Metadata String Replacements

[mshanemc]

Let's discuss a new feature I'll be working on soon.

Background

Jason Venable asking for this on twitter https://twitter.com/TehNrd/status/1552655461790257158
hooks blog: https://developer.salesforce.com/blogs/2022/02/we-broke-deploy-retrieve-hooks
Credit also to the sfdx folks at Picnic for some of the ideas/requirements.

Idea: replace placeholder strings in metadata during a deployment

Primary use cases

1. secrets sometimes live in metadata. You want to read these out of the environment or files and write to the org, but never have them stored in the local project
2. dynamic endpoints (ex: named credentials). dev/test points to some dev/test endpoint, but a deployment to prod points to the prod endpoint
3. dynamic reuse: you do business in several countries and need to make a nearly-but-not-quite-identical unlocked package for each one
4. values that have to be hardcoded in metadata but vary between environments (ex: org-wide email addresses)

Location

This feature should go into SDR so that it's invoked from sfdx's and sf's deploy/push commands, from vscode, and from the new packaging commands (which use SDR).

An sfdx plugin alone would not allow Salesforce's vscode extensions to inherit the behavior.

Use via SDR would allow custom plugins using the SDR library to inherit the behavior, too.

Constraints

For perf reasons, we do NOT want to read every file looking for strings. So we want you to indicate by filename or glob what the target files are.

Configuration

Adds a new replacements property to sfdx-project.json

Ex 1: replace a string in a file with a value from the env

{
  replacements: [{
    // find a string in a file, replace with a value from the environment
    "file": "force-app/main/default/namedCredentials/myNC.namedCredential-meta.xml",
    // use any syntax you want, or none at all
    "replaceString": "{{placeholder}}",
    "replaceWithEnv": "myEnv"
  }]
}

Ex 1b: regex

{
    "file": "force-app/main/default/namedCredentials/myNC.namedCredential-meta.xml",
    "replaceRegex": "/.*@.*\..*/gi",
    "replaceWithEnv": "QA_USERNAME"
  

Ex 2: target multiple files via a glob.

{
    // glob version
    "file": "*.namedCredential-meta.xml",
    "replaceString": "@@username@@,"
    "replaceWithEnv": "myEnv"
}

Sometimes its not a secret, so you can store them in separate file the you could check in.

{
    "file": "force-app/main/default/namedCredentials/myNC.namedCredential-meta.xml",
    "replaceString": "oldValue",
    "replaceWithFile": "replacements/foo.txt"
},

Ex 3: conditionally replacing from a file based on one or more envs matching. Here, the test-endpoint gets replaced with the country-appropriate prod endpoint during a deployment. Imagine one of these for each country

{
    "file": "*.namedCredential-meta.xml",
    "replaceString": "https://test-endpoint.com",
    // only do the replacement if all envs match the `whenEnv` condition
    "replaceWithFile": "replacements/endpoints/prod-us.xml"  
    "whenEnv": {
        target: production,
        country: US
    }
}

Placeholder format

Rather than dictating a format (ex: {{ foo }}) we will leave it up to the users. You can use a string or regex. Why?

• you can write valid, lintable, deployable metadata for any current or future metadata type
• you can have a base/default value (either a test or prod value) and only replace it when going to the other environment

Behaviors

No match for a file

• this is ok, not a fail, no warnings. You’ll often be deploying only a few files and not the files that are targeted

File matches, but no match for the toReplace string

• warning: you said to replace foo in bar-meta.xml but it’s not there. Check your sfdx-project.json for wrong or unnecessary replacements
• this is likely to fail to deploy if there is a placeholder but your replacement didn't hit (unless the placeholder is valid metadata!)

File matches, toReplace string is found, but the env doesn’t exist

• do not replace
• error: you said to replace x in y with the value from env, but the env was not set. Check your sfdx-project.json for wrong or unnecessary replacements

❓ would you want the filenames/placeholders to show up in the deploy/push output so you can confirm that what you expected to happen did?

Challenges

Retrieves

1. you make a change to something in the org via the UI and pull the source
2. you retrieve the project (via CLI or the VSCode org browser)

In either case, the metadata retrieve would not contain your placeholders, but whatever concretized value you were using placeholders to avoid.

❓ We could give you a warning that your placeholder just got overwritten? Is that enough?

