Variables not rendering in a chef template


#1

hiya. i’m having some trouble with rendering some variables in a chef
template. not only do i need help on this specific problem, but i’d also
appreciate feedback on my style of solving the issue of distributing ec2
credentials in a secure, elegant manner.

there are 2 kinds of items i want to render in the template: one comes
from an encrypted data bag, the other comes from an attributes setting.
it’s the latter that is giving me fits.

first, the template looks like so:

#!/bin/bash

# Generated by Chef for <%= node[:fqdn] %>

# Environment: <%= node[:environment] %> … <-- blank til i fix it

# User: <%= @grab_user %>

export AWS_ACCESS_KEY_ID="<%= @aws_access_key_id %>"
export AWS_SECRET_ACCESS_KEY="<%= @aws_secret_access_key %>"
export AWS_x509_CERT="<% node[:aws][:aws_x509_cert_path] %>"
export AWS_x509_KEY="<% node.aws.aws_x509_key_path %>"
export AWS_ACCOUNT_ID="<%= @aws_account_id %>"

the rendered file looks like this:

[root@admin4-dev ]# cat /etc/ec2/credz
#!/bin/bash

# Generated by Chef for admin4.dev.nosopa.com

# Environment: … <-- blank til i fix it

# User: root

export AWS_ACCESS_KEY_ID="rootaccesskeyderpderpderp"
export AWS_SECRET_ACCESS_KEY="rootsecretkeyderpderpderp"
export AWS_x509_CERT=""
export AWS_x509_KEY=""
export AWS_ACCOUNT_ID="7776-6666-5150"

missing are values for AWS_x509_CERT and AWS_x509_KEY.

as an aside, environment isn’t rendering. how do i get that to render?

[chef-repo]$ knife node show admin4.dev.nosopa.com | grep ^Env
Environment: dev

i’m setting the values for AWS_x509_CERT and AWS_x509_KEY in this attributes file:

chef-repo/site-cookbooks/aws-test/attributes/default.rb looks like so:
default[:aws_x509_cert_path] = "/etc/ec2/certs/servercert.pem"
default[:aws_x509_key_path] = "/etc/ec2/certs/privatekey.pem"

but these values aren’t rendering.

for the heck of it i’ve tried different syntactic styles, to no avail. are both of the below correct and equivalent?

export AWS_x509_CERT="<% node[:aws_x509_cert_path] %>"
export AWS_x509_KEY="<% node.aws_x509_key_path %>"

in the recipe, i tried setting these as variables within the template
resource, to no avail (see the note in the recipe).

and finally, the recipe that ties it together:

# Cookbook Name:: aws-test
# Recipe:: aws-creds

# TODO: pem files need to be distributed … in an encrypted data bag?

if node[:ec2][:userdata] =~ /-e dev/
  aws_creds = Chef::EncryptedDataBagItem.load("hush","aws-creds-dev")
elsif node[:ec2][:userdata] =~ /-e prod/
  aws_creds = Chef::EncryptedDataBagItem.load("hush","aws-creds-prod")
end

# TODO: is there a better way to determine which user ID to use?

if node[:ec2][:userdata] =~ /-r admin/
  grab_access = "ROOT_AWS_ACCESS_KEY_ID"
  grab_secret = "ROOT_AWS_SECRET_ACCESS_KEY"
  grab_user = "root"
else
  grab_access = "DORQ_AWS_ACCESS_KEY_ID"
  grab_secret = "DORQ_AWS_SECRET_ACCESS_KEY"
  grab_user = "dorq"
end
grab_account = "AWS_ACCOUNT_ID"

directory "/etc/ec2" do
  action :create
  mode 0700
  owner "root"
  group "root"
end

directory "/etc/ec2/certs" do
  action :create
  mode 0700
  owner "root"
  group "root"
end

template "/etc/ec2/credz" do
  source "aws-creds.erb"
  mode 0600
  owner "root"
  group "root"
  variables(:aws_access_key_id => aws_creds["#{grab_access}"],
            :aws_secret_access_key => aws_creds["#{grab_secret}"],
            :aws_account_id => aws_creds["#{grab_account}"],
            :grab_user => "#{grab_user}")
end

i also tried placing these within the above variable set:

:aws_x509_cert_path => node[:aws_x509_cert_path],

:aws_x509_key_path => node[:aws_x509_key_path],

then tried accessing them in the template like so, but to no avail:

export AWS_x509_CERT="<% @aws_x509_cert_path %>"

export AWS_x509_KEY="<% @aws_x509_key_path %>"

thanks!
kallen


#2

On Thu, Jan 5, 2012 at 7:03 PM, kallen@groknaut.net wrote:

export AWS_x509_CERT="<% node[:aws][:aws_x509_cert_path] %>"
export AWS_x509_KEY="<% node.aws.aws_x509_key_path %>"

These 2 lines are missing the equals character in “<%=”

The environment can be accessed off of the node with node.chef_environment.

Thanks,
Matt Ray
Senior Technical Evangelist | Opscode Inc.
matt@opscode.com | (512) 731-2218
Twitter, IRC, GitHub: mattray
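
The tag difference pointed out above, as an added example that is not part of the original thread: it renders a two-line constructed template with Ruby's standard-library ERB (a stand-in for Chef's template renderer), then shows two checks that catch the problem before a credentials file ships with empty values. The `NODE` hash, the helper names and the lint heuristic are assumptions made for illustration.

```ruby
require "erb"

# Constructed stand-in for Chef node attributes (a plain Hash, not a Chef::Node).
NODE = { aws_x509_cert_path: "/etc/ec2/certs/servercert.pem",
         aws_x509_key_path:  "/etc/ec2/certs/privatekey.pem" }

# Constructed template: line 1 uses the silent tag from the post, line 2 the output tag.
TEMPLATE = <<~'TPL'
  export AWS_x509_CERT="<% node[:aws_x509_cert_path] %>"
  export AWS_x509_KEY="<%= node[:aws_x509_key_path] %>"
TPL

# Render with stdlib ERB; `node` is visible to the template through the binding.
def render(template, node)
  ERB.new(template).result(binding)
end

# Tag bodies that are control flow: a leading keyword, a trailing `do`, or a closing brace.
CONTROL = /\A\s*(if|unless|elsif|else|end|case|when|while|until|for|begin|rescue|ensure)\b|\bdo\b(\s*\|[^|]*\|)?\s*\z|\A\s*\}/

# Heuristic lint: 1-based line numbers of "<% ... %>" tags whose body is a bare
# expression (no control flow, no assignment), so "<%= ... %>" was probably intended.
def silent_expression_tags(template)
  hits = []
  template.each_line.with_index(1) do |line, n|
    line.scan(/<%(?![=#%])-?(.*?)-?%>/) do |(body)|
      next if body.match?(CONTROL)
      next if body.match?(/(?<![=!<>])=(?![=~])/) # assignment, e.g. <% x = 1 %>
      hits << n
    end
  end
  hits
end

# Post-render check: names of exported variables that rendered as empty strings.
def empty_exports(rendered)
  rendered.scan(/^export (\w+)=""$/).flatten
end

if __FILE__ == $PROGRAM_NAME
  out = render(TEMPLATE, NODE)
  puts out
  puts "silent tags on lines: #{silent_expression_tags(TEMPLATE).inspect}"
  puts "empty exports: #{empty_exports(out).inspect}"
end
```
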


#3

On Thu, 05 Jan 2012, Matt Ray wrote:

On Thu, Jan 5, 2012 at 7:03 PM, kallen@groknaut.net wrote:

export AWS_x509_CERT="<% node[:aws][:aws_x509_cert_path] %>"
export AWS_x509_KEY="<% node.aws.aws_x509_key_path %>"

These 2 lines are missing the equals character in “<%=”

::headdesk:: THANK YOU!

The environment can be accessed off of the node with node.chef_environment.