2015-05-08 13:45:31 +02:00
---
layout: "docs"
2015-05-08 23:25:24 +02:00
page_title: "Provisioner: chef"
sidebar_current: "docs-provisioners-chef"
2015-05-08 13:45:31 +02:00
description: |-
2016-10-09 16:46:31 +02:00
The `chef` provisioner installs, configures and runs the Chef client on a resource.
2015-05-08 13:45:31 +02:00
---
2015-05-08 23:25:24 +02:00
# Chef Provisioner
2015-05-08 13:45:31 +02:00
2017-04-05 17:29:27 +02:00
The `chef` provisioner installs, configures and runs the Chef Client on a remote
resource. The `chef` provisioner supports both `ssh` and `winrm` type
[connections ](/docs/provisioners/connection.html ).
2015-05-08 23:25:24 +02:00
2019-09-06 00:50:04 +02:00
-> **Note:** Provisioners should only be used as a last resort. For most
common situations there are better alternatives. For more information, see
[the main Provisioners page ](./ ).
2015-05-08 23:25:24 +02:00
## Requirements
2016-10-09 16:46:31 +02:00
The `chef` provisioner has some prerequisites for specific connection types:
2018-05-14 01:59:18 +02:00
* For `ssh` type connections, `cURL` must be available on the remote host.
* For `winrm` connections, `PowerShell 2.0` must be available on the remote host.
2016-10-09 16:46:31 +02:00
2019-09-09 20:03:39 +02:00
[Chef end user license agreement ](https://www.chef.io/end-user-license-agreement/ ) must be accepted by setting `chef_license` to `accept` in `client_options` argument unless you are installing an old version of Chef client.
2016-10-09 16:46:31 +02:00
Without these prerequisites, your provisioning execution will fail.
2015-05-08 13:45:31 +02:00
## Example usage
2017-04-05 17:29:27 +02:00
```hcl
2015-05-08 13:45:31 +02:00
resource "aws_instance" "web" {
2017-02-18 23:48:50 +01:00
# ...
2017-04-05 17:29:27 +02:00
2017-02-18 23:48:50 +01:00
provisioner "chef" {
2019-03-21 00:52:01 +01:00
attributes_json = < < EOF
2017-04-05 17:29:27 +02:00
{
"key": "value",
"app": {
"cluster1": {
"nodes": [
"webserver1",
"webserver2"
]
}
2015-05-08 13:45:31 +02:00
}
2017-04-05 17:29:27 +02:00
}
EOF
2017-02-18 23:48:50 +01:00
environment = "_default"
2019-09-09 20:03:39 +02:00
client_options = ["chef_license 'accept'"]
2017-02-18 23:48:50 +01:00
run_list = ["cookbook::recipe"]
node_name = "webserver1"
secret_key = "${file("../encrypted_data_bag_secret")}"
server_url = "https://chef.company.com/organizations/org1"
recreate_client = true
user_name = "bork"
user_key = "${file("../bork.pem")}"
2020-04-30 14:04:54 +02:00
version = "15.10.13"
2017-10-24 23:47:42 +02:00
# If you have a self signed cert on your chef server change this to :verify_none
ssl_verify_mode = ":verify_peer"
2020-04-30 14:04:54 +02:00
# Gracefully handle Chef upgrades, reboots, etc.
retry_on_exit_code = [35, 213]
2017-02-18 23:48:50 +01:00
}
2015-05-08 13:45:31 +02:00
}
```
## Argument Reference
The following arguments are supported:
2016-02-09 11:11:46 +01:00
* `attributes_json (string)` - (Optional) A raw JSON string with initial node attributes
2018-05-14 01:59:18 +02:00
for the new node. These can also be loaded from a file on disk using
[the `file` function ](/docs/configuration/functions/file.html ).
2015-05-08 13:45:31 +02:00
2018-03-20 12:16:17 +01:00
* `channel (string)` - (Optional) The Chef Client release channel to install from. If not
set, the `stable` channel will be used.