💡 We could try to be really clever and check the replacements on the way down (basically doing it backwards since you've supplied a list of files and envs). I can see this getting confusing if you've changed the environment values or are working on a different org.

Out of scope for now

1. integration with some external credential vault

---

Changes

1. 2022-10-17 changed the ambiguous toReplace to replaceString` and replaceRegex and added a regex example
2. 2022-10-18 added Placeholder format section to communicate decision

[codefriar]

@mshanemc this looks amazing. Might it make sense to standardize on a single token syntax? ie: {{ }} rather than supporting arbitrary tokens? I love a good regex, but I'm concerned that arbitrary tokens are going to make the s/r/g operation dangerous. I can envision crafting a token delimiter that confused the hell out of it.

Also, would you consider shell completion ? Imagine

{
    // glob version
    "file": "*.namedCredential-meta.xml",
    "toReplace": "@@username@@,"
    "replaceWithEnv": "$(my shell command)"
}

This would effectively enable external vault support with no-per-vault cost. This might only work for people on sane shells.

[mshanemc]

Shell expansion--I can see the downside for teams where users don't share OS/shell behavior.

[mshanemc]

My biggest worry on choosing a token syntax is that some new feature decides to use that syntax in its metadata.

The practical downside is that it would preclude example 3, where you want a valid value that goes to most environments that can conditionally be replaced for other environments (ex: prod).

[mshanemc]

OK, this is decided. See Placeholder format section

[codefriar]

@mshanemc - while not perfect, I have verified that WSL2 enables bash, zsh, fish and others. Meaning Shell expansion is available on all platforms - so long as you choose the appropriate shell. Shell expansion would be amazing here.

[rody]

Since most of the metadata is XML, it could be useful to support XPath as well. This would allow to target specific fields easily, based on the metadata structure. Targeting a specific field with Regexp can be very tricky if not impossible.

[imTachu]

@mshanemc Excited to see this is coming to life!

1. Following to what @codefriar mentioned about token syntax and with the intention to make the mechanism more robust: If we're not going to scan the contents of each file matching a given "placeholder format" but rather having devs introducing the target files explicitly, it becomes error prone as one could change a particular value and not include it in the list of files to be changed. I understand the performance reasoning behind not scanning the entire project but how about something in the middle?

• if just one file is going to be deployed: scans just that one file for replacements
• if a folder, e.g force-app/main/default/classes is deployed: scans only that one folder
• for package version creation: scans the entire project to ensure no placeholders are left behind

2. I believe for the pulling from org use case, if the company uses git, it will be quite clear that there's a change in that value. I would say that a warning here would do (Could it be even something configurable? Then one could define how severe a change not being taken into account is: WARN / ERROR)

3. Do I understand correctly that the location for replacements will be sfdx-project.json file? If that's the case, I would say it can get out of hand quite quickly 😅 as you know we have our in-house version of properties replacement, there we have mappings for 5 environments (3 production orgs, 2 sandboxes and scratch orgs) and each one has about 150 property values to replace! Our approach which I deem organized, follows this structure:

package-name/
├─ force-app/
├─ config/
   ├─ resources/
      ├─ country-1/
         ├─ prod/
         ├─ sandbox/
      ├─ country-2/
         ├─ prod/
         ├─ sandbox/
      ├─ global/
         ├─ scratch/

[mshanemc]

The scan would always be limited to the files being deployed. I'd like a full deploy (ex: pushing to a scratch org) to have the same behavior as the packaging operation. Those large deploys are where I'm more concerned about perf than the smaller ones.

Having the filenames explicit would help prevent unintended replacements (typo where you accidentally used {{foo}} instead of {!foo} in an email template.

I think if you want full project scans, you could just provide a very greedy glob (**/*) like example 2? Would that work?

[mshanemc]

I'm really not sure how to do your tree design where it's always the same file, but relative to a different path based on envs without it getting out of hand.

[rody]

@imTachu @mshanemc the suggestion of using something like dotenv (see below in the discussion thread) would work for this use case. To select which mapping file to use, we would just have to symlink the mapping file to .env at the root of the project.

[davidbrowaeys]

@mshanemc I had that for a while in my sfdx plugin DXB.

sfdx dxb:org:data --config config/data-env-def.json --environment SIT

This came quite early when sfdx plugin was made available and for 2 main reasons: scratch org creation was a bit of a pain back in the days ( can we say that now?) and also because many of my clients have metadata specific requirement.

