Environment Configuration Example
Complete .env file templates for the New Hires Reporting System.
How to Use
- Copy the appropriate template below to a file named .env
- Replace placeholder values with your actual credentials
- Place .env in the same directory as docker-compose.prod.yml
- Set secure permissions: chmod 600 .env
- Start services: docker-compose -f docker-compose.prod.yml up -d
Security
Never commit .env files to version control. Add .env to your .gitignore file.
Minimal Production Template
This is the minimum configuration needed to run the system:
# ============================================================================
# NEW HIRES REPORTING - MINIMAL PRODUCTION CONFIGURATION
# ============================================================================
# Docker Image Version (REQUIRED)
# Get this from your development team
IMAGE_TAG=sha-a85b396
# AWS Bedrock Configuration (REQUIRED)
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
AWS_REGION=us-east-1
# Database Configuration (REQUIRED)
# Change this to a secure password!
POSTGRES_PASSWORD=ChangeThisToSecurePassword123!
Setup Instructions:
1. Replace AKIAIOSFODNN7EXAMPLE with your AWS Access Key ID
2. Replace the example Secret Access Key with your actual key
3. Replace sha-a85b396 with your IMAGE_TAG
4. Create a strong password for POSTGRES_PASSWORD
Complete Production Template
This template includes all available configuration options:
# ============================================================================
# NEW HIRES REPORTING - COMPLETE PRODUCTION CONFIGURATION
# ============================================================================
###############################
# Docker Image Configuration
###############################
# Version tag for Docker images from ECR
# Format: sha-XXXXXXX (7-character git commit hash)
# Get this from your development team
IMAGE_TAG=sha-a85b396
###############################
# AWS Bedrock Configuration
###############################
# AWS credentials for invoking Bedrock models
# See: https://docs.aws.amazon.com/bedrock/
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
AWS_REGION=us-east-1
# Optional: Override default AI model
# Default: us.anthropic.claude-sonnet-4-5-20250929-v1:0
# Alternative: us.meta.llama4-scout-17b-instruct-v1:0 (cheaper)
# BEDROCK_MODEL_ID=us.anthropic.claude-sonnet-4-5-20250929-v1:0
###############################
# Database Configuration
###############################
# PostgreSQL database settings
POSTGRES_DB=newhires
POSTGRES_USER=newhires
POSTGRES_PASSWORD=ChangeThisToSecurePassword123!
# Best practices for passwords:
# - Minimum 12 characters
# - Mix of uppercase, lowercase, numbers, symbols
# - Avoid dictionary words
# - Unique to this deployment
###############################
# Worker Configuration
###############################
# How often workers check for new jobs (seconds)
# Default: 5
# Range: 1-60
POLL_INTERVAL=5
# Maximum concurrent Bedrock API calls per worker
# Default: 2
# Range: 1-10
# Higher = faster processing but higher AWS costs
MAX_CONCURRENT_BEDROCK_CALLS=2
# Maximum retry attempts for failed correction jobs
# Default: 5
# Range: 1-10
MAX_AI_ATTEMPTS=5
###############################
# Frontend Configuration
###############################
# Backend API URL for frontend
# Default: http://localhost:8000/api/v1
# Change if using reverse proxy or different host
VITE_API_URL=http://localhost:8000/api/v1
# For reverse proxy deployments:
# VITE_API_URL=https://api.your-domain.com/api/v1
Development Environment Template
For local development and testing:
# ============================================================================
# NEW HIRES REPORTING - DEVELOPMENT CONFIGURATION
# ============================================================================
# Docker Image
IMAGE_TAG=sha-latest
# AWS Bedrock (use dev/test credentials)
AWS_ACCESS_KEY_ID=AKIA_DEV_KEY_HERE
AWS_SECRET_ACCESS_KEY=dev_secret_key_here
AWS_REGION=us-east-1
# Use cheaper model for development
BEDROCK_MODEL_ID=us.meta.llama4-scout-17b-instruct-v1:0
# Database
POSTGRES_PASSWORD=dev_password
# Worker tuning for development
MAX_CONCURRENT_BEDROCK_CALLS=1
POLL_INTERVAL=10
MAX_AI_ATTEMPTS=3
Staging Environment Template
For pre-production testing:
# ============================================================================
# NEW HIRES REPORTING - STAGING CONFIGURATION
# ============================================================================
# Docker Image
IMAGE_TAG=sha-staging-version
# AWS Bedrock (use staging credentials)
AWS_ACCESS_KEY_ID=AKIA_STAGING_KEY
AWS_SECRET_ACCESS_KEY=staging_secret_key
AWS_REGION=us-east-1
# Database
POSTGRES_PASSWORD=staging_secure_password
# Worker Configuration
MAX_CONCURRENT_BEDROCK_CALLS=2
POLL_INTERVAL=5
MAX_AI_ATTEMPTS=5
# Frontend URL (if using reverse proxy)
# VITE_API_URL=https://staging-api.your-domain.com/api/v1
High-Throughput Production Template
For processing large volumes of files:
# ============================================================================
# NEW HIRES REPORTING - HIGH THROUGHPUT CONFIGURATION
# ============================================================================
# Docker Image
IMAGE_TAG=sha-a85b396
# AWS Bedrock
AWS_ACCESS_KEY_ID=your_access_key
AWS_SECRET_ACCESS_KEY=your_secret_key
AWS_REGION=us-east-1
# Use a faster, cheaper model
BEDROCK_MODEL_ID=us.meta.llama4-scout-17b-instruct-v1:0
# Database
POSTGRES_PASSWORD=secure_password
# High throughput settings
MAX_CONCURRENT_BEDROCK_CALLS=5
POLL_INTERVAL=2
MAX_AI_ATTEMPTS=3
# Scale workers: docker-compose up -d --scale workers=3
Cost Warning
High throughput settings significantly increase AWS Bedrock costs. Monitor your AWS billing closely.
Environment-Specific Variables
Required in All Environments
| Variable | Description | Example |
|---|---|---|
| IMAGE_TAG | Docker image version | sha-a85b396 |
| AWS_ACCESS_KEY_ID | AWS access key | AKIAIOSFODNN7EXAMPLE |
| AWS_SECRET_ACCESS_KEY | AWS secret key | wJalrXUtnFEMI/K7MDENG/... |
| AWS_REGION | AWS region | us-east-1 |
| POSTGRES_PASSWORD | Database password | SecurePass123! |
Optional (Have Defaults)
| Variable | Default | Range | Purpose |
|---|---|---|---|
| BEDROCK_MODEL_ID | Claude Sonnet 4.5 | See docs | AI model selection |
| POSTGRES_DB | newhires | - | Database name |
| POSTGRES_USER | newhires | - | Database user |
| POLL_INTERVAL | 5 | 1-60 | Worker polling frequency |
| MAX_CONCURRENT_BEDROCK_CALLS | 2 | 1-10 | Concurrent API calls |
| MAX_AI_ATTEMPTS | 5 | 1-10 | Retry attempts |
| VITE_API_URL | http://localhost:8000/api/v1 | - | Frontend API URL |
Getting AWS Credentials
If you don't have AWS Bedrock credentials yet:
- Read the AWS Bedrock Setup Guide: AWS Bedrock Setup
- Enable Bedrock: In AWS Console → Bedrock → Model access
- Create IAM User: With bedrock:InvokeModel permission
- Generate Access Key: Save the Access Key ID and Secret Access Key
Security Best Practices
File Permissions
# Create .env with secure permissions
touch .env
chmod 600 .env
# Verify only owner can read
ls -l .env
# Should show: -rw------- (only owner read/write)
Do Not Commit
Add .env to your .gitignore file.
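An ignore rule does not untrack a file that was committed earlier, and a file removed later still sits in old commits. The function below is an added example, not part of the original documentation, that checks all three conditions with standard git commands; the name check_env_not_in_git is hypothetical.

```shell
#!/bin/sh
# Added example: confirm .env is ignored, untracked and absent from history.
# Run from inside the repository that holds docker-compose.prod.yml.

# check_env_not_in_git [FILE] -> prints findings, returns non-zero on any problem.
check_env_not_in_git() {
  f=${1:-.env}; rc=0

  # 1. An ignore rule must match the path. --no-index tests the rules
  #    themselves, even when the file is already tracked.
  if git check-ignore -q --no-index "$f"; then
    echo "ok: $f is matched by an ignore rule"
  else
    echo "FAIL: $f is not ignored; add it to .gitignore"; rc=1
  fi

  # 2. Ignore rules do not untrack a file that was added before the rule.
  if git ls-files --error-unmatch "$f" >/dev/null 2>&1; then
    echo "FAIL: $f is tracked; run: git rm --cached $f"; rc=1
  fi

  # 3. A file deleted in a later commit is still readable in old ones,
  #    so any credentials it held must be rotated.
  if [ -n "$(git log --all --oneline -- "$f" 2>/dev/null)" ]; then
    echo "FAIL: $f appears in commit history; rotate the credentials it held"; rc=1
  fi
  return $rc
}
```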
Credential Rotation
Rotate AWS credentials every 90 days:
1. Create new access key in AWS IAM
2. Update .env with new credentials
3. Restart services: docker-compose -f docker-compose.prod.yml restart
4. Verify services work
5. Delete old access key in AWS IAM
Strong Passwords
For POSTGRES_PASSWORD:
- Minimum 12 characters
- Include uppercase, lowercase, numbers, and symbols
- Use a password generator
- Unique per environment
Validation
After creating your .env file, verify it:
# Check file exists
ls -la .env
# Check permissions (should be 600)
ls -l .env
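# Verify required variables are set (counts non-empty assignments without printing secret values)
grep -cE "^(IMAGE_TAG|AWS_ACCESS_KEY_ID|AWS_SECRET_ACCESS_KEY|AWS_REGION|POSTGRES_PASSWORD)=." .env
# Should print 5
# Ensure no placeholder values remain in active (uncommented) lines
grep -vE "^[[:space:]]*#" .env | grep -E "EXAMPLE|your_|changeme|ChangeThis|your-"
# This should return NOTHING (no placeholders)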
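The checks above, together with the password rules and worker ranges given on this page, combined into one script. This is an added example, not part of the New Hires Reporting System; the function names and the extra placeholder strings (ChangeThis, _HERE, _here, taken from the templates on this page) are choices made here, and it assumes plain unquoted KEY=value lines.

```shell
#!/bin/sh
# Added example: checks a .env file against the rules stated on this page.
# Placeholder markers: the page's grep pattern plus strings from its templates.
PLACEHOLDERS='EXAMPLE|your_|your-|changeme|ChangeThis|_HERE|_here'
REQUIRED='IMAGE_TAG AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_REGION POSTGRES_PASSWORD'

# Value of key $2 in file $1 (last active assignment wins).
env_get() { sed -n "s/^$2=//p" "$1" | tail -n 1; }

# True when $1 is an integer between $2 and $3 inclusive.
in_range() {
  case "$1" in ''|*[!0-9]*) return 1 ;; esac
  [ "$1" -ge "$2" ] && [ "$1" -le "$3" ]
}

# Prints one FAIL line per problem (key names, never secret values);
# returns non-zero if any check failed.
validate_env() {
  f=$1; rc=0
  fail() { echo "FAIL: $*"; rc=1; }
  [ -f "$f" ] || { echo "FAIL: $f not found"; return 1; }

  # GNU stat first, BSD/macOS stat as fallback.
  mode=$(stat -c %a "$f" 2>/dev/null || stat -f %Lp "$f")
  [ "$mode" = 600 ] || fail "mode is $mode, expected 600"

  for k in $REQUIRED; do
    [ -n "$(env_get "$f" "$k")" ] || fail "$k missing or empty"
  done

  # Only active lines count, so commented sample URLs do not trip the check.
  for k in $(grep -v '^[[:space:]]*#' "$f" | grep -E "$PLACEHOLDERS" | cut -d= -f1); do
    fail "$k still holds a placeholder"
  done

  # POSTGRES_PASSWORD: 12+ characters with upper, lower, digit and symbol.
  pw=$(env_get "$f" POSTGRES_PASSWORD)
  [ "${#pw}" -ge 12 ] || fail "POSTGRES_PASSWORD shorter than 12 characters"
  for pat in '[[:upper:]]' '[[:lower:]]' '[[:digit:]]' '[![:alnum:]]'; do
    case "$pw" in *$pat*) ;; *) fail "POSTGRES_PASSWORD has no $pat character" ;; esac
  done

  # Optional worker settings must stay inside the documented ranges.
  for spec in POLL_INTERVAL:60 MAX_CONCURRENT_BEDROCK_CALLS:10 MAX_AI_ATTEMPTS:10; do
    k=${spec%%:*}; v=$(env_get "$f" "$k")
    [ -z "$v" ] || in_range "$v" 1 "${spec##*:}" || fail "$k=$v outside 1-${spec##*:}"
  done
  return $rc
}
```

Source the file and run validate_env .env before starting the services; a non-zero return means at least one FAIL line was printed.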
Next Steps
After creating your .env file:
- Deploy with Docker Compose - Start the application
- Environment Variables Reference - Detailed variable documentation
- AWS Bedrock Setup - Get AWS credentials if needed
Troubleshooting
"Missing required environment variable"
Solution: Ensure all required variables are present in .env:
"Invalid AWS credentials"
Solution: Verify credentials in AWS Console → IAM → Users → Security credentials
"Permission denied" when reading .env
Solution: Fix file permissions:
Services can't read .env file
Solution: Ensure .env is in the same directory as docker-compose.prod.yml:
Complete Example
Here's a real example .env file (with fake credentials):
# Production deployment for NewHires Reporting
IMAGE_TAG=sha-a85b396
AWS_ACCESS_KEY_ID=AKIAJ7E4M5XAMPLE123
AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
AWS_REGION=us-east-1
POSTGRES_PASSWORD=Pr0d!2024$SecureDB#Pass
MAX_CONCURRENT_BEDROCK_CALLS=3
POLL_INTERVAL=5
Save this as .env, replace with your actual values, and you're ready to deploy!