LOPS-741 - PantheonSecrets Documentation (#8975)

* adding secret guide * building out the guide * WIP * Update permalink for intro page * Debug builds * Secret Values can be no larger than 16k * odd line break * small additions to key concepts * adding plugin documentation * adding use cases and terminal plugin install * fixing plugin install page * disambiguation * Removing deprecated code examples * drupal migration and updates * Update source/content/guides/secrets/01-introduction.md Co-authored-by: Chris Reynolds <[email protected]> * governable * Update source/content/guides/secrets/01-introduction.md Co-authored-by: Chris Reynolds <[email protected]> * bolding * Update source/content/guides/secrets/02-basic-concepts.md Co-authored-by: Chris Reynolds <[email protected]> * Update source/content/guides/secrets/02-basic-concepts.md Co-authored-by: Chris Reynolds <[email protected]> * links to other resources * Update source/content/guides/secrets/02-basic-concepts.md Co-authored-by: Chris Reynolds <[email protected]> * fixing scope * Update source/content/guides/secrets/02-basic-concepts.md Co-authored-by: Chris Reynolds <[email protected]> * primary/supporting orgs * remove footnote add mermaid diagram * Update source/content/guides/secrets/02-basic-concepts.md Co-authored-by: Chris Reynolds <[email protected]> * plugin information update * use cases * Update source/content/guides/secrets/04-use-cases.md Co-authored-by: Chris Reynolds <[email protected]> * missed one * fixing command quoting * adding tabbed conent * updating use cases * Update source/content/guides/secrets/04-use-cases.md Co-authored-by: Chris Reynolds <[email protected]> * multiple corrections * Update source/content/guides/secrets/04-use-cases.md Co-authored-by: Chris Reynolds <[email protected]> * fixing buncha stuff * adding command explanation * removing copy pasta * Whitespace changes, or unordered list formatting? * Convert mermaid code to image * Don't use 'user' scope in examples * Fix tabs for git hosting providers * Wording tweaks * Gather guide images in their own folder * Wording around composer package types * Reformatting troubleshooting page * making a whitespace change to try retriggering a build * Formatting.. * Update source/content/guides/secrets/04-use-cases.md Co-authored-by: Chris Reynolds <[email protected]> * Update source/content/guides/secrets/04-use-cases.md Co-authored-by: Chris Reynolds <[email protected]> * Update source/content/guides/secrets/02-basic-concepts.md Co-authored-by: Chris Reynolds <[email protected]> * Update source/content/guides/secrets/04-use-cases.md Co-authored-by: Chris Reynolds <[email protected]> * Improve support section * Remove a secrets.json reference * Whitespace to hopefully rebuild all pages * More whitespace trigger * Update source/content/guides/secrets/01-introduction.md Co-authored-by: Greg Anderson <[email protected]> * Update source/content/guides/secrets/02-basic-concepts.md Co-authored-by: Greg Anderson <[email protected]> * Introduction page wording * Updates to support section of introduction * Update source/content/guides/secrets/02-basic-concepts.md Co-authored-by: Greg Anderson <[email protected]> * Update source/content/guides/secrets/02-basic-concepts.md Co-authored-by: Greg Anderson <[email protected]> * Update source/content/guides/secrets/02-basic-concepts.md Co-authored-by: Greg Anderson <[email protected]> * Update source/content/guides/secrets/02-basic-concepts.md Co-authored-by: Greg Anderson <[email protected]> * Update source/content/guides/secrets/04-use-cases.md Co-authored-by: Greg Anderson <[email protected]> * pantheon_get_secret() example * Update source/content/guides/secrets/04-use-cases.md Co-authored-by: Greg Anderson <[email protected]> * Language change for pantheon_get_secret * More Resources section in introduction is redundant * Update source/content/guides/secrets/02-basic-concepts.md Co-authored-by: Greg Anderson <[email protected]> * Update source/content/guides/secrets/02-basic-concepts.md Co-authored-by: Greg Anderson <[email protected]> * Update source/content/guides/secrets/02-basic-concepts.md Co-authored-by: Greg Anderson <[email protected]> * Name drop pantheon_get_secret() in the description of runtime secret type * Update source/content/guides/secrets/06-troubleshooting.md Co-authored-by: Greg Anderson <[email protected]> * Update source/content/guides/secrets/06-troubleshooting.md Co-authored-by: Chris Reynolds <[email protected]> * Update source/content/guides/secrets/06-troubleshooting.md Co-authored-by: Chris Reynolds <[email protected]> * Use note alert instead of sup tag * Styling edits * Pantheon Secrets guide: Improve information architecture (#9148) * Restructuring content for the first few pages, add life of a secret copy * copy edit * Break out usage how-to