What you suggested is pretty much what I did, exact file path, the regex and what value to replace it with.

My dxb command just require you to pass the json definition file and I would run the command before a deployment. You could have 2 approaches : one file per env or one single file for all environment but in that case you have to pass the alias of the environment which was used as a key property.

Example dxb def file:

{
    "ST": [
        {
            "pagePath": "force-app/main/default/workflow/Account.workflow-meta.xml",
            "replacerules" : [
                {

                    "source": "{{username}}",
                    "target": "[email protected]"
                }
            ]
        }
    ],
    "SIT": [
        {
            "pagePath": "force-app/main/default/workflow/Account.workflow-meta.xml",
            "replacerules" : [
                {

                    "source": "{{username}}",
                    "target": "[email protected]"
                }
            ]
        }
    ]
}

Quick example of use in azure pipeline:

  - script: |
      if [[-s "$(sfdx-env-mapping)"]]
      then
        sfdx dxb:org:data --config $(sfdx-env-mapping) --environment "${{ parameters.TARGETENV }}"
      fi
    displayName: "Set specific org data"

I like the idea to target multiple files using the wildcard maybe I should improve my command 🤣 or just wait for you to do it.

[RupertBarrow]

@imTachu Did you consider using a templating solution such as Nunjucks for your use case ? It's much more flexible, because metadata templates can include conditions, formulas, variables etc. And, it's very quick.

[osieckiAdam]

It looks like https://github.com/jayree created something similar, which is flexible and functional from my perspective, (see sfdx jayree:org:configure command here https://github.com/jayree/sfdx-jayree-plugin and configuration example here: https://github.com/jayree/sfdx-jayree-plugin/blob/v4.4.3/.sfdx-jayree-example.json)

[julianduque]

@mshanemc this is a great feature, currently we rely on deployment scripts and sed commands to perform the replacements which sometimes can be destructive (https://github.com/trailheadapps/ecars/blob/main/scripts/ecarsDeploy.js#L194-L211)

1. Please, before replacing having a prompt to confirm would be ideal
2. Keeping a local backup of the original files and a way to rollback if something goes wrong
3. Using custom tokens will be a good idea, we not only replace values on metadata but also on .js and .cls files

[codefriar]

@julianduque - Maybe I mis understood something here, but @mshanemc I really want to encourage you to build this in such a way that the metadata replacement is ephemeral. Ie: making a push or deploy should result in no-new-change to the existing codebase. Rather it should modify a deploy-only copy of the metadata. When the deploy(or push, simply saying deploy from now on) completes, that version is eliminated from disk - if it has to be on disk. Ideally, the modified files would be in memory only.

[julianduque]

@codefriar yes, that's a better approach. I'm comparing to my current approach in ecars where my scripts are destructive, they modify the source code before deploy.

[mshanemc]

we do not want to put anything on disks. these "changes" shouldn't show up in git (which might be committed), or in local source tracking, or your computer's tmpDir or trash folders given that secrets is one of the use cases.

[julianduque]

@mshanemc fantastic then!

[daveespo]

Regarding the behavior for Retrieve: Spurious changes to metadata because of a retrieve are a perennial source of frustration -- depending on the care/ability of the engineer, things often get committed to source that should've been reverted because they just don't know better or the breadth of the diff that came down from the server makes it hard to spot the one line that shouldn't have been changed. (i.e. if you pull down a Perm Set, there might be dozens of lines changed because of a new field/object that were added .. it would be easy to overlook that the placeholder was overwritten with a concrete value when doing code review)

I really think that the extra work to effectively "reverse" the merge is necessary. I'd expect that when the new metadata comes down, it's compared with the local file and any of the placeholder values are replaced in the source file before it's written to disk.

[aheber]

Call me a cynic, I like the idea of this feature a lot; however; I don't want the SDR library to build/own it directly.

I want the SDR library to provide the hooks so that another tool can be built. I'm totally fine with the CLI tools team building the first pass at that "modify source in flight" tool, and aside from some edge cases the designs look pretty good. I would really like others to be able to come along and do something awesome with the same hooks. Baking it into the SDR feels like crossing responsibilities somewhat and limiting what the community could do here.

