Module: Chef::DSL::Secret

Included in:
Universal
Defined in:
lib/chef/dsl/secret.rb

Instance Method Summary collapse

Instance Method Details

#default_secret_config(**config) ⇒ Hash<Symbol,Object>

This allows you to set the default secret config that is used when fetching secrets.

Examples:


default_secret_config region: "us-west-1"
val1 = secret(name: "test1", service: :hashi_vault)

default_secret_config #=> {}
default_secret_service region: "us-west-1"
default_secret_service #=> { region: "us-west-1" }

Parameters:

  • config (Hash<Symbol,Object>)

    The default configuration options to apply when fetching secrets

Returns:


103
104
105
106
107
# File 'lib/chef/dsl/secret.rb', line 103

def default_secret_config(**config)
  return run_context.default_secret_config if config.empty?

  run_context.default_secret_config = config
end

#default_secret_service(service = nil) ⇒ Symbol?

This allows you to set the default secret service that is used when fetching secrets.

Examples:


default_secret_service :hashi_vault
val1 = secret(name: "test1", config: { region: "us-west-1" })

default_secret_service #=> nil
default_secret_service :hashi_vault
default_secret_service #=> :hashi_vault

Parameters:

  • service (Symbol) (defaults to: nil)

    default secret service to use when fetching secrets

Returns:

  • (Symbol, nil)

    default secret service to use when fetching secrets

Raises:


42
43
44
45
46
47
# File 'lib/chef/dsl/secret.rb', line 42

def default_secret_service(service = nil)
  return run_context.default_secret_service if service.nil?
  raise Chef::Exceptions::Secret::InvalidFetcherService.new("Unsupported secret service: #{service.inspect}", Chef::SecretFetcher::SECRET_FETCHERS) unless Chef::SecretFetcher::SECRET_FETCHERS.include?(service)

  run_context.default_secret_service = service
end

#secret(name: nil, version: nil, service: default_secret_service, config: default_secret_config) ⇒ Object

Helper method which looks up a secret using the given service and configuration, and returns the retrieved secret value. This DSL providers a wrapper around [Chef::SecretFetcher]

Use of the secret helper in the context of a resource block will automatically mark that resource as 'sensitive', preventing resource data from being logged. See [Chef::Resource#sensitive].

See individual fetcher documentation to know what to expect for a given service.

This example uses the built-in :example secret manager service, which accepts a hash of secrets.

value = secret(name: "test1", service: :example, config: { "test1" => "value1" }) log "My secret is #value"

value = secret(name: "test1", service: :aws_secrets_manager, version: "v1", config: { region: "us-west-1" }) log "My secret is #value"

Parameters:

  • name (Hash) (defaults to: nil)

    a customizable set of options

  • version (Hash) (defaults to: nil)

    a customizable set of options

  • service (Hash) (defaults to: default_secret_service)

    a customizable set of options

  • config (Hash) (defaults to: default_secret_config)

    a customizable set of options

Options Hash (name:):

  • The (Object)

    identifier or name for this secret

Options Hash (version:):

  • The (Object)

    secret version. If a service supports versions and no version is provided, the latest version will be fetched.

Options Hash (service:):

  • The (Symbol)

    service identifier for the service that will perform the secret lookup. See [Chef::SecretFetcher::SECRET_FETCHERS]

Options Hash (config:):

  • The (Hash)

    configuration that the named service expects


164
165
166
167
168
169
170
171
# File 'lib/chef/dsl/secret.rb', line 164

def secret(name: nil, version: nil, service: default_secret_service, config: default_secret_config)
  Chef::Log.warn <<~EOM.gsub("\n", " ")
    The secrets Chef Infra language helper is currently in beta. If you have feedback or you would
    like to be part of the future design of this helper e-mail us at [email protected]"
  EOM
  sensitive(true) if is_a?(Chef::Resource)
  Chef::SecretFetcher.for_service(service, config, run_context).fetch(name, version)
end

#with_secret_config(**config) ⇒ Object

This allows you to set the secret config for the scope of the block passed into this method.

Examples:


with_secret_config region: "us-west-1" do
  val1 = secret(name: "test1", service: :hashi_vault)
  val2 = secret(name: "test2", service: :hashi_vault)
end

Parameters:

  • config (Hash<Symbol,Object>)

    The default configuration options to use when fetching secrets

Raises:

  • (ArgumentError)

122
123
124
125
126
127
128
129
130
131
132
133
134
# File 'lib/chef/dsl/secret.rb', line 122

def with_secret_config(**config)
  raise ArgumentError, "You must pass a block to #with_secret_config" unless block_given?

  begin
    old_config = default_secret_config
    # Use "public" API for input validation
    default_secret_config(**config)
    yield
  ensure
    # Use "private" API so we can set back to nil
    run_context.default_secret_config = old_config
  end
end

#with_secret_service(service) ⇒ Object

This allows you to set the secret service for the scope of the block passed into this method.

Examples:


with_secret_service :hashi_vault do
  val1 = secret(name: "test1", config: { region: "us-west-1" })
  val2 = secret(name: "test2", config: { region: "us-west-1" })
end

Combine with #with_secret_config


with_secret_service :hashi_vault do
  with_secret_config region: "us-west-1" do
    val1 = secret(name: "test1")
    val2 = secret(name: "test2")
  end
end

Parameters:

  • service (Symbol)

    The default secret service to use when fetching secrets

Raises:

  • (ArgumentError)

71
72
73
74
75
76
77
78
79
80
81
82
83
# File 'lib/chef/dsl/secret.rb', line 71

def with_secret_service(service)
  raise ArgumentError, "You must pass a block to #with_secret_service" unless block_given?

  begin
    old_service = default_secret_service
    # Use "public" API for input validation
    default_secret_service(service)
    yield
  ensure
    # Use "private" API so we can set back to nil
    run_context.default_secret_service = old_service
  end
end