Manage database username and passwords for mysql server and application deployment in hiera
I run a lot of small custom PHP apps and want to store their data in a way that it's easy to change secrets when staff leave. For me, this means updating database user passwords on the MySQL server, and also in the environment variables for our servers running the apps. Since I have multiple app servers, and multiple db servers, I'm having trouble figuring out the best way to store a single source of truth in Hiera that can then be properly provisioned across the infrastructure.
Does anyone have an idea on a good approach for this problem?
I'm thinking something along the lines of data that looks like this:
--- custom_apps: app1: db_user: 'app1account' db_host: 'dbserver1' db_pass: 'password' app2: db_user: 'app2account' db_host: 'dbserver2' db_pass: 'password'
And then telling the app server that it owns app1 and to add it's data to the environment, and the mysql db server that it should create accounts for all apps who have it defined as the db server host.
Does anyone have advice?