chef provisioning recipe to make AWS security groups, how to run from server vs chef client

Question

I need to keep track of my AWS security groups better.

The recipes that use chef/provisioning/aws_driver would let me make recipes per SG and track IPs added/etc.

I can run them just fine locally with chef-client -z -r

What I really want is to upload the cookbook to my chef server and run it any time I need to change a SG. But chef seems to require recipes apply to nodes, not to AWS cloudiness.

Basically I want to run chef-client from my workstation and have it execute a cookbook that doesn't impact any running servers, or create them, but rather hits AWS and converges the resources specified.

Answer 1

If you create a client.rb for your workstation with the chef server URL and keys:

chef_server_url "http://servername/organizations/myorg"
validation_key  "path/to/validation/key"
client_key      "path/to/client/key"

you should be able to run provisioning recipes that have been uploaded to the server. Eg if they're in a 'provisioning' cookbook:

chef-client -c client.rb -o provisioning::myrecipe

Answer 2

You probably want to create a provisioning node. Chef Server is essentially a glorified database and isn't intended to be an active controller. There is Chef Push Jobs, but even that is pushing to nodes.

Instead, create a node that is essentially a proxy for the resource that can't run chef client itself, and have that run chef client as a CRON service. Of course you don't need to create a separate node for every resource, one node can easily manage many of them. If you have a very large number you might have to start partitioning these resources. Or you might partition for security causes.

If everything is a declarative resource that behaves idempotently (as all good Chef things should be), then you can have two nodes with the same recipes to provide redundancy.