We have some metadata that we keep "scratch org ready" in source control but we run a pre-deploy process to manipulate that metadata when deploying to production, those manipulations are not committed. We have some processes that do that, a simple config file that understands how to blow out into the necessary multi-node XML changes ( I don't store the full XML replacement text, only the variable portions). I would love to change that process to only impact in-flight records, but the proposed solution, while possible, would be more cumbersome to manage because I'd possibly have a lot of per-rule replacements. I could see that section of the sfdx-project.json file getting quite large in this scenario.

If SDR created a hooks-like extension point I don't know how we "register" extensions, probably another node in the sfdx-project.json file. Maybe matching on file patterns "I'm a manipulation extension and I run on .workflow files..." which adds available hooks in a pre-defined order which can then be invoked as needed.

If you've already evaluated and shot down this idea, I'd love to understand that decision.

[mshanemc]

The CLI is hooks-friendly, and used to support this kind of thing (see blog). That model would work fine if everything was always done via the CLI.

This design targets SDR because the Salesforce VSCode Extensions' deploy action doesn't use the CLI. The explanation behind that: they got faster perf, especially on small operations, by not having the CLI do all the stuff it usually does (loading help, flag validation, etc) and getting to calling SDR to deploy stuff sooner. Without the CLI, custom plugins' hooks aren't called.

It's potentially possible to rearchitect how the vscode extensions work to register hooks as a more flexible alternative, but not something CLI can do alone.

Aside from that, SDR works in a highly optimized, pipes/streams way. We still emit hooks (blog, again), but I'm not sure we could make hooks works as you describe.

[aheber]

I'm thinking about just having a plugin system for SDR. Everything else around that is details. Plugins would have lifecycle injection points that gives the name of the file, the type of metadata, and the contents en-route to the deployment. They can manipulate those contents as part of the stream.

I'm thinking something closer to middleware in an HTTPS server.

Registering those plugins would need a home. Depending on how SDR is setup, it would be nice to load them only as the library is initialized, not have to load them from disk for every action.

Would it be helpful if I mocked something on a fork of the library? Or is the book closed on this one and I should move on? (No hurt feeling if this just isn't the direction)

[mshanemc]

I want a configuration-only option for replacements, and plan to work on that next week, but I'd be very interested in a DIY-hooks model for the "everything else" and appreciate the help.

[mitchspano]

I really like this idea @mshanemc, thanks for bringing this to everyone's attention!

Issues With the Status Quo

The lack of environment variable support for Salesforce projects has led to a terrible consequence within the ecosystem; the proliferation of multiple long-lived branches which correspond to sandboxes. This multi-branch strategy makes the act of a git merge pretty much impossible, so teams choose which components to selectively promote between branches. This leads to divergence and is a stark contrast of how Git is supposed to work; I think Linus Torvalds might curse out Codey Bear and Astro if he found how Git was being used within the Salesforce ecosystem. Metadata string management is necessary prerequisite to safely deploy the contents of one branch to multiple Salesforce environments.

Generally speaking I think there are a few types of metadata we want to treat differently:

1. Secrets
2. Usernames
3. URLs
4. Email addresses

The value stored in these types often need to support different values based on where the sfdx project is being deployed to. These values are used in a whole bunch of metadata types throughout the entire platform:

1. Custom Labels
2. Custom metadata rows
3. Workflow Outbound Message endpoint URLs
4. Workflow Email Alert sender and CC addresses
5. Queue members
6. Approval Processes
7. Platform Event Subscriber Config
8. ...

What We've Done So Far

My team has tried to solve part of this and we shared our findings at Dreamforce 2022 - here is our presentation, pages 26 and 27 are of the most relevance.

What we've done is define a protocol buffer which has the schema definition for an "Environment" object. The environment proto has values such as an array of CustomLabel objects, each with properties for apiName and value. We store a example.environment.textproto file for each of our target environments in a top level environments folder within the project's repository. Each Salesforce environment that the project will be deployed to has a corresponding textproto representation such as qa.environment.textproto and production.environment.textproto.

environments/qa.environment.textproto

custom_labels: [
 {
 api_name: "America_Service_Email"
 value: "[email protected]"
 }
]

This naming scheme and folder structure enable us to identify all of the environment specific string metadata overrides from a single environment variable injected into our build tool; environment => 'qa' or environment => 'production'.

When defining the object model for the schema replacement, the structure must support all necessary identifiers to find the metadata you are trying to replace and the replacement value for the metadata. Custom Label is an easy example with apiName and value, but for other XML types such as Approval Process, the identifying criteria might be complex.