2016-01-09 00:42:02 +01:00
* `client_options (array)` - (Optional) A list of optional Chef Client configuration
2016-10-09 16:46:31 +02:00
options. See the [Chef Client ](https://docs.chef.io/config_rb_client.html ) documentation
for all available options.
2016-01-09 00:42:02 +01:00
2016-10-09 16:46:31 +02:00
* `disable_reporting (boolean)` - (Optional) If `true` the Chef Client will not try to send
reporting data (used by Chef Reporting) to the Chef Server (defaults to `false` ).
2016-01-09 00:42:02 +01:00
2015-05-08 13:45:31 +02:00
* `environment (string)` - (Optional) The Chef environment the new node will be joining
2016-10-09 16:46:31 +02:00
(defaults to `_default` ).
2015-05-08 13:45:31 +02:00
2016-10-09 16:46:31 +02:00
* `fetch_chef_certificates (boolean)` (Optional) If `true` the SSL certificates configured
on your Chef Server will be fetched and trusted. See the knife [ssl_fetch ](https://docs.chef.io/knife_ssl_fetch.html )
2016-02-04 15:31:24 +01:00
documentation for more details.
2016-10-09 16:46:31 +02:00
* `log_to_file (boolean)` - (Optional) If `true` , the output of the initial Chef Client run
2015-05-08 13:45:31 +02:00
will be logged to a local file instead of the console. The file will be created in a
subdirectory called `logfiles` created in your current directory. The filename will be
the `node_name` of the new node.
2016-12-01 19:42:36 +01:00
* `use_policyfile (boolean)` - (Optional) If `true` , use the policy files to bootstrap the
node. Setting `policy_group` and `policy_name` are required if this is `true` . (defaults to
`false` ).
* `policy_group (string)` - (Optional) The name of a policy group that exists on the Chef
server. Required if `use_policyfile` is set; `policy_name` must also be specified.
* `policy_name (string)` - (Optional) The name of a policy, as identified by the `name`
setting in a Policyfile.rb file. Required if `use_policyfile` is set; `policy_group`
must also be specified.
2015-05-08 13:45:31 +02:00
* `http_proxy (string)` - (Optional) The proxy server for Chef Client HTTP connections.
* `https_proxy (string)` - (Optional) The proxy server for Chef Client HTTPS connections.
2020-04-30 14:04:54 +02:00
* `max_retries (integer)` - (Optional) The number of times to retry the provisioning process after receiving an exit code in the `retry_on_error` list. Defaults to `1`
2017-01-19 09:03:45 +01:00
* `named_run_list (string)` - (Optional) The name of an alternate run-list to invoke during the
initial Chef Client run. The run-list must already exist in the Policyfile that defines
`policy_name` . Only applies when `use_policyfile` is `true` .
2015-05-08 13:45:31 +02:00
* `no_proxy (array)` - (Optional) A list of URLs that should bypass the proxy.
* `node_name (string)` - (Required) The name of the node to register with the Chef Server.
2015-06-25 15:48:54 +02:00
* `ohai_hints (array)` - (Optional) A list with
[Ohai hints ](https://docs.chef.io/ohai.html#hints ) to upload to the node.
2015-06-25 14:29:48 +02:00
* `os_type (string)` - (Optional) The OS type of the node. Valid options are: `linux` and
2016-10-09 16:46:31 +02:00
`windows` . If not supplied, the connection type will be used to determine the OS type (`ssh`
2015-09-11 20:56:20 +02:00
will assume `linux` and `winrm` will assume `windows` ).
2015-06-25 14:29:48 +02:00
2016-10-09 16:46:31 +02:00
* `prevent_sudo (boolean)` - (Optional) Prevent the use of the `sudo` command while installing, configuring
2015-05-08 13:45:31 +02:00
and running the initial Chef Client run. This option is only used with `ssh` type
[connections ](/docs/provisioners/connection.html ).
