Module: Chef::DSL::Secret
- Included in:
- Universal
- Defined in:
- lib/chef/dsl/secret.rb
Instance Method Summary collapse
-
#default_secret_config(**config) ⇒ Hash<Symbol,Object>
This allows you to set the default secret config that is used when fetching secrets.
-
#default_secret_service(service = nil) ⇒ Symbol?
This allows you to set the default secret service that is used when fetching secrets.
-
#secret(name: nil, version: nil, service: default_secret_service, config: default_secret_config) ⇒ Object
Helper method which looks up a secret using the given service and configuration, and returns the retrieved secret value.
-
#with_secret_config(**config) ⇒ Object
This allows you to set the secret config for the scope of the block passed into this method.
-
#with_secret_service(service) ⇒ Object
This allows you to set the secret service for the scope of the block passed into this method.
Instance Method Details
#default_secret_config(**config) ⇒ Hash<Symbol,Object>
This allows you to set the default secret config that is used when fetching secrets.
103 104 105 106 107 |
# File 'lib/chef/dsl/secret.rb', line 103 def default_secret_config(**config) return run_context.default_secret_config if config.empty? run_context.default_secret_config = config end |
#default_secret_service(service = nil) ⇒ Symbol?
This allows you to set the default secret service that is used when fetching secrets.
42 43 44 45 46 47 |
# File 'lib/chef/dsl/secret.rb', line 42 def default_secret_service(service = nil) return run_context.default_secret_service if service.nil? raise Chef::Exceptions::Secret::InvalidFetcherService.new("Unsupported secret service: #{service.inspect}", Chef::SecretFetcher::SECRET_FETCHERS) unless Chef::SecretFetcher::SECRET_FETCHERS.include?(service) run_context.default_secret_service = service end |
#secret(name: nil, version: nil, service: default_secret_service, config: default_secret_config) ⇒ Object
Helper method which looks up a secret using the given service and configuration, and returns the retrieved secret value. This DSL providers a wrapper around [Chef::SecretFetcher]
Use of the secret helper in the context of a resource block will automatically mark that resource as 'sensitive', preventing resource data from being logged. See [Chef::Resource#sensitive].
See individual fetcher documentation to know what to expect for a given service.
This example uses the built-in :example secret manager service, which accepts a hash of secrets.
value = secret(name: "test1", service: :example, config: { "test1" => "value1" }) log "My secret is #value"
value = secret(name: "test1", service: :aws_secrets_manager, version: "v1", config: { region: "us-west-1" }) log "My secret is #value"
164 165 166 167 |
# File 'lib/chef/dsl/secret.rb', line 164 def secret(name: nil, version: nil, service: default_secret_service, config: default_secret_config) sensitive(true) if is_a?(Chef::Resource) Chef::SecretFetcher.for_service(service, config, run_context).fetch(name, version) end |
#with_secret_config(**config) ⇒ Object
This allows you to set the secret config for the scope of the block passed into this method.
122 123 124 125 126 127 128 129 130 131 132 133 134 |
# File 'lib/chef/dsl/secret.rb', line 122 def with_secret_config(**config) raise ArgumentError, "You must pass a block to #with_secret_config" unless block_given? begin old_config = default_secret_config # Use "public" API for input validation default_secret_config(**config) yield ensure # Use "private" API so we can set back to nil run_context.default_secret_config = old_config end end |
#with_secret_service(service) ⇒ Object
This allows you to set the secret service for the scope of the block passed into this method.
71 72 73 74 75 76 77 78 79 80 81 82 83 |
# File 'lib/chef/dsl/secret.rb', line 71 def with_secret_service(service) raise ArgumentError, "You must pass a block to #with_secret_service" unless block_given? begin old_service = default_secret_service # Use "public" API for input validation default_secret_service(service) yield ensure # Use "private" API so we can set back to nil run_context.default_secret_service = old_service end end |