Within the runtime of our build tool's VM, we execute a command line script which roughly looks something like this:

some/path/to/some/executable setSalesforceEnvironmentVariables --environment=$TARGET_SALESFORCE_ENVIRONMENT

This will read the environment value, use it to identify the .environment.textproto file which matches for the target environment, then swap out the XML node values before the sfdx force:source:deploy command is executed:

<labels>
  <fullName>America_Service_Email</fullName>
  <language>en_US</language>
  <protected>false</protected>
  <shortDescription>America Service Email Address</shortDescription>
  <value>[email protected]</value>
</labels>

<!–--XML is updated right before deployment to QA environment–-->

<labels>
  <fullName>America_Service_Email</fullName>
  <language>en_US</language>
  <protected>false</protected>
  <shortDescription>America Service Email Address</shortDescription>
  <value>[email protected]</value>
</labels>

This mechanism allows for the safe deployment of a single branch to multiple target Salesforce environments. It doesn't introduce much noise or overhead within the repository itself, as these node value swaps are made in our build tool's ephemeral runtime, then expire.

Regarding Placeholders - ex: {{placeholder_abc}}

When building new features, the act of deploying, modifying, and retrieving metadata in a scratch org or sandbox will require modification of the raw XML. If an XML file contains placeholders, they will need to be swapped before building new features, and restored before committing. The act of keeping track of the lost placeholder text position is a confusing addition to the development workflow, especially after retrieving a file which has many placeholders such as .workflow or CustomLabels.labels-meta.xml.

I also believe that the usage of placeholder text has a negative effect on readability when regularly reading a codebase to help troubleshoot production issues. These things considered, I tend to prefer that the value stored in the metadata file should be the value which eventually to be deployed to production. This is supported in our current model with a workflow that looks roughly like this:

# *pseudo-code* - this will not work as is

# swap environment variables and deploy
some/path/to/some/executable setSalesforceEnvironmentVariables --environment="mySandbox"
sfdx force:source:deploy

# retrieve and create/update `environment.textproto` files
sfdx force:source:retrieve
vi environment/mySandbox.environment.textproto
vi environment/qa.environment.textproto
vi environment/production.environment.textproto

# swap environment back and commit
some/path/to/some/executable setSalesforceEnvironmentVariables --environment="production"
git add .
git commit -m "Hello World!"

Regarding Scratch orgs

Scratch orgs throw a couple of unique wrenches into this setup. First, we cannot deploy workflow email alerts with org-wide sender addresses that have not been confirmed, so we need to modify these files no matter what when building in a scratch org.
Secondly, all username need to be swapped out for the scratch org usernames - and you don't know the usernames of users in a scratch org until they are created. The second is particularly challenging because we cannot proactively create an environment.textproto file with these values in it. We have resolved the first by adding CLI flag which will set all workflow email alerts to being sent from the current user. We are looking to set user references dynamically off of the users in the scratch org.

Summary

There are a lot of gotchas with metadata string variable management. Our team has invested a lot of effort and learned quite a bit on this journey. Hopefully our documented findings offer something insightful. I would love to offer whatever help I can to help make environment variable management easier for all Salesforce customers and partners.

[mshanemc]

thanks for the insights!

These things considered, I tend to prefer that the value stored in the metadata file should be the value which eventually to be deployed to production

I definitely want to preserve that option. I'm going to modify the proposal to explain the rationale for keeping it user-defined. See Placeholder format

[tehnrd]

How are variables loaded?
This feature would read from environment variables, but how do these get loaded? I would ❤️ LOOOVVVVEEEE ❤️ support for dotenv. This is a super popular tool and makes setting environment variables so easy. Drop in a .env file in the directory of the project, and it should read from here (.env files are git ignored). I understand there is a strong case for saying this is outside the scope of this feature...but please add this...I really don't want to have to figure out how to load/update/modify env vars in some shell, just let me edit a text file. I have probably wasted days of my life at this point futzing around getting this all set up on new machines (or when Apple decides to completely change the underlying shell). This will make the dx in sfdx so much nicer.

