{"id":23903264,"url":"https://github.com/chef-boneyard/chef-vault","last_synced_at":"2025-04-11T00:31:48.764Z","repository":{"id":10545514,"uuid":"12742787","full_name":"chef-boneyard/chef-vault","owner":"chef-boneyard","description":"chef-vault cookbook","archived":false,"fork":false,"pushed_at":"2021-08-26T21:58:17.000Z","size":169,"stargazers_count":60,"open_issues_count":10,"forks_count":53,"subscribers_count":15,"default_branch":"main","last_synced_at":"2025-03-24T21:13:03.138Z","etag":null,"topics":["chef","cookbook","data-bag","encryption","hacktoberfest","security"],"latest_commit_sha":null,"homepage":"https://supermarket.chef.io/cookbooks/chef-vault","language":"Ruby","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/chef-boneyard.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":".github/CODEOWNERS","security":null,"support":null}},"created_at":"2013-09-10T23:09:09.000Z","updated_at":"2025-01-14T04:13:46.000Z","dependencies_parsed_at":"2022-08-31T13:41:42.479Z","dependency_job_id":null,"html_url":"https://github.com/chef-boneyard/chef-vault","commit_stats":null,"previous_names":[],"tags_count":28,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/chef-boneyard%2Fchef-vault","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/chef-boneyard%2Fchef-vault/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/chef-boneyard%2Fchef-vault/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/chef-boneyard%2Fchef-vault/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub
/owners/chef-boneyard","download_url":"https://codeload.github.com/chef-boneyard/chef-vault/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248322219,"owners_count":21084333,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["chef","cookbook","data-bag","encryption","hacktoberfest","security"],"created_at":"2025-01-04T22:52:59.671Z","updated_at":"2025-04-11T00:31:48.743Z","avatar_url":"https://github.com/chef-boneyard.png","language":"Ruby","funding_links":[],"categories":[],"sub_categories":[],"readme":"# chef-vault Cookbook\n\n[![Build Status](https://travis-ci.org/chef-cookbooks/chef-vault.svg?branch=master)](https://travis-ci.org/chef-cookbooks/chef-vault) [![Cookbook Version](https://img.shields.io/cookbook/v/chef-vault.svg)](https://supermarket.chef.io/cookbooks/chef-vault)\n\nThis cookbook provides helper methods to load encrypted data bags that are in\nThe Vault. It also provides a resource that can be used to store secrets as\na Chef Vault item in a recipe.\n\nAs of version 4.0 of the cookbook, we no longer install the chef-vault\ngem as this is included in chef-client 13.4+.\n\nChef Vault is a library originally written by Nordstrom's infrastructure\noperations team that helps manage encrypted data bags.\n\n* https://github.com/chef/chef-vault\n\n## Deprecation\n\nThe chef-vault gem resources and helpers from this cookbook now ship natively in Chef Infra Client 16 and later. With this functionality now built in this cookbook is no longer receiving updates. 
Please upgrade to a release of Chef Infra Client with this functionality built in so you can remove this dependency from your infrastructure.\n\n## Requirements\n\nThis cookbook should work on any system/platform that is supported by\nChef Infra.\n\nThis cookbook is specifically tested on Ubuntu and CentOS platforms\nusing Test Kitchen. See `.kitchen.yml` for platforms and test suites.\n\n## Helper Methods\n\nThis cookbook provides a nice helper method for the Chef Recipe DSL so\nyou can write:\n\n    chef_vault_item(\"secrets\", \"dbpassword\")\n\nInstead of:\n\n    ChefVault::Item.load(\"secrets\", \"dbpassword\")\n\nThis has logic in place to fall back to using data bags if the desired item\nisn't encrypted. If the vault item fails to load because of missing vault\nmetadata (a `vaultname_keys` data bag), then `chef_vault_item` will attempt to\nload the specified item as a regular Data Bag Item with\n`Chef::DataBagItem.load`. This is intended to be used only for testing, and\nnot as a fall back to avoid issues loading encrypted items.\n\nThis cookbook also provides a handy wrapper if you are storing multiple\nenvironment settings within your encrypted items. Using the following\nhelper:\n```ruby\nitem = chef_vault_item_for_environment('secrets', 'passwords')\n```\n\nInstead of (or any equivalent expression):\n```ruby\nitem = chef_vault_item('secrets', 'passwords')[node.chef_environment]\n```\n\nIn addition, you can list the items in a vault using the `chef_vault()` method.\nIt is advised to use this method instead of `data_bag()`, because the latter\nreturns the keys in addition to the items themselves. This method prevents you\nfrom having to parse out the keys.\n```ruby\nitems = chef_vault('secrets')\nitem = chef_vault_item('secrets', items[0])\n```\n\n## Attributes\n\n* `node['chef-vault']['version']` - Specify a version of the\n  chef-vault gem if required. 
Default is `~\u003e 2.2`, as that version was\n  used for testing.\n\n## Resources\n\n### chef_vault_secret\n\nThe `chef_vault_secret` resource can be used in recipes to store\nsecrets in Chef Vault items. Where possible and relevant, this\nresource attempts to map behavior and functionality to the `knife\nvault` sub-commands.\n\n#### Actions\n\nThe actions generally map to the `knife vault` sub-commands, with an\nexception that `create` does an update, because the resource enforces\ndeclarative state. To get the `knife vault create` behavior, use\n`create_if_missing`.\n\n* `:create` - *Default action*. Creates the item, or updates it if it\n  already exists.\n* `:create_if_missing` - Calls the `create` action unless it exists.\n* `:delete` - Deletes the item *and* the item's keys (\"id\"_keys).\n\n#### Attributes\n\n* `id` - *Name attribute*. The name of the data bag item.\n* `data_bag` - *Required*. The data bag that contains the item.\n* `admins` - A list of admin users who should have access to the item.\n  Corresponds to the \"admin\" option when using the chef-vault knife\n  plugin. Can be specified as a comma separated string or an array.\n  See examples, below.\n* `clients` - A search query for the nodes' API clients that should\n  have access to the item.\n* `search` - Search query that would match the same used for the\n  clients, gets stored as a field in the item.\n* `raw_data` - The raw data, as a Ruby Hash, that will be stored in\n  the item. 
