@dhoer
Last active June 13, 2016 18:13
Chef templates with sensitive data

Here is how to pass sensitive data to a template while still making it easy to add non-sensitive attributes dynamically. The point is to keep the secret out of node attributes entirely: node attributes are saved back to the Chef server at the end of every run, so a password stored there is readable by anyone who can fetch or search nodes. Have non-sensitive attributes follow the pattern node['cookbook']['collection']['value_1'] = 'value1', where collection holds one or more attributes (one level deep), e.g.,

default['mycookbook']['conf']['db_driver'] = 'com.mysql.jdbc.Driver'
default['mycookbook']['conf']['db_user'] = 'db_user'
default['mycookbook']['conf']['db_pass'] = nil

Next, create a separate hash that is a plain copy of that collection, e.g.,

conf = {}.merge(node['mycookbook']['conf']) # node attributes are immutable; this yields a plain, mutable Hash with string keys (node['mycookbook']['conf'].to_hash does the same)

Then merge the sensitive values into the separate hash. Use the same string keys as the attributes so the secret replaces the nil placeholder instead of sitting beside it under a symbol key, e.g.,

# mysql_data_bag is assumed to have been loaded earlier (e.g. with data_bag_item); the gist does not show how
conf.merge!(
  'db_pass' => mysql_data_bag[node['mycookbook']['conf']['db_user']],
  ...   
)

Finally pass the separate hash to the template. mode '0600' keeps the rendered file readable only by the service user, and sensitive true stops Chef from printing the file diff (and the password in it) to the converge log:

template "#{app_path}/WEB-INF/application/conf/application.conf" do
  local true # source is a path on the node, not a file in the cookbook
  source "#{app_path}/WEB-INF/application/conf/application.conf.erb"
  variables conf
  mode '0600'
  owner user
  group group
  sensitive true # suppress the content diff in the run output
  action :create
end

Each key of the variables hash becomes an instance variable in the ERB template, so the template reads the merged values like this:

db.url=<%= @db_url %>
db.user=<%= @db_user %>
db.pass=<%= @db_pass %>
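The whole procedure above, copy the attributes, overlay the secret, render, can be exercised outside Chef. The following is an added example written for this page, not code from the gist or from Chef: a frozen Hash stands in for the immutable node attribute mash, a constant stands in for the data bag item, and a small render helper mimics how the template resource turns each variables key into an @ivar. It also shows the key-type pitfall: merging the secret under a symbol key leaves both 'db_pass' => nil and :db_pass => secret in the hash, and rendering only works because the later key wins.

```ruby
require 'erb'

# Stand-in for node['mycookbook']['conf']. Chef exposes attributes as an immutable
# mash with string keys, so a frozen Hash is a close substitute (constructed sample).
NODE_CONF = {
  'db_driver' => 'com.mysql.jdbc.Driver',
  'db_url'    => 'jdbc:mysql://db.example.internal/app',
  'db_user'   => 'db_user',
  'db_pass'   => nil, # placeholder only; the real value never lives in node attributes
}.freeze

# Stand-in for the data bag item, keyed by database user (constructed sample secret).
MYSQL_DATA_BAG = { 'db_user' => 'correct-horse-battery-staple' }.freeze

# Stand-in for application.conf.erb (constructed).
TEMPLATE = <<~ERB
  db.driver=<%= @db_driver %>
  db.url=<%= @db_url %>
  db.user=<%= @db_user %>
  db.pass=<%= @db_pass %>
ERB

# Copy the non-sensitive attributes into a mutable Hash, then overlay the secret
# under the same string key so it replaces the nil placeholder.
# On a real node, node['mycookbook']['conf'].to_hash would give the same copy.
def build_conf(node_conf, data_bag)
  conf = {}.merge(node_conf) # new, unfrozen Hash; node_conf itself is untouched
  # fetch raises KeyError if the user has no entry, which is better than
  # silently rendering an empty password into the config file.
  conf.merge!('db_pass' => data_bag.fetch(node_conf['db_user']))
  conf
end

# Mimic how Chef's template resource exposes `variables`: each key becomes @key
# in the ERB evaluation context.
def render(template, variables)
  ctx = Object.new
  variables.each { |k, v| ctx.instance_variable_set("@#{k}", v) }
  ERB.new(template).result(ctx.instance_eval { binding })
end

def rendered_config
  render(TEMPLATE, build_conf(NODE_CONF, MYSQL_DATA_BAG))
end

# The pitfall: a symbol key does not replace 'db_pass'; it adds a second key.
def symbol_key_conf(node_conf, data_bag)
  {}.merge(node_conf).merge!(db_pass: data_bag.fetch(node_conf['db_user']))
end

if __FILE__ == $0
  puts rendered_config
  puts "node attribute still nil: #{NODE_CONF['db_pass'].inspect}"
  puts "symbol-key hash keys: #{symbol_key_conf(NODE_CONF, MYSQL_DATA_BAG).keys.inspect}"
end
```

Run it with plain ruby. The rendered output carries the password while NODE_CONF['db_pass'] stays nil, which is exactly the property the recipe relies on: the secret reaches the file on disk (protected by mode 0600 and sensitive true) but never the node object that gets saved to the server.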