guides * Syntax highlighting * Update source/content/guides/secrets/01-introduction.md Co-authored-by: Chris Reynolds <[email protected]> * Update source/content/guides/secrets/01-introduction.md Co-authored-by: Chris Reynolds <[email protected]> * Update source/content/guides/secrets/01-introduction.md Co-authored-by: Chris Reynolds <[email protected]> * Update source/content/guides/secrets/02-secrets-overview.md Co-authored-by: Chris Reynolds <[email protected]> * Update source/content/guides/secrets/05-integrated-composer.md Co-authored-by: Chris Reynolds <[email protected]> * Update source/content/guides/secrets/05-integrated-composer.md Co-authored-by: Chris Reynolds <[email protected]> * Update source/content/guides/secrets/05-integrated-composer.md Co-authored-by: Chris Reynolds <[email protected]> * Update source/content/guides/secrets/05-integrated-composer.md Co-authored-by: Chris Reynolds <[email protected]> * Update source/content/guides/secrets/05-integrated-composer.md Co-authored-by: Chris Reynolds <[email protected]> * Update source/content/guides/secrets/02-secrets-overview.md Co-authored-by: Chris Reynolds <[email protected]> * Update source/content/guides/secrets/02-secrets-overview.md Co-authored-by: Chris Reynolds <[email protected]> * Update source/content/guides/secrets/02-secrets-overview.md Co-authored-by: Chris Reynolds <[email protected]> * Update source/content/guides/secrets/04-php.md Co-authored-by: Chris Reynolds <[email protected]> * Update source/content/guides/secrets/04-php.md Co-authored-by: Chris Reynolds <[email protected]> * Update source/content/guides/secrets/04-php.md Co-authored-by: Chris Reynolds <[email protected]> * Update source/content/guides/secrets/04-php.md Co-authored-by: Chris Reynolds <[email protected]> * Update source/content/guides/secrets/04-php.md Co-authored-by: Chris Reynolds <[email protected]> * Update source/content/guides/secrets/04-php.md Co-authored-by: Chris Reynolds <[email protected]> * Update source/content/guides/secrets/04-php.md Co-authored-by: Chris Reynolds <[email protected]> * Update source/content/guides/secrets/04-php.md Co-authored-by: Chris Reynolds <[email protected]> * Update source/content/guides/secrets/05-drupal.md Co-authored-by: Chris Reynolds <[email protected]> * Update source/content/guides/secrets/05-drupal.md Co-authored-by: Chris Reynolds <[email protected]> * Update source/content/guides/secrets/05-drupal.md Co-authored-by: Chris Reynolds <[email protected]> * Update source/content/guides/secrets/05-drupal.md Co-authored-by: Chris Reynolds <[email protected]> * Update source/content/guides/secrets/05-drupal.md Co-authored-by: Chris Reynolds <[email protected]> * Update source/content/guides/secrets/05-drupal.md Co-authored-by: Chris Reynolds <[email protected]> * Update source/content/guides/secrets/05-drupal.md Co-authored-by: Chris Reynolds <[email protected]> * Update source/content/guides/secrets/05-drupal.md Co-authored-by: Chris Reynolds <[email protected]> * Update source/content/guides/secrets/05-drupal.md Co-authored-by: Chris Reynolds <[email protected]> * Update source/content/guides/secrets/05-drupal.md Co-authored-by: Chris Reynolds <[email protected]> * Update source/content/guides/secrets/05-drupal.md Co-authored-by: Chris Reynolds <[email protected]> * Update source/content/guides/secrets/05-drupal.md Co-authored-by: Chris Reynolds <[email protected]> * Update source/content/guides/secrets/05-drupal.md Co-authored-by: Chris Reynolds <[email protected]> * Update source/content/guides/secrets/05-drupal.md Co-authored-by: Chris Reynolds <[email protected]> * Update source/content/guides/secrets/05-drupal.md Co-authored-by: Chris Reynolds <[email protected]> * Swap run for work * Copy edits * Correct filenames and urls * Release note first draft * Add docs tag to release note * Copy edits * Add step to configure default mail system * Update last reviewed date --------- Co-authored-by: Chris Reynolds <[email protected]> * Update 2024-08-15-pantheon-secrets-limited-availability.md * Copy edits * Typo * Key type config was already set in previous step * Fix typos * Clarify 3 options for adding key entity * Apply suggestions from earlier review round * Delete img per recommendation from Mel, update published dates throughout --------- Co-authored-by: Rachel Whitton <[email protected]> Co-authored-by: Chris Reynolds <[email protected]> Co-authored-by: Brian Weaver <[email protected]> Co-authored-by: Steve Persch <[email protected]> Co-authored-by: Brian Weaver <[email protected]> Co-authored-by: Greg Anderson <[email protected]> Co-authored-by: Ingrid <[email protected]>
pantheon-systems · Aug 22, 2024 · 5c1a428 · 5c1a428
1 parent 6070e59
commit 5c1a428
Show file tree

Hide file tree

Showing 16 changed files with 712 additions and 153 deletions.