Behaviors
I want this to fail with an error all the time. These replacements can be critical to the packaging process, and there can be major issues if you release a package and the string replacement did not work as expected. For example, the following is perfectly valid metadata:

<CustomMetadata
  xmlns="http://soap.sforce.com/2006/04/metadata"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xmlns:xsd="http://www.w3.org/2001/XMLSchema"
>
  <label>Org</label>
  <protected>true</protected>
  <values>
    <field>Stripe_API_Key__c</field>
    <value xsi:type="xsd:string">{{STRIPE_SECRET_KEY}}</value>
  </values>
</CustomMetadata>

...and would deploy fine in the "warning" scenario, but I don't want it to deploy. I want it...need it... to fail. These packaging scrips often run in Github Actions, and there isn't a human monitoring for warnings. An error would/should stop the deployment and packaging script from continuing.

Challenges - Retrieve
I wouldn't even try to solve this issue. It is complicated and will always be a pain to maintain with edge cases. And really...best practices say that version control should be the source of truth, not the salesforce org. So if you pull changes, you should see this in git and can simply discard the changes. You could also create separate git hooks with husky or something to make sure the files you care about include the replacement tokens. I think this is all best handled outside the scope of this feature.

[tehnrd]

It will inject secrets on deployment but won't modify the files on the field system. Pulling server-side change would then pull down and overwrite files, potentially with secret values, but this is an existing problem today with all toolsets.

I just don't think it is this tool's responsibility to control what does or does not get committed in version control. Other options and tools are available today to prevent secrets from being committed.

I agree it'd be cool to maintain the placeholders on the retrieve, but I'd prefer to have something rather than nothing. I can address the accidentally committing secrets issue myself with husky...I can't address this secret inject issue without SDR enhancements.

[mshanemc]

@tehnrd returning to the dotenv idea, I'd rather not introduce more dependencies into SDR.

Would the dotenv cli be sufficient to let you read some .env file(s) so that SDR's responsibility is to check the env and you're free to set them however?

ex: dotenv -e .env3 -e .env4 sfdx force:source:push

[tehnrd]

@mshanemc ...but how would that work if I am in VSCode, save a file, and the push command automatically runs? I don't have control of this. I really don't want to create a custom command to save/deploy, I want to save the file in VSCode (CMD+S) and it "just works." This is how my plugin worked before it broke and was a great UX.

Admittedly, without something like dotenv I probably won't use this feature. I have a lot of different projects on my machine, and they all have different environment variables, some with the same name, so setting these in some global .zsh config file isn't an option either as the env vars are project specific.

I understand not want to add a dependency, but dotenv is one of the most popular and well-maintained packages. It is almost becoming the industry standard to use in JS/TS projects. If you want to avoid a dependency, you could also just replicate the basic functionality to read from .env files in the project as it is not a terribly complex package/code.

[rody]

Using dotenv (or something equivalent) would reduce the configuration footprint since it should cover the cases where we substitute from the environment or from a file (i.e. we don't need a separate "replaceWithEnv" and "replaceWithFile").
It also has the advantage of having a clearly defined priority between a value which would be defined in the .env file and in the runtime environment.

And as @tehnrd said, using .env files is a well-known process which exist for many different languages and tools. It also has some integration like dotenv-vault and dotenv-vscode.

[rody]

I forgot to mention that dotenv itself doesn't have any runtime dependency.

[rody]

For perf reasons, we do NOT want to read every file looking for strings. So we want you to indicate by filename or glob what the target files are.

We could use a cache file to allow the discovering of files with placeholders without having to explicitly configure the file in sfdx-project.json. The first run would go through each file to detect the presence of a placeholder and store the checksum of each file in a cache file. Subsequent retrieve/push could just use that cache file to see which files have changed and need to be parsed again to detect added/removed placeholders. This cache file could safely be shared by adding it to the git repository.

PMD uses a similar mechanism to run the analysis only on changed files.

[mshanemc]

interesting. We'd also have to deal with the other scenario where replacement config changes (new/modified placeholders, etc) ...just toss out the cache?

[mshanemc]

We shipped this (today's release where latest/stable is 7.176.1 . There's some preliminary docs in the release notes and "real docs" for the dev guide coming eventually.

I didn't add .dotenv yet, but of the requests in this discussion, that's my favorite.

