Chef Data Bags are another example of how Opscode Chef modularizes configuration: global JSON items, stored apart from any cookbook, that every recipe can load. See http://docs.opscode.com/essentials_data_bags.html
Encrypted data bags are the standard way to keep credentials, passwords, keys and similar secrets in a data bag: each item is encrypted with a shared secret before upload, so the Chef server only ever stores ciphertext. The secret file is generated once (for example with `openssl rand -base64 512 | tr -d '\r\n' > encrypted_data_bag_secret`), distributed to nodes out of band (Chef looks for it at /etc/chef/encrypted_data_bag_secret by default) and must never be committed to the repository next to the data bags it protects.
Chef Data Bag Example
Simple usage example: a data bag named configs-dev with an item named users. The recipe writes one file per item in the bag, so this item becomes /example/config/users.json. The if branch selects plaintext loading on chef-solo and encrypted loading against a Chef server.
configs-dev/users.json
{
  "id": "users",
  "acl": {
    "readwrite": [
      "example@example"
    ],
    "readonly": [
      "intern@example"
    ]
  }
}
# id is required: Chef uses it as the item name when parsing the JSON data bag item,
# and it must match the name the recipe loads (conventionally the file name, users.json)
recipes/default.rb
# data_bag(name) returns the list of item ids in the bag; on chef-solo it is read from
# Chef::Config[:data_bag_path], which must contain a configs-<environment>/ directory
bag_name = "configs-#{node[:example][:environment]}"
data_bag(bag_name).each do |item|
  template "/example/config/#{item}.json" do
    source "config.json.erb"
    # the rendered file holds credentials, so do not leave it world-readable
    mode "0640"
    owner "example"
    group "example"
    if Chef::Config[:solo]
      # chef-solo in this setup keeps plaintext items on disk, so no secret is needed
      variables(
        :data => Chef::DataBagItem.load(bag_name, item).to_hash
      )
    else
      # against a server the item is encrypted; load decrypts it with the node's secret file
      # (Chef::Config[:encrypted_data_bag_secret]) and to_hash returns the plaintext fields
      variables(
        :data => Chef::EncryptedDataBagItem.load(bag_name, item).to_hash
      )
    end
  end
end
templates/config.json.erb
<% require 'json' -%>
<%= JSON.pretty_generate(@data) -%>
Chef Encrypted Data Bag
knife data bag list # every data bag on the server
knife data bag show configs-dev # item names in the bag, no contents
knife data bag edit configs-dev example --secret-file ops/chef/DEV/encrypted_data_bag_secret_dev # decrypt the item, open it in $EDITOR, re-encrypt on save
The item as it appears decrypted in the editor (the server itself only holds ciphertext):
{
"id": "example",
"outgoing_user": "some-user",
"outgoing_password": "DUMMYPASSWORD",
"some_hostname": "some.server.com",
"incoming_user": "some-incoming-user",
"incoming_password": "dummypassword"
}
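What --secret-file actually does, as an added example that is not part of the original page or of Chef's own code: the standalone Ruby below reproduces Chef's version 2 encrypted data bag item format as I understand it from the encryptor in the chef gem (AES-256-CBC with a fresh random IV per field, key = SHA-256 of the secret file's contents, each value serialized as {"json_wrapper": value}, and an HMAC-SHA256 over the base64 ciphertext keyed with the raw secret; version 1 is the same format without the HMAC). The secret string, the item and the helper names are constructed for the demo. It also shows why the HMAC matters: an item whose ciphertext was edited on the server is rejected instead of quietly decrypting to garbage.

```ruby
require "openssl"
require "json"

CIPHER = "aes-256-cbc"

# Chef stores IV, ciphertext and HMAC as newline-wrapped base64 (Base64.encode64 style)
def b64(bytes)
  [bytes].pack("m")
end

def unb64(text)
  text.unpack1("m")
end

# Constant-time comparison so a wrong HMAC cannot be probed byte by byte
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Encrypt one field value (string, array or hash) the way a version 2 item stores it
def encrypt_field(value, secret)
  cipher = OpenSSL::Cipher.new(CIPHER)
  cipher.encrypt
  iv = cipher.random_iv
  cipher.key = OpenSSL::Digest.digest("SHA256", secret) # key derivation: SHA-256 of the secret file
  ciphertext = cipher.update(JSON.generate("json_wrapper" => value)) + cipher.final
  encrypted_data = b64(ciphertext)
  {
    "encrypted_data" => encrypted_data,
    "hmac" => b64(OpenSSL::HMAC.digest(OpenSSL::Digest.new("sha256"), secret, encrypted_data)),
    "iv" => b64(iv),
    "version" => 2,
    "cipher" => CIPHER,
  }
end

# Verify the HMAC first, then decrypt; raises on a wrong secret or a tampered field
def decrypt_field(field, secret)
  raise "unsupported encrypted data bag version #{field['version'].inspect}" unless field["version"] == 2
  expected = b64(OpenSSL::HMAC.digest(OpenSSL::Digest.new("sha256"), secret, field["encrypted_data"]))
  raise "HMAC mismatch: wrong secret or tampered item" unless secure_compare(expected, field["hmac"])
  cipher = OpenSSL::Cipher.new(field["cipher"])
  cipher.decrypt
  cipher.key = OpenSSL::Digest.digest("SHA256", secret)
  cipher.iv = unb64(field["iv"])
  plaintext = cipher.update(unb64(field["encrypted_data"])) + cipher.final
  JSON.parse(plaintext).fetch("json_wrapper")
end

# Whole-item helpers: "id" stays in the clear, every other field is encrypted separately
def encrypt_item(item, secret)
  item.each_with_object({}) { |(k, v), out| out[k] = (k == "id" ? v : encrypt_field(v, secret)) }
end

def decrypt_item(item, secret)
  item.each_with_object({}) { |(k, v), out| out[k] = (k == "id" ? v : decrypt_field(v, secret)) }
end

# Flip one byte of a field's ciphertext, as someone with write access to the server could
def tamper(encrypted_item, field_name)
  copy = JSON.parse(JSON.generate(encrypted_item)) # deep copy
  raw = unb64(copy[field_name]["encrypted_data"])
  raw.setbyte(0, raw.getbyte(0) ^ 0x01)
  copy[field_name]["encrypted_data"] = b64(raw)
  copy
end

if __FILE__ == $PROGRAM_NAME
  secret = "constructed-demo-secret-use-openssl-rand-for-real" # stands in for encrypted_data_bag_secret_dev
  item = { "id" => "example", "outgoing_user" => "some-user", "outgoing_password" => "DUMMYPASSWORD" }
  stored = encrypt_item(item, secret)
  puts JSON.pretty_generate(stored)                        # what `knife data bag show` prints without --secret-file
  puts JSON.pretty_generate(decrypt_item(stored, secret))  # what it prints with --secret-file
  begin
    decrypt_item(tamper(stored, "outgoing_password"), secret)
  rescue RuntimeError => e
    puts "tampered item rejected: #{e.message}"
  end
end
```

Run it with `ruby` to see the stored (ciphertext) and decrypted forms side by side. The practical points: the "id" field is never encrypted, so do not put anything sensitive there; anyone with the secret file can decrypt every item in every bag that uses it, which is why the page keeps a separate secret per environment; and since the format is a plain JSON structure, nothing stops an attacker with server access from replacing a field, so version 1 items (no HMAC) should be re-uploaded with a newer Chef.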
Adding an Item to a Chef Encrypted Data Bag
knife data bag show configs-dev # item names before the change
knife data bag create configs-dev example --secret-file ops/chef/DEV/encrypted_data_bag_secret_dev
# knife now opens $EDITOR (export EDITOR=vi) so you can enter the plaintext JSON for the item; the file is encrypted on save, before upload
# After saving, knife warns that the data bag already exists. That is expected: `create BAG ITEM` first tries to create the bag, then adds the item to it
# Non-interactive alternative for an item kept as a plaintext JSON file outside the repo: knife data bag from file configs-dev example.json --secret-file ops/chef/DEV/encrypted_data_bag_secret_dev
knife data bag show configs-dev # the new item is listed
knife data bag show configs-dev example # without the secret only the encrypted_data/iv/version/cipher structure is shown
knife data bag show configs-dev example --secret-file ops/chef/DEV/encrypted_data_bag_secret_dev # decrypted contents, check they look right
knife data bag edit configs-dev example --secret-file ops/chef/DEV/encrypted_data_bag_secret_dev # edit the contents interactively; re-encrypted on save