permissions on configuration files
- Use IAM roles when possible instead of access keys
- Separate environments: Different configs for dev/staging/prod
- Version control: Track configuration changes
- Documentation: Document custom configuration values
- Validation: Always validate configuration before deployment
- Appropriate timeouts: Balance reliability and performance
- Retry strategies: Configure retries based on workload
- Logging levels: Use appropriate levels for environment
- Storage strategy: Choose optimal persistence for scale
- Templates: Configure VM templates
- Deployment: Production deployment configuration
- Monitoring: Configure monitoring and alerting
- API Reference: Configuration API reference