
I have a recipe that uses the file resource to grant an Active Directory group access to a local folder.

I don't have access to AD from my Chef workstation where I am running test kitchen.

I want to be able to converge the kitchen vm (not just spec tests).

So I was planning to use environments:

  • Store the group name in an attribute which would be an env attribute
  • The prod env has the AD group set in the attribute
  • The test env has some local group in the attribute
  • Specify the test env in .kitchen.yml

Is this an appropriate use of environments? Is there another Chef mechanism for this purpose?

red888
  • I would set the local group as a default attribute in the cookbook, and set the AD group in the env; hence you will have tests in kitchen OK with the cookbook attribute and real-world nodes using AD groups. I think this question is too opinion-based for SO. – Tensibai Oct 20 '16 at 08:07
  • You could answer the question and I'll accept it – red888 Oct 21 '16 at 15:20
  • Done ;) (But for future reader: this would be better suited on https://discourse.chef.io as there's a lot of options) – Tensibai Oct 21 '16 at 15:25

1 Answer

For this kind of case, what I would do is use the cookbook attributes for the default (testing) case.

Then, as per the attribute precedence documentation, environment attributes will replace the cookbook attributes (at the same level), so in the real-world case you'll set the AD group in the environment.

This allows a per-environment group to be used.

Caution: any change to the environment will impact all nodes; you'll have to write a wrapper cookbook with an upper level (usually override) if you want to change it for only a subset of an environment's nodes.

Tensibai
  • I'd urge you to use the node.normal in place of setting it in the environment itself as environment sets are fairly invisible. Speaking from real world experience, when someone comes by to modify your code they'll be mystified for a couple days as to why nothing they do seems to change the values. Data bags are also a decent way to do this as they require code in the recipe to be used, thus leave a hefty breadcrumb trail for those that come after to follow. Just my $0.02 – JackChance Nov 09 '16 at 19:19
  • @Jack never use node.normal or node.set unless you absolutely know what you're doing. This level is permanently written on the node object and removing the line from the recipe will not revert to default; this is the cause of plenty of problems. Use node.default if you really want to do it in a recipe; they're evaluated after attributes so they take precedence, see the link in my answer. In this specific case, according to OP's description, environments are OK, hence the warning part. But please, don't advocate for node.normal for simple use cases; we spend too much time debugging their previous use. – Tensibai Nov 09 '16 at 19:33
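
The precedence behaviour discussed in the answer and comments above, as an added example that is not part of the original thread and is not Chef's own code: a simplified Ruby model of the precedence table from the Chef documentation, showing which group a Test Kitchen node, a production node, and a wrapper-cookbook subset would end up with. The group names and the `resolve` helper are hypothetical.

```ruby
# Simplified model of Chef attribute precedence, lowest to highest, following
# the precedence table in the Chef documentation. Illustration only.
PRECEDENCE = [
  [:default, :attribute_file],        [:default, :recipe],
  [:default, :environment],           [:default, :role],
  [:force_default, :attribute_file],  [:force_default, :recipe],
  [:normal, :attribute_file],         [:normal, :recipe],
  [:override, :attribute_file],       [:override, :recipe],
  [:override, :role],                 [:override, :environment],
  [:force_override, :attribute_file], [:force_override, :recipe],
  [:automatic, :ohai]
].freeze

# Returns [value, winning_slot] for one attribute, given a hash that maps
# [level, source] pairs to the value set at that place.
def resolve(settings)
  unknown = settings.keys - PRECEDENCE
  raise ArgumentError, "unknown level/source: #{unknown.inspect}" unless unknown.empty?

  winner = PRECEDENCE.reverse.find { |slot| settings.key?(slot) }
  winner ? [settings[winner], winner] : [nil, nil]
end

# Constructed sample values; the group names are hypothetical.
COOKBOOK_DEFAULT = { [:default, :attribute_file] => 'LocalTestGroup' }.freeze
PROD_ENVIRONMENT = { [:default, :environment] => 'CORP\\AppFolderAccess' }.freeze
WRAPPER_OVERRIDE = { [:override, :attribute_file] => 'CORP\\SubsetAccess' }.freeze

# Test Kitchen node: no environment attribute, so the cookbook default applies.
def kitchen_group
  resolve(COOKBOOK_DEFAULT).first
end

# Production node: the environment default replaces the cookbook default.
def prod_group
  resolve(COOKBOOK_DEFAULT.merge(PROD_ENVIRONMENT)).first
end

# Subset of production nodes whose wrapper cookbook sets an override.
def prod_subset_group
  resolve(COOKBOOK_DEFAULT.merge(PROD_ENVIRONMENT).merge(WRAPPER_OVERRIDE)).first
end

if __FILE__ == $PROGRAM_NAME
  puts "kitchen=#{kitchen_group} prod=#{prod_group} subset=#{prod_subset_group}"
end
```

Because the ACL on the folder follows whichever value wins, checking the resolved group per node type before a production converge confirms that the test group never reaches real nodes.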