How do I access Chef data_bags in InSpec

I am writing InSpec tests for some new Chef recipes I am working on. I would like to utilise the data_bags used by the cookbooks to iterate through the data bag items. I can't figure out how to access them in my InSpec tests! The recipes are using the search, data_bag and data_bag_item methods. But these methods don't appear to be available in my InSpec test. I suspect these are Chef DSL specific methods? The source for the data_bags is under source control so I have access to the json for them on my local file system.

How do I access these data_bags in Chef_zero using InSpec syntax?

I found a couple of examples online but I don't see how the data_bags are actually loaded by chef_zero so that they can be used in the tests e.g. https://github.com/charlesjohnson/fundamentals-with-tests/blob/master/chef-repo/cookbooks/users/test/integration/default/serverspec/default_spec.rb and https://github.com/chef/chef/blob/master/kitchen-tests/test/integration/webapp/default_spec.rb

I am using a Windows server 2012R2 box on a Vagrant test-kitchen. This is an example of a data bag item from one of the data bags:

{
  "User": "mcummins",
  "FullName": "Martin Cummins",
  "id": "mcummins"
}

This particular data bag lists Windows Active Directory users added to the administrators group.

I have set the data_bag_path in my .kitchen.yml (I set it in suites and provisioner) but I haven't got to a point where I can see which one is correct:

---
driver:
  name: vagrant
  customize:
   natdnshostresolver1: "on"

provisioner:
  name: chef_zero
  data_bags_path: ../../../data_bags
#  client_rb:
#    audit_mode: :audit_only

verifier:
  name: inspec

platforms:
   - name: mwrock/Windows2012R2
     transport:
      name: winrm

suites:
  - name: default
    data_bags_path: ../../../data_bags
    run_list:
      - recipe[SPMWindowsBuilder::default]
    verifier:
      inspec_tests:
        - test/integration
    attributes:
Triviality answered 2/11, 2016 at 9:29 Comment(2)
inspec.io/docs/reference/ruby_usage might help you out. - Droughty
Thanks, that looks like what I need. I had hoped there was a more straightforward way. - Triviality

This is not possible. InSpec runs totally separately from Chef and has nothing to do with Chef internally. You would have to write the bag items as files from the Chef side and then read them in via your InSpec code, which would be tricky, something like this perhaps (untested):

require 'json'
item = JSON.parse(command('cat /tmp/item.json').stdout)
Ozmo answered 18/11, 2016 at 16:19 Comment(2)
Thanks coderanger, I had expected it would be different as the approach used uses the Chef DSL. Will try your suggestion, thanks! - Triviality
@Ozmo Why do you suggest to use command and not ruby native IO.read? - Precarious
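
An added example, not part of the original answers or of InSpec itself: the question says the data bag JSON is available on the local file system, and InSpec control files are Ruby evaluated on the machine that runs InSpec, so the items can be parsed straight from the checkout. The helper names, the second sample item and the `data_bags/admins` path are assumptions for illustration.

```ruby
require 'json'
require 'tmpdir'

# Load every item of one data bag from a local chef-repo checkout.
# bag_dir is the directory that holds the bag's <id>.json files.
def load_data_bag_items(bag_dir)
  Dir.glob(File.join(bag_dir, '*.json')).sort.map do |path|
    item = JSON.parse(File.read(path))
    raise ArgumentError, "#{path}: item is not a JSON object" unless item.is_a?(Hash)
    raise ArgumentError, "#{path}: missing \"id\"" unless item['id'].is_a?(String)
    # Encrypted items store each value as a hash with an "encrypted_data" key.
    # They cannot be read without the secret, so fail loudly instead of
    # comparing ciphertext in a test.
    if item.any? { |_key, value| value.is_a?(Hash) && value.key?('encrypted_data') }
      raise ArgumentError, "#{path}: encrypted data bag item"
    end
    item
  end
end

# Constructed sample data in the shape shown in the question.
def write_sample_bag(dir)
  [{ 'User' => 'mcummins', 'FullName' => 'Martin Cummins', 'id' => 'mcummins' },
   { 'User' => 'jdoe', 'FullName' => 'Jane Doe', 'id' => 'jdoe' }].each do |item|
    File.write(File.join(dir, "#{item['id']}.json"), JSON.generate(item))
  end
end

if __FILE__ == $PROGRAM_NAME
  Dir.mktmpdir do |dir|
    write_sample_bag(dir)
    load_data_bag_items(dir).each { |item| puts "#{item['id']}: #{item['User']}" }
  end
end

# Assumed use in an InSpec control file (bag path is a placeholder):
#   load_data_bag_items('data_bags/admins').each do |item|
#     describe group('Administrators') do
#       its('members') { should include item['User'] }
#     end
#   end
```

Reading the files with Ruby uses the workstation's copy of the data bags, while `command(...)` reads whatever is on the target node.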

There are many ways to execute inspec -- local, SSH, WinRM, or Docker -- and it isn't clear from the question how you execute inspec.

Assuming that:

  1. you execute inspec locally on a node connected to the chef server (install inspec on the node itself and then invoke it)
  2. the node holds the client configuration (assuming it is located in /etc/chef/client.rb), client key and the encrypted data bag secret key
  3. the inspec embedded ruby has the chef rubygem installed. Here is a hint:

    $ /opt/inspec/embedded/bin/gem install chef

Then you can use inspec to read the data bag content by using ruby.

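require 'chef'

# Load the client configuration so the Chef server URL and client key are known
Chef::Config.from_file '/etc/chef/client.rb'
# DataBagItem.load takes the data bag name and the item id (placeholders here)
item = Chef::DataBagItem.load('data_bag_name', 'item_id')
value = item['key']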
Geny answered 17/1, 2019 at 9:5 Comment(0)
