mayope / keycloakmigration

Manage your Keycloak configuration with code.
https://mayope.net
MIT License

Set secret data from outside #4

Closed sideisra closed 4 years ago

sideisra commented 4 years ago

Some resources contain secrets such as passwords. At the moment these secrets have to be set directly and in plain text in the migration file. It would be more secure and convenient to be able to set these secrets from outside. The hash of the migration should still be calculated based on the data in the migration file, e.g. a change of the password should not change the hash.

Idea 1: use environment variables
In the migration file the secrets could be replaced by a placeholder that defines the environment variable to use. Example: ${env:USER1_PASSWORD}

Idea 2: use a pluggable loading mechanism
In the migration file the secret could be replaced by a placeholder that defines the loading plugin to use and some data for that plugin. Example: ${aws.parameterStore:/secrets/user1/password}
Explanation: Plugin "aws.parameterStore" should be used to load the value and it gets the attribute "/secrets/user1/password" to know which parameter store value it should load.

klg71 commented 4 years ago

Hey sideisra,

this issue should be resolved with version 0.1.0. Parameter substitution can now be used in any yaml changelog file:

Example

id: initial-keycloak
author: klg71
realm: master
changes:
- addUser:
    name: test
    enabled: true
    emailVerified: true
    attributes:
      test:
      - ${JAVA_HOME}
      - test2

This will replace ${JAVA_HOME} with the system variable JAVA_HOME present at runtime.
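The two requirements raised in this thread, secrets supplied from the environment at runtime and a migration hash that stays stable when a secret is rotated, can be shown together in a small standalone script. The following is an added illustration written for this page, not code from keycloakmigration, and it does not claim to reproduce how the project's own substitution or hashing works. It assumes the `${NAME}` placeholder syntax from the example above, uses a constructed changelog (not a real project file), hashes the raw template before substitution, refuses to apply a changelog whose placeholders are unset (so a literal `${USER1_PASSWORD}` is never stored as a password by mistake), and redacts substituted values before anything is logged.

```python
import hashlib
import os
import re

# Matches ${NAME} placeholders such as ${USER1_PASSWORD}; the name is captured.
PLACEHOLDER = re.compile(r"\$\{([A-Za-z_][A-Za-z0-9_]*)\}")

# Constructed sample changelog in the style of the thread; not a file from the project.
CHANGELOG = """\
id: add-service-user
author: example
realm: master
changes:
- addUser:
    name: service-user
    enabled: true
    attributes:
      password:
      - ${USER1_PASSWORD}
"""


def changelog_hash(template):
    """Hash the changelog *before* substitution, so rotating a secret in the
    environment does not change the migration's identity."""
    return hashlib.sha256(template.encode("utf-8")).hexdigest()


def placeholders(template):
    """Return the sorted, de-duplicated placeholder names used in a template."""
    return sorted(set(PLACEHOLDER.findall(template)))


def substitute(template, env=None):
    """Replace every ${NAME} with env[NAME].

    Fails loudly when a name is unset: silently leaving the placeholder in
    place (or substituting an empty string) would write a bogus secret into
    Keycloak, which is worse than aborting the migration.
    """
    env = os.environ if env is None else env
    missing = [name for name in placeholders(template) if name not in env]
    if missing:
        raise KeyError("unset variables for changelog: " + ", ".join(missing))
    return PLACEHOLDER.sub(lambda m: env[m.group(1)], template)


def redact(rendered, env, names):
    """Mask the substituted values of the given names so the rendered
    changelog can be logged without leaking secrets."""
    out = rendered
    for name in names:
        value = env.get(name)
        if value:
            out = out.replace(value, "***")
    return out


if __name__ == "__main__":
    # Hypothetical environment; in practice these come from os.environ.
    env = {"USER1_PASSWORD": "s3cr3t"}
    print("hash:", changelog_hash(CHANGELOG))
    rendered = substitute(CHANGELOG, env)
    print(redact(rendered, env, placeholders(CHANGELOG)))
```

Because the hash is taken over the template text, two deployments that set different `USER1_PASSWORD` values record the same migration hash, while the rendered file that actually reaches Keycloak differs; the rendered text is never hashed or logged unredacted.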