A plugin for managing your Pantheon secrets via Terminus.
NOTE: Secrets Manager is still in Early Access. Customer Support is unable to provide assistance with this feature. Please create an Issue in the GitHub repo to report any issues or bugs.
To install this plugin using Terminus 3:
terminus self:plugin:install terminus-secrets-manager-plugin
Use terminus secret:list to list existing secrets for a given site:
terminus secret:list <site>
 ------------- ------------- ---------------------------
  Secret name   Secret type   Secret value
 ------------- ------------- ---------------------------
  file.json     file          contents of a secret file
  foo           env           bar
 ------------- ------------- ---------------------------
Use terminus secret:set <site> <secret_name> <secret_value> [--type=TYPE] [--scope=SCOPE] to set a secret for a given site:
terminus secret:set <site> foo bar
[notice] Success
terminus secret:set <site> file.json "{}" --type=file
[notice] Success
terminus secret:set <site> foo bar --scope=user,ic
[notice] Success
Note: If you do not include a type or scope flag, their defaults will be env and ic respectively.
Use terminus secret:delete <site> <secret_name> to delete a secret for a given site:
terminus secret:delete <site> foo
[notice] Success
- Generate a GitHub token. The GitHub token needs all of the "repo" permissions (check this box specifically - only checking all the child boxes does not set the proper permissions).
- Set the secret value to the token via terminus:
  terminus secret:set <site> github-oauth.github.com <github_token> --type=composer --scope=user,ic
- Add your private repository to the repositories section of composer.json:
  { "type": "vcs", "url": "https://github.com/your-organization/your-repository-name" }
  Your repository should contain a composer.json that declares a package name in its name field. If it is a WordPress plugin or a Drupal module, it should specify a type of wordpress-plugin or drupal-module respectively. For these instructions, we will assume your package name is your-organization/your-package-name.
- Require the package defined by your private repository's composer.json by either adding a new record to the require section of the site's composer.json or with a composer require command:
  composer require your-organization/your-package-name
- Commit your changes and push to Pantheon.
github-oauth.github.com is a magic token name for Composer that authenticates all GitHub URLs with the credentials from the token you provide. There are several "magic" variable names, or you can choose "basic authentication" by providing a COMPOSER_AUTH variable.
HTTP basic authentication
For multiple private repositories on multiple private domains, you will need to create a COMPOSER_AUTH JSON and make it available via the COMPOSER_AUTH environment variable.
Composer can read private repository access information from the COMPOSER_AUTH environment variable. The COMPOSER_AUTH variable has to be in a specific JSON format.
An example of that format:
#!/bin/bash
# Build the COMPOSER_AUTH JSON. The quoted 'EOF' delimiter keeps the shell from expanding anything inside it.
COMPOSER_AUTH_JSON=$(cat <<'EOF'
{
  "http-basic": {
    "github.com": {
      "username": "my-username1",
      "password": "my-secret-password1"
    },
    "repo.example2.org": {
      "username": "my-username2",
      "password": "my-secret-password2"
    },
    "private.packagist.org": {
      "username": "my-username2",
      "password": "my-secret-password2"
    }
  }
}
EOF
)
# Quote both variables so the JSON reaches terminus as a single argument.
terminus secret:set "${SITE_NAME}" COMPOSER_AUTH "${COMPOSER_AUTH_JSON}" --type=env --scope=user,ic
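A pre-flight check for the COMPOSER_AUTH JSON format shown above, as an added example that is not part of the plugin or of Composer: it validates the http-basic and github-oauth entries, confirms every repository host in composer.json has usable credentials, and flags credentials embedded in a repository URL. The helper name audit_composer_auth and the sample inputs are hypothetical, and every listed repository is assumed to be private.

```python
import json
from urllib.parse import urlsplit
def _valid(section, cred):
    """http-basic needs username and password strings; github-oauth a token string."""
    if section == "http-basic":
        return isinstance(cred, dict) and all(
            isinstance(cred.get(k), str) and cred[k] for k in ("username", "password"))
    return isinstance(cred, str) and bool(cred)

def audit_composer_auth(composer_json, composer_auth):
    """Hypothetical helper: return findings, empty when every repo host is covered."""
    try:
        auth = json.loads(composer_auth)
    except json.JSONDecodeError as exc:
        return [f"COMPOSER_AUTH is not valid JSON: {exc.msg}"]
    if not isinstance(auth, dict):
        return ["COMPOSER_AUTH must be a JSON object"]
    findings, covered = [], set()
    for section in ("http-basic", "github-oauth"):
        entries = auth.get(section, {})
        if not isinstance(entries, dict):
            findings.append(f"{section} must be an object keyed by host")
            continue
        for host, cred in entries.items():
            if _valid(section, cred):
                covered.add(host.lower())
            else:
                findings.append(f"{section}[{host}] is incomplete")
    repos = json.loads(composer_json).get("repositories", [])
    if isinstance(repos, dict):  # Composer also accepts an object keyed by name
        repos = list(repos.values())
    for repo in repos:
        if not isinstance(repo, dict):  # e.g. "packagist.org": false
            continue
        url = urlsplit(repo.get("url", ""))
        if url.username or url.password:  # secret would be committed to git
            findings.append(f"{url.hostname}: credentials embedded in composer.json URL")
        if url.hostname and url.hostname not in covered:  # assumes repo is private
            findings.append(f"{url.hostname}: no usable credentials in COMPOSER_AUTH")
    return findings

# Constructed sample inputs, not taken from a real site.
SAMPLE_COMPOSER = json.dumps({"repositories": [
    {"type": "vcs", "url": "https://github.com/your-organization/your-repository-name"},
    {"type": "composer", "url": "https://repo.example2.org"},
    {"type": "vcs", "url": "https://deploy:s3cret@git.example3.test/org/pkg"}]})
SAMPLE_AUTH = json.dumps({"http-basic": {
    "github.com": {"username": "my-username1", "password": "my-secret-password1"},
    "repo.example2.org": {"username": "my-username2", "password": ""}}})
```

Running audit_composer_auth(SAMPLE_COMPOSER, SAMPLE_AUTH) before terminus secret:set reports the empty password, the two hosts without usable credentials, and the URL that carries a password.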