Here is how to pass sensitive data to a template and yet make it easy to dynamically add non-sensitive attributes.
Have non-sensitive attributes follow this pattern: node['cookbook']['collection']['value_1'] = 'value1'
where collection holds one or more attributes (one level deep), e.g.,
default['mycookbook']['conf']['db_driver'] = 'com.mysql.jdbc.Driver'
default['mycookbook']['conf']['db_user'] = 'db_user'
default['mycookbook']['conf']['db_pass'] = nil
The next step is to create a separate hash, e.g.,
conf = {}.merge(node['mycookbook']['conf']) # a workaround for the Chef DSL not supporting clone or deep copy
Then merge the sensitive values into the separate hash, e.g.,
conf.merge!(
  db_pass: mysql_data_bag[node['mycookbook']['conf']['db_user']],
  ...
)
Finally, pass the separate hash to the template:
template "#{app_path}/WEB-INF/application/conf/application.conf" do
  local true
  source "#{app_path}/WEB-INF/application/conf/application.conf.erb"
  variables conf
  mode '0600'
  owner user
  group group
  sensitive true
  action :create
end
In the ERB file, the following values get overwritten:
db.url=<%= @db_url %>
db.user=<%= @db_user %>
db.pass=<%= @db_pass %>
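The same pattern outside a Chef run, as an added example that is not code from the original post: it copies the attribute collection, merges the secret into the copy only, and renders the ERB values as instance variables. NODE_CONF, MYSQL_DATA_BAG, build_template_vars and render are hypothetical stand-ins, and the key normalisation and the fail-closed check on unset values are additions that the recipe above does not perform.

```ruby
require 'erb'

# Constructed stand-in for node['mycookbook']['conf']: string keys, a nil
# placeholder for the secret, frozen so the demo cannot write back to it.
NODE_CONF = {
  'db_driver' => 'com.mysql.jdbc.Driver',
  'db_user'   => 'db_user',
  'db_pass'   => nil
}.freeze

# Constructed stand-in for the decrypted data bag item (user => password).
MYSQL_DATA_BAG = { 'db_user' => 'constructed-example-secret' }.freeze

# Hypothetical helper: copy the attributes, normalise keys to symbols so the
# nil placeholder and the secret share one key, then merge the secrets in.
def build_template_vars(node_conf, secrets)
  vars = node_conf.each_with_object({}) { |(k, v), h| h[k.to_sym] = v }
  vars.merge!(secrets.transform_keys(&:to_sym))
  missing = vars.select { |_, v| v.nil? }.keys
  # Fail closed: refuse to render a config file with an unset credential.
  raise ArgumentError, "unset template values: #{missing.join(', ')}" unless missing.empty?
  vars
end

# Expose each variable to the template as an instance variable (@db_pass),
# which is how the ERB file above reads them.
def render(template, vars)
  ctx = Object.new
  vars.each { |k, v| ctx.instance_variable_set("@#{k}", v) }
  ERB.new(template).result(ctx.instance_eval { binding })
end

TEMPLATE = "db.user=<%= @db_user %>\ndb.pass=<%= @db_pass %>\n"

# Build the variables the way the recipe does and render the template.
def demo
  secrets = { db_pass: MYSQL_DATA_BAG[NODE_CONF['db_user']] }
  render(TEMPLATE, build_template_vars(NODE_CONF, secrets))
end

puts demo if $PROGRAM_NAME == __FILE__
```

After rendering, NODE_CONF['db_pass'] is still nil: the secret exists only in the copied hash handed to the template, never in the attribute collection itself.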