Use the macos_admin_control resource to require Admin level privileges to make system-wide changes
New in Chef Infra Client 1.0.
The full syntax for all of the properties that are available to the macos_admin_control resource is:
macos_admin_control 'name' do
action Symbol # defaults to :enable if not specified
endwhere:
macos_admin_control is the resource.name is the name given to the resource block.action identifies which steps Chef Infra Client will take to bring the node into the desired state.The macos_admin_control resource has the following actions:
:disable:enable:nothingThis resource does not have any properties.
Chef resources include common properties, notifications, and resource guards.
The following properties are common to every resource:
compile_timeRuby Type: true, false | Default Value: false
Control the phase during which the resource is run on the node. Set to true to run while the resource collection is being built (the compile phase). Set to false to run while Chef Infra Client is configuring the node (the converge phase).
ignore_failureRuby Type: true, false, :quiet | Default Value: false
Continue running a recipe if a resource fails for any reason. :quiet will not display the full stack trace and the recipe will continue to run if a resource fails.
retriesRuby Type: Integer | Default Value: 0
The number of attempts to catch exceptions and retry the resource.
retry_delayRuby Type: Integer | Default Value: 2
The delay in seconds between retry attempts.
sensitiveRuby Type: true, false | Default Value: false
Ensure that sensitive resource data is not logged by Chef Infra Client.
notifies Ruby Type: Symbol, 'Chef::Resource[String]'
A resource may notify another resource to take action when its state changes. Specify a 'resource[name]', the :action that resource should take, and then the :timer for that action. A resource may notify more than one resource; use a notifies statement for each resource to be notified.
If the referenced resource does not exist, an error is raised. In contrast, subscribes will not fail if the source resource is not found.
A timer specifies the point during a Chef Infra Client run at which a notification is run. The following timers are available:
:beforeSpecifies that the action on a notified resource should be run before processing the resource block in which the notification is located.
:delayedDefault. Specifies that a notification should be queued up, and then executed at the end of a Chef Infra Client run.
:immediate, :immediately
Specifies that a notification should be run immediately, per resource notified.
The syntax for notifies is:
notifies :action, 'resource[name]', :timer
subscribes Ruby Type: Symbol, 'Chef::Resource[String]'
A resource may listen to another resource, and then take action if the state of the resource being listened to changes. Specify a 'resource[name]', the :action to be taken, and then the :timer for that action.
Note that subscribes does not apply the specified action to the resource that it listens to - for example:
file '/etc/nginx/ssl/example.crt' do
mode '0600'
owner 'root'
end
service 'nginx' do
subscribes :reload, 'file[/etc/nginx/ssl/example.crt]', :immediately
end
In this case the subscribes property reloads the nginx service whenever its certificate file, located under /etc/nginx/ssl/example.crt, is updated. subscribes does not make any changes to the certificate file itself, it merely listens for a change to the file, and executes the :reload action for its resource (in this example nginx) when a change is detected.
If the other resource does not exist, the subscription will not raise an error. Contrast this with the stricter semantics of notifies, which will raise an error if the other resource does not exist.
A timer specifies the point during a Chef Infra Client run at which a notification is run. The following timers are available:
:beforeSpecifies that the action on a notified resource should be run before processing the resource block in which the notification is located.
:delayedDefault. Specifies that a notification should be queued up, and then executed at the end of a Chef Infra Client run.
:immediate, :immediately
Specifies that a notification should be run immediately, per resource notified.
The syntax for subscribes is:
subscribes :action, 'resource[name]', :timer
A guard property can be used to evaluate the state of a node during the execution phase of a Chef Infra Client run. Based on the results of this evaluation, a guard property is then used to tell Chef Infra Client if it should continue executing a resource. A guard property accepts either a string value or a Ruby block value:
0, the guard is applied. If the command returns any other value, then the guard property is not applied. String guards in a powershell_script run Windows PowerShell commands and may return true in addition to 0.true or false. If the block returns true, the guard property is applied. If the block returns false, the guard property is not applied.A guard property is useful for ensuring that a resource is idempotent by allowing that resource to test for the desired state as it is being executed, and then if the desired state is present, for Chef Infra Client to do nothing.
PropertiesThe following properties can be used to define a guard that is evaluated during the execution phase of a Chef Infra Client run:
not_ifPrevent a resource from executing when the condition returns true.
only_ifAllow a resource to execute only if the condition returns true.
The following examples demonstrate various approaches for using the macos_admin_control resource in recipes:
Set Admin control to require Admin access:
admin_control 'Require Admin rights to perform system-wide changes' do
action :enable
end
Do not require Admin access for System-Wide changes:
admin_control 'Require Admin rights to perform system-wide changes' do
action :disable
end
Use the macos_app_management resource to configure nodes to use Munki to manage apps
New in Chef Infra Client 1.0.
The full syntax for all of the properties that are available to the macos_app_management resource is:
macos_app_management 'name' do
munki_client_download_url String
munki_password String
munki_repo_url String
munki_user String
action Symbol # defaults to :install if not specified
endwhere:
macos_app_management is the resource.name is the name given to the resource block.action identifies which steps Chef Infra Client will take to bring the node into the desired state.munki_client_download_url, munki_password, munki_repo_url, and munki_user are the properties available to this resource.The macos_app_management resource has the following actions:
:install:nothingThe macos_app_management resource has the following properties:
munki_client_download_url The URL where nodes will download the Munki client from
munki_password The password associated with the munki_user account
munki_repo_url The URL of the repository nodes will use to download apps, settings, etc
munki_user A username used to connect to the munki_repo_url with
Chef resources include common properties, notifications, and resource guards.
