Closed simondotm closed 10 months ago
Does anybody use .secret.local?
If so, please let me know your use cases, so I can figure out how best to integrate support for it in the plugin
We use GCP's secret manager to store secrets and load them at runtime. During development, we want to run the cloud functions in an emulator, so we use the .secret.local file to provide the secrets during development. These local secrets sometimes grant access to a sandbox, sometimes to a production environment. Every dev who needs access fills this file with the secrets they need/want, so we don't commit it.
Right now our workaround is to cp the file during the build pipeline.
Thanks @ciriousjoker, that's very useful to know.
Where do you cp them to - the functions' dist folder?
It occurs to me that with the v2 plugin allowing multiple function apps per firebase project, it may need to be copied to each function dist folder, unless the location of the .secret.local file can be given to the emulator cmd line...
Yes, the file is copied into the dist folder, like this:
{
"command": "npx cpy ./apps/<project>/.secret.local ./dist/apps/<project> --flat"
},
Ok I think I have a solution for this.
I'm going to add an environment folder to firebase applications, which can contain common files such as:
.env
.env.<project>
.env.local and .secret.local (will be git ignored)
.runtimeconfig.json (for v1 users and also git ignored)
Function project.json configs will then be updated to have a glob in the assets ruleset, to always copy any files from this folder to dist for every function. This way every deployed or emulated function has the same common env vars.
"assets": [
"apps/functions/test/src/assets",
{ "glob": "**/*", "input": "apps/firebase/environment", "output": "."}
],
Nx appears to not use .gitignore or .nxignore rules for globs, so this seems to work well.
It may mean that .secret.local gets deployed to cloud functions, but since that is only consumed by the emulator I don't think it will have any effect on deployed runtimes and will be just ignored in the cloud.
@ciriousjoker - do you take any steps to prevent .secret.local being deployed, since it is in your dist folder?
Just thinking it might be a security risk having such files deployed as plain text in the cloud container & outside of the secrets API.
Thinking we can add .secret.local to functions.ignore in the firebase.json if it's an issue
Fixed in PR #137
Originally posted by @ciriousjoker in https://github.com/simondotm/nx-firebase/issues/37#issuecomment-1151347554
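An added example, not part of the thread or of nx-firebase: a pre-deploy check in Node.js that reports local-only files (.secret.local, .env.local, .runtimeconfig.json) found in a functions source folder without a matching functions.ignore entry in firebase.json. The matcher is a deliberately conservative assumption (exact relative path or `**/<name>` only), not firebase-tools' own glob logic, and the paths and values in demo() are constructed.

```javascript
const fs = require("fs");
const os = require("os");
const path = require("path");

// Files the thread describes as local-only (git ignored, emulator/dev use).
const LOCAL_ONLY = [".secret.local", ".env.local", ".runtimeconfig.json"];

// List every file under dir, as POSIX-style paths relative to dir.
function listFiles(dir, rel = "") {
  return fs.readdirSync(path.join(dir, rel), { withFileTypes: true }).flatMap((e) => {
    const child = rel ? `${rel}/${e.name}` : e.name;
    return e.isDirectory() ? listFiles(dir, child) : [child];
  });
}

// Assumption: conservative matching, not firebase-tools' glob semantics. A file
// counts as ignored only if a pattern is its exact relative path or "**/<basename>".
function isIgnored(relPath, patterns) {
  const name = path.posix.basename(relPath);
  return patterns.some((p) => p === relPath || p === `**/${name}`);
}

// config: parsed firebase.json; "functions" may be one object or an array
// (one entry per function app). Returns local-only files with no ignore entry.
function findShippedSecrets(config, root) {
  return [].concat(config.functions || []).flatMap((fn) =>
    listFiles(path.join(root, fn.source))
      .filter((f) => LOCAL_ONLY.includes(path.posix.basename(f)))
      .filter((f) => !isIgnored(f, fn.ignore || []))
      .map((f) => path.posix.join(fn.source, f))
  );
}

// Constructed sample: two function apps in a temp dir; only "a" ignores the file.
function demo() {
  const root = fs.mkdtempSync(path.join(os.tmpdir(), "fb-check-"));
  for (const app of ["dist/apps/a", "dist/apps/b"]) {
    fs.mkdirSync(path.join(root, app), { recursive: true });
    fs.writeFileSync(path.join(root, app, ".secret.local"), "API_KEY=constructed\n");
    fs.writeFileSync(path.join(root, app, "main.js"), "");
  }
  const config = { functions: [
    { source: "dist/apps/a", ignore: [".secret.local"] },
    { source: "dist/apps/b", ignore: ["node_modules"] },
  ] };
  return findShippedSecrets(config, root);
}
console.log(demo()); // a non-empty list should fail the pipeline before deploy
```

Run it as a step between the asset copy and the deploy command, passing the parsed firebase.json and the workspace root to findShippedSecrets.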