Hi all and thanks in advance for any help you can provide.
I’ve got an encrypted data bag storing sensitive data (passwords).
I’ve got a recipe which contains a cookbook_file resource which copies myFile.pem to my node, which is the --secret-file used to decrypt the aforementioned data bag - when I add only this cookbook to a node’s run_list, it works perfectly.
I’ve got additional recipes which need to decrypt our encrypted data bag in order to get a PW to use in conjunction with a remote_file resource block.
For those recipes which require the encrypted data bag secret file myFile.pem, I’ve added “include_recipe AddMyFilePem::default” in the recipe, as well as add “depends ‘AddMyFilePem’” to the cookbook’s metadata.rb … and although I see the AddMyFilePem cookbook added to my node’s run list, the Chef client never enters the execute phase because the convergence (or is it compile?) phase fails on this line:
encrypted_vars = data_bag_item(‘encryptedDataBag’, ‘encryptedVars’, IO.read(EDBS))
where the file represented by the EDBS variable is MyFile.pem …
My expectation was that by including the recipe, it would be run before attempting to set the encrypted_vars variable … but that does not seem to be the case.
Is there a way to force the execution of a recipe being included during the convergence/compile phase? I found this link https://docs.chef.io/resource_common.html#run-in-compile-phase - so I tried wrapping my include recipe in a Ruby block like this:
ruby_block “include_AddMyFilePem” do
but this also failed to resolve my problem.
I’ve tried making this file’s creation a custom resource, but run into the now all-too-familiar error:
Recipe Compile Error in C:/chef/cache/cookbooks/DownloadBldTools/recipes/default.rb
Code snippets available if that will help. Thanks.