The following properties are common to every resource:
compile_timeRuby Type: true, false | Default Value: false
Control the phase during which the resource is run on the node. Set to true to run while the resource collection is being built (the compile phase). Set to false to run while Chef Infra Client is configuring the node (the converge phase).
ignore_failureRuby Type: true, false, :quiet | Default Value: false
Continue running a recipe if a resource fails for any reason. :quiet will not display the full stack trace and the recipe will continue to run if a resource fails.
retriesRuby Type: Integer | Default Value: 0
The number of attempts to catch exceptions and retry the resource.
retry_delayRuby Type: Integer | Default Value: 2
The delay in seconds between retry attempts.
sensitiveRuby Type: true, false | Default Value: false
Ensure that sensitive resource data is not logged by Chef Infra Client.
notifies Ruby Type: Symbol, 'Chef::Resource[String]'
A resource may notify another resource to take action when its state changes. Specify a 'resource[name]', the :action that resource should take, and then the :timer for that action. A resource may notify more than one resource; use a notifies statement for each resource to be notified.
If the referenced resource does not exist, an error is raised. In contrast, subscribes will not fail if the source resource is not found.
A timer specifies the point during a Chef Infra Client run at which a notification is run. The following timers are available:
:beforeSpecifies that the action on a notified resource should be run before processing the resource block in which the notification is located.
:delayedDefault. Specifies that a notification should be queued up, and then executed at the end of a Chef Infra Client run.
:immediate, :immediately
Specifies that a notification should be run immediately, per resource notified.
The syntax for notifies is:
notifies :action, 'resource[name]', :timer
subscribes Ruby Type: Symbol, 'Chef::Resource[String]'
A resource may listen to another resource, and then take action if the state of the resource being listened to changes. Specify a 'resource[name]', the :action to be taken, and then the :timer for that action.
Note that subscribes does not apply the specified action to the resource that it listens to - for example:
file '/etc/nginx/ssl/example.crt' do
mode '0600'
owner 'root'
end
service 'nginx' do
subscribes :reload, 'file[/etc/nginx/ssl/example.crt]', :immediately
end
In this case the subscribes property reloads the nginx service whenever its certificate file, located under /etc/nginx/ssl/example.crt, is updated. subscribes does not make any changes to the certificate file itself, it merely listens for a change to the file, and executes the :reload action for its resource (in this example nginx) when a change is detected.
If the other resource does not exist, the subscription will not raise an error. Contrast this with the stricter semantics of notifies, which will raise an error if the other resource does not exist.
A timer specifies the point during a Chef Infra Client run at which a notification is run. The following timers are available:
:beforeSpecifies that the action on a notified resource should be run before processing the resource block in which the notification is located.
:delayedDefault. Specifies that a notification should be queued up, and then executed at the end of a Chef Infra Client run.
:immediate, :immediately
Specifies that a notification should be run immediately, per resource notified.
The syntax for subscribes is:
subscribes :action, 'resource[name]', :timer
A guard property can be used to evaluate the state of a node during the execution phase of a Chef Infra Client run. Based on the results of this evaluation, a guard property is then used to tell Chef Infra Client if it should continue executing a resource. A guard property accepts either a string value or a Ruby block value:
0, the guard is applied. If the command returns any other value, then the guard property is not applied. String guards in a powershell_script run Windows PowerShell commands and may return true in addition to 0.true or false. If the block returns true, the guard property is applied. If the block returns false, the guard property is not applied.A guard property is useful for ensuring that a resource is idempotent by allowing that resource to test for the desired state as it is being executed, and then if the desired state is present, for Chef Infra Client to do nothing.
PropertiesThe following properties can be used to define a guard that is evaluated during the execution phase of a Chef Infra Client run:
not_ifPrevent a resource from executing when the condition returns true.
only_ifAllow a resource to execute only if the condition returns true.
The following examples demonstrate various approaches for using the macos_app_management resource in recipes:
Set up managed app management for clients:
macos_app_management 'Configure Munki on the node' do
munki_client_download_url 'https://github.com/munki/munki/releases/download/v5.0.0/munkitools-5.0.0.4034.pkg'
munki_repo_url 'https://something.something.tld'
munki_user 'munki'
munki_password 'ILoveMunki'
action :install
end
Use the macos_automatic_logout resource to set the system to automatically logout after a set time.
New in Chef Infra Client 1.0.
The full syntax for all of the properties that are available to the macos_automatic_logout resource is:
macos_automatic_logout 'name' do
autologout_time Integer # default value: 3600
action Symbol # defaults to :enable if not specified
endwhere:
macos_automatic_logout is the resource.name is the name given to the resource block.action identifies which steps Chef Infra Client will take to bring the node into the desired state.autologout_time is the property available to this resource.The macos_automatic_logout resource has the following actions:
:disable:enable:nothingThe macos_automatic_logout resource has the following properties:
autologout_time 3600 The amount of time in seconds to elapse before logging the system out. Defaults to 1 hour
Chef resources include common properties, notifications, and resource guards.
