rewrite of the users cookbook
{
"id": "212477770",
"comment": "212477770",
"home": "/home/212477770",
"action": "remove",
"shell": "/bin/bash",
"ssh_keys": [
"ssh-rsa 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 212477770@SFO1212477770M"
],
"groups": [
"ic-admins"
],
"access_to_regions": ["US", "EU", "APAC", "kitchen"]
}
#
# Cookbook Name:: svops_exportc_usermgmt_linux
# Recipe:: default
#
# Copyright 2016, YOUR_COMPANY_NAME
#
# All rights reserved - Do Not Redistribute
#
# loading ge_chef-vault recipe - may not be necessary.
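include_recipe 'geip_chef_vault'

users_db_name = 'users'
users_vault_name = 'users_secrets'
home_basedir = '/home'
# Data-bag "action" values that mean the account is being retired.
# The data bag item on record uses "remove" (the name of the Chef `user`
# resource action); "delete" is accepted as well because the group handling
# previously tested for it, so existing items keep working.
removal_actions = %w[remove delete].freeze

db = data_bag(users_db_name)

# The community users cookbook is not used; every data bag item is handled
# directly here. Each item is expected to carry: action, access_to_regions,
# groups, optionally uid/gid/shell/comment/salt/manage_home/home/ssh_keys.
db.each do |username|
  user = data_bag_item(users_db_name, username)
  removing = removal_actions.include?(user['action'].to_s)

  # Skip users not granted access to this node's region; they could not
  # decrypt their vault item anyway. Array() tolerates a missing key.
  next unless Array(user['access_to_regions']).include?(node['region'])

  # Private keys must never travel in a cleartext data bag item. Raising here
  # aborts the compile phase before any resource for this user is declared.
  raise "private keys should not be transmitted as clear text (data bag item #{username})" if user['ssh_private_key']

  # Home directory from the data bag, else $home_basedir/$user.
  # (`defined?(user['home'])` is always truthy, so it could not express this.)
  home_dir = user['home'] || "#{home_basedir}/#{username}"

  # The vault item supplies the shadow password and is only needed when the
  # account is being created or modified, so removals do not touch the vault.
  # The vault item on record nests console_access under "secrets"; both that
  # location and the top level are checked so either layout grants console
  # access. Only linux_shadow_password is read from the item.
  shadow_password = nil
  unless removing
    user_secrets = get_vault_item(users_vault_name, username)
    console_access = user_secrets['console_access'] == true ||
                     user_secrets.dig('secrets', 'console_access') == true
    shadow_password = user_secrets.dig('secrets', 'linux_shadow_password') if console_access
  end

  # Create, modify or remove the account itself.
  user "managing user per data_bag - #{username} - #{user['action']}" do
    username username
    action user['action']
    uid user['uid'] if user['uid']
    gid user['gid'] if user['gid']
    shell user['shell'] if user['shell']
    comment user['comment'] if user['comment']
    # Only set when the vault grants console access and provides a hash.
    password shadow_password if shadow_password
    salt user['salt'] if user['salt']
    manage_home user['manage_home'] if user['manage_home']
    home user['home'] if user['home']
  end

  ssh_dir = "#{home_dir}/.ssh"
  # Fall back to the account name when no uid is given; otherwise the .ssh
  # tree would be left owned by root and, at mode 0700, unusable by the user.
  ssh_owner = user['uid'] || username

  if removing
    # Do not leave a usable authorized_keys behind for a retired account:
    # manage_home may be false, and a later reuse of the uid would inherit it.
    file "#{ssh_dir}/authorized_keys" do
      action :delete
    end
  else
    # ssh_public_key is still not implemented; it only triggers the directory.
    directory ssh_dir do
      recursive true
      owner ssh_owner
      group user['gid'] if user['gid']
      mode '0700'
      only_if { user['ssh_keys'] || user['ssh_public_key'] }
    end

    template "#{ssh_dir}/authorized_keys" do
      source 'authorized_keys.erb'
      owner ssh_owner
      group user['gid'] if user['gid']
      mode '0600'
      variables ssh_keys: user['ssh_keys']
      only_if { user['ssh_keys'] }
    end
  end

  # Group membership: add the account on create/modify, drop it on removal.
  # `:manage` only acts on groups that already exist; `append` keeps other
  # members intact.
  Array(user['groups']).each do |grp|
    group "managing user for group - #{grp} - #{user['action']}" do
      group_name grp
      append true
      if removing
        excluded_members username
      else
        members username
      end
      action :manage
    end
  end
end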
#sudo -E /opt/chef/bin/chef-client --local-mode --config /tmp/kitchen/client.rb --log_level auto --force-formatter --no-color --json-attributes /tmp/kitchen/dna.json --chef-zero-port 8889
{
"id": "212477770",
"secrets":{
"linux_shadow_password": "$1$WvaIpOFs$7xf3o6wupY.Vpo1unUI9Y0",
"windows_clearpass": "Password123",
"console_access": true
}
}