Compile vs. Converge Time Encrypted Databag Read

Sean Horn -

Method calls always run at compile time. Examples: search, databag, etc
Chef-client resources always run at converge time. Examples:
 cookbook_file, file, directory, etc

The chef-client runs through recipes top to bottom, with two layers
or phases, always in the following order.

* Compile-time
* Converge-time

Let's say you have a cookbook_file resource run that is supposed to
provide a decryption key for an encrypted databag. Then, you want to
use that decryption key to decrypt and read a databag.

#Unintuitively, these steps happen last in the recipe, as they
#occur by default at Converge time

cookbook_file secret_file_path do
source 'encrypted_data_bag_secret'
action :nothing
end
#The following three steps happen first, because they run at Compile time

secret
= File.open(
secret_file_path)
keyname = data_bag('keyname') #=> ['encryption_key'] 
data_bag_item('key_content', keyname, secret) #=> "encryption key material"

The order of operations you will see with no changes is first, all
Compile-time calls. Second, all Converge-time calls

1. Compile-time: databag read using an encryption key that is not downloaded yet
2. Converge-time: cookbook_file download of the encryption key we
needed to make the previous step successful

The above disconnect means that the recipe as presented can never
decrypt the contents of the encrypted databag, because the key for
the decryption has not yet become available to the data_bag_item method
call.

The quickest way to fix the problem outlined is by defining the cookbook_file
resource at Compile time, rather than Converge time, like this

cookbook_file secret_file_path do 
source 'encrypted_data_bag_secret'
action :nothing
end.run_action(:create)
Have more questions? Submit a request

Comments

Powered by Zendesk