The following properties are common to every resource:
compile_timeRuby Type: true, false | Default Value: false
Control the phase during which the resource is run on the node. Set to true to run while the resource collection is being built (the compile phase). Set to false to run while Chef Infra Client is configuring the node (the converge phase).
ignore_failureRuby Type: true, false, :quiet | Default Value: false
Continue running a recipe if a resource fails for any reason. :quiet will not display the full stack trace and the recipe will continue to run if a resource fails.
retriesRuby Type: Integer | Default Value: 0
The number of attempts to catch exceptions and retry the resource.
retry_delayRuby Type: Integer | Default Value: 2
The delay in seconds between retry attempts.
sensitiveRuby Type: true, false | Default Value: false
Ensure that sensitive resource data is not logged by Chef Infra Client.
notifies Ruby Type: Symbol, 'Chef::Resource[String]'
A resource may notify another resource to take action when its state changes. Specify a 'resource[name]', the :action that resource should take, and then the :timer for that action. A resource may notify more than one resource; use a notifies statement for each resource to be notified.
If the referenced resource does not exist, an error is raised. In contrast, subscribes will not fail if the source resource is not found.
A timer specifies the point during a Chef Infra Client run at which a notification is run. The following timers are available:
:beforeSpecifies that the action on a notified resource should be run before processing the resource block in which the notification is located.
:delayedDefault. Specifies that a notification should be queued up, and then executed at the end of a Chef Infra Client run.
:immediate, :immediately
Specifies that a notification should be run immediately, per resource notified.
The syntax for notifies is:
notifies :action, 'resource[name]', :timer
subscribes Ruby Type: Symbol, 'Chef::Resource[String]'
A resource may listen to another resource, and then take action if the state of the resource being listened to changes. Specify a 'resource[name]', the :action to be taken, and then the :timer for that action.
Note that subscribes does not apply the specified action to the resource that it listens to - for example:
file '/etc/nginx/ssl/example.crt' do
mode '0600'
owner 'root'
end
service 'nginx' do
subscribes :reload, 'file[/etc/nginx/ssl/example.crt]', :immediately
end
In this case the subscribes property reloads the nginx service whenever its certificate file, located under /etc/nginx/ssl/example.crt, is updated. subscribes does not make any changes to the certificate file itself, it merely listens for a change to the file, and executes the :reload action for its resource (in this example nginx) when a change is detected.
If the other resource does not exist, the subscription will not raise an error. Contrast this with the stricter semantics of notifies, which will raise an error if the other resource does not exist.
A timer specifies the point during a Chef Infra Client run at which a notification is run. The following timers are available:
:beforeSpecifies that the action on a notified resource should be run before processing the resource block in which the notification is located.
:delayedDefault. Specifies that a notification should be queued up, and then executed at the end of a Chef Infra Client run.
:immediate, :immediately
Specifies that a notification should be run immediately, per resource notified.
The syntax for subscribes is:
subscribes :action, 'resource[name]', :timer
A guard property can be used to evaluate the state of a node during the execution phase of a Chef Infra Client run. Based on the results of this evaluation, a guard property is then used to tell Chef Infra Client if it should continue executing a resource. A guard property accepts either a string value or a Ruby block value:
0, the guard is applied. If the command returns any other value, then the guard property is not applied. String guards in a powershell_script run Windows PowerShell commands and may return true in addition to 0.true or false. If the block returns true, the guard property is applied. If the block returns false, the guard property is not applied.A guard property is useful for ensuring that a resource is idempotent by allowing that resource to test for the desired state as it is being executed, and then if the desired state is present, for Chef Infra Client to do nothing.
PropertiesThe following properties can be used to define a guard that is evaluated during the execution phase of a Chef Infra Client run:
not_ifPrevent a resource from executing when the condition returns true.
only_ifAllow a resource to execute only if the condition returns true.
The following examples demonstrate various approaches for using the macos_automatic_logout resource in recipes:
Setup Automatic Logouts:
automatic_logout 'Automatically logout for inactivity' do
autologout_time 900
action :enable
end
Disable Automatic Logouts:
automatic_logout 'Automatically logout for inactivity' do
action :disable
end
Use the macos_automatic_software_updates resource to configure system and application updates on macOS systems.
New in Chef Infra Client 1.0.
The full syntax for all of the properties that are available to the macos_automatic_software_updates resource is:
macos_automatic_software_updates 'name' do
check true, false
download true, false
install_app_store true, false
install_critical true, false
install_os true, false
action Symbol # defaults to :set if not specified
endwhere:
macos_automatic_software_updates is the resource.name is the name given to the resource block.action identifies which steps Chef Infra Client will take to bring the node into the desired state.check, download, install_app_store, install_critical, and install_os are the properties available to this resource.The macos_automatic_software_updates resource has the following actions:
:nothing:setThe macos_automatic_software_updates resource has the following properties:
check Tell the OS to check for updates
download Tell the OS to download updates
install_app_store Set this to add app updates
install_critical Set this to install critical updates
install_os Set to update the OS
Chef resources include common properties, notifications, and resource guards.
