I've created an encrypted data bag value that I'm trying to load into a chef recipe.
    knife data bag show foo bar --secret_file secret.key
    Encrypted data bag detected, decrypting with provided secret.
    id: bar
    pass: p4ssw0rd
I'm trying to get the pass value to load up as a variable in a bash resource, and have the encrypted_data_bag_secret in /etc/chef on the client (hence no secret key shown, reverting to default /etc/chef location):
    dbag = Chef::EncryptedDataBagItem.load("foo", "bar")
    foo_pass = dbag["pass"]
I've also tried using the recipe DSL instead of the Chef::EncryptedDataBagItem method:
    dbag = data_bag_item('foo', 'bar')
    foo_pass = dbag["pass"]
And then loading it into a bash resource:
    bash 'install_mysql' do
      code <<-EOC
        ...
        sudo mysqladmin -u root password {foo_pass}
        ...
      EOC
    end
I had a few questions regarding this process.
i) Will Chef::EncryptedDataBagItem.load be deprecated and replaced with data_bag_item; should I use one over the other?
ii) Am I pulling the dbag["pass"] using the correct methods; how would I grab the 'pass' value from inside foo (data bag) => bar (item?)
iii) To call the foo_pass variable inside the bash resource, do I just encapsulate the variable in curly braces {}, or am I missing something here?
iv) Is there a better method than what I am trying out?
I've tried adding the following to see if I can see the variable value printed to screen when running the chef-client, but it's not showing me any of the text or values:
    puts "foo_pass equals 1:{foo_pass} 2:#{foo_pass}"
I've been hammering away at this for half the day, and was hoping to get some more experienced responses as how to handle this.
data_bag_item in most cases, it is more correct.
#{foo_pass}, with the leading #.
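The heredoc behaviour discussed above, as an added example that is not part of the original question or answer. It is plain Ruby that builds the string a bash resource would receive as `code`; the method names, `SAMPLE_ITEM` and the `MYSQL_NEW_PASS` variable are hypothetical, and the sample secret is constructed.

```ruby
require 'shellwords'

# Constructed stand-in for the hash-like item that data_bag_item('foo', 'bar')
# returns after decryption; the value is sample data with shell metacharacters.
SAMPLE_ITEM = { 'id' => 'bar', 'pass' => "p4ss w0rd$'x" }.freeze

# Variant from the question: braces without a leading # are plain text in Ruby,
# so the shell would receive the literal string {foo_pass}.
def script_with_bare_braces(foo_pass)
  <<-EOC
    mysqladmin -u root password {foo_pass}
  EOC
end

# Interpolated variant: #{...} is evaluated when the heredoc is built.
# Shellwords.escape keeps spaces, quotes and $ in the secret as one argument.
def script_with_interpolation(foo_pass)
  <<-EOC
    mysqladmin -u root password #{Shellwords.escape(foo_pass)}
  EOC
end

# Alternative: keep the secret out of the script text and hand it to the
# resource's `environment` property; bash expands it inside double quotes.
def script_with_environment(foo_pass)
  code = <<-'EOC'
    mysqladmin -u root password "$MYSQL_NEW_PASS"
  EOC
  [code, { 'MYSQL_NEW_PASS' => foo_pass }]
end

if __FILE__ == $PROGRAM_NAME
  pass = SAMPLE_ITEM['pass']
  puts script_with_bare_braces(pass)
  puts script_with_interpolation(pass)
  code, env = script_with_environment(pass)
  puts code
  puts env.keys.inspect
end
```

In a recipe, the returned string goes to the bash resource's `code` property and the hash to `environment`; setting `sensitive true` on the resource keeps Chef from logging the script and its output.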