Reputation: 2144
I'm writing a cookbook that deals with private keys. In case of anything going wrong, Chef dumps the whole resource to the log to show the end user what has happened. However, this would print the private key to the log as well, and this is unacceptable. Is there any way to adopt the sensitive resource functionality to prevent sensitive data logging?
Upvotes: 2
Views: 2168
Reputation: 2144
It's always one Google query away:
As of Chef client 12.14, individual resource properties can be marked as sensitive: true, which suppresses the value of that property when exporting the resource’s state.
So to mark a specific property of a custom resource as sensitive, just add sensitive: true to the property definition:
resource_name :ssh_private_key
default_action :create
property :private_key, String, required: true, sensitive: true
#                                              ^^^^^^^^^^^^^^^
After that, output will be suppressed for that property:
ssh_private_key("invalid_passphrase") do
action [:create]
default_guard_interpreter :default
declared_type :ssh_private_key
cookbook_name "ama-ssh-private-keys-integration"
user "root"
private_key "*sensitive value suppressed*"
public_key "AAAAB3NzaC1yc2EAAAADAQABAAAAYQDCLY+8qnsrW/RrjDgz1b026hg9Lb78KV2c00sA4v6iSHVZoRKdnoIFr3dnWwV5Urt1U9fJJVy0fPLDWnAdYtI7U37k0GLpZhPS3ps/W9j1ZgslEQMQpvAD19yuJG/NXzk="
passphrase "*sensitive value suppressed*"
Upvotes: 6
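A check that can follow the answer above, as an added example that is not part of the original post or of Chef itself: it scans captured chef-client output for resource dumps in the format shown and reports any secret property whose value is not `*sensitive value suppressed*`, plus any PEM private key marker. The `audit_chef_log` helper, the `SECRET_PROPERTIES` list and both sample logs are constructed for illustration.

```ruby
# Added example (not from the original answer): audit chef-client output for
# resource dumps that still expose secret values.
SUPPRESSED  = '*sensitive value suppressed*'.freeze
PEM_PRIVATE = /-----BEGIN (?:[A-Z0-9]+ )*PRIVATE KEY-----/
# Assumption: property names this cookbook treats as secret.
SECRET_PROPERTIES = %w[private_key passphrase].freeze

Finding = Struct.new(:line_no, :resource, :property, :reason)

def audit_chef_log(text, secret_properties = SECRET_PROPERTIES)
  findings = []
  resource = nil
  text.each_line.with_index(1) do |line, no|
    stripped = line.strip
    # Dump header, e.g. ssh_private_key("invalid_passphrase") do
    if (m = stripped.match(/\A([a-z_]\w*)\("(.*)"\) do\z/))
      resource = "#{m[1]}[#{m[2]}]"
      next
    end
    resource = nil if stripped == 'end'
    # Property line inside a dump: name "value"
    prop = resource && stripped.match(/\A([a-z_]\w*)\s+"(.*)"\z/)
    if prop && secret_properties.include?(prop[1]) && prop[2] != SUPPRESSED
      findings << Finding.new(no, resource, prop[1], 'value not suppressed')
    elsif PEM_PRIVATE.match?(line)
      findings << Finding.new(no, resource, prop && prop[1], 'PEM private key marker')
    end
  end
  findings
end

# Constructed sample: dump as printed when the properties are marked sensitive.
GOOD_LOG = <<~LOG
  ssh_private_key("invalid_passphrase") do
    action [:create]
    user "root"
    private_key "*sensitive value suppressed*"
    passphrase "*sensitive value suppressed*"
  end
LOG

# Constructed sample: same resource without sensitive: true (values are fake).
BAD_LOG = <<~LOG
  ssh_private_key("invalid_passphrase") do
    user "root"
    private_key "-----BEGIN RSA PRIVATE KEY-----\\nCONSTRUCTED\\n"
    passphrase "constructed-passphrase"
  end
LOG

audit_chef_log(BAD_LOG).each { |f| puts "line #{f.line_no}: #{f.resource} #{f.property}: #{f.reason}" }
```

Run over the output of an integration test that deliberately fails the resource, an empty result shows the dump no longer carries the key or passphrase.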