The following properties are common to every resource:
compile_timeRuby Type: true, false | Default Value: false
Control the phase during which the resource is run on the node. Set to true to run while the resource collection is being built (the compile phase). Set to false to run while Chef Infra Client is configuring the node (the converge phase).
ignore_failureRuby Type: true, false, :quiet | Default Value: false
Continue running a recipe if a resource fails for any reason. :quiet will not display the full stack trace and the recipe will continue to run if a resource fails.
retriesRuby Type: Integer | Default Value: 0
The number of attempts to catch exceptions and retry the resource.
retry_delayRuby Type: Integer | Default Value: 2
The delay in seconds between retry attempts.
sensitiveRuby Type: true, false | Default Value: false
Ensure that sensitive resource data is not logged by Chef Infra Client.
notifies Ruby Type: Symbol, 'Chef::Resource[String]'
A resource may notify another resource to take action when its state changes. Specify a 'resource[name]', the :action that resource should take, and then the :timer for that action. A resource may notify more than one resource; use a notifies statement for each resource to be notified.
If the referenced resource does not exist, an error is raised. In contrast, subscribes will not fail if the source resource is not found.
A timer specifies the point during a Chef Infra Client run at which a notification is run. The following timers are available:
:beforeSpecifies that the action on a notified resource should be run before processing the resource block in which the notification is located.
:delayedDefault. Specifies that a notification should be queued up, and then executed at the end of a Chef Infra Client run.
:immediate, :immediately
Specifies that a notification should be run immediately, per resource notified.
The syntax for notifies is:
notifies :action, 'resource[name]', :timer
subscribes Ruby Type: Symbol, 'Chef::Resource[String]'
A resource may listen to another resource, and then take action if the state of the resource being listened to changes. Specify a 'resource[name]', the :action to be taken, and then the :timer for that action.
Note that subscribes does not apply the specified action to the resource that it listens to - for example:
file '/etc/nginx/ssl/example.crt' do
mode '0600'
owner 'root'
end
service 'nginx' do
subscribes :reload, 'file[/etc/nginx/ssl/example.crt]', :immediately
end
In this case the subscribes property reloads the nginx service whenever its certificate file, located under /etc/nginx/ssl/example.crt, is updated. subscribes does not make any changes to the certificate file itself, it merely listens for a change to the file, and executes the :reload action for its resource (in this example nginx) when a change is detected.
If the other resource does not exist, the subscription will not raise an error. Contrast this with the stricter semantics of notifies, which will raise an error if the other resource does not exist.
A timer specifies the point during a Chef Infra Client run at which a notification is run. The following timers are available:
:beforeSpecifies that the action on a notified resource should be run before processing the resource block in which the notification is located.
:delayedDefault. Specifies that a notification should be queued up, and then executed at the end of a Chef Infra Client run.
:immediate, :immediately
Specifies that a notification should be run immediately, per resource notified.
The syntax for subscribes is:
subscribes :action, 'resource[name]', :timer
A guard property can be used to evaluate the state of a node during the execution phase of a Chef Infra Client run. Based on the results of this evaluation, a guard property is then used to tell Chef Infra Client if it should continue executing a resource. A guard property accepts either a string value or a Ruby block value:
0, the guard is applied. If the command returns any other value, then the guard property is not applied. String guards in a powershell_script run Windows PowerShell commands and may return true in addition to 0.true or false. If the block returns true, the guard property is applied. If the block returns false, the guard property is not applied.A guard property is useful for ensuring that a resource is idempotent by allowing that resource to test for the desired state as it is being executed, and then if the desired state is present, for Chef Infra Client to do nothing.
PropertiesThe following properties can be used to define a guard that is evaluated during the execution phase of a Chef Infra Client run:
not_ifPrevent a resource from executing when the condition returns true.
only_ifAllow a resource to execute only if the condition returns true.
The following examples demonstrate various approaches for using the macos_automatic_software_updates resource in recipes:
Setup automatic patch management:
macos_automatic_software_updates 'Settings for OS and Patch updates' do
check true
download true
install_os true
install_app_store true
install_critical true
action :set
end
Use the macos_desktop_screensaver resource to configure secure screensaver settings on macOS systems.
New in Chef Infra Client 1.0.
The full syntax for all of the properties that are available to the macos_desktop_screensaver resource is:
macos_desktop_screensaver 'name' do
delay_before_password_prompt Integer
idle_time Integer # default value: 20
require_password true, false
action Symbol # defaults to :set if not specified
endwhere:
macos_desktop_screensaver is the resource.name is the name given to the resource block.action identifies which steps Chef Infra Client will take to bring the node into the desired state.delay_before_password_prompt, idle_time, and require_password are the properties available to this resource.The macos_desktop_screensaver resource has the following actions:
:disable:nothing:setThe macos_desktop_screensaver resource has the following properties:
delay_before_password_prompt Time in seconds for screensaver to be active before the system will prompt for password input
New in Chef Client 2.0
idle_time 20 Allowed Values: 0, 1, 2, 5, 10, 20, 30, 60 Time in minutes before the the Screensaver comes on. Must be one of these values: 1, 2, 5, 10, 20, 30, 60
require_password Require a password when waking from the screensaver.
Chef resources include common properties, notifications, and resource guards.
The following properties are common to every resource:
compile_timeRuby Type: true, false | Default Value: false
Control the phase during which the resource is run on the node. Set to true to run while the resource collection is being built (the compile phase). Set to false to run while Chef Infra Client is configuring the node (the converge phase).
ignore_failureRuby Type: true, false, :quiet | Default Value: false
Continue running a recipe if a resource fails for any reason. :quiet will not display the full stack trace and the recipe will continue to run if a resource fails.
retriesRuby Type: Integer | Default Value: 0
The number of attempts to catch exceptions and retry the resource.
retry_delayRuby Type: Integer | Default Value: 2
The delay in seconds between retry attempts.
sensitiveRuby Type: true, false | Default Value: false
Ensure that sensitive resource data is not logged by Chef Infra Client.
notifies Ruby Type: Symbol, 'Chef::Resource[String]'
A resource may notify another resource to take action when its state changes. Specify a 'resource[name]', the :action that resource should take, and then the :timer for that action. A resource may notify more than one resource; use a notifies statement for each resource to be notified.
