module Chef::DSL::Secret

Public Instance Methods

default_secret_config(**config) click to toggle source

This allows you to set the default secret config that is used when fetching secrets.

@example

default_secret_config region: "us-west-1"
val1 = secret(name: "test1", service: :hashi_vault)

@example

default_secret_config #=> {}
default_secret_service region: "us-west-1"
default_secret_service #=> { region: "us-west-1" }

@param [Hash<Symbol,Object>] config The default configuration options to apply when fetching secrets @return [Hash<Symbol,Object>]

# File lib/chef/dsl/secret.rb, line 103
def default_secret_config(**config)
  return run_context.default_secret_config if config.empty?

  run_context.default_secret_config = config
end
default_secret_service(service = nil) click to toggle source

This allows you to set the default secret service that is used when fetching secrets.

@example

default_secret_service :hashi_vault
val1 = secret(name: "test1", config: { region: "us-west-1" })

@example

default_secret_service #=> nil
default_secret_service :hashi_vault
default_secret_service #=> :hashi_vault

@param [Symbol] service default secret service to use when fetching secrets @return [Symbol, nil] default secret service to use when fetching secrets

# File lib/chef/dsl/secret.rb, line 42
def default_secret_service(service = nil)
  return run_context.default_secret_service if service.nil?
  raise Chef::Exceptions::Secret::InvalidFetcherService.new("Unsupported secret service: #{service.inspect}", Chef::SecretFetcher::SECRET_FETCHERS) unless Chef::SecretFetcher::SECRET_FETCHERS.include?(service)

  run_context.default_secret_service = service
end
secret(name: nil, version: nil, service: default_secret_service, config: default_secret_config) click to toggle source

Helper method which looks up a secret using the given service and configuration, and returns the retrieved secret value. This DSL providers a wrapper around [Chef::SecretFetcher]

Use of the secret helper in the context of a resource block will automatically mark that resource as ‘sensitive’, preventing resource data from being logged. See [Chef::Resource#sensitive].

@option name [Object] The identifier or name for this secret @option version [Object] The secret version. If a service supports versions

and no version is provided, the latest version will be fetched.

@option service [Symbol] The service identifier for the service that will

perform the secret lookup. See
[Chef::SecretFetcher::SECRET_FETCHERS]

@option config [Hash] The configuration that the named service expects

@return result [Object] The response object type is determined by the fetcher but will usually be a string or a hash. See individual fetcher documentation to know what to expect for a given service.

@example

This example uses the built-in :example secret manager service, which accepts a hash of secrets.

value = secret(name: "test1", service: :example, config: { "test1" => "value1" })
log "My secret is #{value}"

value = secret(name: "test1", service: :aws_secrets_manager, version: "v1", config: { region: "us-west-1" })
log "My secret is #{value}"
# File lib/chef/dsl/secret.rb, line 164
def secret(name: nil, version: nil, service: default_secret_service, config: default_secret_config)
  sensitive(true) if is_a?(Chef::Resource)
  Chef::SecretFetcher.for_service(service, config, run_context).fetch(name, version)
end
with_secret_config(**config) { || ... } click to toggle source

This allows you to set the secret config for the scope of the block passed into this method.

@example

with_secret_config region: "us-west-1" do
  val1 = secret(name: "test1", service: :hashi_vault)
  val2 = secret(name: "test2", service: :hashi_vault)
end

@param [Hash<Symbol,Object>] config The default configuration options to use when fetching secrets

# File lib/chef/dsl/secret.rb, line 122
def with_secret_config(**config)
  raise ArgumentError, "You must pass a block to #with_secret_config" unless block_given?

  begin
    old_config = default_secret_config
    # Use "public" API for input validation
    default_secret_config(**config)
    yield
  ensure
    # Use "private" API so we can set back to nil
    run_context.default_secret_config = old_config
  end
end
with_secret_service(service) { || ... } click to toggle source

This allows you to set the secret service for the scope of the block passed into this method.

@example

with_secret_service :hashi_vault do
  val1 = secret(name: "test1", config: { region: "us-west-1" })
  val2 = secret(name: "test2", config: { region: "us-west-1" })
end

@example Combine with with_secret_config

with_secret_service :hashi_vault do
  with_secret_config region: "us-west-1" do
    val1 = secret(name: "test1")
    val2 = secret(name: "test2")
  end
end

@param [Symbol] service The default secret service to use when fetching secrets

# File lib/chef/dsl/secret.rb, line 71
def with_secret_service(service)
  raise ArgumentError, "You must pass a block to #with_secret_service" unless block_given?

  begin
    old_service = default_secret_service
    # Use "public" API for input validation
    default_secret_service(service)
    yield
  ensure
    # Use "private" API so we can set back to nil
    run_context.default_secret_service = old_service
  end
end