This cookbook gives you the ability to store environment and node configuration in data bags (including encrypted ones).
No cookbook would then need changing to support getting credentials from data bag, as it will be able to read the merged attributes from the data bag.
Encrypting sensitive environment and node configuration is important, as you shouldn't allow anyone to access this information, including VCS (Version control systems)
The encryption secret key can then be stored elsewhere, and data bags decrypted by it at the point of chef converge.
Key | Type | Description | Default |
---|---|---|---|
['data-bag-merge']['environments']['data_bag_name'] | String | Name of the data bag to fetch environment data from | environments |
['data-bag-merge']['environments']['encrypted'] | String | Flag to determine whether to try to access as an encrypted data bag | true |
['data-bag-merge']['environments']['bag_format'] | String | Option to change style of attributes (default/override/default_override)', | default_override |
['data-bag-merge']['environments']['secret_path'] | String | Optional path to the secret file that decrypts the encrypted data bag, nil will use the path supplied in the chef config | nil |
Key | Type | Description | Default |
---|---|---|---|
['data-bag-merge']['nodes']['data_bag_name'] | String | Name of the data bag to fetch node data from | nodes |
['data-bag-merge']['nodes']['encrypted'] | String | Flag to determine whether to try to access as an encrypted data bag | true |
['data-bag-merge']['nodes']['bag_format'] | String | Option to change style of attributes (default/override/default_override)', | default_override |
['data-bag-merge']['nodes']['secret_path'] | String | Optional path to the secret file that decrypts the encrypted data bag, nil will use the path supplied in the chef config | nil |
Include data-bag-merge::environment
in your node's run_list
at the very top
of the run-list and define the node's environment
Node
{
"name":"my_node",
"environment": "production",
"run_list": [
"recipe[data-bag-merge::environment]"
],
"item_with_normal": "normal value",
"item_with_override": "normal value"
}
Encrypted Data Bag environments/production
{
"id": "production",
"default_attributes": {
"item_with_default": "default value",
"item_with_normal": "default value"
},
"override_attributes": {
"item_with_override": "override value"
}
}
Result
{
"item_with_default": "default value",
"item_with_normal": "normal value",
"item_with_override": "override value"
}
This will access the data bag environments/production
, merging it's data into
the node's defaults.
Include data-bag-merge::node
in your node's run_list
at the very top of the
run-list and define the node's environment
Node
{
"name":"my_node",
"environment": "production",
"run_list": [
"recipe[data-bag-merge::node]"
],
"item_with_normal": "normal value",
"item_with_override": "normal value"
}
Encrypted Data Bag nodes/my_node
{
"id": "production",
"default_attributes": {
"item_with_default": "default value",
"item_with_normal": "default value"
},
"override_attributes": {
"item_with_override": "override value"
}
}
Result
{
"item_with_default": "default value",
"item_with_normal": "normal value",
"item_with_override": "override value"
}
This will access the data bag nodes/my_node
, merging it's data into the node's
defaults.
Chef definitions are provided for additionally providing custom data bag merges
e.g.
data_bag_merge "my-custom-bag/my-bag-item"
encrypted_data_bag_merge "my-custom-bag/my-bag-item"
The following additional attributes are supported:
data_bag_merge "custom" do
data_bag "my-custom-bag" # The data bag to get the data from
item 'my-bag-item' # The data bag item to get the data from
bag_format 'default' # The format of the data
# 'default' - merge all keys into node.default
# 'override' - merge all keys into node.override
# 'default_override'
# - merge all keys in 'default_attributes'
# into node.default
# - merge all keys in 'override_attributes'
# into node.override
end
encrypted_data_bag_merge "custom" do
data_bag "my-custom-bag" # The data bag to get the data from
item 'my-bag-item' # The data bag item to get the data from
secret_path nil # The path to the secret key.
# nil - default chef encrypted_data_bag_key setting
bag_format 'default' # The format of the data
# 'default' - merge all keys into node.default
# 'override' - merge all keys into node.override
# 'default_override'
# - merge all keys in 'default_attributes'
# into node.default
# - merge all keys in 'override_attributes'
# into node.override
end
- Fork the repository on Github
- Create a named feature branch (like
add_component_x
) - Write your change
- Write tests for your change (if applicable)
- Run the tests, ensuring they all pass
- Submit a Pull Request using Github
License: MIT Authors: Andy Thompson