2016-10-09 16:46:31 +02:00
* `recreate_client (boolean)` - (Optional) If `true` , first delete any existing Chef Node and
2016-09-15 14:20:18 +02:00
Client before registering the new Chef Client.
2020-04-30 14:04:54 +02:00
* `retry_on_error (list of integers)` - (Optional) The error codes upon which Terraform should gracefully retry the provisioning process. Intended for use with [Chef RFC062 codes. ](https://github.com/chef-boneyard/chef-rfc/blob/69a19f632cceffe965bafaad6765e3376068fd5b/rfc062-exit-status.md )
2017-01-19 09:03:45 +01:00
* `run_list (array)` - (Optional) A list with recipes that will be invoked during the initial
2015-05-08 13:45:31 +02:00
Chef Client run. The run-list will also be saved to the Chef Server after a successful
2017-01-19 09:03:45 +01:00
initial run. Required if `use_policyfile` is `false` ; ignored when `use_policyfile` is `true`
(see `named_run_list` to specify a run-list defined in a Policyfile).
2015-05-08 13:45:31 +02:00
2015-11-12 22:17:51 +01:00
* `secret_key (string)` - (Optional) The contents of the secret key that is used
2016-10-09 16:46:31 +02:00
by the Chef Client to decrypt data bags on the Chef Server. The key will be uploaded to the remote
2018-05-14 01:59:18 +02:00
machine. This can also be loaded from a file on disk using
[the `file` function ](/docs/configuration/functions/file.html ).
2015-07-09 16:12:56 +02:00
2015-05-08 13:45:31 +02:00
* `server_url (string)` - (Required) The URL to the Chef server. This includes the path to
the organization. See the example.
* `skip_install (boolean)` - (Optional) Skip the installation of Chef Client on the remote
2015-05-08 23:25:24 +02:00
machine. This assumes Chef Client is already installed when you run the `chef`
2015-05-08 13:45:31 +02:00
provisioner.
2016-09-29 15:37:48 +02:00
* `skip_register (boolean)` - (Optional) Skip the registration of Chef Client on the remote
2016-10-01 09:43:23 +02:00
machine. This assumes Chef Client is already registered and the private key (`client.pem`)
is available in the default Chef configuration directory when you run the `chef`
2016-09-29 15:37:48 +02:00
provisioner.
2016-10-09 16:46:31 +02:00
* `ssl_verify_mode (string)` - (Optional) Used to set the verify mode for Chef Client HTTPS
2017-10-24 23:47:42 +02:00
requests. The options are `:verify_none` , or `:verify_peer` which is default.
2015-05-08 13:45:31 +02:00
2016-10-09 16:46:31 +02:00
* `user_name (string)` - (Required) The name of an existing Chef user to register
the new Chef Client and optionally configure Chef Vaults.
2015-05-08 13:45:31 +02:00
2016-09-29 15:37:48 +02:00
* `user_key (string)` - (Required) The contents of the user key that will be used to
2018-05-14 01:59:18 +02:00
authenticate with the Chef Server. This can also be loaded from a file on disk using
[the `file` function ](/docs/configuration/functions/file.html ).
2015-05-08 13:45:31 +02:00
2016-10-09 16:46:31 +02:00
* `vault_json (string)` - (Optional) A raw JSON string with Chef Vaults and Items to which the new node
2018-05-14 01:59:18 +02:00
should have access. These can also be loaded from a file on disk using
[the `file` function ](/docs/configuration/functions/file.html ).
2016-09-15 14:20:18 +02:00
2015-05-08 13:45:31 +02:00
* `version (string)` - (Optional) The Chef Client version to install on the remote machine.
2016-10-09 16:46:31 +02:00
If not set, the latest available version will be installed.
2020-04-30 14:04:54 +02:00
* `wait_for_retry (integer)` - (Optional) - Amount of time in seconds to wait before retrying the provisionining process after receiving an exit code in the `retry_on_error` list. Defaults to `30` .