
Procedure:

1. Store the aws-kms encrypted password in an array as a default attribute.
2. At run time, decrypt it using the credentials stored in the protected location .aws/creds.
3. Set the plaintext array back onto the node array.
4. Parse the node array in the template.
5. Discard the plaintext password.

I am trying to reference a node.run_state variable, set inside a custom resource, from another resource.

Custom resource:

resource_name :secrets_kms

property :password, String, name_property: true
property :region, String, default: 'us-east-1'
property :nodevariable, String
property :path_to_secrets, [String, nil], default: nil

# Make :decrypt the action that runs when the recipe names none
default_action :decrypt

load_current_value do
  if ::File.exist?('/tmp/encryptedpassword')
    password IO.read('/tmp/encryptedpassword')
  end
end

action :decrypt do
  # Persist the ciphertext so load_current_value can detect a change on later runs
  file '/tmp/encryptedpassword' do
    content new_resource.password
    action :create
  end

  # Converge only if the password has changed
  converge_if_changed :password do
    # Install the aws-sdk gem into Chef's embedded Ruby
    chef_gem 'aws-sdk' do
      compile_time true
    end

    # Standard-library dependencies used below, plus the SDK just installed
    require 'base64'
    require 'yaml'
    require 'aws-sdk'

    # Detect the platform: on Amazon Linux use the instance IAM role, otherwise use keys
    if node['platform'] == 'amazon'
      kms = Aws::KMS::Client.new(region: new_resource.region)
    else
      # Load the secrets file and connect using the access_key_id and
      # secret_access_key provisioned at run time
      creds = YAML.load(::File.read(new_resource.path_to_secrets))
      kms = Aws::KMS::Client.new(
        region: new_resource.region,
        access_key_id: creds['access_key_id'],
        secret_access_key: creds['secret_access_key']
      )
    end

    # The stored password is Base64 text; decode it to the raw ciphertext blob
    value = Base64.strict_decode64(new_resource.password)
    # Ask KMS to decrypt the ciphertext
    decrypted = kms.decrypt(ciphertext_blob: value)
    node.run_state[:nodevariable] = decrypted.plaintext
  end
end

After this custom resource has run, I want it to update the default attribute with the plaintext value (it is part of the array), and then I want to pass this variable to a template resource.
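The hand-off the question is asking about, as an added illustration that is not part of the original post and is not Chef itself: a small pure-Ruby model of Chef's two phases (the `Node` struct, the `Run` class and the ERB template are all constructed here) showing why a template whose `variables` read `node.run_state[:nodevariable]` directly get nil, why a deferred read in the style of Chef's `lazy {}` gets the decrypted value, and where step 5 (discarding the plaintext) fits.

```ruby
require 'erb'

# Constructed stand-in for a Chef node: run_state is a per-run Hash that is
# never saved to the Chef server, which is what makes it a reasonable home
# for a decrypted secret during a single run.
Node = Struct.new(:run_state)

# Minimal model of a Chef run (constructed for this example, not Chef):
# resource declarations are evaluated at compile time, their actions execute
# later at converge time, in declaration order.
class Run
  def initialize(node)
    @node = node
    @queue = []
  end

  # Stand-in for the question's secrets_kms resource: the "decryption" is
  # replaced by a constructed plaintext, written to run_state at converge.
  def secrets_kms(key, plaintext)
    @queue << -> { @node.run_state[key] = plaintext; nil }
  end

  # Stand-in for the template resource: `variables` is captured now
  # (compile time) but rendered only when the action runs (converge time).
  def template(erb, variables)
    @queue << -> { ERB.new(erb).result_with_hash(resolve(variables)) }
  end

  # Chef's lazy {} wraps a value in a DelayedEvaluator that is resolved when
  # the action executes; a Proc plays that role here.
  def resolve(variables)
    variables.transform_values { |v| v.is_a?(Proc) ? v.call : v }
  end

  # Executes the queued actions and returns each action's result.
  def converge
    @queue.map(&:call)
  end
end

CONFIG_ERB = "db_password=<%= secret %>\n" # constructed template

# Eager reference: run_state is read while the recipe is compiled, before
# secrets_kms has executed, so the template renders an empty value.
def render_eager
  node = Node.new({})
  run = Run.new(node)
  run.secrets_kms(:nodevariable, 'hunter2-plaintext') # constructed secret
  run.template(CONFIG_ERB, secret: node.run_state[:nodevariable]) # nil now
  run.converge.last
end

# Lazy reference: the Proc defers the read until the template action runs,
# by which time secrets_kms has populated run_state. Afterwards the plaintext
# is deleted from run_state (step 5 of the procedure).
def render_lazy
  node = Node.new({})
  run = Run.new(node)
  run.secrets_kms(:nodevariable, 'hunter2-plaintext')
  run.template(CONFIG_ERB, secret: -> { node.run_state[:nodevariable] })
  rendered = run.converge.last
  node.run_state.delete(:nodevariable)
  [rendered, node.run_state.key?(:nodevariable)]
end
```

In a real recipe the same idea is `template '/etc/app.conf' do ... variables(secret: lazy { node.run_state[:nodevariable] }) end`, declared after the `secrets_kms` resource so the decrypt action has already run when the template is rendered. Two things to keep in mind when mapping this onto the posted resource: it writes to the literal key `:nodevariable` regardless of what the `nodevariable` property is set to, so the template must read that key (or the resource should index `node.run_state` by the property value); and unlike `run_state`, anything written back into `node.default` as step 3 proposes becomes part of the node object that Chef saves to the server at the end of the run, so the plaintext would leave the box unless it is removed before that save.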
