Last active August 29, 2015 14:07
Sane design patterns for chef data bags. Nice and modular. Using my fork of the splunk cookbook (pull request pending)
```ruby
#-----------------------------------------------------
# So I've noticed there isn't a lot of consistency
# when it comes to managing data bags in Chef: primarily one
# dev will prefer encrypted data bags, another will
# want to use plaintext, and others chef-vault.
# This method of abstracting out data retrieval and
# making these methods attribute-driven grants devs
# flexibility without having to later refactor for a more
# secure method of data retrieval. Errybody wins.
# Here's an example soon to be attached in a pull request
# for opscode/chef-splunk
#-----------------------------------------------------
# Default Attributes
#-----------------------------------------------------
default['splunk']['databag_type'] = 'encrypted'
default['splunk']['secret']['key_path'] = '/vagrant/secret'
#-----------------------------------------------------
# Helper Library
#-----------------------------------------------------
def encrypted_data(bag_name, index)
  # .to_s so an unset attribute (nil) is treated like an empty path
  key_path = node['splunk']['secret']['key_path'].to_s
  # Fail closed: without a key there is nothing to decrypt with, and
  # carrying on would only produce a confusing error from load_secret.
  if key_path.empty?
    ::Chef::Log.error "Key path not set for encrypted data bag #{bag_name}.#{index}"
    raise ArgumentError, "node['splunk']['secret']['key_path'] must be set when databag_type is 'encrypted'"
  end
  ::Chef::Log.info "Loading encrypted data bag #{bag_name}.#{index} using key at #{key_path}"
  secret = ::Chef::EncryptedDataBagItem.load_secret(key_path)
  ::Chef::EncryptedDataBagItem.load(bag_name, index, secret)
end

def plaintext_data(bag_name, index)
  ::Chef::Log.info "Loading data bag #{bag_name}.#{index}"
  data_bag_item(bag_name, index)
end

def vault_data(bag_name, index)
  # This has not been tested.
  # chef_vault_item (the chef-vault cookbook helper) takes the bag name and
  # the item id and returns the decrypted item, so pass both through as-is.
  ::Chef::Log.info "Loading chef-vault item #{bag_name}.#{index}"
  chef_vault_item(bag_name, index)
end

def get_databag(bag_name, index)
  case node['splunk']['databag_type']
  when 'plaintext'
    plaintext_data(bag_name, index)
  when 'encrypted'
    encrypted_data(bag_name, index)
  when 'vault'
    vault_data(bag_name, index)
  else
    # A typo in the attribute must not silently return nil to the recipe.
    raise ArgumentError, "Unknown node['splunk']['databag_type']: #{node['splunk']['databag_type'].inspect}"
  end
end
#-----------------------------------------------------
# Calling get_databag in a recipe example.
#-----------------------------------------------------
splunk_auth_info = get_databag('splunk', 'default_user')
```
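The following is an added example, not code from the gist or from the chef-splunk cookbook. It models the same attribute-driven dispatch as a stand-alone Ruby module so the pattern and its failure modes can be exercised without a Chef server: the node object is a plain Hash, the data bag "server" is an in-memory fixture, and Chef::EncryptedDataBagItem is stood in for by an AES-256-GCM blob (Chef's own encrypted data bag format is different and is not reproduced here). The names DataBagDispatch, ConfigError and FIXTURE_SECRET, the fixture item, and the secret value are all invented for this example.

```ruby
# Added example (not from the gist or chef-splunk): a stand-alone model of
# the attribute-driven data bag dispatcher. Chef's node is a plain Hash,
# the data bag server is an in-memory fixture, and an AES-256-GCM blob
# stands in for Chef::EncryptedDataBagItem (Chef's real format differs).
# DataBagDispatch, ConfigError and FIXTURE_SECRET are names invented here.
require 'json'
require 'openssl'
require 'tempfile'

module DataBagDispatch
  class ConfigError < StandardError; end

  # Constructed fixture data, standing in for the Chef server's data bags.
  PLAINTEXT_STORE = {
    'splunk' => {
      'default_user' => { 'id' => 'default_user', 'name' => 'admin', 'password' => 'changeme' }
    }
  }.freeze
  FIXTURE_SECRET = 'constructed-example-secret-do-not-reuse'.freeze

  # Seal one item under a key derived from the shared secret. AES-256-GCM is
  # authenticated, so a wrong secret or a tampered blob fails instead of
  # decrypting to garbage.
  def self.encrypt_item(item, secret)
    cipher = OpenSSL::Cipher.new('aes-256-gcm').encrypt
    cipher.key = OpenSSL::Digest::SHA256.digest(secret)
    iv = cipher.random_iv
    ciphertext = cipher.update(JSON.generate(item)) + cipher.final
    { 'iv' => [iv].pack('m0'), 'tag' => [cipher.auth_tag].pack('m0'),
      'data' => [ciphertext].pack('m0') }
  end

  def self.decrypt_item(blob, secret)
    cipher = OpenSSL::Cipher.new('aes-256-gcm').decrypt
    cipher.key = OpenSSL::Digest::SHA256.digest(secret)
    cipher.iv = blob['iv'].unpack1('m0')
    cipher.auth_tag = blob['tag'].unpack1('m0')
    JSON.parse(cipher.update(blob['data'].unpack1('m0')) + cipher.final)
  end

  # The "encrypted" copy of the same fixture, sealed under FIXTURE_SECRET.
  ENCRYPTED_STORE = {
    'splunk' => {
      'default_user' => encrypt_item(PLAINTEXT_STORE['splunk']['default_user'], FIXTURE_SECRET)
    }
  }.freeze

  # One loader per backend; recipes never call these directly.
  LOADERS = {
    'plaintext' => ->(_node, bag, id) { PLAINTEXT_STORE.fetch(bag).fetch(id) },
    'encrypted' => lambda do |node, bag, id|
      key_path = node.dig('splunk', 'secret', 'key_path').to_s
      # Fail closed: a missing or unreadable key file is a hard error,
      # never a fallback to the plaintext store.
      raise ConfigError, "key_path not set for encrypted bag #{bag}/#{id}" if key_path.empty?
      raise ConfigError, "secret file #{key_path} is missing or unreadable" unless File.readable?(key_path)
      secret = File.read(key_path).strip # Chef's load_secret also strips trailing whitespace
      decrypt_item(ENCRYPTED_STORE.fetch(bag).fetch(id), secret)
    end,
    'vault' => lambda do |_node, bag, id|
      # chef-vault needs a Chef server and client keys; not modelled offline.
      raise ConfigError, "vault backend is not available offline (#{bag}/#{id})"
    end
  }.freeze

  # The single entry point a recipe uses. A misspelt databag_type raises
  # instead of silently returning nil.
  def self.get_databag(node, bag, id, loaders: LOADERS)
    type = node.dig('splunk', 'databag_type')
    loader = loaders[type]
    raise ConfigError, "unsupported databag_type #{type.inspect}" unless loader
    loader.call(node, bag, id)
  end

  # Write a mode-0600 secret file for the demo and yield its path.
  def self.with_secret_file(secret)
    Tempfile.create('databag_secret') do |f|
      f.write("#{secret}\n")
      f.flush
      File.chmod(0o600, f.path)
      yield f.path
    end
  end
end

if $PROGRAM_NAME == __FILE__
  DataBagDispatch.with_secret_file(DataBagDispatch::FIXTURE_SECRET) do |path|
    node = { 'splunk' => { 'databag_type' => 'encrypted', 'secret' => { 'key_path' => path } } }
    puts DataBagDispatch.get_databag(node, 'splunk', 'default_user')['name']
  end
end
```

The point of the loader table is the same as the gist's `case`: the recipe calls one function and the backend is chosen by attribute, so moving a cookbook from plaintext to encrypted bags is an attribute change, not a recipe refactor. The two differences worth keeping when porting this back into a cookbook are that every unsupported or misconfigured path raises (no nil returned to the recipe, no quiet downgrade to plaintext), and that a wrong secret surfaces as an authentication failure from the cipher rather than as a parse error further downstream.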