Config file rendering shows plain-text password in diff

[rmoriz]

Currently, each monitor template will throw a diff when converged which includes, e.g. the password in plain text (chef's default).

eg

   --- /etc/dd-agent/conf.d/postgres.yaml   2015-02-06 11:46:53.198260001 +0000
    +++ /tmp/chef-rendered-template20150219-19830-11k7o7q   2015-02-19 13:43:20.518260002 +0000
    @@ -5,6 +5,6 @@
       - host: localhost
         port: 5432
         username: datadog
    -    password: 
    +    password: secretpassphrase
         dbname: postgres

Please consider using sensitive true as resource option. See https://docs.chef.io/resource_common.html

[miketheman]

@rmoriz That's a really good idea! I looked a bit, and that was introduced in Chef 11.10.0.
Since we still support Chef 10.x, and don't want to break backwards functionality, we could wrap the parameter in a case where we only set it for versions higher than when the parameter was introduced.

Something like:

chef > min_ver = Chef::Version.new('11.10.0')
 => 11.10.0
chef > current_ver = Chef::Version.new(Chef::VERSION)
 => 11.16.4
chef > current_ver > min_ver
 => true

How does that sound?

[rmoriz]

How about:

template "…" do
  sensitive true if respond_to?(:sensitive)
end

It's the way the Chef people recommend it, e.g. in this case: https://www.chef.io/blog/2015/02/17/chef-12-1-0-chef_gem-resource-warnings/

[miketheman]

That sounds even better!

[miketheman]

Going to slot this change for Next Major, as the behavior would likely apply unilaterally to all templates generated by the datadog_monitor resource, and this might change expected behaviors.

[PurrBiscuit]

+1 for this...we use jenkins for our chef runs and it logs the output. any way to get that output suppressed from those templates would be great.

[poblahblahblah]

👍

[miketheman]

Resolved via #274.