[chef] Re: AWS Security Groups

[Fabien Delpierre < >]

RE: data bags being encrypted on the Chef server and not on your local system, that's correct.
I should say that data bags themselves are not encrypted. There's no difference between a data bag and an encrypted data bag. It's the items within the data bag that are (or aren't) encrypted. Even though they're called "encrypted data bag".

If you find it a problem that what's in your local file system is not encrypted, then what you can do is upload your JSON file with the secret (as seen in your other thread I just replied to), then delete the file from your local file system, and if you want the encrypted file locally, then just download it from the Chef server, it'll be encrypted then.

On Sun, Nov 16, 2014 at 9:11 PM, Douglas Garstang < " target="_blank"> > wrote:

Is there a known public cookbook for creating AWS security groups? I don't know about the security implications, but I'd like to try having the recipes creating the necessary security groups. Otherwise, it's a major hassle to put them into a script. AFAIK chef-metal/provisioner doesn't do security groups yet.

This one https://github.com/SearchSpring/aws_security, wants to use encrypted data bags and, well, that's a pain. I'd prefer to use IAM roles were possible. I'd never noticed before, but it looks like encrypted data bags are only encrypted on the Chef server, not on the local file system? If so, what's the point?

Doug