diff --git a/source/content/drupal-updates.md b/source/content/drupal-updates.md
@@ -53,7 +53,9 @@ The critical commands are:
 terminus drush my-drupal-8-site.dev -- migrate-upgrade --legacy-db-key=drupal_7 --configure-only --legacy-root=https://drupal7.example.com
 ```
 
-This command configures (but does not run) the migrations from Drupal 7 to Drupal 8. In this example, the Drupal 8 site is named `my-drupal-8-site` and the command is running on the `dev` environment. The `--legacy-db-key` parameter indicates how to get the login credentials to the source Drupal 7 database. In our example, we use the [Terminus secrets](https://github.com/pantheon-systems/terminus-secrets-plugin) plugin to supply the connection info. [See our blog post for more information on how this flag is used](https://pantheon.io/blog/running-drupal-8-data-migrations-pantheon-through-drush). The `--legacy-root` flag lets Drupal 8 know from where it can grab images and other uploaded media assets.
+This command configures (but does not run) the migrations from Drupal 7 to Drupal 8. In this example, the Drupal 8 site is named `my-drupal-8-site` and the command is running on the `dev` environment. The `--legacy-db-key` parameter indicates how to get the login credentials to the source Drupal 7 database. 
+
+In our example, we use the [Terminus secrets Manager Plugin](https://github.com/pantheon-systems/terminus-secrets-manager-plugin) plugin to supply the connection info. [See our blog post for more information on how this flag is used](https://pantheon.io/blog/running-drupal-8-data-migrations-pantheon-through-drush). The `--legacy-root` flag lets Drupal 8 know from where it can grab images and other uploaded media assets.
 
 The following command generates a report on how many items have been imported by each migration:
 

diff --git a/source/content/guides/environment-configuration/02-read-environment-config.md b/source/content/guides/environment-configuration/02-read-environment-config.md
@@ -168,122 +168,11 @@ array(63) {
 
 It is not possible to set environment variables on Pantheon. However, there are three common solutions you can use instead.
 
-### Terminus Secrets Plugin
+### Terminus Secrets Manager Plugin
 
-You can use the [Terminus Secrets Plugin](https://github.com/pantheon-systems/terminus-secrets-plugin) to write the secrets to a JSON file in the private file system. Your PHP will look similar to the code example below. This example will help you get started, however, you must modify the third line for the key you want to configure. You can also modify the `secrets.json` file name, although we recommend you provide the file with a name you will recognize for secrets management.
+You can use the [Terminus Secrets Manager Plugin](https://github.com/pantheon-systems/terminus-secrets-manager-plugin) to write the secrets to Pantheon's secure storage system. The secrets are encrypted at rest and follow all standard practices for the storing of sensitive values. 
 
-<TabList>
-
-<Tab title="WordPress" id="wp-example" active={true}>
-
-1. Modify and use the code example below to write secrets.
-
-```bash
-$secrets_json_text = file_get_contents('/files/private/secrets.json');
-$secrets_data = json_decode($secrets_json_text, TRUE);
-define('EXAMPLE_API_KEY', $secrets_data['example_api_key']);
-```
-
-</Tab>
-
-<Tab title="Drupal" id="drupal-example">
-
-1. Modify and use the code example below to write secrets.
-
-```bash
-$secrets_json_text = file_get_contents('/files/private/secrets.json');
-$secrets_data = json_decode($secrets_json_text, TRUE);
-$config['example_integration.settings']['apikey'] = $secrets_data['example_api_key'];
-```
-
-</Tab>
-
-</TabList>
-
-### Manual File Creation
-
-You can manually create and add files to the `/files/private` directory for scenarios that are not supported by the Terminus Secrets plugin. For example, when secrets in the Dev and Live environments are different.
