> ## Documentation Index
> Fetch the complete documentation index at: https://docs.nuon.co/llms.txt
> Use this file to discover all available pages before exploring further.

# Configuring Inputs & Secrets

> Define and use inputs, variables, and secrets in your app.

## Inputs

Inputs are defined in an `inputs.toml` file in the root of your app directory:

```toml inputs.toml theme={null}
[[group]]
name         = "dns"
description  = "DNS configuration"
display_name = "DNS"

[[input]]
name         = "root_domain"
description  = "The root domain for the install."
default      = "app.example.com"
display_name = "Root Domain"
group        = "dns"
required     = true
```

Use inputs in sandbox or component config:

```toml sandbox.toml theme={null}
[vars]
public_root_domain = "{{ .nuon.inputs.inputs.root_domain }}"
```

### Customer-Facing Inputs

By default, inputs are vendor-facing and set through the dashboard. To allow customers to set an input directly through
the install stack (CloudFormation, Azure Resource Manager (Bicep), Terraform), mark it as `user_configurable`:

```toml inputs.toml theme={null}
[[input]]
name              = "sub_domain"
display_name      = "Sub Domain"
description       = "The sub domain for the service."
default           = "whoami"
user_configurable = true
```

Customer-facing inputs can only be modified by the customer through the install stack. Changes trigger redeployment of
dependent components.

### Input Groups

Inputs can be organized into groups to control how they are displayed in the dashboard during install creation:

```toml inputs.toml theme={null}
[[group]]
name         = "db"
description  = "Database configuration"
display_name = "Database"

[[input]]
name         = "db_password"
description  = "Password for the database."
sensitive    = true
display_name = "Password"
group        = "db"
```

## Variables

Variables are managed through the CLI:

```sh theme={null}
nuon apps variables create --name=external_api_key --value=your-api-key
nuon apps variables list
nuon variables delete --id=app_variable_id
```

Variables are accessed in config using `{{ .nuon.app.variables.<variable-name> }}`.

<Note>
  If you add or update a variable after an install has been created, the install's state must be refreshed before the
  new value is available. Running a deploy or sandbox provision triggers a state update.
</Note>

## Secrets

Secret metadata is defined in a `secrets.toml` file. The actual values are entered by the customer when deploying the
install stack:

```toml secrets.toml theme={null}
[[secret]]
name         = "github_app_key"
display_name = "GitHub App Key"
description  = "Base64 encoded GitHub App Key"
required     = true
format       = "base64"

[[secret.kubernetes_sync_targets]]
namespaces = ["api", "workers"]
name      = "github"
key       = "app-key"
```

Setting `[[secret.kubernetes_sync_targets]]` syncs the secret as a Kubernetes Secret object after sandbox provisioning, using
the details provided. This approach allows for easy definition of secrets in whatever shape is desired and enables
reflection of secrets across different namespaces. We support multiple `[[secret.kubernetes_sync_targets]]` entries.

We also support the following method which is less flexible:

```toml secrets.toml theme={null}
[[secret]]
name         = "github_app_key"
display_name = "GitHub App Key"
description  = "Base64 encoded GitHub App Key"
required     = true
format       = "base64"

kubernetes_sync             = true
kubernetes_secret_namespace = "control-plane"
kubernetes_secret_name      = "github-app-key"
```

This approach creates or upserts the secret into a secret with the secret in a `value` key.

### Using Secrets in Components

Secrets are referenced as outputs from the install stack:

```toml components/database.toml theme={null}
[vars]
secret_arn = "{{ .nuon.install_stack.outputs.rds_secret_arn }}"
```

In Helm charts, reference the synced Kubernetes secret:

```yaml deployment.yaml theme={null}
env:
  - name: API_KEY
    valueFrom:
      secretKeyRef:
        name: vendor-license-key
        key: value
```

### Changing Secrets

If you change a secret value outside of Nuon (e.g., directly in AWS Secrets Manager), Nuon will not detect the change.
You will need to reprovision the install or manually redeploy dependent components. If secrets are configured to sync
with Kubernetes, use the "sync secrets" option in the dashboard.
