Chef Infra Client 17.4 Released!

Hey everyone,

We have a great new release of Chef Infra Client out today. Chef Infra Client 17.4 includes tons of improvements to Infra Client Compliance Phase, enhancements to our new secrets manager integration, and improvements to built-in resources. Be sure to check it out.

What's New in 17.4

Compliance Phase Improvements

Chef InSpec 4.41.2

Chef InSpec has been updated from 4.38.3 to 4.41.2 with the following improvements for Compliance Phase:

  • New Open Policy Agent resources opa_cli and opa_api
  • New mongodb_session resource
  • The mssql_session resource now allows named connections by no longer forcing a port.
  • The PostgreSQL resources (postgres_session, postgres_conf, postgres_hba_conf, and postgres_ident_conf) now work with Windows.
  • Fixed a bug where the year in an expiration date was misinterpreted in waiver files.

json-file Reporter Off By Default

The InSpec json-file reporter is no longer enabled by default in Compliance Phase. Outputting compliance data to file by default potentially exposed sensitive data to the filesystem, without much upside. If you rely on this file for processing by external systems you can produce it by setting the reporter attribute node['audit']['reporter'] to %w{json-file cli}.

Chef Attribute Integration

The chef_node_attribute_enabled configuration option for Compliance Phase is now enabled by default. This provides a chef_node object in InSpec profiles containing all attributes from the Chef Infra Client including Ohai configuration attributes.

Compliance Phase Inputs Attribute

In 2019 we renamed InSpec attributes to inputs to avoid confusion between InSpec attributes and Chef Infra attributes. Compliance Phase is now updated to use the updated inputs name. Instead of passing node['audit']['attributes'] you can now use node['audit']['inputs']. Don't worry about rushing to update your code though because Compliance Phase will still work with the existing attributes, giving you time to migrate to the new name.
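
As an added example (not part of the release notes and not Chef's code), this plain-Ruby lint checks a hash shaped like node['audit'] for the two changes described above: an explicitly enabled json-file reporter and the legacy attributes key. The helper names, the string-keyed hash and the sample values are assumptions made for illustration.

```ruby
# Added example, not Chef's code. lint_audit_attributes and migrate_to_inputs
# are hypothetical helpers operating on a plain Hash shaped like node['audit'].

def lint_audit_attributes(audit)
  findings = []

  # reporter may be a single string or a list; json-file is now opt-in, so
  # finding it here means compliance data is deliberately written to disk.
  reporters = Array(audit['reporter']).map(&:to_s)
  findings << { id: :json_file_reporter } if reporters.include?('json-file')

  legacy  = audit['attributes']
  current = audit['inputs']
  has_legacy  = legacy.is_a?(Hash) && !legacy.empty?
  has_current = current.is_a?(Hash) && !current.empty?

  if has_legacy && has_current
    # Both names set: report keys defined twice so one source can be removed.
    dup = legacy.keys.map(&:to_s) & current.keys.map(&:to_s)
    findings << { id: :both_keys_set, keys: dup }
  elsif has_legacy
    findings << { id: :legacy_attributes_key, keys: legacy.keys.map(&:to_s) }
  end

  findings
end

# Return a copy with 'attributes' renamed to 'inputs'; values are untouched.
# Left unchanged when 'inputs' already exists, to avoid silently merging.
def migrate_to_inputs(audit)
  return audit.dup if !audit.key?('attributes') || audit.key?('inputs')

  migrated = audit.reject { |key, _| key == 'attributes' }
  migrated['inputs'] = audit['attributes']
  migrated
end

# Constructed sample input.
SAMPLE_AUDIT = {
  'reporter'   => %w[json-file cli],
  'attributes' => { 'ssh_port' => 22 }
}.freeze

if __FILE__ == $PROGRAM_NAME
  lint_audit_attributes(SAMPLE_AUDIT).each { |finding| puts finding.inspect }
  puts migrate_to_inputs(SAMPLE_AUDIT).inspect
end
```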

Secrets Manager Integration

We've updated our beta secrets management integration helper to improve the experience of fetching secrets from AWS Secrets Manager and Azure Key Vault. We'd still love to hear from you if you are integrating Chef Infra with a secrets management system or you'd like to do so in the future. E-mail us at secrets_management_beta@progress.com.

Simpler Azure Key Vault Names Declaration

The secrets helper has been updated to allow specifying the Azure Key Vault to fetch a secret using the name instead of the config hash:

Specifying the Vault in the Name:

secret(name: "test-chef-infra-secrets/test-secret-1", service: :azure_key_vault)

Specifying the Vault in the Options Hash:

secret(name: "test-secret-1", service: :azure_key_vault, config: {vault: "test-chef-infra-secrets" })

AWS Default to Node's Region in AWS Secrets Manager

When fetching secrets from AWS Secrets Manager, the secrets helper now defaults to fetching secrets from the region where the node resides. If you need to fetch secrets from another region, you can use the region config option:

Specifying AWS Region:

secret(name: 'test1', service: :aws_secrets_manager, config: { region: 'us-west-2' })

Using the Node's Region:

secret(name: 'test1', service: :aws_secrets_manager)

Resource Updates

group

The group resource has been updated to prevent failures on macOS systems when passing the GID as an Integer. Thanks for reporting this @rb2k!

homebrew_cask

The homebrew_cask resource now supports Homebrew Casks with '-' or '@' in their name. Thanks for this fix @byplayer!

rhsm_subscription

The rhsm_subscription resource now flushes all DNF or YUM caches after adding a new subscription so that subsequent package installs can use packages from the subscription. Thanks for fixing this @jasonwbarnett!

systemd_unit

The systemd_unit resource now generates valid unit files when passing a hash of data. Thanks for reporting this issue @gregkare!

user

The user resource on macOS no longer fails if the shell or hidden fields are not present for the user being updated.

yum_repository

The yum_repository resource has been refactored to better flush the cache on RHEL and Fedora derivative Linux distributions.

Packaging

Arm64 Docker Containers

Chef Infra Client Docker containers are now published for the arm64 architecture on Docker Hub. These containers can be used for testing Chef Infra Client on arm64 architecture Linux distributions with Test Kitchen.

Get the Build

As always, you can download binaries directly from downloads.chef.io or by using the mixlib-install command-line utility:

$ mixlib-install download chef -v 17.4.25

Alternatively, you can install Chef Infra Client using one of the following command options:

# In Shell
$ curl https://omnitruck.chef.io/install.sh | sudo bash -s -- -P chef -v 17.4.25
# In Windows PowerShell
. { iwr -useb https://omnitruck.chef.io/install.ps1 } | iex; install -project chef -version 17.4.25

If you want to give this version a spin in Test Kitchen, create or add the following to your kitchen.yml file:

provisioner:
  product_name: chef
  product_version: 17.4.25

Enjoy,
Tim