Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Pantheon Secrets local config #9330

Merged
merged 7 commits into from
Nov 27, 2024
Merged
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
94 changes: 71 additions & 23 deletions source/content/guides/secrets/07-local.md
Original file line number Diff line number Diff line change
Expand Up @@ -21,10 +21,24 @@ The [Pantheon Secrets SDK](https://github.com/pantheon-systems/customer-secrets-

To get this file, you should use the [plugin](https://github.com/pantheon-systems/terminus-secrets-manager-plugin/) `secret:site:local-generate` command and then set an environment variable into your local environment (or docker container if you are running a docker-ized environment) with name `CUSTOMER_SECRETS_FAKE_FILE` and use the absolute path to the file as the value.

1. To get generate this file, run `terminus secret:site:local-generate` in your terminal in your project root:

### LANDO example
```bash
terminus secret:site:local-generate <site>
```

Replace `<site>` with your Pantheon site name. The `secrets.json` file will be generated in your project root.
jazzsequence marked this conversation as resolved.
Show resolved Hide resolved

1. Once you have the `secrets.json`, add it to your `.gitignore` so you do not accidentally commit it to your repository.

```text
# Ignore Pantheon local secrets file
secrets.json
```

### Lando configuration

1. To setup this using lando, you should modify your `.lando.yml` like this:
1. Modify your `.lando.yml`:
```yaml
services:
appserver:
Expand All @@ -33,38 +47,72 @@ To get this file, you should use the [plugin](https://github.com/pantheon-system
CUSTOMER_SECRETS_FAKE_FILE: /app/secrets.json
```

2. Generate the secrets file like this:
```bash{promptUser: user}
terminus secret:site:local-generate --filepath=./secrets.json
```

3. And rebuild lando application:
1. Rebuild your Lando application:
```bash{promptUser: user}
lando rebuild -y
```

Now, you will be able to use your secrets through the SDK.


### DDEV example

1. CD to your ddev root directory.
### DDEV configuration

2. To setup using DDEV, add the following to your `~/.ddev/config.yml`
1. CD to your DDEV root directory
1. Add to your `.ddev/config.yml`:
```yaml
web_environment:
- CUSTOMER_SECRETS_FAKE_FILE=./secrets.json
- CUSTOMER_SECRETS_FAKE_FILE=/var/www/html/secrets.json
```

3. Generate the secrets file
```bash{promptUser: user}
terminus secret:site:local-generate --filepath=./secrets.json
```

4. Restart your ddev environment
1. Restart your DDEV environment:
```bash{promptUser: user}
ddev restart
```

## Verifying Secrets Access

### Local Development Function

The `pantheon_get_secret()` function only works on Pantheon's infrastructure, not in local development. For local development, you can create a helper function that mimics the `pantheon_get_secret()` function. To do this, you can use the [Pantheon Customer Secrets SDK](https://github.com/pantheon-systems/customer-secrets-php-sdk). This SDK mirrors the code that is already integrated into the platform. The easiest way to install the Customer Secrets SDK locally is via Composer:
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is awesome!

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

❤️


```bash{promptUser: user}
composer require-dev pantheon-systems/customer-secrets-php-sdk
```

Once you have the SDK locally, you can create a local version of `pantheon_get_secret` using the SDK:

```php
if ( ! function_exists( 'pantheon_get_secret' ) ) {
function pantheon_get_secret( $token = '' ) {
// Check if SDK class exists, if not try to load the Composer autoloader.
if ( ! class_exists( '\PantheonSystems\CustomerSecrets\CustomerSecrets' ) ) {
$autoloader = __DIR__ . '/vendor/autoload.php';
if ( file_exists( $autoloader ) ) {
require_once $autoloader;
} else {
// Autoloader not found - handle appropriately for your application.
return null;
}
}

// Create SDK client for local development
try {
$client = \PantheonSystems\CustomerSecrets\CustomerSecrets::create()->getClient();
$secret = $client->getSecret( $token );
return $secret ? $secret->getValue() : null;
} catch ( \Exception $e ) {
// Handle errors appropriately for your application
return null;
}
}
}
```

This approach allows your code to work seamlessly both on Pantheon (where `pantheon_get_secret()` is natively available) and in local development (where you provide your own implementation).

### Drupal-Specific
If using Drupal with the Key module and Pantheon Secrets module:
1. Go to the Key module configuration
2. Click the "Sync Pantheon Secrets" tab
3. Click the "Sync Keys" button
4. Your secrets from the JSON file should appear in the available list of keys

## Restrictions
For secrets that do not have the "user" scope, the `secret:site:local-generate` command will set the value of the secret to "null". Edit this file and replace the null values with appropriate test values for local development.
For secrets without "user" scope, the `secret:site:local-generate` command will set the value of the secret to "null". You must manually set test values in your local `secrets.json` file.