I'm trying to figure out how to have a single source of truth for environment variables for my project.
By putting my env vars in an .env file, I can use the EnvFile plugin to load them into my IntelliJ run configurations.
And by installing direnv and having an .envrc file with the following content:
for line in $(cat .env); do
  eval "export $line"   # each whitespace-separated word of .env is eval'd as an assignment
done
With that, I can ensure that every time I cd into my project directory, my terminal will load in the relevant environment variables (and unload them when I cd out).
So far, so good! Environment variables are the same in IntelliJ and the terminal.
However, I'd like to source my secrets from some other file than the .env file. That way, I (or someone else developing on my project, using a similar method) can't accidentally commit secrets.
In a normal .sh script, or in the .envrc file, I could call out to my secrets store to bind secret values to environment variables, thus keeping them outside the lexical scope of my project. However, I cannot do this in my .env file, which is basically a key-value document, with no scripting powers.
Has anyone else tackled this problem somehow? Perhaps there is a way that I can just call a script to load in environment vars into my IntelliJ runtime environment, rather than use the "dumb" .env file.
EDIT: Just putting the env vars file in .gitignore is a solution, but I don't feel it's strong enough. I'd like my secrets to be outside of the lexical scope of my project, and maybe encrypted at rest, which they can be if I used something like https://www.passwordstore.org/
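One way to keep the secrets out of the .env that IntelliJ's EnvFile reads while still getting them into the shell via direnv, as an added example that is not part of the original post: a KEY=VALUE loader for .env that avoids eval, plus a loader for a committed manifest of KEY=secret:<entry> references that are resolved through the secret store at cd time. The SECRET_CMD hook, the manifest file name and the secret: prefix are assumptions; the default store command `pass show` is the CLI of the password-store linked above.

```shell
#!/bin/sh
# Example helpers (not the poster's code) meant to be sourced from .envrc:
#   . ./envload.sh; load_env .env; load_secrets .secrets.manifest
# .env holds non-secret KEY=VALUE pairs and is shared with IntelliJ's EnvFile.
# .secrets.manifest is safe to commit: it only names store entries, never values.
# SECRET_CMD (assumed hook) prints the secret for an entry; defaults to `pass show`.

# Export KEY=VALUE lines without eval, so a malformed or hostile line is
# skipped instead of being executed as shell.
load_env() {
  file=$1
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in ''|'#'*) continue ;; esac
    key=${line%%=*}
    value=${line#*=}
    # Only a plain identifier may appear left of '=' (no spaces, no '$(...)').
    case "$key" in
      ''|[0-9]*|*[!A-Za-z0-9_]*)
        printf 'load_env: skipping malformed line: %s\n' "$line" >&2
        continue ;;
    esac
    export "$key=$value"
  done < "$file"
}

# Resolve KEY=secret:<entry> references through the store and export them;
# a line without the secret: prefix is refused so plaintext can't sneak in.
load_secrets() {
  file=$1
  store=${SECRET_CMD:-pass show}
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in ''|'#'*) continue ;; esac
    key=${line%%=*}
    ref=${line#*=}
    case "$key" in
      ''|[0-9]*|*[!A-Za-z0-9_]*)
        printf 'load_secrets: bad key in line: %s\n' "$line" >&2
        continue ;;
    esac
    case "$ref" in
      secret:*) ref=${ref#secret:} ;;
      *) printf 'load_secrets: %s is not a secret: reference, refusing\n' "$key" >&2
         continue ;;
    esac
    # $store is intentionally unquoted so "pass show" splits into command + arg.
    value=$($store "$ref") || { printf 'load_secrets: lookup failed for %s\n' "$key" >&2; continue; }
    export "$key=$value"
  done < "$file"
}
```

Because direnv unexports everything on cd out, the resolved secrets disappear from the shell with the rest of the environment.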