Interactive console authentication for 3rd party repository on deploy

I was hoping a wpmu dev free trial would let me test a solution for you, but wpmu points out that “this [composer] feature is not available to members on our 14-day trial” (ref). Rather than pay $49 USD to test, I’ll just post what I would have tried. I haven’t tested the tasks or templates below, so they may need some tweaking.

Presumably the presence of an auth.json will skirt around the interactive console requirement (see related composer docs and wpmu members-only mention of auth.json).

I’d add your wpmu dev API key to one of your group_vars/<environment>/vault.yml files. Suppose you use the same key for all environments and all sites. In such a case you could add the key to group_vars/all/vault.yml:

  # Documentation: https://roots.io/trellis/docs/vault/
  vault_mail_password: smtp_password
+ vault_wpmudev_api_key: 6wvmdak7kkdrmzcaygqyat2x9y57s2q8dpfxfzh9

Then I’d add a template task to deploy-hooks/build-before.yml:

- name: Create composer auth.json for wpmu dev
  template:
    src: "{{ playbook_dir }}/deploy-hooks/auth.json.j2"
    dest: "/home/{{ ansible_user }}/.composer/auth.json"
    mode: "0600"

Then I’d create the deploy-hooks/auth.json.j2 template on my local machine in my trellis project:

{
    "http-basic": {
        "premium.wpmudev.org": {
            "username": "{{ vault_wpmudev_api_key }}",
            "password": ""
        }
    }
}

Now, each deploy should create the auth.json before the composer install, if it isn’t already there.

In case you need to use a different API key per site and per environment, you could add the key to vault_wordpress_sites instead:

  vault_wordpress_sites:
    example.com:
+     wpmudev_api_key: 6wvmdak7kkdrmzcaygqyat2x9y57s2q8dpfxfzh9
      env:
        db_password: example_dbpassword
        ...

In that case, your deploy-hooks/auth.json.j2 would need an adjustment like this:

- "username": "{{ vault_wpmudev_api_key }}",
+ "username": "{{ vault_wordpress_sites[site].wpmudev_api_key }}",

An alternative would be to go ahead and allow interactions instead of trying to skirt them via the auth.json above.

This would be a more involved implementation of Trellis deploy hooks. You could try replacing the deploy_build_after definition to reference your own version of the hooked file.

- deploy_build_after: "{{ playbook_dir }}/roles/deploy/hooks/build-after.yml"
+ deploy_build_after: "{{ playbook_dir }}/deploy-hooks/build-after.yml"

You’d copy roles/deploy/hooks/build-after.yml to a new file at deploy-hooks/build-after.yml then replace the composer task with a task using Ansible’s expect module, where the command is a manual composer install command.

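Pulling the single-key steps of the post together, here is an added example (not code from the original post or from Trellis itself) of a complete deploy-hooks/build-before.yml that adds the checks a practitioner would want before rendering a credential file: fail early if the vault key is absent, create the .composer directory with restrictive permissions, validate the rendered JSON, and keep the secret out of task output with no_log. It assumes the vault_wpmudev_api_key variable, the auth.json.j2 template path and the ansible_user home directory used above, and that python3 is available on the deploy target.

```yaml
# deploy-hooks/build-before.yml (added example; the variable and path names
# below are assumptions taken from the post above, not Trellis defaults)
---
- name: Fail early if the WPMU DEV API key is missing from the vault
  assert:
    that:
      - vault_wpmudev_api_key is defined
      - vault_wpmudev_api_key | length > 0
    fail_msg: "Set vault_wpmudev_api_key in group_vars/<environment>/vault.yml"
    quiet: true

- name: Ensure the deploy user's composer config directory exists
  file:
    path: "/home/{{ ansible_user }}/.composer"
    state: directory
    mode: "0700"

- name: Create composer auth.json for WPMU DEV
  template:
    src: "{{ playbook_dir }}/deploy-hooks/auth.json.j2"
    dest: "/home/{{ ansible_user }}/.composer/auth.json"
    mode: "0600"
    # Reject a malformed file before it replaces the previous auth.json
    validate: "python3 -m json.tool %s"
  # Keep the rendered credential out of Ansible's task output and log files
  no_log: true
```

If a task fails with no_log set, Ansible hides the error details as well, so temporarily drop no_log only while debugging the template on a non-production environment.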