Tags: ruby, chef-infra, chef-recipe, databags

How do I insert an encrypted data bag item value into a Chef recipe?


I've created an encrypted data bag value that I'm trying to load into a chef recipe.

knife data bag show foo bar --secret_file secret.key                                  
Encrypted data bag detected, decrypting with provided secret. 
id:   bar
pass: p4ssw0rd

I'm trying to get the pass value to load up as a variable in a bash resource, and have the encrypted_data_bag_secret in /etc/chef on the client (hence no secret key shown, reverting to the default /etc/chef location):

dbag = Chef::EncryptedDataBagItem.load("foo", "bar")
foo_pass = dbag["pass"]

I've also tried using the recipe DSL instead of the Chef::EncryptedDataBagItem method:

dbag = data_bag_item('foo', 'bar')
foo_pass = dbag["pass"]

And then loading it into a bash resource:

bash 'install_mysql' do
  code <<-EOC
    ...
    sudo mysqladmin -u root password {foo_pass}
    ...
  EOC
end

I had a few questions regarding this process.

i) Will Chef::EncryptedDataBagItem.load be deprecated and replaced with data_bag_item; should I use one over the other?
ii) Am I pulling the dbag["pass"] using the correct methods; how would I grab the 'pass' value from inside foo (data bag) => bar (item?)
iii) To call the foo_pass variable inside the bash resource, do I just encapsulate the variable in curly braces {}, or am I missing something here?
iv) Is there a better method than what I am trying out?

I've tried adding the following to see if I can see the variable value printed to screen when running the chef-client, but it's not showing me any of the text or values:

puts "foo_pass equals 1:{foo_pass} 2:#{foo_pass}"

I've been hammering away at this for half the day, and was hoping to get some more experienced responses as to how to handle this.


Solution

    1. Yes, prefer data_bag_item in most cases; it is more correct.
    2. Yes, that is correct.
    3. You need #{foo_pass}, with the leading #.
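
Added example (not part of the original question or answer): plain Ruby, runnable outside Chef, showing what the heredoc in the `bash` resource renders with `{foo_pass}` versus `#{foo_pass}`, and why the interpolated secret should be shell-escaped before it is pasted into the script. The sample password, the helper names and the use of `Shellwords` are assumptions made for this illustration.

```ruby
require 'shellwords'

# Constructed sample standing in for dbag["pass"]; not a value from the page.
SAMPLE_PASS = 'p4ss w0rd$1'

# The question's form: without the leading '#', Ruby leaves the braces and
# the variable name in the script as literal text.
def script_without_hash(foo_pass)
  <<-EOC
    sudo mysqladmin -u root password {foo_pass}
  EOC
end

# The answer's form: '#{...}' is Ruby interpolation, which an unquoted
# heredoc (<<-EOC) performs just like a double-quoted string.
def script_interpolated(foo_pass)
  <<-EOC
    sudo mysqladmin -u root password #{foo_pass}
  EOC
end

# Interpolation pastes the raw secret into shell source, so spaces and
# shell metacharacters in it change the command. Escaping keeps the
# secret a single argument.
def script_escaped(foo_pass)
  <<-EOC
    sudo mysqladmin -u root password #{Shellwords.escape(foo_pass)}
  EOC
end

# Split a rendered one-line script into words the way a POSIX shell would
# (word splitting and quoting only; no variable expansion is performed).
def argv_of(script)
  Shellwords.split(script.strip)
end

if __FILE__ == $PROGRAM_NAME
  puts script_without_hash(SAMPLE_PASS)
  puts argv_of(script_interpolated(SAMPLE_PASS)).inspect
  puts argv_of(script_escaped(SAMPLE_PASS)).inspect
end
```

In the recipe itself, setting the common resource property `sensitive true` on the `bash` resource keeps the rendered script, and with it the decrypted password, out of chef-client output.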