[pgonzaleznetwork]

@mshanemc is this live? I'm on 7.181.1 (Dec 15, 2022) [stable] and when I create a replacements object inside sfdx-project.json , I get an error property replacements is not allowed

{
  "packageDirectories": [
    {
      "path": "force-app",
      "default": true
    }
  ],
  "name": "trailhead-org",
  "namespace": "",
  "sfdcLoginUrl": "https://login.salesforce.com",
  "sourceApiVersion": "52.0",
  "replacements": [
    {
      "filename": "force-app/main/default/classes/BatchApexRecipes.cls",
      "stringToReplace": "SELECT Id, Name FROM Account",
      "replaceWithEnv": "SELECT Id, Name FROM Account LIMIT 100"  
    }
  ]
}

[tehnrd]

You can replace values from environment variables or text in a file. Not sure why'd you want to do a straight-up string replacement like that. The feature is primary for secrets and other environment-level configs.

https://developer.salesforce.com/docs/atlas.en-us.sfdx_dev.meta/sfdx_dev/sfdx_dev_ws_string_replace.htm

[pgonzaleznetwork]

No reason, I was just playing with it.

[tehnrd]

Cool cool, saw adding Limit 100 and thought might be trying to use it to implement best practices. Might have better luck using Apex PMD which I think raises alerts like that in VSCode.

[RupertBarrow]

It would be interesting to be able to replace (conditionnally) by a straight string (or current username) when deployibg EmailFolder and EmailTemplateFolder to scratch org, to change shares or org-wide email addresses in queues etc.

[amtrack]

It would be interesting to be able to replace (conditionnally) by a straight string (or current username) when deployibg EmailFolder and EmailTemplateFolder to scratch org, to change shares or org-wide email addresses in queues etc.

@RupertBarrow I have recently developed a plugin with a predeploy hook that could be interesting for you:
https://github.com/amtrack/sfdx-predeploy-hook-org-env

Please let me know if this works for you or if you've found another solution in the meantime.

[tehnrd]

@mshanemc This doesn't appear to work on file saves or source pushes in VSCode. Is this expected? I thought this being a first-party feature built into the core CLI would cause it to be run everywhere.

I created an issue here forcedotcom/salesforcedx-vscode#4629

[TWood-IRL]

@mshanemc Is it possible to utilize this in unlocked packaging ? or any future plans for unlocked packaging. (Could be a different team entirely)
https://developer.salesforce.com/docs/atlas.en-us.sfdx_dev.meta/sfdx_dev/sfdx_dev_ws_string_replace.htm

Example.
You create your package version but has values specific to an environment, when you deploy your package to a test environment up a stack.
You then have to update it to be the correct value for that environment, everytime a subsequent package install, you have to repeat this.

This feature sounds like it would be ideal, but wasnt sure how to work it, if at all with unlocked packaging.

[mshanemc]

you can set the env SF_APPLY_REPLACEMENTS_ON_CONVERT=true and it'll end up in your package.

If you're using sensitive info in replacements, set the env on the command itself (don't export and leave it in the env) to avoid accidentally writing secrets to the filesytem.

[mshanemc]

closing this since we've gotten the MVP shipped (and windows path stuff resolved).

Please open any feature requests as new discussions!

[paustint]

@mshanemc @tehnrd - Do string replacement run prior to packaging a 2gp managed package? The docs only mention about deploying to an org and I have a custom solution I built as a node script that runs before an after my packaging process, but would love to throw that out if this works for packaging of 2gp managed packages. (I have some protected custom metadata where I don't want secrets in the repo).

[shetzel]

Yes, see #1755 (reply in thread)
The docs will be updated soon to state this explicitly.

[paustint]

@shetzel - I have not been able to get this to work with packaging sfdx package version create, I don't think it is supported.

When deploying to a scratch org, the command errors out based on the replacements configuration - but the same such error does not happen during packaging, which tells me that the replacements are not being considered.

I am using a protected custom metadata component, so I cannot see the value in the target org to 100% confirm - but authentication is broken, so I am sure the replacement did not get included in the deployment.

EDIT: Got it working, I had to set SF_APPLY_REPLACEMENTS_ON_CONVERT to true for 2gp packaging replacements to be applied. (At least I think it is working since I got an error message about invalid replacement config that I purposefully did as a signal)

[shetzel]

@paustint - you have good timing! As you discovered, the way to get this supported is to set SF_APPLY_REPLACEMENTS_ON_CONVERT=true before/during the package version create. However, we just merged a PR to the packaging plugin that will set this for you automatically so you don't have to worry about it. See: salesforcecli/plugin-packaging#566

In fact, if you want to test it out just install the latest packaging plugin explicitly and you'll get that change. You should probably uninstall it after testing though so you stick with the packaging plugin built with the CLI version (uninstalling takes you back to the "core" version).