If the referenced resource does not exist, an error is raised. In contrast, subscribes will not fail if the source resource is not found.
A timer specifies the point during a Chef Infra Client run at which a notification is run. The following timers are available:
:beforeSpecifies that the action on a notified resource should be run before processing the resource block in which the notification is located.
:delayedDefault. Specifies that a notification should be queued up, and then executed at the end of a Chef Infra Client run.
:immediate, :immediately
Specifies that a notification should be run immediately, per resource notified.
The syntax for notifies is:
notifies :action, 'resource[name]', :timer
subscribes Ruby Type: Symbol, 'Chef::Resource[String]'
A resource may listen to another resource, and then take action if the state of the resource being listened to changes. Specify a 'resource[name]', the :action to be taken, and then the :timer for that action.
Note that subscribes does not apply the specified action to the resource that it listens to - for example:
file '/etc/nginx/ssl/example.crt' do
mode '0600'
owner 'root'
end
service 'nginx' do
subscribes :reload, 'file[/etc/nginx/ssl/example.crt]', :immediately
end
In this case the subscribes property reloads the nginx service whenever its certificate file, located under /etc/nginx/ssl/example.crt, is updated. subscribes does not make any changes to the certificate file itself, it merely listens for a change to the file, and executes the :reload action for its resource (in this example nginx) when a change is detected.
If the other resource does not exist, the subscription will not raise an error. Contrast this with the stricter semantics of notifies, which will raise an error if the other resource does not exist.
A timer specifies the point during a Chef Infra Client run at which a notification is run. The following timers are available:
:beforeSpecifies that the action on a notified resource should be run before processing the resource block in which the notification is located.
:delayedDefault. Specifies that a notification should be queued up, and then executed at the end of a Chef Infra Client run.
:immediate, :immediately
Specifies that a notification should be run immediately, per resource notified.
The syntax for subscribes is:
subscribes :action, 'resource[name]', :timer
A guard property can be used to evaluate the state of a node during the execution phase of a Chef Infra Client run. Based on the results of this evaluation, a guard property is then used to tell Chef Infra Client if it should continue executing a resource. A guard property accepts either a string value or a Ruby block value:
0, the guard is applied. If the command returns any other value, then the guard property is not applied. String guards in a powershell_script run Windows PowerShell commands and may return true in addition to 0.true or false. If the block returns true, the guard property is applied. If the block returns false, the guard property is not applied.A guard property is useful for ensuring that a resource is idempotent by allowing that resource to test for the desired state as it is being executed, and then if the desired state is present, for Chef Infra Client to do nothing.
PropertiesThe following properties can be used to define a guard that is evaluated during the execution phase of a Chef Infra Client run:
not_ifPrevent a resource from executing when the condition returns true.
only_ifAllow a resource to execute only if the condition returns true.
The following examples demonstrate various approaches for using the macos_desktop_screensaver resource in recipes:
Turn on the Screensaver:
desktop_screensaver 'Sets up the screensaver to come on after 30 minutes of idle time and require a password' do
idle_time 30
require_password true
delay_before_password_prompt 5
action :set
end
Use the macos_disk_encryption resource to enforce FileVault encryption on macOS systems.
New in Chef Infra Client 1.0.
The full syntax for all of the properties that are available to the macos_disk_encryption resource is:
macos_disk_encryption 'name' do
action Symbol # defaults to :enable if not specified
endwhere:
macos_disk_encryption is the resource.name is the name given to the resource block.action identifies which steps Chef Infra Client will take to bring the node into the desired state.The macos_disk_encryption resource has the following actions:
:enable:nothingThis resource does not have any properties.
Chef resources include common properties, notifications, and resource guards.
The following properties are common to every resource:
compile_timeRuby Type: true, false | Default Value: false
Control the phase during which the resource is run on the node. Set to true to run while the resource collection is being built (the compile phase). Set to false to run while Chef Infra Client is configuring the node (the converge phase).
ignore_failureRuby Type: true, false, :quiet | Default Value: false
Continue running a recipe if a resource fails for any reason. :quiet will not display the full stack trace and the recipe will continue to run if a resource fails.
retriesRuby Type: Integer | Default Value: 0
The number of attempts to catch exceptions and retry the resource.
retry_delayRuby Type: Integer | Default Value: 2
The delay in seconds between retry attempts.
sensitiveRuby Type: true, false | Default Value: false
Ensure that sensitive resource data is not logged by Chef Infra Client.
notifies Ruby Type: Symbol, 'Chef::Resource[String]'
A resource may notify another resource to take action when its state changes. Specify a 'resource[name]', the :action that resource should take, and then the :timer for that action. A resource may notify more than one resource; use a notifies statement for each resource to be notified.
If the referenced resource does not exist, an error is raised. In contrast, subscribes will not fail if the source resource is not found.
A timer specifies the point during a Chef Infra Client run at which a notification is run. The following timers are available:
:beforeSpecifies that the action on a notified resource should be run before processing the resource block in which the notification is located.
