From 274550d5d343ec58ded372bb54cc26ebc92925f5 Mon Sep 17 00:00:00 2001 From: Tom Stovall Date: Mon, 1 May 2023 11:26:49 -0700 Subject: [PATCH 1/6] Org Secrets + env Override --- README.md | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 96fa218..19c76b0 100644 --- a/README.md +++ b/README.md @@ -102,11 +102,19 @@ This is a secret set not for a given site but for an organization. This secret w In some cases it will be necessary to have different values for the secret when that secret is accessed in different Pantheon environments. You may set an environment override value for any existing secret value. +```mermaid +flowchart TD + A[Org Secret] -->|name: apipassword // value: ball00n| C{SITE - No site override, use org value} + C -->|no override| D[Runtime Value: ball00n] + C -->|test env override| E[Runtime value: ball00n2] + C -->|live env override| F[Runtime Value: ball00n3] +``` + **Note**: If the secret does not exist, there is no secret environment to override, and you will get an error. ## The life of a secret -When a given runtime (e.g. Integrated Composer runtime or the application runtime) fetches secrets for a given site (and env), the process will be as follows: +When a given runtime (e.g. Integrated Composer or an environment php runtime) fetches secrets for a given site (and env), the process will be as follows: - Fetch secrets for site (of the given type and scopes). @@ -149,7 +157,7 @@ Secrets Manager requires the following: - A Pantheon account - A site that uses [Integrated Composer](https://docs.pantheon.io/guides/integrated-composer) and runs PHP >= 8.0 -- Terminus 3 +- Terminus 3.0+ ### Installation From e950019a5395ea7472ba4e9693d0a73fd9a62c3e Mon Sep 17 00:00:00 2001 From: Tom Stovall Date: Mon, 1 May 2023 11:43:49 -0700 Subject: [PATCH 2/6] adding more diagrams --- README.md | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) 
diff --git a/README.md b/README.md index 19c76b0..31e2588 100644 --- a/README.md +++ b/README.md @@ -90,16 +90,36 @@ Secrets are currently either owned by a site or an organization. Within that own ### Site-owned secrets +```mermaid +flowchart TD + C{SITE Secret: name: github-oauth.github.com // value: ball00n // scope: ic} + C -->|integrated composer uses default value| D[Runtime Value: ball00n] +``` + This is a secret set for a specific site using the site ID. Based on the type and scope, this secret will be loaded on the different scenarios that will be supported by Secrets in Pantheon. ### Organization-owned secrets +```mermaid +flowchart TD + B{Orgzaniation name: apipassword // value: ball00n // scope: ic} --> C{SITE: no override} + C -->|dev use default value| D[Runtime Value: ball00n] +``` + This is a secret set not for a given site but for an organization. This secret will be inherited by ALL sites OWNED by this organization. **Note**: Secrets owned by [Supporting Organizations](https://docs.pantheon.io/agency-tips#become-a-supporting-organization) won't apply to sites they support. Only the Owner organization's secrets will apply. ### Environment override +```mermaid +flowchart TD + C{SITE Secret: name: apipassword // value: ball00n // scope: runtime} + C -->|dev use default value| D[Runtime Value: ball00n] + C -->|test env override| E[Runtime value: ball00n2] + C -->|live env override| F[Runtime Value: ball00n3] +``` + In some cases it will be necessary to have different values for the secret when that secret is accessed in different Pantheon environments. You may set an environment override value for any existing secret value. ```mermaid From 4c6468c2418dd2284946a3bfcc7cfb3f4ac17469 Mon Sep 17 00:00:00 2001 From: Tom Stovall Date: Mon, 1 May 2023 11:44:03 -0700 Subject: [PATCH 3/6] ignore mac files --- .gitignore | 1 + 1 file changed, 1 insertion(+) diff --git a/.gitignore b/.gitignore index f6a8e1c..811d0d9 100644 --- a/.gitignore +++ b/.gitignore 
@@ -3,3 +3,4 @@ vendor .phpunit.result.cache reports /.idea +/.DS_Store From 823d44304761f1ebc0aefb2cb812b2b0f8669463 Mon Sep 17 00:00:00 2001 From: Tom Stovall Date: Mon, 1 May 2023 11:46:08 -0700 Subject: [PATCH 4/6] changing variable name --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 31e2588..f614459 100644 --- a/README.md +++ b/README.md @@ -102,7 +102,7 @@ This is a secret set for a specific site using the site ID. Based on the type an ```mermaid flowchart TD - B{Orgzaniation name: apipassword // value: ball00n // scope: ic} --> C{SITE: no override} + B{Orgzaniation name: github-oauth.github.com // value: ball00n // scope: ic} --> C{SITE: no override} C -->|dev use default value| D[Runtime Value: ball00n] ``` From 2c407808c457b1329fb4b874b349a0607d09a010 Mon Sep 17 00:00:00 2001 From: Tom Stovall Date: Mon, 1 May 2023 15:04:03 -0700 Subject: [PATCH 5/6] removing all but one illustration --- README.md | 28 ---------------------------- 1 file changed, 28 deletions(-) diff --git a/README.md b/README.md index f614459..65cc684 100644 --- a/README.md +++ b/README.md 
@@ -90,46 +90,18 @@ Secrets are currently either owned by a site or an organization. Within that own ### Site-owned secrets -```mermaid -flowchart TD - C{SITE Secret: name: github-oauth.github.com // value: ball00n // scope: ic} - C -->|integrated composer uses default value| D[Runtime Value: ball00n] -``` - This is a secret set for a specific site using the site ID. Based on the type and scope, this secret will be loaded on the different scenarios that will be supported by Secrets in Pantheon. ### Organization-owned secrets -```mermaid -flowchart TD - B{Orgzaniation name: github-oauth.github.com // value: ball00n // scope: ic} --> C{SITE: no override} - C -->|dev use default value| D[Runtime Value: ball00n] -``` - This is a secret set not for a given site but for an organization. This secret will be inherited by ALL sites OWNED by this organization. **Note**: Secrets owned by [Supporting Organizations](https://docs.pantheon.io/agency-tips#become-a-supporting-organization) won't apply to sites they support. Only the Owner organization's secrets will apply. ### Environment override -```mermaid -flowchart TD - C{SITE Secret: name: apipassword // value: ball00n // scope: runtime} - C -->|dev use default value| D[Runtime Value: ball00n] - C -->|test env override| E[Runtime value: ball00n2] - C -->|live env override| F[Runtime Value: ball00n3] -``` - In some cases it will be necessary to have different values for the secret when that secret is accessed in different Pantheon environments. You may set an environment override value for any existing secret value. -```mermaid -flowchart TD - A[Org Secret] -->|name: apipassword // value: ball00n| C{SITE - No site override, use org value} - C -->|no override| D[Runtime Value: ball00n] - C -->|test env override| E[Runtime value: ball00n2] - C -->|live env override| F[Runtime Value: ball00n3] -``` - **Note**: If the secret does not exist, there is no secret environment to override, and you will get an error. 
## The life of a secret From 1dab410518147cb678c50a963c761c0b782bba4c Mon Sep 17 00:00:00 2001 From: Tom Stovall Date: Mon, 1 May 2023 15:18:17 -0700 Subject: [PATCH 6/6] merging all graphs into a single one describing env overrides --- README.md | 26 ++++++++++++++++++++++++++ 1 file changed, 26 insertions(+) diff --git a/README.md b/README.md index 65cc684..887e6f1 100644 --- a/README.md +++ b/README.md 
@@ -104,6 +104,32 @@ In some cases it will be necessary to have different values for the secret when **Note**: If the secret does not exist, there is no secret environment to override, and you will get an error. +```mermaid +classDiagram +OrgzaniationSecretAPIPassword --> SiteSecretAPIPassword +SiteSecretAPIPassword --> IntegratedComposerAPIPassword : no overrides +OrgzaniationSecretAPIPassword : string name apipassword +OrgzaniationSecretAPIPassword : string value ball00n +SiteSecretAPIPassword : Inherits value from Org +SiteSecretAPIPassword : No Overrides +IntegratedComposerAPIPassword: value ball00n + +OrgzaniationSecretOverrideExample --> SiteSecretOverrideExample +SiteSecretOverrideExample --> SiteSecretOverrideExampleDev : default value +SiteSecretOverrideExample --> SiteSecretOverrideExampleTest : env override value +SiteSecretOverrideExample --> SiteSecretOverrideExampleLive : env override value +OrgzaniationSecretOverrideExample : string name apipassword +OrgzaniationSecretOverrideExample : string value ball00n +SiteSecretOverrideExample : Inherits value from Org +SiteSecretOverrideExample : No Site Overrides +SiteSecretOverrideExampleDev: value ball00n +SiteSecretOverrideExampleDev: defaultValue() +SiteSecretOverrideExampleTest: value ball00n2 +SiteSecretOverrideExampleTest: overridden() +SiteSecretOverrideExampleLive: value ball00n3 +SiteSecretOverrideExampleLive: overridden() +``` + ## The life of a secret When a given runtime (e.g. Integrated Composer or an environment php runtime) fetches secrets for a given site (and env), the process will be as follows:
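Review bot: In PATCH 1/6, hunk `@@ -102,11 +102,19 @@` of README.md, the rewritten sentence `+When a given runtime (e.g. Integrated Composer or an environment php runtime)` lower-cases `php` while the requirements list in the same file reads `runs PHP >= 8.0`; use `PHP` here as well. In the new flowchart, the edge label `|name: apipassword // value: ball00n|` uses `//` as a visual separator, but Mermaid treats it as plain text (comments begin with `%%`), so a comma reads better, and writing the example value as an obvious placeholder rather than `ball00n` avoids readers pasting it as a real secret.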
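Review bot: In PATCH 1/6, hunk `@@ -149,7 +157,7 @@` changes `- Terminus 3` to `+- Terminus 3.0+`, a requirements edit that has nothing to do with the subject `Org Secrets + env Override`; put it in its own commit (or name it in the subject) so the history stays searchable.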
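Review bot: In PATCH 2/6, hunk `@@ -90,16 +90,36 @@`, the node label `B{Orgzaniation name: apipassword // value: ball00n // scope: ic}` misspells `Organization`; the typo survives PATCH 4/6 and ends up in the class names of PATCH 6/6 (`OrgzaniationSecretAPIPassword`, `OrgzaniationSecretOverrideExample`), so fix it here. The hunk also inserts a site-secret flowchart under `### Environment override` directly above the org-secret flowchart added in PATCH 1/6, leaving two near-identical diagrams in one section; if both are meant to stay, the first should be labelled as the site-owned case and the second as the org-owned case.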
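Review bot: In PATCH 3/6, the .gitignore line `+/.DS_Store` only matches a `.DS_Store` at the repository root because of the leading slash; Finder drops `.DS_Store` into every directory it opens, so use `.DS_Store` (no leading slash) to ignore it anywhere in the tree, the same way `.phpunit.result.cache` is written in that block.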
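Review bot: In PATCH 4/6, hunk `@@ -102,7 +102,7 @@`, the edited node keeps the `Orgzaniation` typo while renaming the secret to `github-oauth.github.com`, and the subject `changing variable name` says neither which name nor why. After the change the Organization-owned example carries the same name as the Site-owned example above it, which is a good way to show inheritance, but the diagram should say so, e.g. `--> C{SITE: inherits org value, no override}`.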
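Review bot: PATCH 5/6 (`@@ -90,46 +90,18 @@`) removes every diagram that PATCH 1/6, 2/6 and 4/6 added, so within this series those commits cancel out apart from the sentence and requirements edits in PATCH 1/6; squash them (or drop the diagram additions) so that `git blame` and future reviewers do not have to step through 28 lines added and deleted in the same series.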
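Review bot: In PATCH 6/6, hunk `@@ -104,6 +104,32 @@`, the class `SiteSecretOverrideExample` is annotated `No Site Overrides` yet has edges labelled `env override value` to `SiteSecretOverrideExampleTest` and `SiteSecretOverrideExampleLive`; if the intent is that the site does not override the org value but individual environments do, spell that out (`No site-level override; env overrides on test and live`), because the surrounding text uses `override` for both and the diagram reads as self-contradictory. The class names repeat the `Orgzaniation` typo, and the first pair (`OrgzaniationSecretAPIPassword` -> `SiteSecretAPIPassword` -> `IntegratedComposerAPIPassword`) shows the same no-override path that the `SiteSecretOverrideExampleDev` class already shows, so the single diagram this series keeps would be clearer with that pair dropped and the block placed directly under the paragraph about environment overrides rather than after the `**Note**` about missing secrets.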