Closed
Description
Actually, EnvProcessor allows manipulating the content of an env variable before allocating the result to a parameter.
Most of the time, both (processor and env variable) are used together. But sometimes, the env variable does not have to be a variable. In that case, the developer uses a fake env variable to get the result.
For instance (from the documentation and blog posts):
```yaml
parameters:
    env(AUTH_FILE): '../config/auth.json'
google:
    auth: '%env(file:AUTH_FILE)%'
```
or
```yaml
parameters:
    env(HEALTH_CHECK_METHOD): 'Symfony\Component\HttpFoundation\Request::METHOD_HEAD'
security:
    access_control:
        - { path: '^/health-check$', methods: '%env(const:HEALTH_CHECK_METHOD)%' }
```
My proposal is to decouple env reading from parameter processing. Change the syntax of the processor to easily allow several arguments (like key):
```yaml
foo: '%process(file(env(AUTH_FILE)))%'
bar: '%process(file(../config/auth.json))%'
baz: '%process(const(Symfony\Component\HttpFoundation\Request::METHOD_HEAD))%'
qux: '%process(key(database_password, json(file(env(APP_SECRETS)))))%'
```
This solution allows using an env variable for the key too:

```yaml
qux: '%process(key(env(USER), json(file(/etc/passwords.json))))%'
```
This would also help with #27351:

```yaml
secret: '%process(cache(apc, 30, secret(my_vault, /namespace/key/prod)))%'
```
But we can imagine something else
```yaml
secret: '%process(decrypt(env(PRIVATE_KEY_PATH), file(/etc/secrets)))%'

# The file is totally encrypted
secret: '%process(key(password, json(decrypt(env(PRIVATE_KEY_PATH), file(/etc/secrets)))))%'

# The file is clear JSON, but the values are encrypted
secret: '%process(decrypt(env(PRIVATE_KEY_PATH), key(password, json(file(/etc/secrets)))))%'
```
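
One way the nested syntax proposed above could be evaluated, as an added example (PHP 8+) that is neither Symfony's code nor the issue author's: a small recursive-descent evaluator that only dispatches to an allowlisted processor registry and rejects unbalanced expressions. The function names, the in-memory `$files` map and the sample secret are assumptions made for the illustration.

```php
<?php
// Added illustration (PHP 8+), not Symfony code: evaluates the proposed nested syntax.
function evalExpr(string $s, int &$i, array $procs): mixed
{
    $len = strcspn($s, '(,)', $i);           // a token runs to the next delimiter
    $token = trim(substr($s, $i, $len));
    $i += $len;
    if (($s[$i] ?? '') !== '(') {
        return $token;                       // bare literal: a path, key name, TTL...
    }
    // Only registered processors run; the name is never used as a PHP callable.
    $proc = $procs[$token] ?? throw new InvalidArgumentException("Unknown processor '$token'");
    $i++;                                    // consume '('
    $args = [];
    do {
        $args[] = evalExpr($s, $i, $procs);  // arguments may themselves be calls
        $i += strspn($s, ' ', $i);
        $c = $s[$i] ?? '';
        $i++;
        if ($c !== ',' && $c !== ')') {
            throw new InvalidArgumentException("Malformed expression near offset $i");
        }
    } while ($c === ',');
    return $proc(...$args);
}

function resolveParameter(string $value, array $procs): mixed
{
    if (!preg_match('/^%process\((.*)\)%$/s', $value, $m)) {
        return $value;                       // plain parameter, nothing to process
    }
    $i = 0;
    $result = evalExpr($m[1], $i, $procs);
    if ($i !== strlen($m[1])) {
        throw new InvalidArgumentException('Unbalanced parentheses or trailing input');
    }
    return $result;
}
// Constructed sample data: an in-memory "file" so the example runs offline.
$files = ['/run/secrets.json' => '{"database_password": "constructed-demo-value"}'];
putenv('APP_SECRETS=/run/secrets.json');
$procs = [
    'env'  => fn(string $n) => getenv($n) !== false ? getenv($n) : throw new RuntimeException("Env '$n' is not set"),
    'file' => fn(string $p) => $files[$p] ?? throw new RuntimeException("Cannot read '$p'"),
    'json' => fn(string $j) => json_decode($j, true, 512, JSON_THROW_ON_ERROR),
    'key'  => fn(string $k, array $a) => $a[$k] ?? throw new RuntimeException("Missing key '$k'"),
];
echo resolveParameter('%process(key(database_password, json(file(env(APP_SECRETS)))))%', $procs), "\n";
```

A real `file` processor would read from disk, so a path that can come from `env(...)` should be confined to an expected directory before it is opened.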