:delayedDefault. Specifies that a notification should be queued up, and then executed at the end of a Chef Infra Client run.
:immediate, :immediately
Specifies that a notification should be run immediately, per resource notified.
The syntax for notifies is:
notifies :action, 'resource[name]', :timer
subscribes Ruby Type: Symbol, 'Chef::Resource[String]'
A resource may listen to another resource, and then take action if the state of the resource being listened to changes. Specify a 'resource[name]', the :action to be taken, and then the :timer for that action.
Note that subscribes does not apply the specified action to the resource that it listens to - for example:
file '/etc/nginx/ssl/example.crt' do
mode '0600'
owner 'root'
end
service 'nginx' do
subscribes :reload, 'file[/etc/nginx/ssl/example.crt]', :immediately
end
In this case the subscribes property reloads the nginx service whenever its certificate file, located under /etc/nginx/ssl/example.crt, is updated. subscribes does not make any changes to the certificate file itself, it merely listens for a change to the file, and executes the :reload action for its resource (in this example nginx) when a change is detected.
If the other resource does not exist, the subscription will not raise an error. Contrast this with the stricter semantics of notifies, which will raise an error if the other resource does not exist.
A timer specifies the point during a Chef Infra Client run at which a notification is run. The following timers are available:
:beforeSpecifies that the action on a notified resource should be run before processing the resource block in which the notification is located.
:delayedDefault. Specifies that a notification should be queued up, and then executed at the end of a Chef Infra Client run.
:immediate, :immediately
Specifies that a notification should be run immediately, per resource notified.
The syntax for subscribes is:
subscribes :action, 'resource[name]', :timer
A guard property can be used to evaluate the state of a node during the execution phase of a Chef Infra Client run. Based on the results of this evaluation, a guard property is then used to tell Chef Infra Client if it should continue executing a resource. A guard property accepts either a string value or a Ruby block value:
0, the guard is applied. If the command returns any other value, then the guard property is not applied. String guards in a powershell_script run Windows PowerShell commands and may return true in addition to 0.true or false. If the block returns true, the guard property is applied. If the block returns false, the guard property is not applied.A guard property is useful for ensuring that a resource is idempotent by allowing that resource to test for the desired state as it is being executed, and then if the desired state is present, for Chef Infra Client to do nothing.
PropertiesThe following properties can be used to define a guard that is evaluated during the execution phase of a Chef Infra Client run:
not_ifPrevent a resource from executing when the condition returns true.
only_ifAllow a resource to execute only if the condition returns true.
This resource does not have any examples.
Use the macos_firewall resource to enable the firewall on macOS systems.
The full syntax for all of the properties that are available to the macos_firewall resource is:
macos_firewall 'name' do
action Symbol # defaults to :enable if not specified
endwhere:
macos_firewall is the resource.name is the name given to the resource block.action identifies which steps Chef Infra Client will take to bring the node into the desired state.The macos_firewall resource has the following actions:
:disable:enable:nothingThis resource does not have any properties.
Chef resources include common properties, notifications, and resource guards.
The following properties are common to every resource:
compile_timeRuby Type: true, false | Default Value: false
Control the phase during which the resource is run on the node. Set to true to run while the resource collection is being built (the compile phase). Set to false to run while Chef Infra Client is configuring the node (the converge phase).
ignore_failureRuby Type: true, false, :quiet | Default Value: false
Continue running a recipe if a resource fails for any reason. :quiet will not display the full stack trace and the recipe will continue to run if a resource fails.
retriesRuby Type: Integer | Default Value: 0
The number of attempts to catch exceptions and retry the resource.
retry_delayRuby Type: Integer | Default Value: 2
The delay in seconds between retry attempts.
sensitiveRuby Type: true, false | Default Value: false
Ensure that sensitive resource data is not logged by Chef Infra Client.
notifies Ruby Type: Symbol, 'Chef::Resource[String]'
A resource may notify another resource to take action when its state changes. Specify a 'resource[name]', the :action that resource should take, and then the :timer for that action. A resource may notify more than one resource; use a notifies statement for each resource to be notified.
If the referenced resource does not exist, an error is raised. In contrast, subscribes will not fail if the source resource is not found.
A timer specifies the point during a Chef Infra Client run at which a notification is run. The following timers are available:
:beforeSpecifies that the action on a notified resource should be run before processing the resource block in which the notification is located.
:delayedDefault. Specifies that a notification should be queued up, and then executed at the end of a Chef Infra Client run.
:immediate, :immediately
Specifies that a notification should be run immediately, per resource notified.
The syntax for notifies is:
notifies :action, 'resource[name]', :timer
subscribes Ruby Type: Symbol, 'Chef::Resource[String]'
A resource may listen to another resource, and then take action if the state of the resource being listened to changes. Specify a 'resource[name]', the :action to be taken, and then the :timer for that action.
Note that subscribes does not apply the specified action to the resource that it listens to - for example:
file '/etc/nginx/ssl/example.crt' do
mode '0600'
owner 'root'
end
service 'nginx' do
subscribes :reload, 'file[/etc/nginx/ssl/example.crt]', :immediately
end
In this case the subscribes property reloads the nginx service whenever its certificate file, located under /etc/nginx/ssl/example.crt, is updated. subscribes does not make any changes to the certificate file itself, it merely listens for a change to the file, and executes the :reload action for its resource (in this example nginx) when a change is detected.
