I was just wondering if someone is running Chef in "pure infrastructure-as-code" mode (couldn't find a better term), i.e. all changes to your infrastructure are done via git only, so that you can trace whatever has been done in 'git log'.
My first naive thought was to keep the Chef Server API port firewalled so that it is not accessible from the outside, then add an after-commit hook to the chef repo (assuming it runs on the Chef Server node) which runs 'rake install' after each commit.
I'm pretty sure this will not work for any cookbooks using search or databags, so I would rather have to keep the Chef Server API port open and use some other means to ensure no modifying operations via the Chef Server API.
As for the after-commit hook, I'm not sure whether 'rake install' in the chef repo (or the backend side) would be smart enough to not introduce lots of artificial changes (guess it would re-upload _all_ cookbooks, roles, databags, nodes, etc even if I change only a tiny bit in a single node json).
Does an approach like that make any sense at all? Or is it against the intended use of Chef?
How else can you get tracability of what has been changed in your infrastructure (e.g. something like 'knife log' or 'knife diff'?
How do you make sure that the state in your chef repo is in sync with the Chef Server?
Please help, I'm confused :-)
Archive powered by MHonArc 2.6.16.