pantheon-systems / terminus-secrets-plugin

A simple secrets management plugin for Terminus
MIT License

Use environment to differentiate secrets #21

Closed markhalliwell closed 4 years ago

markhalliwell commented 4 years ago

Problem

Also, be aware that your secrets may be overwritten by filesystem sync operations. For instance, if you check the "pull files and database from Live" option when deploying to TEST, that will overwrite the TEST env with secrets (or a lack thereof) in LIVE. If you intend to use secrets.json for production, make sure you set the same file in all environments to avoid confusion.

Not trying to be negative here, but this is a really bad design/workflow.

  1. The Pantheon Dashboard already has both the database and files checked when one decides to clone from live down to dev/test.
  2. There's absolutely no messaging on the Dashboard that indicates syncing files could be disastrous to the current workflow.
  3. Devs may not know (new) or even remember (old) the special caveat of how syncing down files will overwrite these secrets that were painfully set up.
  4. Completely prevents the legitimate need to sync files downstream to other instances.
  5. All it takes is one accidental mistake to destroy absolutely everything.

Solution

It's really simple: include the environment in the filename: secrets.{PANTHEON_ENV}.json

secrets.custom-multidev.json
secrets.dev.json
secrets.test.json
secrets.live.json

That way, even if they are synced down, they don't overwrite each other and the plugin always chooses the correct one based on the environment being targeted.
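
The selection logic proposed above, as an added example that is not part of the issue and not the plugin's own code. It looks for secrets.{env}.json first and only falls back to the legacy secrets.json if asked to, since that single file is the one a filesystem sync can overwrite. It assumes the secrets directory is passed in as $baseDir (placeholder path below) and that the environment name comes from the platform variable PANTHEON_ENVIRONMENT; the {PANTHEON_ENV} placeholder in the proposal is taken to mean that variable.

```php
<?php
declare(strict_types=1);

/**
 * Resolve the secrets file for one Pantheon environment.
 *
 * Assumptions (not from the plugin): $baseDir is the directory holding the
 * secrets files; $env is the environment name (dev, test, live or a
 * multidev name). Returns null when no candidate file exists.
 */
function resolveSecretsPath(string $baseDir, string $env, bool $allowFallback = true): ?string
{
    // Only accept a plain environment name. Anything else (for example a
    // value containing "/" or "..") must not be able to steer the lookup
    // outside $baseDir.
    if (!preg_match('/^[a-z0-9-]{1,32}$/', $env)) {
        throw new InvalidArgumentException("Invalid environment name: $env");
    }

    $candidates = [$baseDir . '/secrets.' . $env . '.json'];
    if ($allowFallback) {
        // Legacy single file; a sync from another environment can replace it.
        $candidates[] = $baseDir . '/secrets.json';
    }

    foreach ($candidates as $path) {
        if (is_file($path) && is_readable($path)) {
            return $path;
        }
    }
    return null;
}

/**
 * Read and decode the secrets for $env as an associative array.
 * Returns an empty array when no file is present; throws on unreadable
 * or malformed files so a broken secrets file is noticed, not ignored.
 */
function readSecrets(string $baseDir, string $env, bool $allowFallback = true): array
{
    $path = resolveSecretsPath($baseDir, $env, $allowFallback);
    if ($path === null) {
        return [];
    }

    $raw = file_get_contents($path);
    if ($raw === false) {
        throw new RuntimeException("Unable to read $path");
    }

    $data = json_decode($raw, true, 512, JSON_THROW_ON_ERROR);
    if (!is_array($data)) {
        throw new RuntimeException("$path does not contain a JSON object");
    }
    return $data;
}

// Usage from site code (settings.php or wp-config.php style). The directory
// is a placeholder; point it at wherever the secrets files are written.
$env = $_ENV['PANTHEON_ENVIRONMENT'] ?? 'dev';
$secrets = readSecrets('/path/to/private/files', $env, false);
```

Passing false for $allowFallback in live is the stricter choice: live then reads only secrets.live.json, so a stray secrets.json that was synced in from elsewhere cannot be picked up by mistake.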

sugaroverflow commented 4 years ago

👋 @markcarver we would love to solve this with environment variables on the dashboard, but that's not possible at this time.

As stated in the readme, you can use Lockr for secrets that are sensitive and in different environments. Alternatively, if you have a complicated workflow, you can create your secrets file in live and pull it down.

markhalliwell commented 4 years ago

@sugaroverflow I think you misunderstand. I'm not talking about shell environment variables. I'm talking about Pantheon environment names (i.e. dev/test/live/multidev).

greg-1-anderson commented 4 years ago

@markcarver Note that this plugin already allows you to choose your filename when you write your secrets file. You could make it a policy to always write your secrets to the live environment with a file-naming scheme of your choice. Of course it is up to your code to decide how to select and read the secrets files.

Note that your proposal to call the Terminus secrets plugin to write secrets to the dev environment is not a reliable way to keep your secrets persistent. If you sync your filesystem from live to a multidev environment, any file not present in the live environment will be erased in the target environment. This plugin was designed for writing secrets to short-lived PR multidevs where it is presumed that you will not sync the filesystem from another environment. If you need more than that, you should use Lockr.

Closing, as the current behavior is already about as close as I think we can get for the scope of what this plugin was intended to cover.