If the other resource does not exist, the subscription will not raise an error. Contrast this with the stricter semantics of notifies, which will raise an error if the other resource does not exist.
A timer specifies the point during a Chef Infra Client run at which a notification is run. The following timers are available:
:beforeSpecifies that the action on a notified resource should be run before processing the resource block in which the notification is located.
:delayedDefault. Specifies that a notification should be queued up, and then executed at the end of a Chef Infra Client run.
:immediate, :immediately
Specifies that a notification should be run immediately, per resource notified.
The syntax for subscribes is:
subscribes :action, 'resource[name]', :timer
A guard property can be used to evaluate the state of a node during the execution phase of a Chef Infra Client run. Based on the results of this evaluation, a guard property is then used to tell Chef Infra Client if it should continue executing a resource. A guard property accepts either a string value or a Ruby block value:
0, the guard is applied. If the command returns any other value, then the guard property is not applied. String guards in a powershell_script run Windows PowerShell commands and may return true in addition to 0.true or false. If the block returns true, the guard property is applied. If the block returns false, the guard property is not applied.A guard property is useful for ensuring that a resource is idempotent by allowing that resource to test for the desired state as it is being executed, and then if the desired state is present, for Chef Infra Client to do nothing.
PropertiesThe following properties can be used to define a guard that is evaluated during the execution phase of a Chef Infra Client run:
not_ifPrevent a resource from executing when the condition returns true.
only_ifAllow a resource to execute only if the condition returns true.
The following examples demonstrate various approaches for using the macos_firewall resource in recipes:
Turn on the macOS Firewall:
macos_firewall 'Enable Firewall Protection' do
action :enable
end
Turn off the macOS Firewall:
macos_firewall 'Disable Firewall Protection' do
action :disable
end
Use the macos_password_policy resource to set password complexity, password length, etc on macOS systems.
New in Chef Infra Client 1.0.
The full syntax for all of the properties that are available to the macos_password_policy resource is:
macos_password_policy 'name' do
exempt_user String
lockout_time Integer
max_failed_logins Integer
maximum_password_age Integer # default value: 365
minimum_lowercase_letters Integer # default value: 0
minimum_numeric_characters Integer # default value: 0
minimum_password_length Integer # default value: 12
minimum_special_characters Integer # default value: 0
minimum_uppercase_letters Integer # default value: 0
remember_how_many_passwords Integer # default value: 3
action Symbol # defaults to :set if not specified
endwhere:
macos_password_policy is the resource.name is the name given to the resource block.action identifies which steps Chef Infra Client will take to bring the node into the desired state.exempt_user, lockout_time, max_failed_logins, maximum_password_age, minimum_lowercase_letters, minimum_numeric_characters, minimum_password_length, minimum_special_characters, minimum_uppercase_letters, and remember_how_many_passwords are the properties available to this resource.The macos_password_policy resource has the following actions:
:nothing:setThe macos_password_policy resource has the following properties:
exempt_user A user to whom the password policy is not applied
lockout_time The amount of time your account is locked out after you exceed max failed logins
max_failed_logins The maximum number of failed logins before you are locked out
maximum_password_age 365 The maximum age in days for a password before it must be changed, defaults to 365
minimum_lowercase_letters 0 The minimum number of lower case letters that must be in a password
minimum_numeric_characters 0 The minimum number of numbers that must be in a password
minimum_password_length 12 The minimum length a password must be
minimum_special_characters 0 The minimum number of special characters that must be in a password. Eg. *&^%
minimum_uppercase_letters 0 The minimum number of upper case letters that must be in a password
remember_how_many_passwords 3 The number of previous passwords to remember to prevent users for keeping stale passwords
Chef resources include common properties, notifications, and resource guards.
The following properties are common to every resource:
compile_timeRuby Type: true, false | Default Value: false
Control the phase during which the resource is run on the node. Set to true to run while the resource collection is being built (the compile phase). Set to false to run while Chef Infra Client is configuring the node (the converge phase).
ignore_failureRuby Type: true, false, :quiet | Default Value: false
Continue running a recipe if a resource fails for any reason. :quiet will not display the full stack trace and the recipe will continue to run if a resource fails.
retriesRuby Type: Integer | Default Value: 0
The number of attempts to catch exceptions and retry the resource.
retry_delayRuby Type: Integer | Default Value: 2
The delay in seconds between retry attempts.
sensitiveRuby Type: true, false | Default Value: false
Ensure that sensitive resource data is not logged by Chef Infra Client.
notifies Ruby Type: Symbol, 'Chef::Resource[String]'
A resource may notify another resource to take action when its state changes. Specify a 'resource[name]', the :action that resource should take, and then the :timer for that action. A resource may notify more than one resource; use a notifies statement for each resource to be notified.
If the referenced resource does not exist, an error is raised. In contrast, subscribes will not fail if the source resource is not found.
A timer specifies the point during a Chef Infra Client run at which a notification is run. The following timers are available:
:beforeSpecifies that the action on a notified resource should be run before processing the resource block in which the notification is located.
:delayedDefault. Specifies that a notification should be queued up, and then executed at the end of a Chef Infra Client run.
:immediate, :immediately
Specifies that a notification should be run immediately, per resource notified.
