0

In my chef recipe, I am basically decrypting a couple of data bags:

1. test.json
2. sample.json

The data obtained after decryption will next be used to create files on my kitchen node. Basically, test.json and sample.json are encrypted using a secret key I have (test.json was obtained from test.txt and sample.json was obtained from sample.txt which are both plaintext files), within a script called gendatabags.rb that creates these files and puts them in their respective places. Note that the gendatabags.rb takes the secret key path and input file path as input parameters. Now as I want to integration-test this flow, I am looking forward to using a test secret key that I've generated. I would like to provide test versions of both test.txt and sample.txt which contain some dummy strings. The catch is, now I'd like to run this script automatically during compile time of my recipe. Can someone please provide some info on how to achieve this?

Thank you!

Sasanka Panguluri

1 Answer

0

Strongly wouldn't recommend this. Technically you could do this with the execute resource but you'd have all sorts of timing issues and it would defeat the purpose of having the encrypted data bag anyway.

Now, if you're trying to test a dummy encrypted data bag, that is easy. You'll make a data bag as normal but with the addition of the -z switch:

knife data bag create <data bag name> -z
knife data bag from file <data bag name> <path to .json file> --secret-file <path to encryption key file> -z

This will make a local directory with the name of your data bag and place the encrypted data bag item inside of it, with the name of the "id" value of the json file.

-z defaults to putting the data bag and items in /users//data_bags

From there you can edit your .kitchen.yml to point towards both your data bag and secret key thusly:

suites:
  - name: default
    run_list:
    data_bags_path: <path to data_bags dir>
    encrypted_data_bag_secret_key_path: <path to secret_file>

And if you have multiple suites using the same data_bags path, you can move the declaration to:

provisioner:
  name: chef_zero
  data_bags_path: <path to data_bags dir>
  encrypted_data_bag_secret_key_path: <path to secret_file>

Hope this helps.

JackChance
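
A check that fits the local data bag layout described in the answer above, as an added example that is not part of the original answer: it walks a directory like the one `data_bags_path` points to and reports any item field that is still plaintext, so a fixture that was never passed through `--secret-file` is caught before the suite runs. The envelope key set, the `secrets` bag name and the sample values are assumptions constructed for the illustration.

```ruby
require "json"
require "tmpdir"
require "fileutils"

# Keys carried by every encrypted field envelope (assumed common to item
# format versions 1-3; later versions add hmac or auth_tag on top).
ENVELOPE_KEYS = %w[encrypted_data iv version cipher].freeze

# Names of fields in one item that are not encrypted envelopes.
# "id" is stored in the clear by design, so it is skipped.
def plaintext_fields(item)
  item.reject do |key, value|
    key == "id" || (value.is_a?(Hash) && (ENVELOPE_KEYS - value.keys).empty?)
  end.keys
end

# Walk <data_bags_path>/<bag>/<item>.json; map "bag/item.json" => bad fields.
def audit_data_bags(data_bags_path)
  findings = {}
  Dir.glob(File.join(data_bags_path, "*", "*.json")).sort.each do |path|
    rel = path.split(File::SEPARATOR).last(2).join("/")
    begin
      bad = plaintext_fields(JSON.parse(File.read(path)))
    rescue JSON::ParserError
      bad = ["<unparseable JSON>"]
    end
    findings[rel] = bad unless bad.empty?
  end
  findings
end

# Constructed fixtures: one encrypted item, one accidentally left in plaintext.
def demo_audit
  Dir.mktmpdir do |root|
    bag = File.join(root, "secrets") # hypothetical bag name
    FileUtils.mkdir_p(bag)
    envelope = { "encrypted_data" => "Q09OU1RSVUNURUQ=", "iv" => "AAAA",
                 "version" => 1, "cipher" => "aes-256-cbc" }
    File.write(File.join(bag, "test.json"),
               JSON.generate({ "id" => "test", "content" => envelope }))
    File.write(File.join(bag, "sample.json"),
               JSON.generate({ "id" => "sample", "content" => "dummy string" }))
    audit_data_bags(root)
  end
end

p demo_audit if __FILE__ == $PROGRAM_NAME
```

An empty result means every field other than `id` is wrapped in an encryption envelope; it does not prove the item decrypts with the test key.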