See examples, below.\n\nAt least one of `admins` or `clients` should be specified, otherwise\nnothing will have access to the item.\n\n#### Examples\n\nFrom the test cookbook embedded in this repository.\n\n```ruby\nchef_vault_secret 'clean-energy' do\n  data_bag 'green'\n  raw_data({'auth' =\u003e 'Forged in a mold'})\n  admins 'hydroelectric'\n  search '*:*'\nend\n```\n\nAssuming that the `green` data bag exists, this will create the\n`clean-energy` item as a ChefVault encrypted item, which also creates\n`clean-energy_keys` that has the list of admins, clients, and the\nshared secrets. For example, the content looks like this in plaintext:\n\n```json\n{\n  \"id\": \"clean-energy\",\n  \"auth\": {\n    \"encrypted_data\": \"y+l7H4okLu4wisryCaIT+7XeAgomcdgFo3v3p6RKWnXvgvimdzjFGMUfdGId\\nq+pP\\n\",\n    \"iv\": \"HLr0uyy9BrieTDmS0TbbmA==\\n\",\n    \"version\": 1,\n    \"cipher\": \"aes-256-cbc\"\n  }\n}\n```\n\nAnd the encrypted data decrypted using the specified client:\n\n```sh\n$ knife vault show green clean-energy -z -u hydroelectric -k clients/hydroelectric.pem\nauth: Forged in a mold\nid:   clean-energy\n```\n\nAnother example, showing multiple admins allowed access to an item\nusing a comma-separated string, or an array:\n\n```ruby\nchef_vault_secret 'root-password' do\n  admins 'jtimberman,paulmooring'\n  data_bag 'secrets'\n  raw_data({'auth' =\u003e 'DontUseThisPasswordForRoot'})\n  search '*:*'\nend\nchef_vault_secret 'root-password' do\n  admins ['jtimberman', 'paulmooring']\n  data_bag 'secrets'\n  raw_data({'auth' =\u003e 'DontUseThisPasswordForRoot'})\n  search '*:*'\nend\n```\n\nInternally, the provider will convert the admins array to a\ncomma-delimited string.\n\nWhen using the `chef_vault_secret` resource, the `data_bag` must exist\nfirst. 
If it doesn't, you can create it in your recipe with a\n`ruby_block`:\n\n```ruby\nbegin\n  data_bag('secrets')\nrescue\n  ruby_block \"create-data_bag-secrets\" do\n    block do\n      Chef::DataBag.validate_name!('secrets')\n      databag = Chef::DataBag.new\n      databag.name('secrets')\n      databag.save\n    end\n    action :create\n  end\nend\n```\n\nOr, use the `cheffish` gem, which provides resources for Chef objects\n(nodes, roles, data bags, etc):\n\n```ruby\nchef_data_bag 'secrets'\n```\n\nNote that there is a bug in versions of cheffish prior to 0.5.beta.3.\nAlso, cheffish requires the `openssl-pkcs8` gem, which has C\nextensions, so openssl development headers and C build tools need to\nbe installed. To use this, you can create a recipe like the one in\nthe [test cookbook](test/fixtures/cookbooks/test/recipes/chef_vault_secret.rb).\n\n## Usage\n\nInclude the recipe before using the Chef Vault library in recipes.\n\n    include_recipe 'chef-vault'\n    secret_stuff = ChefVault::Item.load(\"secrets\", \"a_secret\")\n\nOr, use the helper library method:\n\n    secret_stuff = chef_vault_item(\"secrets\", \"a_secret\")\n\nIf you need a specific version of the `chef-vault` RubyGem, then\nspecify it with the attribute, `node['chef-vault']['version']`.\n\nTo use the `chef_vault_secret` resource in your cookbooks' recipes,\ndeclare a dependency on this cookbook, and then use the resource as\ndescribed in the Examples above.\n\n## Contributing\n\nThis repository contains a `CONTRIBUTING` file that describes the\ncontribution process for Chef cookbooks.\n\n## License and Authors\n\n- Author: Joshua Timberman \u003cjoshua@chef.io\u003e\n- Copyright (c) 2013-2019 Chef Software, Inc. 
\u003clegal@chef.io\u003e\n- Copyright (c) 2014, 2015 Bloomberg Finance L.P.\n\nLicense:: Apache License, Version 2.0\n\nLicensed under the Apache License, Version 2.0 (the \"License\");\nyou may not use this file except in compliance with the License.\nYou may obtain a copy of the License at\n\n   http://www.apache.org/licenses/LICENSE-2.0\n\nUnless required by applicable law or agreed to in writing, software\ndistributed under the License is distributed on an \"AS IS\" BASIS,\nWITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\nSee the License for the specific language governing permissions and\nlimitations under the License.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fchef-boneyard%2Fchef-vault","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fchef-boneyard%2Fchef-vault","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fchef-boneyard%2Fchef-vault/lists"}