Process:
1. Store the aws-kms-encrypted password in an array as a default attribute.
2. At run time, decrypt it using the credentials stored in the protected location .aws/creds.
3. Set the plaintext array back into the node array.
   - Parse the node array in the template.
   - Discard the plaintext password.
I am trying to reference, from another resource, the node.run_state variable that is set in a custom resource.
Custom resource:
resource_name :secrets_kms
default_action :decrypt

property :password, String, name_property: true
property :region, String, default: 'us-east-1'
property :nodevariable, String
property :path_to_secrets, [String, nil], default: nil

load_current_value do
  if ::File.exist?('/tmp/encryptedpassword')
    password IO.read('/tmp/encryptedpassword')
  end
end

# Setting up the default action to be decrypt
action :decrypt do
  file '/tmp/encryptedpassword' do
    content new_resource.password
    action :create
  end

  # Converge only if password is changed
  converge_if_changed :password do
    # Installs Chef Gem aws-sdk
    chef_gem 'aws-sdk' do
      compile_time true
    end
    # Require the installed aws-sdk plus the stdlib used below
    require 'aws-sdk'
    require 'base64'
    require 'yaml'
    # Detects platform: on Amazon Linux use the instance IAM role instead of keys
    if node['platform'] == 'amazon'
      kms = Aws::KMS::Client.new(region: new_resource.region)
    else
      # Loads secret file and connects using the access_key_id and secret_access_key provisioned at run time
      creds = YAML.safe_load(::File.read(new_resource.path_to_secrets))
      kms = Aws::KMS::Client.new(
        region: new_resource.region,
        access_key_id: creds['access_key_id'],
        secret_access_key: creds['secret_access_key']
      )
    end
    # Decode the Base64-encoded ciphertext back into raw bytes
    value = Base64.strict_decode64(new_resource.password)
    # Decrypt the ciphertext with KMS
    decrypted = kms.decrypt(ciphertext_blob: value)
    # Keep the plaintext in run_state only (in memory for this run, not saved to the Chef server),
    # under the key named by the nodevariable property
    node.run_state[new_resource.nodevariable] = decrypted.plaintext
  end
end
After this custom resource runs, I want it to update the default attribute to the plaintext value (it is part of an array), and then I want to pass this variable to a template resource.
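An added example (not code from the question) of the same flow generalized to several encrypted entries: the attribute hash carries only Base64 ciphertext, a KMS client decrypts each entry into an in-memory hash standing in for node.run_state, an ERB template consumes it, and the plaintext is dropped afterwards. A constructed FakeKms stands in for Aws::KMS::Client so it runs offline; decrypt_secrets, render_and_discard and the sample values are assumptions.

```ruby
require 'base64'
require 'erb'

# Constructed stand-in for Aws::KMS::Client so the example runs offline: it maps raw
# ciphertext bytes to plaintext. Production code passes Aws::KMS::Client.new(region: ...).
class FakeKms
  Response = Struct.new(:plaintext)

  def initialize(table)
    @table = table
  end

  def decrypt(ciphertext_blob:)
    Response.new(@table.fetch(ciphertext_blob) { raise ArgumentError, 'unknown ciphertext' })
  end
end

# Decrypt every entry of a Base64-encoded attribute hash the way the resource does for one
# password. The result is meant for node.run_state (in memory, never saved to the server).
def decrypt_secrets(encrypted, kms)
  encrypted.each_with_object({}) do |(name, b64), out|
    blob = Base64.strict_decode64(b64) # raises ArgumentError on malformed input
    out[name] = kms.decrypt(ciphertext_blob: blob).plaintext
  end
end

# Render the template from run_state, then delete the plaintext so it does not outlive the
# resource that needed it ("discard the plaintext password").
def render_and_discard(template, run_state, key)
  rendered = ERB.new(template).result_with_hash(secrets: run_state.fetch(key))
  run_state.delete(key)
  rendered
end

# Constructed sample data: the default attribute holds only ciphertext.
ENCRYPTED_ATTRS = {
  'db'  => Base64.strict_encode64('ct-db'),
  'api' => Base64.strict_encode64('ct-api')
}.freeze
KMS = FakeKms.new('ct-db' => 'hunter2', 'ct-api' => 'tok-123')

# Full flow: decrypt into run_state, render, discard. Returns [rendered text, run_state].
def demo
  run_state = { secrets: decrypt_secrets(ENCRYPTED_ATTRS, KMS) }
  template = "db=<%= secrets['db'] %>\napi=<%= secrets['api'] %>\n"
  [render_and_discard(template, run_state, :secrets), run_state]
end
```

In a real recipe the template resource's variables must be wrapped in lazy { ... }, because run_state is filled at converge time while resource properties are evaluated at compile time. Unlike node attributes, run_state is never saved to the Chef server, which is why the plaintext belongs there and not in the default attribute.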