Drupal 8 Configuration Management - secure sensitive files & pull config down


I have just migrated my site over to Pantheon. I previously had a separate git repo for managing config changes that I wanted to move from dev to test/live or back the other way.

I can use these steps to move config from dev. This however leaves me with two shortfalls:

  1. The above model (and all discussions I have seen wrt to Pantheon) involve committing all config to git including config containing tokens/auth details for 3rd party services. I would not normally be happy leaving these in version control. As I understand Drush 10 is not recommended for a composer based site, according to the Pantheon docs, to benefit from the $settings['config_exclude_modules'] feature. I am currently thinking perhaps the Key module might help. But interested in whether anybody has a slick approach to this already?

  2. I can’t export config using the above approach to move changes back from live/test to dev, so I can push config up but not down. This typically is fine, however there are sometimes scenarios where I have to make a change to live and want the config to update test and dev. Is there a CLI way around this without doing a UI download of the config and manual merge?

Thanks in advance