Hey everyone,
We have a great new release of Chef Infra Client out today. Chef Infra Client 17.4 includes tons of improvements to Infra Client Compliance Phase, enhancements to our new secrets manager integration, and improvements to built-in resources. Be sure to check it out.
What's New in 17.4
Compliance Phase Improvements
Chef InSpec 4.41.2
Chef InSpec has been updated from 4.38.3 to 4.41.2 with the following improvements for Compliance Phase:
- New Open Policy Agent resources opa_cli and opa_api
- New mongodb_session resource
- The mssql_session resource now allows named connections by no longer forcing a port.
- The PostgreSQL resources (postgres_session, postgres_conf, postgres_hba_conf, and postgres_ident_conf) now work with Windows.
- Fixed a bug where the year in an expiration date was misinterpreted in waiver files.
json-file Reporter Off By Default
The InSpec json-file reporter is no longer enabled by default in Compliance Phase. Outputting compliance data to a file by default potentially exposed sensitive data to the filesystem, without much upside. If you rely on this file for processing by external systems, you can produce it by setting the reporter attribute node['audit']['reporter'] to %w{json-file cli}.
Chef Attribute Integration
The chef_node_attribute_enabled configuration option for Compliance Phase is now enabled by default. This provides a chef_node object in InSpec profiles containing all attributes from the Chef Infra Client, including Ohai configuration attributes.
Compliance Phase Inputs Attribute
In 2019 we renamed InSpec attributes to inputs to avoid confusion between InSpec attributes and Chef Infra attributes. Compliance Phase is now updated to use the updated inputs name. Instead of passing node['audit']['attributes'] you can now use node['audit']['inputs']. Don't worry about rushing to update your code though, because Compliance Phase will still work with the existing attributes, giving you time to migrate to the new name.
Secrets Manager Integration
We've updated our beta secrets management integration helper to improve the experience of fetching secrets from AWS Secrets Manager and Azure Key Vault. We'd still love to hear from you if you are integrating Chef Infra with a secrets management system or you'd like to do so in the future. E-mail us at secrets_management_beta@progress.com.
Simpler Azure Key Vault Names Declaration
The secrets helper has been updated to allow specifying the Azure Key Vault to fetch a secret from using the name instead of the config hash:
Specifying the Vault in the Name:
secret(name: "test-chef-infra-secrets/test-secret-1", service: :azure_key_vault)
Specifying the Vault in the Options Hash:
secret(name: "test-secret-1", service: :azure_key_vault, config: {vault: "test-chef-infra-secrets" })
AWS Default to Node's Region in AWS Secrets Manager
When fetching secrets from AWS Secrets Manager, the secrets helper now defaults to fetching secrets from the region where the node resides. If you need to fetch secrets from another region, you can use the region config option:
Specifying AWS Region:
secret(name: 'test1', service: :aws_secrets_manager, config: { region: 'us-west-2' })
Using the Node's Region:
secret(name: 'test1', service: :aws_secrets_manager)
Resource Updates
group
The group resource has been updated to prevent failures on macOS systems when passing the GID as an Integer. Thanks for reporting this @rb2k!
homebrew_cask
The homebrew_cask resource now supports Homebrew Casks with '-' or '@' in their name. Thanks for this fix @byplayer!
rhsm_subscription
The rhsm_subscription resource now flushes all DNF or YUM caches after adding a new subscription so that subsequent package installs can use packages from the subscription. Thanks for fixing this @jasonwbarnett!
systemd_unit
The systemd_unit resource now generates valid unit files when passing a hash of data. Thanks for reporting this issue @gregkare!
user
The user resource on macOS no longer fails if the shell or hidden fields are not present for the user being updated.
yum_repository
The yum_repository resource has been refactored to better flush the package cache on RHEL and Fedora-derivative Linux distributions.
Packaging
Arm64 Docker Containers
Chef Infra Client Docker containers are now published for the arm64 architecture on Docker Hub. These containers can be used for testing Chef Infra Client on arm64 Linux distributions with Test Kitchen.
Get the Build
As always, you can download binaries directly from downloads.chef.io or by using the mixlib-install command-line utility:
$ mixlib-install download chef -v 17.4.25
Alternatively, you can install Chef Infra Client using one of the following command options:
# In Shell
$ curl https://omnitruck.chef.io/install.sh | sudo bash -s -- -P chef -v 17.4.25
# In Windows Powershell
. { iwr -useb https://omnitruck.chef.io/install.ps1 } | iex; install -project chef -version 17.4.25
If you want to give this version a spin in Test Kitchen, create or add the following to your kitchen.yml file:
provisioner:
product_name: chef
product_version: 17.4.25
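To try the Compliance Phase changes described above (json-file reporter off by default, chef_node_attribute_enabled, and the inputs rename) against this build, the kitchen.yml can also carry the audit attributes. This is an added example, not from the release notes; the profile name, its path, and the allowed_shells input are placeholders I constructed.

```yaml
# Added example kitchen.yml: Test Kitchen provisioner running Chef Infra
# Client 17.4.25 with Compliance Phase configured through node attributes.
provisioner:
  product_name: chef
  product_version: 17.4.25
  attributes:
    audit:
      # json-file is off by default in 17.4; listing only cli keeps scan
      # results off the node's filesystem. Add json-file only if an
      # external system actually consumes that file.
      reporter:
        - cli
      # Enabled by default in 17.4; set explicitly here to document that
      # the profile below reads node attributes via the chef_node object.
      chef_node_attribute_enabled: true
      # 17.4 name for InSpec inputs (formerly node['audit']['attributes']);
      # the old key still works during migration.
      inputs:
        allowed_shells:            # constructed input for the placeholder profile
          - /bin/bash
          - /usr/bin/zsh
      profiles:
        my-baseline:               # placeholder profile name
          path: test/integration/my-baseline   # placeholder local profile path
```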
Enjoy,
Tim