-
-1. Create your files manually in the `/files/private` directory for each case required, for example:
-
-    - `/files/private/dev.secrets.json`
-    - `/files/private/test.secrets.json`
-    - `/files/private/live.secrets.json`
-
-1. Update your PHP file using the code examples below as a reference.
-
-    - Note that the code below uses SendGrid as an example. You will need to modify the code for the specific key you are configuring.
-
-<TabList>
-
-<Tab title="WordPress" id="wp-example" active={true}>
-
-1. Add the code to your `wp-config.php` file and modify it as necessary for the specific key you are configuring:
-
-```php
-if ( ! empty( $_ENV['PANTHEON_ENVIRONMENT'] ) ) {
-	switch( $_ENV['PANTHEON_ENVIRONMENT'] ) {
-    case 'live':
-      // keys for production env
-      $secrets_filename = 'live.secrets.json';
-      break;
-    case 'test':
-      // keys for staging env
-      $secrets_filename = 'test.secrets.json';
-      break;
-    default:
-      // keys for dev and multidev envs
-      $secrets_filename = 'dev.secrets.json';
-      break;
-  }
-  if (isset($secrets_filename)) {
-    $secrets_json_text = file_get_contents('/files/private/' . $secrets_filename);
-    $secrets_data = json_decode($secrets_json_text, TRUE);
-
-    define('SENDGRID_API_KEY', $secrets_data['sendgrid_api_key']);
-    define('SOME_OTHER_OPTION', $secrets_data['other_key_example']);
-}
-```
-
-</Tab>
-
-<Tab title="Drupal" id="drupal-example">
-
-1. Add the code below to your `settings.php` file and modify it as necessary for the specific key you are configuring:
-
-```php
-        if ( ! empty( $_ENV['PANTHEON_ENVIRONMENT'] ) ) {
-	    switch( $_ENV['PANTHEON_ENVIRONMENT'] ) {
-      case 'live':
-      // keys for production env
-      $secrets_filename = 'live.secrets.json';
-      break;
-      case 'test':
-      // keys for staging env
-      $secrets_filename = 'test.secrets.json';
-      break;
-      default:
-      // keys for dev and multidev envs
-      $secrets_filename = 'dev.secrets.json';
-      break;
-    }
-    if (isset($secrets_filename)) {
-    $secrets_json_text = file_get_contents('/files/private/' . $secrets_filename);
-    $secrets_data = json_decode($secrets_json_text, TRUE);
-
-    $config['sendgrid_integration.settings']['apikey'] = $secrets_data['sendgrid_api_key'];
-    $config['some_other_config_override']['value'] = $secrets_data['other_key_example'];
-    }
-    ```
-```
-
-</Tab>
-
-</TabList>
-
-### Lockr
-
-You can use [Lockr](/guides/lockr) for maximum site security. Lockr provides a simple-to-use developer interface with a scalable cloud key management system. Review the [Install Lockr via the Lockr Terminus Plugin](/guides/lockr#install-lockr-via-the-lockr-terminus-plugin) guide section for installation steps.
+Please see the README in the plugin's repository for the most up-to-date code examples.
 
 ## More Resources
 

diff --git a/source/content/guides/secrets/01-introduction.md b/source/content/guides/secrets/01-introduction.md
@@ -0,0 +1,67 @@
+---
+title: Pantheon Secrets Guide
+subtitle: Introduction
+description: Securely store secrets in the Pantheon Platform.
+contributors: [stovak]
+contenttype: [guide]
+innav: [true]
+categories: [secrets]
+cms: [drupal, wordpress]
+audience: [development]
+product: [secrets]
+integration: [--]
+tags: [reference, cli, local, terminus, workflow]
+permalink: docs/guides/secrets
+reviewed: "2024-08-22"
+showtoc: true
+---
+Pantheon Secrets is key to maintaining industry best practices for secure builds and application implementation. This feature provides a convenient mechanism for you to manage your secrets and API keys directly on the Pantheon platform.
+
+This guide covers features and use cases of the Pantheon Secrets feature; it could also be referred as Secrets Manager because that is the Terminus plugin name.
+
+## Features
+Key features include:
+* **Secure**: Secrets are encrypted at rest and securely hosted on Pantheon.
+* **Easy to use**: Create and update secrets via Terminus.
