I have a Python application that contains multiple private repos in its requirements.txt file via editable SSH, like
-e git+ssh://git@github.com/echweb/echweb-utils.git
Now I want to deploy this application to Heroku. What is the most secure way to do so?
I have read about deploy tokens, but I don't know where to put them: in Heroku env, a git secret, or what?
Related
I have a nodejs application that I need to deploy on Heroku
and that connects to a MongoDB database.
Now I need to host this on Heroku and have a dot env file which contains the creds (which contains DB_URL, DB_NAME, DB PASS).
So should I add .env to gitignore and then push the code to the GitHub repo, or not add it to gitignore and then push? I ask because I will be connecting this repo to Heroku for deployment.
I am developing an app using Python and Cassandra (Astra provider) and trying to deploy it on Heroku.
The problem is that connecting to the database requires the credential zip file to be present locally: https://docs.datastax.com/en/astra/aws/doc/dscloud/astra/dscloudConnectPythonDriver.html
'/path/to/secure-connect-database_name.zip'
and Heroku does not have support for uploading credentials files.
I can configure the username and password as environment variable but the credential zip file can't be configured as an environment variable.
heroku config:set CASSANDRA_USERNAME=cassandra
heroku config:set CASSANDRA_PASSWORD=cassandra
heroku config:set CASSANDRA_KEYSPACE=mykeyspace
Is there any way I can use the zip file as an environment variable? I thought of extracting all the files and configuring each file as an environment variable in Heroku,
but I am not sure what to specify instead of Cluster(cloud=cloud_config, auth_provider=auth_provider) if I start using the extracted files from environment variables.
I know I can check the credential zip into my private git repo, and that way it works, but checking in credentials does not seem secure.
Another idea that came to my mind was to store it in S3, get the file during deployment, and extract it inside the temp directory for usage.
Any pointers or help is really appreciated.
If you can check the secure bundle into the repo, then it should be easy: you just need to point to it from the cloud config map, and take the username/password from the configured secrets via environment variables:
from cassandra.cluster import Cluster
from cassandra.auth import PlainTextAuthProvider
import os

# Path to the secure connect bundle checked into the repo
cloud_config = {
    'secure_connect_bundle': '/path/to/secure-connect-dbname.zip'
}
# Credentials come from Heroku config vars, not from the code
auth_provider = PlainTextAuthProvider(
    username=os.environ['CASSANDRA_USERNAME'],
    password=os.environ['CASSANDRA_PASSWORD'])
cluster = Cluster(cloud=cloud_config, auth_provider=auth_provider)
session = cluster.connect()
The idea of storing the file on S3 and downloading it isn't bad either. You can implement it in the script itself to get the file, and you can use environment variables to pass the S3 credentials as well, so the file won't be accessible in the repository; plus, it would be easier to exchange the secure bundles if necessary.
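The question's idea of carrying the bundle in a config var, as an added example (not the answerer's code and not part of the DataStax driver): the zip is base64-encoded into a config var, validated, and written to a private temporary file at startup, and that path is what `secure_connect_bundle` points at. The variable name `ASTRA_BUNDLE_B64` and both helper names are assumptions made for this example.

```python
import base64
import io
import os
import tempfile
import zipfile

# Hypothetical config var name; it could be set with something like
#   heroku config:set ASTRA_BUNDLE_B64="$(base64 < secure-connect-dbname.zip | tr -d '\n')"
BUNDLE_VAR = "ASTRA_BUNDLE_B64"


def materialize_bundle(environ=os.environ, var=BUNDLE_VAR):
    """Decode the bundle from a config var into a private temp file; return its path."""
    encoded = environ.get(var)
    if not encoded:
        raise RuntimeError(f"{var} is not set")
    try:
        raw = base64.b64decode(encoded, validate=True)
    except ValueError as exc:  # binascii.Error is a subclass of ValueError
        raise RuntimeError(f"{var} is not valid base64") from exc
    # Reject anything that is not a readable zip before the driver sees it.
    try:
        with zipfile.ZipFile(io.BytesIO(raw)) as zf:
            bad_member = zf.testzip()
    except zipfile.BadZipFile as exc:
        raise RuntimeError(f"{var} does not contain a zip archive") from exc
    if bad_member is not None:
        raise RuntimeError(f"corrupt member in bundle: {bad_member}")
    # mkstemp creates the file with mode 0600, readable only by the app's user.
    fd, path = tempfile.mkstemp(prefix="secure-connect-", suffix=".zip")
    with os.fdopen(fd, "wb") as fh:
        fh.write(raw)
    return path


def cloud_config_from_env(environ=os.environ):
    """Build the dict that is passed as Cluster(cloud=...) in the answer above."""
    return {"secure_connect_bundle": materialize_bundle(environ)}
```

The temporary file lives on the dyno's ephemeral filesystem, so it is recreated from the config var on every start and never enters the repository.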
Here is a question about the Heroku CLI.
When I run this command inside my local folder for a given app already on the server:
heroku config
I get a list of my environment variable settings.
But if I run the same command from another folder with the same name it does not work anymore.
This shows that the name of the local folder is not enough for heroku config to know which app I am thinking about.
How does heroku config know which app to query on the server?
By default, Heroku infers the app from your Git remotes:
App commands are typically executed from within an app’s local git clone. The app name is automatically detected by scanning the git remotes for the current working copy, so you don’t have to specify which app to operate on explicitly.
You can also explicitly tell it what app to use:
If you have multiple heroku remotes or want to execute an app command outside of a local working copy, you can specify the remote name or an explicit app name as follows:
heroku apps:info --app example
heroku apps:info --remote production
Or via environment variable:
Alternatively, the app name can be specified by setting the HEROKU_APP environment variable.
I've an existing project that works fine on another machine, but I've just upgraded, and from within the project development directory, every time I run a heroku command I have to post-fix it with --app
I feel like I've missed an application setup stage, but I can't figure out what, as every time it states:
Run this command from an app folder or specify which app to use with --app APP.
Help appreciated.
You can solve this by adding the Heroku app to your .git/config folder.
If you are in the root of your project, run the following command:
git remote add heroku git@heroku.com:appname.git
This will set a line in your .git/config file which the heroku command line tool uses to figure out what app you're using :)
In other words, your local repo doesn't have the Heroku app URL configured against an app name.
It is similar to what we do with git remote add (we pass a git URL as the destination for pushing/pulling code);
that's how git knows which repo/URL to hit (push to/pull from).
Heroku also follows the same method/process.
All you have to do is add the Heroku app URL (so that your Heroku commands have a reference for the app URL);
it will then know which URL you are running your command against.
To confirm whether a remote named heroku has been set for your app:
git remote -v
If it is not configured, or if you want it for an existing app:
heroku git:remote -a app_name
It's a way to link your folder to the Heroku app.
The Heroku recommended way:
heroku git:remote -a my-heroku-app-id -r what-i-want-to-call-it
Source: https://devcenter.heroku.com/articles/git
Run this command from an app folder or specify which app to use with --app APP
The other answers address the first part of that statement; it is perfectly acceptable to run heroku commands in any directory. For example, I have a customer-facing front end project /front-end and a Rails-based /back-end project. I often work in the /front-end directory, and if I have to connect to the production database I'll run heroku run rails c -a back-end. After I exit irb, I'm back in my desired directory.
I have a private repo that I'm trying to access when deploying to Heroku. However, Heroku doesn't let me clone the private repo, and gives me the following error (as I would expect):
Host key verification failed.
fatal: The remote end hung up unexpectedly
Git error: command `git clone
'git@github.com:pr/lm-models.git'
"/tmp/build_3r0z0znww0zda/vendor/bundle/ruby/1.9.1/cache/bundler/git/lm-models-aab025aaadbe07202b16e1db7505ae1726f8723a"
--bare --no-hardlinks` in directory /tmp/build_3r0z0znww0zda has failed.
!
! Failed to install gems via Bundler.
!
! Heroku push rejected, failed to compile Ruby/rails app
I have found this, but do not want to display my username/password in clear text:
Linking heroku app to a private(organization) github repo
This worked for me:
Generate a GitHub access token.
In requirements.txt, list the private module as follows:
git+https://your_user_name:your_git_token@github.com/your_company/your_module.git
Heroku only supports HTTP(S) Basic authentication with Git out of the box. That's unfortunate as it means you'd need to add your credentials as part of the installation URL and commit that as plain text in your list of dependencies. For your app to support SSH keys instead, do the following:
Create a new SSH key which will be used by Heroku to access the GitHub repository. Choose a distinct name, e.g. id_rsa_heroku.
Add the public part of the key to your GitHub account (link to settings).
Use the heroku-buildpack-ssh-key: heroku buildpacks:add https://github.com/heroku/heroku-buildpack-ssh-key.git -i 1
Set the private part of the key as an environment variable for your Heroku app: heroku config:set BUILDPACK_SSH_KEY="$(cat ~/.ssh/id_rsa_heroku)"
From this moment, Heroku should be able to access and download code from any private repositories you have access to.
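A pre-commit or CI check for the plain-text credential risk described above, as an added example that is not part of the original answers: it scans a requirements file for URLs that embed a literal username/password or token and reports them redacted. The function names and the sample file are constructed for illustration; `${VAR}` references, which pip expands from the environment, are not treated as literal secrets.

```python
import re
from urllib.parse import urlsplit

# Matches the URL part of pip requirement lines such as
# "-e git+ssh://git@host/org/repo.git" or "pkg @ git+https://host/org/repo.git".
URL_RE = re.compile(r"(?:(?:git|hg|svn|bzr)\+)?((?:https?|ssh)://[^\s#]+)")
# pip expands ${VAR} references in requirements files; those are not literal secrets.
ENV_REF_RE = re.compile(r"\$\{[A-Z0-9_]+\}")


def is_literal(value):
    """True for a non-empty value that is not a ${VAR} reference."""
    return bool(value) and not ENV_REF_RE.fullmatch(value)


def find_embedded_credentials(text):
    """Return (line_number, host, redacted_url) for URLs carrying a literal secret."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if line.lstrip().startswith("#"):  # comment line
            continue
        for match in URL_RE.finditer(line):
            parts = urlsplit(match.group(1))
            user, password = parts.username, parts.password
            # Any literal password is a finding. Over HTTP(S) a lone username is
            # one too, because tokens are commonly sent in the username slot.
            # "git@" over SSH is key-based and carries no secret.
            token_as_user = parts.scheme in ("http", "https") and is_literal(user)
            if is_literal(password) or token_as_user:
                redacted = f"{parts.scheme}://***@{parts.hostname}{parts.path}"
                findings.append((lineno, parts.hostname, redacted))
    return findings


# Constructed sample input; the token value is a placeholder, not a real credential.
SAMPLE = """\
# private dependencies
-e git+ssh://git@github.com/echweb/echweb-utils.git
git+https://your_user_name:your_git_token@github.com/your_company/your_module.git
git+https://${GITHUB_TOKEN}@github.com/your_company/other_module.git
requests==2.31.0
"""
```

Running `find_embedded_credentials` over `SAMPLE` flags only line 3, the URL with the literal token; the SSH and `${GITHUB_TOKEN}` lines pass.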
You need to use username/password in the Gemfile, or vendor the dependency. You can also use Gemfury (assuming it's a gem):
https://devcenter.heroku.com/articles/git-submodules#vendoring
http://gembundler.com/v1.3/bundle_package.html
https://devcenter.heroku.com/articles/gemfury