hiya. i’m having some trouble with rendering some variables in a chef
template. not only do i need help on this specific problem, but i’d also
appreciate feedback on my style of solving the issue of distributing ec2
credentials in a secure, elegant manner.
there are 2 kinds of items i want to render in the template: one comes
from an encrypted data bag, the other comes from an attributes setting.
it’s the latter that is giving me fits.
first, the template looks like so:
#!/bin/bash
# Generated by Chef for <%= node[:fqdn] %>
# Environment: <%= node[:environment] %> … <-- blank til i fix it
# User: <%= @grab_user %>
export AWS_ACCESS_KEY_ID="<%= @aws_access_key_id %>"
export AWS_SECRET_ACCESS_KEY="<%= @aws_secret_access_key %>"
export AWS_x509_CERT="<% node[:aws][:aws_x509_cert_path] %>"
export AWS_x509_KEY="<% node.aws.aws_x509_key_path %>"
export AWS_ACCOUNT_ID="<%= @aws_account_id %>"
the rendered file looks like this:
[root@admin4-dev ]# cat /etc/ec2/credz
#!/bin/bash
# Generated by Chef for admin4.dev.nosopa.com
# Environment: … <-- blank til i fix it
# User: root
export AWS_ACCESS_KEY_ID="rootaccesskeyderpderpderp"
export AWS_SECRET_ACCESS_KEY="rootsecretkeyderpderpderp"
export AWS_x509_CERT=""
export AWS_x509_KEY=""
export AWS_ACCOUNT_ID="7776-6666-5150"
missing are values for AWS_x509_CERT and AWS_x509_KEY.
as an aside, environment isn’t rendering. how do i get that to render?
[chef-repo]$ knife node show admin4.dev.nosopa.com | grep ^Env
Environment: dev
i’m setting the values for AWS_x509_CERT and AWS_x509_KEY in this attributes file:
chef-repo/site-cookbooks/aws-test/attributes/default.rb looks like so:
default[:aws_x509_cert_path] = "/etc/ec2/certs/servercert.pem"
default[:aws_x509_key_path] = "/etc/ec2/certs/privatekey.pem"
but these values aren’t rendering.
for the heck of it i’ve tried different syntactic styles, to no avail. are both of the below correct and equivalent?
export AWS_x509_CERT="<% node[:aws_x509_cert_path] %>"
export AWS_x509_KEY="<% node.aws_x509_key_path %>"
in the recipe, i tried setting these as variables within the template
resource, to no avail (see the note in the recipe).
and finally, the recipe that ties it together:
# Cookbook Name:: aws-test
# Recipe:: aws-creds
# TODO: pem files need to be distributed … in an encrypted data bag?
if node[:ec2][:userdata] =~ /-e dev/
  aws_creds = Chef::EncryptedDataBagItem.load("hush", "aws-creds-dev")
elsif node[:ec2][:userdata] =~ /-e prod/
  aws_creds = Chef::EncryptedDataBagItem.load("hush", "aws-creds-prod")
end
# TODO: is there a better way to determine which user ID to use?
if node[:ec2][:userdata] =~ /-r admin/
  grab_access = "ROOT_AWS_ACCESS_KEY_ID"
  grab_secret = "ROOT_AWS_SECRET_ACCESS_KEY"
  grab_user = "root"
else
  grab_access = "DORQ_AWS_ACCESS_KEY_ID"
  grab_secret = "DORQ_AWS_SECRET_ACCESS_KEY"
  grab_user = "dorq"
end
grab_account = "AWS_ACCOUNT_ID"
directory "/etc/ec2" do
  action :create
  mode 0700
  owner "root"
  group "root"
end
directory "/etc/ec2/certs" do
  action :create
  mode 0700
  owner "root"
  group "root"
end
template "/etc/ec2/credz" do
  source "aws-creds.erb"
  mode 0600
  owner "root"
  group "root"
  variables(:aws_access_key_id => aws_creds["#{grab_access}"],
            :aws_secret_access_key => aws_creds["#{grab_secret}"],
            :aws_account_id => aws_creds["#{grab_account}"],
            :grab_user => "#{grab_user}")
end
i also tried placing these within the above variable set:
:aws_x509_cert_path => node[:aws_x509_cert_path],
:aws_x509_key_path => node[:aws_x509_key_path],
then tried accessing them in the template like so, but to no avail:
export AWS_x509_CERT="<% @aws_x509_cert_path %>"
export AWS_x509_KEY="<% @aws_x509_key_path %>"
thanks!
kallen
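Added example (not part of kallen's post or the aws-test cookbook): the template above, rewritten so every value that must land in the file uses an ERB output tag (`<%= %>`), rendered through plain Ruby ERB against a stand-in node object. The two tag forms in the post behave differently: `<% %>` evaluates the Ruby inside and emits nothing, which is why `AWS_x509_CERT` and `AWS_x509_KEY` rendered as empty strings even once the attribute path was right; `<%= %>` emits the value. The environment line uses `node.chef_environment`, which is the node's environment as Chef exposes it. The `FakeNode` and `TemplateContext` classes are test doubles that imitate how Chef's template resource exposes `node` and the `variables(...)` hash to a template; they are assumptions of this example, not Chef API. The credential strings and hostname are constructed placeholders.

```ruby
require 'erb'

# Stand-in for Chef's node object: supports node[:attr] and node.chef_environment.
# Test double for this example only, not Chef::Node.
class FakeNode
  def initialize(attrs, environment)
    @attrs = attrs
    @environment = environment
  end

  def [](key)
    @attrs[key]
  end

  def chef_environment
    @environment
  end
end

# Imitates what Chef's template resource gives an ERB file: a `node` method plus
# one instance variable per entry of `variables(...)`. Assumption of this example.
class TemplateContext
  attr_reader :node

  def initialize(node, variables)
    @node = node
    variables.each { |name, value| instance_variable_set("@#{name}", value) }
  end

  def render(template_text)
    ERB.new(template_text).result(binding)
  end
end

# Corrected template: <%= %> outputs a value; <% %> evaluates and prints nothing.
CREDS_TEMPLATE = <<~'TEMPLATE'
  #!/bin/bash
  # Generated by Chef for <%= node[:fqdn] %>
  # Environment: <%= node.chef_environment %>
  # User: <%= @grab_user %>
  export AWS_ACCESS_KEY_ID="<%= @aws_access_key_id %>"
  export AWS_SECRET_ACCESS_KEY="<%= @aws_secret_access_key %>"
  export AWS_x509_CERT="<%= node[:aws_x509_cert_path] %>"
  export AWS_x509_KEY="<%= node[:aws_x509_key_path] %>"
  export AWS_ACCOUNT_ID="<%= @aws_account_id %>"
TEMPLATE

# The tag form from the original post, kept side by side with the fixed form.
BROKEN_LINE = 'export AWS_x509_CERT="<% node[:aws_x509_cert_path] %>"'
FIXED_LINE  = 'export AWS_x509_CERT="<%= node[:aws_x509_cert_path] %>"'

# Constructed node data: the attribute values from attributes/default.rb in the
# post, a placeholder fqdn, and the environment knife reported.
def sample_node
  FakeNode.new(
    { fqdn: 'admin4.dev.nosopa.com',
      aws_x509_cert_path: '/etc/ec2/certs/servercert.pem',
      aws_x509_key_path: '/etc/ec2/certs/privatekey.pem' },
    'dev'
  )
end

# Constructed stand-ins for what the encrypted data bag item would supply.
def sample_variables
  { aws_access_key_id: 'AKIAEXAMPLEKEY',
    aws_secret_access_key: 'EXAMPLESECRET',
    aws_account_id: '7776-6666-5150',
    grab_user: 'root' }
end

def render_creds(node = sample_node, variables = sample_variables)
  TemplateContext.new(node, variables).render(CREDS_TEMPLATE)
end

def render_line(line, node = sample_node)
  TemplateContext.new(node, {}).render(line)
end

if $PROGRAM_NAME == __FILE__
  puts "broken tag: #{render_line(BROKEN_LINE)}"
  puts "fixed tag:  #{render_line(FIXED_LINE)}"
  puts render_creds
end
```

Run it as a script and the broken line prints `export AWS_x509_CERT=""` while the fixed line prints the path, matching the empty values in the post's rendered file. Note that the cert and key paths are not secrets, so keeping them in attributes is fine; only the PEM contents and the access keys need the encrypted data bag and the 0600 file mode.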