+* **Governable**: Secrets can be set at organization level and shared with all the sites owned by that organization.
+* **Overridable**: Secrets can be overridden at environment level when needed.
+
+This feature also supports:
+* The use of private repositories in Integrated Composer builds.
+* The ability to set a `COMPOSER_AUTH` environment variable and/or a Composer `auth.json` authentication file.
+* The ability to define the degree of secrecy for each managed item.
+
+## Access & Availability
+This feature is available for anyone to use today at no additional cost. Currently released for Limited Availability, the [Terminus Secrets Manager Plugin](https://github.com/pantheon-systems/terminus-secrets-manager-plugin) will eventually be merged into Terminus core once released for General Availability in the future.
+
+### Installation
+How to get started and use this feature:
+1. [Install & authenticate Terminus](/terminus/install) if you have not done so already.
+1. Install the [Terminus Secrets Manager Plugin](https://github.com/pantheon-systems/terminus-secrets-manager-plugin):
+
+  ```bash{promptUser: user}
+  terminus self:plugin:install terminus-secrets-manager-plugin
+  ```
+
+1. You can now use the newly installed Terminus commands, such as `secret:site:set`, to manage secrets securely on Pantheon.
+
+To see all available commands added by this plugin, refer to the [plugin's README file](https://github.com/pantheon-systems/terminus-secrets-manager-plugin?tab=readme-ov-file#site-secrets-commands).
+
+### Older plugin now deprecated
+The new [Terminus Secrets Manager Plugin](https://github.com/pantheon-systems/terminus-secrets-manager-plugin) replaces the older [Terminus Secrets Plugin](https://github.com/pantheon-systems/terminus-secrets-plugin).  The key differences are:
+
+- The new Terminus Secrets Manager Plugin stores secrets in an encrypted backend service.
+- The older secrets plugin simply writes unencrypted values to a json file in `/files/private`.
+
+Once the Pantheon Secrets service becomes generally available and merged into Terminus core, the older `terminus-secrets-plugin` will be discontinued. If you use the older plugin to manage secrets today, we strongly encourage you to upgrade your security and experience by adopting this new feature.
+
+## Support
+The [Terminus Secrets Manager Plugin](https://github.com/pantheon-systems/terminus-secrets-manager-plugin), [PHP Secrets SDK](https://github.com/pantheon-systems/customer-secrets-php-sdk), and [Pantheon Secrets](https://github.com/pantheon-systems/pantheon_secrets) Drupal module are open source. You can view the projects, file issues and feature requests, and contribute in their respective repositories on GitHub.
+
+* [Terminus Secrets Manager Plugin](https://github.com/pantheon-systems/terminus-secrets-manager-plugin)
+* [Secrets SDK](https://github.com/pantheon-systems/customer-secrets-php-sdk)
+* Pantheon Secrets Drupal module
+  * [github repo](https://github.com/pantheon-systems/pantheon_secrets) for issues & PRs
+  * [drupal.org](https://www.drupal.org/project/pantheon_secrets) for releases
+
+[Contact Support](https://dashboard.pantheon.io/#support/support/all) if you have questions or need help with Terminus.
diff --git a/source/content/guides/secrets/02-secrets-overview.md b/source/content/guides/secrets/02-secrets-overview.md
@@ -0,0 +1,113 @@
+---
+title: Pantheon Secrets Guide
+subtitle: Secrets Overview
+description: Gaining familiarity with some concepts about Pantheon Secrets will help you make the most of this feature.
+contributors: [stovak]
+contenttype: [guide]
+innav: [true]
+categories: [secrets]
+cms: [drupal, wordpress]
+audience: [development]
+product: [secrets]
+integration: [--]
+tags: [reference, cli, local, terminus, workflow]
+permalink: docs/guides/secrets/overview
+reviewed: "2024-08-22"
+showtoc: true
+---
+
+<p>A <dfn id="secret">secret</dfn> is a key-value pair that should not be exposed to the general public, typically something like a password, API key, or other sensitive information that should not be added to version control.</p>
+
+Each secret's value can be no larger than 16k (16384 Bytes)
+
+## Secret Type
+
+This represents how the secret is used.  A secret can only have one type.
+
+Current types are:
+
+  * `runtime`: This secret type can be retreived directly from your application code using the `pantheon_get_secret()` function.  This is the recommended type if you want your application to be able to use the secret while it's operating.
