Generate list of updated resources

We’re looking for ways to satisfy audit compliance requirements.

Is there a way to generate a list of resources that actually changed state
during a Chef run, e.g., in a report handler? Better still would be a list
containing the before-and-after states. Parsing the log is not an
especially appetizing option…

Thanks,

–Michael

We took this repo as a starting point; it just logs the updated resources:

On Thu, Feb 12, 2015 at 8:15 AM, Michael Fischer mfischer@zendesk.com
wrote:

We're looking for ways to satisfy audit compliance requirements.

Is there a way to generate a list of resources that actually changed state
during a Chef run, e.g., in a report handler? Better still would be a list
containing the before-and-after states. Parsing the log is not an
especially appetizing option...

Thanks,

--Michael

The premium reporting and auditing features do exactly this. If you
look at lib/chef/resource_reporter.rb you can see where our client code
is. What we do is slightly complicated and at the start of the run we
hit the server to get a run id (and see if reporting is enabled on the
server), then at the end we construct a POST with all the information we
need as JSON. You can probably take a similar approach with a
chef_handler that plagiarizes what we do to assemble the data in the
resource_reporter.rb and then dumps the information wherever you like.


On Thursday, February 12, 2015 at 8:23 AM, Lamont Granquist wrote:

The premium reporting and auditing features do exactly this. If you
look at lib/chef/resource_reporter.rb you can see where our client code
is. What we do is slightly complicated and at the start of the run we
hit the server to get a run id (and see if reporting is enabled on the
server), then at the end we construct a POST with all the information we
need as JSON. You can probably take a similar approach with a
chef_handler that plagiarizes what we do to assemble the data in the
resource_reporter.rb and then dumps the information wherever you like.

I’ve never used it, but the Foreman project is sort of a generic config management reporting system. It has a Chef plugin based on the resource reporter that Lamont referenced.

--
Daniel DeLeo
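
A sketch of the chef_handler approach suggested in the thread, added here as an example; it is not code from any poster or from the Chef project. The names `UpdatedResourceAudit` and `UpdatedResourceHandler` and the log path are assumptions, and it records which resources were updated, not their before-and-after states.

```ruby
require 'json'
require 'time'

# Hypothetical helper: turns a Chef::RunStatus-like object into audit records,
# one per resource that changed state during the run.
module UpdatedResourceAudit
  def self.records(run_status)
    # updated_resources is nil when the run failed before a run context
    # existed (e.g. a compile error), so treat that as "nothing updated".
    (run_status.updated_resources || []).map do |res|
      {
        'node'        => run_status.node.name,
        'run_start'   => run_status.start_time.utc.iso8601,
        'run_ok'      => run_status.success?,
        'resource'    => res.to_s,                      # e.g. "template[/etc/ntp.conf]"
        'action'      => Array(res.action).map(&:to_s),
        'cookbook'    => res.cookbook_name.to_s,
        'recipe'      => res.recipe_name.to_s,
        'declared_at' => res.source_line.to_s           # recipe file and line
      }
    end
  end

  # Append the records as JSON lines; returns how many were written.
  def self.write(run_status, path)
    recs = records(run_status)
    File.open(path, 'a') { |f| recs.each { |r| f.puts(JSON.generate(r)) } }
    recs.length
  end
end

# Defined only inside chef-client, where Chef::Handler is already loaded.
if defined?(Chef::Handler)
  class UpdatedResourceHandler < Chef::Handler
    def initialize(path = '/var/log/chef/updated_resources.jsonl') # assumed path
      @path = path
    end

    # Chef calls report at the end of the run with run_status populated.
    def report
      UpdatedResourceAudit.write(run_status, @path)
    end
  end
end
```

Registering an instance under both `report_handlers` and `exception_handlers` in client.rb makes failed runs produce records as well.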