Managing state and tunablesΒΆ

There are parts of your cloud configuration that are fixed parts of your design. Firewalls rules that isolate your subnets. That you have a database and some autoscaling clusters. But there are other settings that are more fluid, such as the size of the instances started by your autoscaling. These are your tunables.

There are some API’s that don’t allow Touchdown to store enough state to achieve idempotence. An example of this is an ElasticIp. You can allocate an IP for your deployment, but there is no way to tag or name it. In order to remember which IP was allocated for which purpose metadata needs to be stored out of band. This is state.

Touchdown has a mechanism for declaring these up front, defining validation and even allowing some tunables to be automatically generated the first time you deploy an environment. Using this you never need to manually generate SSH keys or a new django secret key for a new build again.

You can define a config file to store your state in from the workspace:

config = workspace.add_ini_file(

This config will be stored in the folder foo/bar relative to your Touchdownfile.

You may have tunables such as passwords that you wish to store. For these you can add encryption. To use GPG encryption:

gpg = workspace.add_gpg(symmetric=True)
config = workspace.add_ini_file(

The gpg object just represents a set of ‘goals’ for the GPG wrappers. In this case the goal is to prompt for a passphrase to use for symmetric encryption. Using gpg.add_cipher the local file is acquired, but it is filtered by the GPG engine. The config component can operate on the local file as normally, but GPG encryption and decryption is transparently applied as required.

Other systems can be plugged in as required. For example, you can use Kms. This uses the fernet encryption backend, with a secret key backed by HSM at Amazon.

You can use tunables to generate secret keys and pass them to an instance:

django_secret_key = config.add_string(

lc = aws.add_launch_configuration(
        "DJANGO_SECRET_KEY": django_secret_key,
    ... snip ....,

You can use tunables to manage the capacity of an autoscaling group:

    ... snip ...,