john pfeiffer

Databags encrypted decrypted

Chef Data Bags are another example of how Opscode Chef tries to modularize everything; the reference is at http://docs.opscode.com/essentials_data_bags.html

Encrypted data bags are the best practice for storing credentials, passwords, keys and similar secrets, since a plain data bag is readable by anyone who can query the Chef server.

Chef Data Bag Example

A simple usage example: a data bag named configs-dev holding an item named users. When the recipe runs it renders config.json.erb to /example/config/users.json, branching on Chef::Config[:solo] so that chef-solo reads the plain item and chef-client reads the encrypted one.

configs-dev/users.json
{
  "id": "users",
  "acl": {
    "readwrite": [
      "example@example"
    ],
    "readonly": [
      "intern@example"
    ]
  }
}

# The id field is required: Chef uses it to name the data bag item when parsing the JSON, and
# it must match the file name (users.json) when the item is uploaded from disk.

recipes/default.rb
# Pick the bag for this node's environment, e.g. "configs-dev"
bag_name = "configs-#{node[:example][:environment]}"
# data_bag() returns the item names in the bag, e.g. ["users"]
data_bag(bag_name).each do |item|
  template "/example/config/#{item}.json" do
    source "config.json.erb"
    mode "644"
    owner "example"
    group "example"
    if Chef::Config[:solo]
      # chef-solo: the item is stored in the clear, load it as-is
      variables(
        :data => Chef::DataBagItem.load(bag_name, item).to_hash
      )
    else
      # chef-client: decrypt with the node's secret, read from
      # Chef::Config[:encrypted_data_bag_secret] (default /etc/chef/encrypted_data_bag_secret)
      variables(
        :data => Chef::EncryptedDataBagItem.load(bag_name, item).to_hash
      )
    end
  end
end


templates/config.json.erb
<% require 'json' -%>
<%= JSON.pretty_generate(@data) -%>

Chef Encrypted Data Bag

knife data bag list                                                                                 # bags on the server
knife data bag show configs-dev                                                                     # item names in the bag
knife data bag edit configs-dev example --secret-file ops/chef/DEV/encrypted_data_bag_secret_dev    # decrypt the item and open it in $EDITOR

Without --secret-file, show and edit print the stored ciphertext fields instead of the plaintext. The decrypted data bag item (dummy values):
{
  "id": "example",
  "outgoing_user": "some-user",
  "outgoing_password": "DUMMYPASSWORD",
  "some_hostname": "some.server.com",
  "incoming_user": "some-incoming-user",
  "incoming_password": "dummypassword"
}

Adding an Item to a Chef Encrypted Data Bag

knife data bag show configs-dev                                                                     # existing items in the bag
knife data bag create configs-dev example --secret-file ops/chef/DEV/encrypted_data_bag_secret_dev
# knife opens an editor (export EDITOR=vi) so you can enter the plaintext JSON for the new item;
# it is encrypted with the secret file before being sent to the server
# after saving, knife warns that the data bag already exists; that is harmless, the new item is still added

knife data bag show configs-dev                                                                     # the new item is listed
knife data bag show configs-dev example --secret-file ops/chef/DEV/encrypted_data_bag_secret_dev    # contents decrypted look fine
knife data bag edit configs-dev example --secret-file ops/chef/DEV/encrypted_data_bag_secret_dev    # edit the contents interactively
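To make clear what knife stores on the server and what the --secret-file decrypts, here is an added example, not code from this post and not Chef's own implementation. It is a minimal stand-alone reimplementation of the version 1 encrypted data bag item format as I understand it: aes-256-cbc, key = SHA-256 of the secret file contents with surrounding whitespace stripped, every field except "id" encrypted separately with its own IV after being wrapped as {"json_wrapper": value}. The secret and the item are constructed and mirror the "example" item above; secret_matches? is my own helper, not a knife feature.

```ruby
# Added example: minimal reimplementation of Chef's version 1 encrypted data bag
# item format (assumed: aes-256-cbc, key = SHA-256 of the stripped secret,
# each non-id value wrapped as {"json_wrapper": value}). Not Chef's own code.
require 'openssl'
require 'json'
require 'digest'

CIPHER = 'aes-256-cbc'.freeze

# Chef reads the secret file and strips surrounding whitespace before use.
def derive_key(secret)
  Digest::SHA256.digest(secret.strip)
end

# Encrypt one attribute value; each value gets its own random IV.
def encrypt_value(value, secret)
  cipher = OpenSSL::Cipher.new(CIPHER)
  cipher.encrypt
  cipher.key = derive_key(secret)
  iv = cipher.random_iv                       # generates, sets and returns a fresh IV
  plaintext = JSON.generate('json_wrapper' => value)
  ciphertext = cipher.update(plaintext) + cipher.final
  {
    'encrypted_data' => [ciphertext].pack('m'), # base64 with line breaks, like Base64.encode64
    'iv'             => [iv].pack('m'),
    'version'        => 1,
    'cipher'         => CIPHER,
  }
end

# Reverse of encrypt_value. A wrong secret usually fails in cipher.final with
# OpenSSL::Cipher::CipherError (bad padding); if the padding happens to look
# valid the garbage plaintext then fails JSON.parse instead.
def decrypt_value(field, secret)
  raise ArgumentError, "unsupported version #{field['version']}" unless field['version'] == 1
  cipher = OpenSSL::Cipher.new(field['cipher'])
  cipher.decrypt
  cipher.key = derive_key(secret)
  cipher.iv = field['iv'].unpack1('m')
  plaintext = cipher.update(field['encrypted_data'].unpack1('m')) + cipher.final
  JSON.parse(plaintext).fetch('json_wrapper')
end

# "id" stays in the clear so the server and knife can still address the item.
def encrypt_item(item, secret)
  item.each_with_object({}) do |(name, value), out|
    out[name] = name == 'id' ? value : encrypt_value(value, secret)
  end
end

def decrypt_item(item, secret)
  item.each_with_object({}) do |(name, value), out|
    out[name] = name == 'id' ? value : decrypt_value(value, secret)
  end
end

# Hypothetical helper: does this secret decrypt the item? Handy for checking
# you picked the secret file for the right environment before a knife edit.
def secret_matches?(encrypted_item, secret)
  decrypt_item(encrypted_item, secret)
  true
rescue StandardError # CipherError (bad padding), JSON::ParserError or KeyError (garbage)
  false
end

# Constructed sample, mirroring the "example" item from the post.
SAMPLE_ITEM = {
  'id'                => 'example',
  'outgoing_user'     => 'some-user',
  'outgoing_password' => 'DUMMYPASSWORD',
}.freeze
SAMPLE_SECRET = 'constructed-secret-not-for-real-use'.freeze

if __FILE__ == $PROGRAM_NAME
  encrypted = encrypt_item(SAMPLE_ITEM, SAMPLE_SECRET)
  puts JSON.pretty_generate(encrypted)                               # what the server stores
  puts JSON.pretty_generate(decrypt_item(encrypted, SAMPLE_SECRET))  # what knife shows with --secret-file
  puts secret_matches?(encrypted, 'wrong-secret')                    # false
end
```

Run it with ruby and compare the first block of output with what knife data bag show prints without --secret-file: only the id is readable, every other field is an encrypted_data/iv/version/cipher hash. Because each value is encrypted on its own, two items with the same password do not produce the same ciphertext, but the field names are still visible, so do not put anything sensitive in a key name.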


Published: Oct 11, 2013
Category: chef

