simondotm / nx-firebase

Firebase plugin for Nx Monorepos
https://www.npmjs.com/package/@simondotm/nx-firebase
MIT License

Support `.secret.local` #92

Closed simondotm closed 10 months ago

simondotm commented 1 year ago

Originally posted by @ciriousjoker in https://github.com/simondotm/nx-firebase/issues/37#issuecomment-1151347554

simondotm commented 12 months ago

Does anybody use `.secret.local`? If so, please let me know your use cases, so I can figure out how best to integrate support for it in the plugin.

ciriousjoker commented 12 months ago

We use GCP's secret manager to store secrets and load them at runtime. During development, we want to run the cloud functions in an emulator, so we use the `.secret.local` file to provide the secrets during development. These local secrets sometimes grant access to a sandbox, sometimes to a production environment. Every dev who needs access fills this file with the secrets they need/want, so we don't commit it.

Right now our workaround is to cp the file during the build pipeline.

simondotm commented 12 months ago

Thanks @ciriousjoker, that's very useful to know. Where do you cp them to - the functions' dist folder? It occurs to me that with the v2 plugin allowing multiple function apps per firebase project, it may need to be copied to each function dist folder, unless the location of the `.secret.local` file can be given to the emulator cmd line...

ciriousjoker commented 11 months ago

Yes, the file is copied into the dist folder, like this:

    {
      "command": "npx cpy ./apps/<project>/.secret.local ./dist/apps/<project> --flat"
    },

simondotm commented 10 months ago

Ok I think I have a solution for this.

I'm going to add an environment folder to firebase applications, which can contain common files such as:

Function project.json configs will then be updated to have a glob in the assets ruleset, to always copy any files from this folder to dist for every function. This way every deployed or emulated function has the same common env vars.

        "assets": [
          "apps/functions/test/src/assets",
          { "glob": "**/*", "input": "apps/firebase/environment", "output": "."}          
        ],

Nx appears to not use .gitignore or .nxignore rules for globs, so this seems to work well.

It may mean that `.secret.local` gets deployed to cloud functions, but since that is only consumed by the emulator I don't think it will have any effect on deployed runtimes and will be just ignored in the cloud.

simondotm commented 10 months ago

@ciriousjoker - do you take any steps to prevent .secret.local being deployed, since it is in your dist folder?

Just thinking it might be a security risk having such files deployed as plain text in the cloud container & outside of the secrets API.

simondotm commented 10 months ago

Thinking we can add `.secret.local` to `functions.ignore` in the firebase.json if it's an issue.

simondotm commented 10 months ago

Fixed in PR #137
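
A pre-deploy check for the risk raised in this thread, as an added example that is not part of the issue or of the nx-firebase plugin: it reports function sources whose dist folder holds `.secret.local` without a matching `functions.ignore` entry in firebase.json. The codebase names and dist paths are constructed, and only literal ignore entries are recognised (an assumption; the deploy tool's glob matching is not reimplemented).

```javascript
// Added example, not nx-firebase code: flag dist folders that would ship
// `.secret.local` with a deploy because no functions.ignore rule covers it.
const SECRET_FILE = '.secret.local';

// firebase.json "functions" is either one object or an array of codebases.
function functionTargets(firebaseConfig) {
  const fn = firebaseConfig.functions;
  if (!fn) return [];
  return (Array.isArray(fn) ? fn : [fn]).map((t) => ({
    // "source" defaults to the "functions" directory when omitted.
    source: (t.source || 'functions').replace(/\/+$/, ''),
    ignore: t.ignore || [],
  }));
}

// Assumption: only these literal entries count as covering the file.
function isIgnored(ignoreList) {
  return ignoreList.some((p) => p === SECRET_FILE || p === `**/${SECRET_FILE}`);
}

// Returns the sources that contain .secret.local and have no ignore rule for it.
// fileExists is injected so the check can run against disk or a fixture.
function findDeployableSecrets(firebaseConfig, fileExists) {
  return functionTargets(firebaseConfig)
    .filter((t) => fileExists(`${t.source}/${SECRET_FILE}`) && !isIgnored(t.ignore))
    .map((t) => t.source);
}

// Constructed sample: three function apps built into dist by the assets glob.
const sampleConfig = {
  functions: [
    { codebase: 'api', source: 'dist/apps/functions/api', ignore: ['node_modules'] },
    { codebase: 'jobs', source: 'dist/apps/functions/jobs',
      ignore: ['node_modules', '.secret.local'] },
    { codebase: 'hooks', source: 'dist/apps/functions/hooks' },
  ],
};
const sampleFiles = new Set([
  'dist/apps/functions/api/.secret.local',
  'dist/apps/functions/jobs/.secret.local',
]);

function checkSample() {
  return findDeployableSecrets(sampleConfig, (p) => sampleFiles.has(p));
}

console.log('would be deployed with secrets:', checkSample());
```

To run it against a real workspace, call `findDeployableSecrets` with the parsed firebase.json and `require('fs').existsSync` from the workspace root, and fail the pipeline when the result is non-empty.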