Terminus Secrets Manager Plugin (Early Access)

Terminus Secrets Manager Plugin

A plugin for managing your Pantheon secrets via Terminus.

NOTE: Secrets Manager is still in Early Access. Customer Support is unable to provide assistance with this feature. Please create an Issue in the GitHub repo to report any issues or bugs.

Installation

To install this plugin using Terminus 3:

terminus self:plugin:install terminus-secrets-manager-plugin

Usage

Listing secrets

Use terminus secret:list to list existing secrets for a given site:

terminus secret:list <site>

 ------------- ------------- ---------------------------
  Secret name   Secret type   Secret value
 ------------- ------------- ---------------------------
  file.json     file          contents of a secret file
  foo           env           bar
 ------------- ------------- ---------------------------

Setting secrets

Use terminus secret:set <site> <secret_name> <secret_value> [--type=TYPE] [--scope=SCOPE] to set a secret for a given site:

terminus secret:set <site> foo bar

[notice] Success

terminus secret:set <site> file.json "{}" --type=file

[notice] Success

terminus secret:set <site> foo bar --scope=user,ic

[notice] Success

Note: If you omit the --type or --scope flag, the defaults are env and ic respectively.

Deleting secrets

Use terminus secret:delete <site> <secret_name> to delete a secret for a given site:

terminus secret:delete <site> foo

[notice] Success

Using secrets with Integrated Composer

Steps

  1. Generate a GitHub token. The token needs all of the "repo" permissions (check the "repo" box itself; checking only its child boxes does not grant the required permissions).

  2. Set the secret value to the token via terminus: terminus secret:set <site> github-oauth.github.com <github_token> --type=composer --scope=user,ic

  3. Add your private repository to the repositories section of composer.json:

    {
        "type": "vcs",
        "url": "https://github.com/your-organization/your-repository-name"
    }

    Your repository should contain a composer.json that declares a package name in its name field. If it is a WordPress plugin or a Drupal module, it should specify a type of wordpress-plugin or drupal-module respectively. For these instructions, we will assume your package name is your-organization/your-package-name.

  4. Require the package defined by your private repository's composer.json, either by adding a new record to the require section of the site's composer.json or with a composer require command:

    composer require your-organization/your-package-name

  5. Commit your changes and push to Pantheon.

github-oauth.github.com is a "magic" token name for Composer: it authenticates every GitHub URL with the credentials from the token you provide. There are several such magic variable names; alternatively, you can choose HTTP basic authentication by providing a COMPOSER_AUTH variable.

HTTP basic authentication

For multiple private repositories on multiple private domains, you will need to create a COMPOSER_AUTH JSON document and make it available through the COMPOSER_AUTH environment variable.

Composer can read private repository credentials from the COMPOSER_AUTH environment variable. The variable's value has to be in a specific JSON format.

An example of that format:

#!/bin/bash

# Capture the COMPOSER_AUTH document in a variable. The quoted heredoc
# delimiter ('EOF') keeps the JSON literal, so $ and backslashes inside
# usernames or passwords are not expanded by the shell.
COMPOSER_AUTH_JSON=$(cat <<'EOF'
{
    "http-basic": {
        "github.com": {
            "username": "my-username1",
            "password": "my-secret-password1"
        },
        "repo.example2.org": {
            "username": "my-username2",
            "password": "my-secret-password2"
        },
        "private.packagist.org": {
            "username": "my-username2",
            "password": "my-secret-password2"
        }
    }
}
EOF
)

# Quote the variable: the JSON contains spaces and newlines and must reach
# terminus as a single argument, not be split into several words.
terminus secret:set "${SITE_NAME}" COMPOSER_AUTH "${COMPOSER_AUTH_JSON}" --type=env --scope=user,ic
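As an added example (not part of the plugin or this README), the following Python helper builds the COMPOSER_AUTH document with correct JSON escaping, checks its http-basic shape before it is stored, and assembles the terminus secret:set call as an argv list so the JSON cannot be split into several arguments. The credentials and the site name my-site are constructed placeholders.

```python
import json
import shlex

# Constructed sample credentials (host -> (username, password)); not real.
SAMPLE_CREDENTIALS = {
    "github.com": ("my-username1", "my-secret-password1"),
    "repo.example2.org": ("my-username2", 'pa"ss\\word with spaces'),
}


def build_composer_auth(credentials):
    """Serialize credentials into Composer's COMPOSER_AUTH http-basic JSON.
    json.dumps does the escaping, so quotes, backslashes or spaces in a
    password cannot break the document the way a hand-edited heredoc can."""
    http_basic = {host: {"username": user, "password": pw}
                  for host, (user, pw) in credentials.items()}
    return json.dumps({"http-basic": http_basic}, separators=(",", ":"))


def validate_composer_auth(text):
    """Return the problems found in a COMPOSER_AUTH document ([] if valid)."""
    try:
        doc = json.loads(text)
    except ValueError as exc:
        return [f"not valid JSON: {exc}"]
    if not isinstance(doc, dict) or not isinstance(doc.get("http-basic"), dict):
        return ["missing top-level 'http-basic' object"]
    problems = []
    for host, entry in doc["http-basic"].items():
        if not isinstance(entry, dict):
            problems.append(f"{host}: entry must be an object")
            continue
        for key in ("username", "password"):
            if not isinstance(entry.get(key), str) or not entry[key]:
                problems.append(f"{host}: missing or empty {key!r}")
    return problems


def terminus_set_command(site, composer_auth_json):
    """Return (argv, shell_line) for the terminus secret:set call. The JSON is
    one argv element; shlex.join shows the quoting an unquoted shell variable
    would lose through word splitting."""
    argv = ["terminus", "secret:set", site, "COMPOSER_AUTH",
            composer_auth_json, "--type=env", "--scope=user,ic"]
    return argv, shlex.join(argv)


if __name__ == "__main__":
    auth = build_composer_auth(SAMPLE_CREDENTIALS)
    print(validate_composer_auth(auth) or "COMPOSER_AUTH valid; pass argv to subprocess.run")
```

Run the argv list with subprocess.run(argv) rather than pasting the joined shell line, so the secret is never echoed into shell history.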