From a77ee101026192bfa0859b3d721e1fa66ea97efa Mon Sep 17 00:00:00 2001 From: Kevin Porras Date: Tue, 4 Apr 2023 14:09:03 -0600 Subject: [PATCH 1/5] Small adjustments for env overrides. --- README.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 80fc1a7..4d888ee 100644 --- a/README.md +++ b/README.md @@ -84,13 +84,13 @@ When a given runtime (e.g. Integrated Composer runtime or the application runtim - Fetch secrets for site (of the given type and within the given scopes) -- Apply environment overrides (if any). More info on this to come soon. +- Apply environment overrides (if any) based on the requester environment. - If the site is owned by an organization: - Get the organization secrets - - Apply environment overrides (if any). + - Apply environment overrides (if any) based on the requester environment. - Merge the organization secrets with the site secrets 
@@ -113,7 +113,7 @@ On the other hand, when Integrated Composer attempts to get secrets for `my-site - Only the secrets for the OWNER organization are being merged. If the site has a Supporting Organization, it will be ignored. - Process the resulting secrets to make them available to Composer. -**Note:** Due to platform design, the "environment" for Integrated Composer will always be either `dev` or a multidev. It will never be `test` or `live` so we don't recommend using "environment" overrides for composer access. The primary use-case for environment overrides is for the CMS key-values and environment variables that need to be different between your production and non-production environments. +**Note:** Due to platform design, the "environment" for Integrated Composer will always be either `dev` or a multidev. It will never be `test` or `live` so we don't recommend using environment overrides for composer access. The primary use-case for environment overrides is for the CMS key-values and environment variables that need to be different between your live and non-live environments. ## Plugin Usage From 551fd7119f3bcf0697ff93ca56b623995b464c7b Mon Sep 17 00:00:00 2001 From: Kevin Porras Date: Tue, 4 Apr 2023 14:09:15 -0600 Subject: [PATCH 2/5] Site secrets env overrides. --- README.md | 33 ++++++++++++++++++++++++++++++++- 1 file changed, 32 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 4d888ee..c7454fe 100644 --- a/README.md +++ b/README.md @@ -147,7 +147,7 @@ The secrets `set` command takes the following format: - `One or more scopes` -Run the command below to set a secret in Terminus: +Run the command below to set a new secret in Terminus: ``` terminus secret:site:set 
@@ -172,6 +172,28 @@ terminus secret:site:set --scope=user,ic Note: If you do not include a `type` or `scope` flag, their defaults will be `runtime` and `user` respectively. +Run the command below to update an existing secret in Terminus: + +``` +terminus secret:site:set + +[notice] Success + +``` + +Note: When updating an existing secret, `type` and `scope` should NOT be passed as they are immutable. You should delete and recreate the secret if you need to update those properties. + +Add or update an environment override for an existing secret in Terminus: + +``` +terminus secret:site:set . + +[notice] Success + +``` + +Note: You can add an environment override only to existing secrets; otherwise, it will fail. + #### List secrets @@ -227,6 +249,15 @@ terminus secret:site:delete ``` +Run the command below to delete an environment override for a secret: + +``` +terminus secret:site:delete . + +[notice] Success + +``` + ### Organization secrets Commands #### Set a secret From d8be0af2b7a8e6f36b9048b52f3a215a2760b05c Mon Sep 17 00:00:00 2001 From: Kevin Porras Date: Tue, 4 Apr 2023 14:12:11 -0600 Subject: [PATCH 3/5] Org secrets env overrides. --- README.md | 33 ++++++++++++++++++++++++++++++++- 1 file changed, 32 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index c7454fe..ee2601e 100644 --- a/README.md +++ b/README.md @@ -269,7 +269,7 @@ The secrets `set` command takes the following format: - `Type` - `One or more scopes` -Run the command below to set a secret in Terminus: +Run the command below to set a new secret in Terminus: ``` terminus secret:org:set 
@@ -294,6 +294,28 @@ terminus secret:org:set --scope=user,ic Note: If you do not include a `type` or `scope` flag, their defaults will be `runtime` and `user` respectively. +Run the command below to update an existing secret in Terminus: + +``` +terminus secret:org:set + +[notice] Success + +``` + +Note: When updating an existing secret, `type` and `scope` should NOT be passed as they are immutable. You should delete and recreate the secret if you need to update those roperties. + +Add or update an environment override for an existing secret in Terminus: + +``` +terminus secret:org:set --env= + +[notice] Success + +``` + +Note: You can add an environment override only to existing secrets; otherwise, it will fail. + #### List secrets @@ -348,6 +370,15 @@ terminus secret:org:delete ``` +Run the command below to delete an environment override for a secret: + +``` +terminus secret:org:delete --env= + +[notice] Success + +``` + ### Help Run `terminus list secret` for a complete list of available commands. Use terminus help to get help with a specific command. From fb8b3c5f925b36e326c38a9c35e276722ac95f31 Mon Sep 17 00:00:00 2001 From: Kevin Porras Date: Tue, 4 Apr 2023 14:22:48 -0600 Subject: [PATCH 4/5] Consistency and formatting. --- README.md | 47 +++++++++++++++-------------------------------- 1 file changed, 15 insertions(+), 32 deletions(-) diff --git a/README.md b/README.md index ee2601e..6012505 100644 --- a/README.md +++ b/README.md 
@@ -147,49 +147,46 @@ The secrets `set` command takes the following format: - `One or more scopes` -Run the command below to set a new secret in Terminus: +**Run the command below to set a new secret in Terminus:** ``` terminus secret:site:set [notice] Success - ``` ``` terminus secret:site:set file.json "{}" --type=file [notice] Success - ``` ``` terminus secret:site:set --scope=user,ic [notice] Success - ``` Note: If you do not include a `type` or `scope` flag, their defaults will be `runtime` and `user` respectively. -Run the command below to update an existing secret in Terminus: + +**Run the command below to update an existing secret in Terminus:** ``` terminus secret:site:set [notice] Success - ``` Note: When updating an existing secret, `type` and `scope` should NOT be passed as they are immutable. You should delete and recreate the secret if you need to update those properties. -Add or update an environment override for an existing secret in Terminus: + +**Add or update an environment override for an existing secret in Terminus:** ``` terminus secret:site:set . [notice] Success - ``` Note: You can add an environment override only to existing secrets; otherwise, it will fail. @@ -208,9 +205,8 @@ The secrets `list` command provides a list of all secrets available for a site. Note that the `value` field will contain a placeholder value unless the `user` scope was specified when the secret was set. -Run the command below to list a site’s secrets: +**Run the command below to list a site’s secrets:** -`terminus secret:site:list` ``` terminus secret:site:list @@ -222,8 +218,6 @@ terminus secret:site:list ------------- ------------- --------------------------- ``` -`terminus secret:site:list` - ``` terminus secret:site:list --fields="*" 
@@ -240,22 +234,20 @@ terminus secret:site:list --fields="*" The secrets `delete` command will remove a secret and all of its overrides. -Run the command below to delete a secret: +**Run the command below to delete a secret:** ``` terminus secret:site:delete [notice] Success - ``` -Run the command below to delete an environment override for a secret: +**Run the command below to delete an environment override for a secret:** ``` terminus secret:site:delete . [notice] Success - ``` ### Organization secrets Commands @@ -269,49 +261,44 @@ The secrets `set` command takes the following format: - `Type` - `One or more scopes` -Run the command below to set a new secret in Terminus: +**Run the command below to set a new secret in Terminus:** ``` terminus secret:org:set [notice] Success - ``` ``` terminus secret:org:set file.json "{}" --type=file [notice] Success - ``` ``` terminus secret:org:set --scope=user,ic [notice] Success - ``` Note: If you do not include a `type` or `scope` flag, their defaults will be `runtime` and `user` respectively. -Run the command below to update an existing secret in Terminus: +**Run the command below to update an existing secret in Terminus:** ``` terminus secret:org:set [notice] Success - ``` -Note: When updating an existing secret, `type` and `scope` should NOT be passed as they are immutable. You should delete and recreate the secret if you need to update those roperties. +Note: When updating an existing secret, `type` and `scope` should NOT be passed as they are immutable. You should delete and recreate the secret if you need to update those properties. -Add or update an environment override for an existing secret in Terminus: +**Add or update an environment override for an existing secret in Terminus:** ``` terminus secret:org:set --env= [notice] Success - ``` Note: You can add an environment override only to existing secrets; otherwise, it will fail. 
@@ -329,9 +316,8 @@ The secrets `list` command provides a list of all secrets available for an organ Note that the `value` field will contain a placeholder value unless the `user` scope was specified when the secret was set. -Run the command below to list a site’s secrets: +**Run the command below to list a site’s secrets:** -`terminus secret:org:list` ``` terminus secret:org:list @@ -343,7 +329,6 @@ terminus secret:org:list ------------- ------------- --------------------------- ``` -`terminus secret:org:list` ``` terminus secret:org:list --fields="*" @@ -361,22 +346,20 @@ terminus secret:org:list --fields="*" The secrets `delete` command will remove a secret and all of its overrides. -Run the command below to delete a secret: +**Run the command below to delete a secret:** ``` terminus secret:org:delete [notice] Success - ``` -Run the command below to delete an environment override for a secret: +**Run the command below to delete an environment override for a secret:** ``` terminus secret:org:delete --env= [notice] Success - ``` ### Help From 9d7c5167695d6cb2fbaa583d92833b8035c213a7 Mon Sep 17 00:00:00 2001 From: Kevin Porras Date: Tue, 4 Apr 2023 14:29:28 -0600 Subject: [PATCH 5/5] Add ToC. --- README.md | 25 +++++++++++++++++++++++++ 1 file changed, 25 insertions(+) diff --git a/README.md b/README.md index 6012505..bfe4a6d 100644 --- a/README.md +++ b/README.md 
@@ -2,6 +2,31 @@ Pantheon’s Secrets Manager Terminus plugin is key to maintaining industry best practices for secure builds and application implementation. Secrets Manager provides a convenient mechanism for you to manage your secrets and API keys directly on the Pantheon platform. +## Table of Contents + +- [Overview](#overview) + * [Key Features](#key-features) + * [Early Access](#early-access) +- [Concepts](#concepts) + * [Secret](#secret) + * [Secret type](#secret-type) + * [Secret scope](#secret-scope) + * [Owning entity](#owning-entity) + * [Site-owned secrets](#site-owned-secrets) + * [Organization-owned secrets](#organization-owned-secrets) + * [Environment override](#environment-override) +- [The life of a secret](#the-life-of-a-secret) +- [Plugin Usage](#plugin-usage) + * [Secrets Manager Plugin Requirements](#secrets-manager-plugin-requirements) + * [Installation](#installation) + * [Site secrets Commands](#site-secrets-commands) + * [Organization secrets Commands](#organization-secrets-commands) + * [Help](#help) +- [Use Secrets with Integrated Composer](#use-secrets-with-integrated-composer) + * [Mechanism 1: Oauth Composer authentication](#mechanism-1-oauth-composer-authentication) + * [Mechanism 2: HTTP Basic Authentication](#mechanism-2-http-basic-authentication) + + ## Overview ### Key Features
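
Review bot: "requester environment" is introduced without a definition in both rewritten bullets of PATCH 1/5 (hunk `@@ -84,13 +84,13 @@`). The surrounding text talks about "a given runtime" fetching secrets, so if the requester is that runtime, say so, for example "based on the environment of the runtime making the request", and link the phrase to the `#environment-override` concept section so the term is explained once.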
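
Review bot: The rewritten **Note** in PATCH 1/5 (hunk `@@ -113,7 +113,7 @@`) stops at "we don't recommend" without stating the consequence. Since the environment for Integrated Composer "will never be `test` or `live`", an override defined for either of those environments can never be applied to a Composer request; saying that outright is clearer than a soft recommendation. Minor, same line: "composer access" is lowercase while the context line above has "available to Composer", and the first sentence still quotes "environment" after the second one dropped the quotes.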
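
Review bot: Both notes added in PATCH 2/5, hunk `@@ -172,6 +172,28 @@`, leave the failure behaviour unspecified. "`type` and `scope` should NOT be passed as they are immutable" does not say whether passing them is rejected with an error or silently ignored, and "otherwise, it will fail" does not say what the user sees when the override targets a secret that does not exist. Suggest stating the outcome in each case, and using "cannot be changed" rather than "should NOT be passed" if the values really are immutable. The same wording is copied into the org section in PATCH 3/5, so fix it in both places.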
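
Review bot: The delete-override example added in PATCH 2/5 (hunk `@@ -227,6 +249,15 @@`) needs a caution beside it. The README states that "The secrets `delete` command will remove a secret and all of its overrides", and the new example `terminus secret:site:delete .` differs from the whole-secret delete directly above it only by the `.`-qualified argument. Suggest a one-line note under the new example spelling out that difference, and saying what remains in effect for the environment once its override is gone.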
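
Review bot: Typo in PATCH 3/5, hunk `@@ -294,6 +294,28 @@`: the added note ends "if you need to update those roperties." It is corrected to "properties" in PATCH 4/5, but the fix belongs in this commit so that 4/5 stays a pure formatting change and 3/5 does not land with a known error.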
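
Review bot: The org override commands in PATCH 3/5 select the environment differently from the site commands in PATCH 2/5, and nothing explains why. Hunk `@@ -348,6 +370,15 @@` adds `terminus secret:org:delete --env=` (and the preceding hunk adds `terminus secret:org:set --env=`), whereas the site equivalents are `terminus secret:site:delete .` and `terminus secret:site:set .`. Add a sentence to the org section stating that organization secrets take the environment through the `--env` option instead of a `.`-qualified argument, so readers copying from one section to the other do not mix the two forms.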
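
Review bot: Wrong entity in the org list lead-in touched by PATCH 4/5, hunk `@@ -329,9 +316,8 @@`. The line is bolded but still reads "**Run the command below to list a site’s secrets:**" directly above `terminus secret:org:list`, in a paragraph about secrets "available for an organ[ization]". Since this commit is the consistency pass, change it to "an organization’s secrets" here.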
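
Review bot: The ToC added in PATCH 5/5 (hunk `@@ -2,6 +2,31 @@`) mixes list markers, `-` for top-level entries and `*` for nested ones, while the nested list earlier in the README ("- If the site is owned by an organization:" / "- Get the organization secrets") uses `-` at both levels; use `-` throughout. Also check "Mechanism 1: Oauth Composer authentication": the usual spelling is "OAuth", and if the heading is corrected the `#mechanism-1-oauth-composer-authentication` anchor is unaffected. The block ends with two blank lines before `## Overview`; one is enough.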