Commit 05e4e27

Merge pull request #52 from defang-io/lio-sensitive-env
support sensitive env vars
2 parents 2c0bc89 + 8325610 commit 05e4e27

10 files changed

+217
-66
lines changed

blog/2024-03-28-slackbot-sample.md

Lines changed: 4 additions & 4 deletions
@@ -13,7 +13,7 @@ Before we dive into the details, let's make sure you have everything you need to
1313

1414
1. **Install Defang CLI:** Simplify your deployment process by installing the Defang CLI tool. Follow the instructions [here](https://docs.defang.io/docs/getting-started/installing) to get it up and running quickly.
1515

16-
2. **Slack API Token:** Create a Slack App at https://api.slack.com/apps, granting it the necessary permissions, including the bot `chat:write` scope.
16+
2. **Slack API Token:** Create a Slack App at https://api.slack.com/apps, granting it the necessary permissions, including the bot `chat:write` scope.
1717
![screenshot of the slack admin UI showing the bot scopes](/img/slackbot-sample/scopes.png)
1818

1919
3. **Install the app in your workspace:** You'll need to install the app in your workspace for it to work. Click the "Install to Workspace" button in the Slack admin UI to do this. Mine says "Reinstall" because I've already installed it.
@@ -36,12 +36,12 @@ cd defang/samples/golang/slackbot
3636

3737
Now that we have everything set up, let's dive into the deployment process. Follow these steps to deploy your Slackbot effortlessly:
3838

39-
1. **Set Up Secrets:** Prioritize security by configuring environment variables as secrets. Use the Defang CLI's `defang secret set` command to set the `SLACK_TOKEN` and `SLACK_CHANNEL_ID` secrets.
39+
1. **Set Up Secrets:** Prioritize security by configuring environment variables as secrets. Use the Defang CLI's `defang config set` command to set the `SLACK_TOKEN` and `SLACK_CHANNEL_ID` secrets.
4040
Replace `your_slack_token` and `your_slack_channel_id` with the respective values:
4141

4242
```bash
43-
defang secret set --name SLACK_TOKEN --value your_slack_token
44-
defang secret set --name SLACK_CHANNEL_ID --value your_slack_channel_id
43+
defang config set --name SLACK_TOKEN --value your_slack_token
44+
defang config set --name SLACK_CHANNEL_ID --value your_slack_channel_id
4545
```
4646

4747
2. **Deploy the Slackbot:** Use the Defang CLI's `defang compose up` command to deploy.
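
Review bot: On the two added `defang config set` lines, the Slack token is passed as a `--value` argument, which leaves it in shell history and visible in the process list while the command runs. The compose.md change in this same commit shows `defang config set --name MY_API_KEY` with no `--value`; if that form reads the value interactively, use it here, at least for `SLACK_TOKEN`. The step text also still says "Set Up Secrets" and "secrets" while the command is now `config`, so a link to the configuration page would help readers connect the two terms.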

docs/concepts/compose.md

Lines changed: 3 additions & 3 deletions
@@ -20,10 +20,10 @@ One thing to keep in mind is that, at the time of this writing, Defang identifie
2020

2121
## Configuration
2222

23-
If you have a service that depends on a secret like an api key, you can set that [secret](./secrets.md) using the CLI:
23+
If you have a service that depends on a secret like an api key, you can set that [secret](./configuration.md) using the CLI:
2424

2525
```
26-
defang secret set --name MY_API_KEY
26+
defang config set --name MY_API_KEY
2727
```
2828

2929
and then connect it to the service by specifying it in the `compose.yaml`:
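
Review bot: The `[secret](./configuration.md)` link in the changed sentence now lands at the top of the general configuration page rather than on the sensitive-values material; point it at the "Sensitive Config aka Secrets" section that this commit adds to configuration.md. The example `defang config set --name MY_API_KEY` gives no `--value`, and the text does not say how the value is supplied in that case, so add a sentence covering that.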
@@ -40,5 +40,5 @@ secrets:
4040
```
4141
4242
:::info Configuration & Secrets
43-
Read more about configuration in the [configuration page](./configuration.md) and about secrets in the [secrets page](./secrets.md).
43+
Read more about configuration in the [configuration page](./configuration.md) and about secrets in the [secrets page](./configuration.md).
4444
:::
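
Review bot: In the changed line of the info box, both links now resolve to `./configuration.md`, and the "secrets page" it names is deleted by this commit. Collapse it to one link, for example "Read more about configuration, including sensitive values, in the [configuration page](./configuration.md)."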

docs/concepts/configuration.md

Lines changed: 32 additions & 4 deletions
@@ -1,15 +1,43 @@
11
---
22
title: Configuration
3-
description: Configuring your Defang application.
3+
description: Configuring your Defang application, including sensitive config values like API keys, passwords, and other credentials.
44
sidebar_position: 225
55
---
66

77
# Configuration
88

99
Defang allows you to configure your application using environment variables. You can set environment variables in your [`compose.yaml` file](./compose.md), or in your [Pulumi program](./pulumi.md). Using Pulumi gives you the advantage of being able to manage your environment variables across different environments using Pulumi stacks.
1010

11-
You can also use [secrets](./secrets.md) to store sensitive information like API keys and database passwords.
12-
1311
:::tip Sample
1412
You can find a sample of how to set environment variables with Pulumi [here](https://github.com/defang-io/defang/tree/main/samples/nodejs/remix-aiven-postgres).
15-
:::
13+
:::
14+
15+
# Sensitive Config aka Secrets
16+
17+
The Defang CLI allows you to securely store sensitive information such as API keys, passwords, and other credentials.
18+
19+
You can use sensitive config by specifying them in the `environment` section of a service in a `compose.yaml` file without any value, or by specifying an environment key with a `null` value in your Pulumi code.
20+
21+
```ts
22+
services:
23+
service1:
24+
image: image1:latest
25+
environment:
26+
- API_KEY
27+
```
28+
29+
Use the `defang config` command of the Defang CLI to manage the values.
30+
31+
## Connecting Services
32+
33+
If you have created a service before a secret you can connect it by running the `defang compose start` command if using the [`defang compose` workflow](./compose.md). If you are using the [Pulumi-based workflow](./pulumi.md) you will need to redeploy using Pulumi.
34+
35+
:::tip Sample
36+
You can find a sample of how to set sensitive config values [here](https://github.com/defang-io/defang/tree/main/samples/nodejs/ChatGPT%20API).
37+
:::
38+
39+
## Providers
40+
41+
Here are the different ways sensitive config values are stored depending on the provider you are using:
42+
43+
* [AWS](../providers/aws.md#secrets)
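
Review bot: The added example under "Sensitive Config aka Secrets" is fenced as `ts` but its content is a `compose.yaml` fragment, so tag it `yaml`; the `null` value in Pulumi code that the preceding sentence mentions is never shown, and that is where a `ts` example would belong. `# Sensitive Config aka Secrets` also adds a second H1 to a page whose other new sections (`## Connecting Services`, `## Providers`) are H2, so make it `##`. Since the mechanism depends on listing the key "without any value", add a sentence stating that a value written inline under `environment` is ordinary configuration kept in the file, not sensitive config. "If you have created a service before a secret" should use the new term as well.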

docs/concepts/secrets.md

Lines changed: 0 additions & 25 deletions
This file was deleted.

docs/faq.md

Lines changed: 1 addition & 1 deletion
@@ -132,7 +132,7 @@ secrets:
132132
```
133133

134134
### "unsupported secret …: not marked external:true"
135-
- This message is displayed when you run `defang compose up` and the Compose file declares a `secret` that is not marked `external:true`. Defang only supports external secrets, managed by the `defang secret` command. To silence the warning, mark the secret as `external:true` in the top-level `secrets` section:
135+
- This message is displayed when you run `defang compose up` and the Compose file declares a `secret` that is not marked `external:true`. Defang only supports external secrets, managed by the `defang config` command. To silence the warning, mark the secret as `external:true` in the top-level `secrets` section:
136136
```
137137
138138
secrets:
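
Review bot: The changed bullet now says external secrets are "managed by the `defang config` command", but the error text and the suggested fix still use the Compose top-level `secrets` section, while configuration.md in this commit documents sensitive values as valueless entries under `environment`. State which of the two forms is preferred and link the bullet to the configuration page, so a reader who hits this warning knows where `defang config` is documented.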

docs/intro.md

Lines changed: 1 addition & 1 deletion
@@ -25,7 +25,7 @@ Defang provides a streamlined experience to develop, deploy, observe, and update
2525
- Automated [Dockerfile builds](./concepts/deployments.md)
2626
- Support for [pre-built Docker containers](./tutorials/deploy-container-using-the-cli.mdx), from public or private image registries
2727
- Ability to express your project configuration using a [Docker Compose YAML](./concepts/compose.md) file
28-
- Ability to manage encrypted [secrets](./concepts/secrets.md) and [configuration](./concepts/configuration.md)
28+
- Ability to manage [encrypted configuration values](./concepts/configuration.md)
2929
- Pre-configured environments with built-in [security](./concepts/security.md), [networking](./concepts/networking.mdx), and [observability](./concepts/observability.md)
3030
- [One-command deployments](./getting-started/installing.md)
3131
- Support for [GPUs](./concepts/resources.md)
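
Review bot: The added bullet "Ability to manage [encrypted configuration values]" reads as if all configuration is encrypted, yet configuration.md also covers plain environment variables set in `compose.yaml` or a Pulumi program. Suggest wording such as "Ability to manage [configuration](./concepts/configuration.md), including encrypted sensitive values", so the encryption claim covers only what the provider page backs up.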

docs/providers/aws.md

Lines changed: 2 additions & 2 deletions
@@ -21,7 +21,7 @@ If you have the aws CLI installed, you should be able to successfully run `aws s
2121
:::
2222

2323
:::warning
24-
The Defang CLI does not depend on the AWS CLI. It uses the [AWS SDK for Go](https://aws.amazon.com/sdk-for-go/) to interact with your AWS account. In most cases, if you can run the `aws sts get-caller-identity` from the tip above, you should be good to go. However, due to a difference between the AWS CLI and the AWS SDK for Go, there is at least one case where they behave differently: if you are using `aws sso login` and have clashing profiles in your `.aws/config` and `.aws/credentials` files, the AWS CLI will prioritize SSO profiles and caches over regular profiles, but the AWS SDK for Go will prioritize the credentials file, and it may fail.
24+
The Defang CLI does not depend on the AWS CLI. It uses the [AWS SDK for Go](https://aws.amazon.com/sdk-for-go/) to interact with your AWS account. In most cases, if you can run the `aws sts get-caller-identity` from the tip above, you should be good to go. However, due to a difference between the AWS CLI and the AWS SDK for Go, there is at least one case where they behave differently: if you are using `aws sso login` and have clashing profiles in your `.aws/config` and `.aws/credentials` files, the AWS CLI will prioritize SSO profiles and caches over regular profiles, but the AWS SDK for Go will prioritize the credentials file, and it may fail.
2525
:::
2626

2727
## Region
@@ -34,7 +34,7 @@ Defang uses resources that are native to the cloud provider you are using. The f
3434

3535
### Secrets
3636

37-
Defang allows you to configure your services with secrets. Secrets are stored in AWS Systems Manager Parameter Store, and are encrypted.
37+
Defang allows you to configure your services with sensitive config values. Sensitive values are stored in AWS Systems Manager Parameter Store, and are encrypted.
3838

3939
### Deployment
4040
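
Review bot: The changed sentence under `### Secrets` says sensitive values "are encrypted" in AWS Systems Manager Parameter Store without saying how. Document the parameter type and which KMS key is used, and which IAM principals can read the values, so operators can audit access. The heading stays `### Secrets`, which keeps the `../providers/aws.md#secrets` link added in configuration.md working; keep the two in sync if the heading is renamed later.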