+
+  * `env`: This type is used to set environment variables. Environment variables are currently only supported for Integrated Composer builds; setting environment variables on the application server is unsupported.
+
+  * `composer`: This secret type is specifically used for authentication when pulling Composer packages from private repositories.  This is the recommended method for installing private composer packages.
+
+  <Alert title="Note" type="info" >
+
+  You can only set one type per secret and this cannot be changed later (unless you delete and recreate the secret).
+
+  </Alert>
+
+
+## Secret Scope
+
+<p>A <dfn id="secret-scope">secret's scope</dfn> is the answer to the question "Where is the secret's value available?". Once set, a secret's scope cannot be changed. The secret must be deleted and recreated to change its scope.</p>
+
+  * `ic`: This secret will be readable during Integrated Composer builds. You should use this scope to get access to your private repositories.
+
+  * `web`: this secret will be readable by the application runtime.
+
+  * `user`: this secret will be readable by the user. This scope should be set if you want to see the value of your secret displayed when listing site secrets with Terminus. The value for secrets without the the user scope is redacted in the Terminus secrets list.
+
+## Owning Entity
+<p>Secrets are either owned by a site or an organization. Within that <dfn id="secret-owning-entity">owning entity</dfn>, the secret may have zero or more environment overrides.</p>
+
+### Organization-owned secrets
+Organization-owned secrets are available to every site and environment that are associated with the owning organization. A common use-cases is for a CI system and infrastructure that's shared among all sites in an organization. Note that secrets from "Supporting" Organizations are explicitly ***not shared*** with the sites they support. Sites receive secret key/value pairs from their Primary Organization only.
+
+### Site-owned secrets
+Site-owned secrets are available to the site and all of its environments. A common use-case is Github tokens that a site's composer build can use to access private repos referenced in the composer file.
+
+### Environment override
+Environment overrides provide overrides to a secret value for a specific environment. A common use case for this are API keys that are different in production and non-production environments.
+
+<Alert title="Note" type="info" >
+
+Due to platform design, the "environment" for Integrated Composer will always be either `dev` or a multidev. It will never be `test` or `live`. Therefore we do not recommend using environment overrides for Composer access. The primary use-case for environment overrides is for the CMS key-values and environment variables that need to be different between your live and non-live environments.
+
+</Alert>
+
+
+## Value Resolution
+
+1. Organization values have the lowest priority. They form the base value that is used when there is no more specific value provided for the site or environment.
+
+3. Site values will replace the organization values when present. To return the secret to it's organization value, simply delete the site value.
+
+4. Environmental overrides have the highest priority. If the override exists, it will become the value provided to the calling function.
+
+### The life of a secret
+
+When a given runtime (e.g. Integrated Composer or an environment PHP runtime) fetches secrets for a given site (and environment), the process will be as follows:
+
+- Fetch secrets for site (of the given type and scopes).
+
+- Apply environment overrides (if any) based on the requesting site environment.
+
+- If the site is owned by an organization:
+
+    - Fetch the organization secrets.
+
+    - Apply environment overrides (if any) based on the requesting site environment.
+
+    - Merge the organization secrets with the site secrets (the following example will describe this process in more detail).
+
+### Example Value Resolution
+Given you have an integrated composer site named `my-org-site` which belongs to an organization `my-org`, and you also have another integrated composer site named `my-personal-site` which belongs to your personal Pantheon account.
+
+When Integrated Composer attempts to get secrets for `my-personal-site` it will work like this:
+- Get the secrets of scope `ic` for `my-personal-site`.
+- Apply environment overrides for the current environment.
+- Look at `my-personal-site` owner. In this case, it is NOT an organization so there are no organization secrets to merge.
+- Process the resulting secrets to make them available to Composer.
+
+On the other hand, when Integrated Composer attempts to get secrets for `my-org-site`, it will work like this:
+- Fetch the secrets in the scope of `ic` for `my-org-site`.
+- Apply environment overrides for the current environment.
+- Look at the site owner. The organization `my-org` is identified.
+- Fetch the secrets for the organization `my-org` with scope `ic`.
+- Apply the environment overrides to those secrets for the current environment.
+- Merge the resulting organization secrets with the site secrets with the following caveats:
+    - Site secrets take precedence over organization secrets. This means that the value for site-owned secret named `foo` will be used instead of the value for an org-owned secret with the same name `foo`.
+    - Only the secrets for the OWNER organization are being merged. If the site has a Supporting Organization, it will be ignored.
+- Process the resulting secrets to make them available to Composer.