Removing all secrets from the repo
- Deployment to production is from CircleCI.
- The deployment command is configured in `circle.yml`, which is checked into the repo and cannot contain any secrets.
- CircleCI can have env vars configured.
- `circle.yml` is passed through ERB [check], so we can add secret parameters to the deployment command using ERB, e.g.
  `foreplay deploy production -u <%= ENV['DEPLOYMENT_USERNAME'] %> -p <%= ENV['DEPLOYMENT_PASSWORD'] %>`
- The secret credentials can be used to connect to a remote service and download the remainder of the production secrets.
- The secrets can be included in the `.env` file created by Foreplay and become part of the production runtime environment.
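
One way to render the deployment command from the ERB step above, as an added example (not code from the original page, Foreplay or CircleCI): it runs Ruby's standard ERB locally, and the `DeployCommand` class, the `secret` helper and the sample values are hypothetical. A bare `ENV[...]` renders as an empty string when the variable is unset; this version fails closed instead, shell-escapes each value, and can produce a masked copy for build logs.

```ruby
require 'erb'
require 'shellwords'

# Added example, not the project's code. Template as it could be checked in:
# it names the environment variables (from the page) but holds no values.
TEMPLATE = "foreplay deploy production -u <%= secret('DEPLOYMENT_USERNAME') %> " \
           "-p <%= secret('DEPLOYMENT_PASSWORD') %>"

class MissingSecret < StandardError; end

# Hypothetical helper: renders the template against an env-like object.
class DeployCommand
  def initialize(env = ENV)
    @env = env
  end

  # Called from the template. Raises instead of rendering an empty argument,
  # and shell-escapes the value so metacharacters stay inside one argument.
  def secret(name)
    value = @env[name]
    raise MissingSecret, "#{name} is not set" if value.nil? || value.empty?
    @mask ? '[REDACTED]' : Shellwords.escape(value)
  end

  # mask: true gives a copy that is safe to echo into the build log.
  def render(template = TEMPLATE, mask: false)
    @mask = mask
    ERB.new(template).result(binding)
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample values, standing in for CircleCI project env vars.
  sample = { 'DEPLOYMENT_USERNAME' => 'deployer',
             'DEPLOYMENT_PASSWORD' => 'pa ss$word&1' }
  puts DeployCommand.new(sample).render(mask: true)
end
```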