Automatically sanitize your database on development environments

You’re developing your site on Platform.sh and you love the fact that you get exact copies of your production site for every Git branch that you push.

But now that you think about it, you realize that all those copies used by your development team to implement new features or fixes contain production data (like user emails, user passwords…). And that all the people working on the project will have access to that sensitive data.

So you come up with the idea to write a custom script to automatically sanitize the production data every time you copy the production site or synchronize your development environments. Next you think of a way to automatically run that script. Possibly a custom Jenkins job that you will maintain yourself. But, of course, you will need to update this Jenkins job for every new project you work on. Plus, you will have to figure out the permissions for this script to give proper access to your site.

But wait, what if I told you that all this hassle can be handled in a simple deployment hook that Platform.sh provides?

Indeed, with Platform.sh, every action will trigger specific hooks where you can interact either with the build phase or the deployment phase of the process.

For example with Drupal, you can use the drush sql-sanitize command to sanitize your database and get rid of sensitive live information.

Also you need to make sure that the sanitization only runs on the development environments and never on the master environment (you will hate me if that happens):

type: php:7.0
build:
    flavor: drupal
hooks:
    build: |
    # Whatever you want to do during the build phase.
    deploy: |
        cd /app/public
        if [ $PLATFORM_ENVIRONMENT = "master" ]; then
            # Do whatever you want on the production site.
        else
            drush -y sql-sanitize --sanitize-email=user_%[email protected] --sanitize-password=custompassword
        fi
        drush -y updatedb

If you are not working with Drupal, you can even run your own sanitization script. Read more about build and deployment hooks on our public documentation.

To access the deploy hook logs on the server:

$ platform ssh
web@kjh43kbobssae-development--php:~$ cat /var/log/deploy.log

[2016-05-18 10:14:13.872085] Launching hook 'cd /app/public
if [ $PLATFORM_ENVIRONMENT = "master" ]; then
    # Do whatever you want on the production site. 
else
    drush -y sql-sanitize --sanitize-email=user_%[email protected] --sanitize-password=custompassword
fi
drush -y updatedb

The following operations will be done on the target database:
* Reset passwords and email addresses in users table
* Truncate Drupal's sessions table

Do you really want to sanitize the current database? (y/n): y
No database updates required                                           [success]

That’s it! Sleep well now ;)