PK
Back to archive

Engineering

Configuration Is a Programming Language

How configuration grows into untyped logic, and how to make it explicit, versioned, and auditable.

Configuration Is a Programming Language

Configuration starts as relief. A value moves out of code. A deployment no longer requires a build. A feature can be adjusted without waking a developer. The system feels more flexible.

Then one day the most important logic in the product is spread across environment variables, YAML files, flags, dashboards, and tribal memory.

The thesis

Configuration is a programming language once it controls behavior. Treating it as "just config" is how teams create an untyped, weakly reviewed, poorly versioned language that can change production faster than code and with less evidence.

Do not hard-code everything. Give configuration the engineering respect we give code: schema, ownership, validation, rollout, and audit.

The principal concern is control. Configuration changes often bypass the review, testing, and release habits that make code changes safer.

The production pattern

The pattern usually begins with reasonable needs. A timeout differs by environment. A limit needs tuning. A feature is released gradually. A tenant or region needs slightly different behavior. A queue worker needs a concurrency setting. None of these justify a new deployment path by themselves.

Over time, conditions accumulate. A flag enables a path only when another flag is off. A YAML file defines routing. An environment variable changes validation. A spreadsheet-like admin surface decides eligibility. A nested block of configuration becomes a decision tree. The code says "load policy," but the policy lives elsewhere and is hard to test in the same way.

When something breaks, the investigation is confusing because the deployed code did not change. The behavior changed anyway. Someone edited a value, inherited a default, copied a block, toggled a flag, or relied on an undocumented precedence rule.

The system now has two programming languages: the code language and the configuration language. Only one of them is treated seriously.

The model

I use a five-part configuration control model.

Schema defines shape and type. Every meaningful configuration surface should declare allowed fields, required fields, defaults, units, ranges, and unknown-field behavior. "Stringly typed" configuration is a tax on every operator and reviewer.

Ownership defines who can change a value and who owns the consequences. Configuration without ownership becomes shared production write access with a friendlier name. Ownership should include review expectations, escalation paths, and cleanup responsibility.

Validation proves the value is coherent before it affects behavior. That includes syntax, referential integrity, dependency checks, mutually exclusive settings, and dry-run evaluation where possible. Validation should fail closed for dangerous ambiguity.

Rollout controls exposure. A configuration change deserves the same questions as a code change: who sees it first, how do we detect harm, how do we roll back, and what state might remain after rollback?

Audit records what changed, who changed it, why, and what evidence supported the change. Audit is not only for compliance. It is how engineers reconstruct causality when behavior changes without a deployment.

The checklist I use:

  • Language boundary: what behavior can this configuration express?
  • Type model: are fields typed, constrained, and documented where they are used?
  • Precedence: if two values disagree, which one wins?
  • Review path: which changes need peer review or owner approval?
  • Runtime visibility: can operators see the effective configuration, not just source files?
  • Rollback: can we revert the value and understand any persisted side effects?

Configuration should make safe variation cheap. It should not make unsafe programming invisible.

Where this goes wrong

The counterpoint is that heavyweight process can destroy the value of configuration. If every flag change requires the same ceremony as a major release, teams will work around the system or stop using configuration for legitimate operational control.

The model has to be proportional to power. A logging verbosity setting does not need the same controls as an eligibility rule, retention setting, access policy, or data migration toggle. The more a value can affect correctness, privacy, cost, or user-visible promises, the more it should look like code.

Another failure mode is schema theater. A schema that proves only that a field is a string is not enough. Dangerous configuration usually fails in relationships: this flag requires that migration, this route assumes that dependency, this percentage interacts with that capacity limit, this policy has no owner after a rollout.

Configuration can also become a political escape hatch. Instead of resolving product or architecture disagreements, teams add knobs. Every knob creates future state space that someone must test, document, operate, and remove.

What I do now

I ask teams to name the configuration language they are creating. If a YAML file defines routing rules, call it routing policy. If flags compose into eligibility decisions, call it an eligibility language. Naming the language makes its power visible.

Then I look for the minimum controls that match that power. For low-risk tuning values, typed defaults and audit may be enough. For behavior policy, I want schema, validation, owner review, staged rollout, observability, and rollback. For configuration that changes data behavior, I want migration-style thinking.

I also prefer generated views of effective configuration. Source fragments are not enough when precedence, inheritance, or environment overlays exist. Operators need to see what the system believes right now.

Finally, I push for cleanup. Old flags and stale config branches are dead code with worse tooling. They keep behavior uncertain and make future changes harder to review.

Closing takeaway

When configuration controls behavior, treat it as a language: define its schema, owner, validation, rollout path, and audit trail before it becomes production logic without code discipline.