Combining secrets and environment variables

[jdevinemt]

I have a legacy app that I've migrated to the Symfony framework and am slowly taking advantage of more features of the framework. I'm starting to use Doctrine for new database tables and migrated tables, but still have to use a legacy PDO interface for some legacy databases. I'm trying to break up my database environment variables a bit so I don't have to edit values in multiple places for Doctrine and my legacy PDO interface.

I'm attempting to use secrets for variables that need to be secret, and .env files for variables that are not sensitive. Here's the setup I'm trying to achieve:

# .env
MYSQL_DB_DSN="mysql:host=${MYSQL_DB_HOST};"
MYSQL_DB_URL="mysql://${MYSQL_DB_USER}:${MYSQL_DB_PASSWORD}@${MYSQL_DB_HOST}"
DATABASE_URL="${MYSQL_DB_URL}/main"

# secrets
MYSQL_DB_HOST=hostname
MYSQL_DB_USER=username
MYSQL_DB_PASSWORD=password

The issue is that the variables defined in .env are not resolving with the values from the secrets. So when outputting the value of MYSQL_DB_DSN in my app I get a value of mysql:host=;. I've also tried using the %env(<variable>)% syntax instead of ${<variable>} in the .env file. I tried to find mention of the order in which secrets are assigned vs .env variables, but didn't see mention of it in the documentation. Is what I'm trying to do possible, or should I just add the variables I'm assigning in .env as secrets (even though they don't contain sensitive values)?

Edit: Maybe I'm approaching this wrong and should just be assigning the variables in my .env as parameters instead of environment variables?

[michaoj]

Why don't you store the full MYSQL_DB_DSN as a secret and reference it in your config file just like the docs use it

https://symfony.com/doc/current/configuration/secrets.html#referencing-secrets-in-configuration-files

Secrets can be referenced just like other env vars in config file but not in the .env file from my understanding

[Adambean]

This turned out to be the best approach for me. This also allows for different DB back-ends per deployment.

[jdevinemt]

I decided to just use parameters for the non-sensitive values. Here is the setup I went with:

# config/services.yaml
properties:
    app.db.mysql.dsn: mysql:host=%env(MYSQL_DB_HOST)%;
    app.db.mysql.url: mysql://%env(MYSQL_DB_USER)%:%env(MYSQL_DB_PASSWORD)%@%env(MYSQL_DB_HOST)%

# config/packages/doctrine.yaml
doctrine:
    dbal:
        url: %app.db.mysql.url%/main

# secrets
MYSQL_DB_HOST=hostname
MYSQL_DB_USER=username
MYSQL_DB_PASSWORD=password