The syntax for notifies is:
notifies :action, 'resource[name]', :timer
subscribes Ruby Type: Symbol, 'Chef::Resource[String]'
A resource may listen to another resource, and then take action if the state of the resource being listened to changes. Specify a 'resource[name]', the :action to be taken, and then the :timer for that action.
Note that subscribes does not apply the specified action to the resource that it listens to - for example:
file '/etc/nginx/ssl/example.crt' do
mode '0600'
owner 'root'
end
service 'nginx' do
subscribes :reload, 'file[/etc/nginx/ssl/example.crt]', :immediately
end
In this case the subscribes property reloads the nginx service whenever its certificate file, located under /etc/nginx/ssl/example.crt, is updated. subscribes does not make any changes to the certificate file itself, it merely listens for a change to the file, and executes the :reload action for its resource (in this example nginx) when a change is detected.
If the other resource does not exist, the subscription will not raise an error. Contrast this with the stricter semantics of notifies, which will raise an error if the other resource does not exist.
A timer specifies the point during a Chef Infra Client run at which a notification is run. The following timers are available:
:beforeSpecifies that the action on a notified resource should be run before processing the resource block in which the notification is located.
:delayedDefault. Specifies that a notification should be queued up, and then executed at the end of a Chef Infra Client run.
:immediate, :immediately
Specifies that a notification should be run immediately, per resource notified.
The syntax for subscribes is:
subscribes :action, 'resource[name]', :timer
A guard property can be used to evaluate the state of a node during the execution phase of a Chef Infra Client run. Based on the results of this evaluation, a guard property is then used to tell Chef Infra Client if it should continue executing a resource. A guard property accepts either a string value or a Ruby block value:
0, the guard is applied. If the command returns any other value, then the guard property is not applied. String guards in a powershell_script run Windows PowerShell commands and may return true in addition to 0.true or false. If the block returns true, the guard property is applied. If the block returns false, the guard property is not applied.A guard property is useful for ensuring that a resource is idempotent by allowing that resource to test for the desired state as it is being executed, and then if the desired state is present, for Chef Infra Client to do nothing.
PropertiesThe following properties can be used to define a guard that is evaluated during the execution phase of a Chef Infra Client run:
not_ifPrevent a resource from executing when the condition returns true.
only_ifAllow a resource to execute only if the condition returns true.
The following examples demonstrate various approaches for using the macos_password_policy resource in recipes:
Set the local password policy:
macos_password_policy 'Setup appropriate password complexity and rules' do
max_failed_logins 5
lockout_time 2
maximum_password_age 365
minimum_password_length 12
minimum_numeric_characters 0
minimum_lowercase_letters 0
minimum_uppercase_letters 0
minimum_special_characters 0
remember_how_many_passwords 3
exempt_user 'MyAdmin'
action :set
end
Use the macos_power_management resource to set the power settings of a kiosk-style device when you need it always-on
New in Chef Infra Client 1.0.
The full syntax for all of the properties that are available to the macos_power_management resource is:
macos_power_management 'name' do
computer_sleep_time String # default value: "never"
disk_sleep_time String # default value: "never"
display_sleep_time String # default value: "never"
action Symbol # defaults to :set if not specified
endwhere:
macos_power_management is the resource.name is the name given to the resource block.action identifies which steps Chef Infra Client will take to bring the node into the desired state.computer_sleep_time, disk_sleep_time, and display_sleep_time are the properties available to this resource.The macos_power_management resource has the following actions:
:nothing:setThe macos_power_management resource has the following properties:
computer_sleep_time never A time value between 1-60 minutes or “never” to use to set the computer to sleep after. Defaults to never
disk_sleep_time never A time value between 1-60 minutes or “never” to use to set the hard disk to sleep after. Defaults to never
display_sleep_time never A time value between 1-60 minutes or “never” to use to set the display to sleep after. Defaults to never
Chef resources include common properties, notifications, and resource guards.
The following properties are common to every resource:
compile_timeRuby Type: true, false | Default Value: false
Control the phase during which the resource is run on the node. Set to true to run while the resource collection is being built (the compile phase). Set to false to run while Chef Infra Client is configuring the node (the converge phase).
ignore_failureRuby Type: true, false, :quiet | Default Value: false
Continue running a recipe if a resource fails for any reason. :quiet will not display the full stack trace and the recipe will continue to run if a resource fails.
retriesRuby Type: Integer | Default Value: 0
The number of attempts to catch exceptions and retry the resource.
retry_delayRuby Type: Integer | Default Value: 2
The delay in seconds between retry attempts.
sensitiveRuby Type: true, false | Default Value: false
Ensure that sensitive resource data is not logged by Chef Infra Client.
notifies Ruby Type: Symbol, 'Chef::Resource[String]'
A resource may notify another resource to take action when its state changes. Specify a 'resource[name]', the :action that resource should take, and then the :timer for that action. A resource may notify more than one resource; use a notifies statement for each resource to be notified.
If the referenced resource does not exist, an error is raised. In contrast, subscribes will not fail if the source resource is not found.
A timer specifies the point during a Chef Infra Client run at which a notification is run. The following timers are available:
:beforeSpecifies that the action on a notified resource should be run before processing the resource block in which the notification is located.
:delayedDefault. Specifies that a notification should be queued up, and then executed at the end of a Chef Infra Client run.
:immediate, :immediately
Specifies that a notification should be run immediately, per resource notified.
The syntax for notifies is:
notifies :action, 'resource[name]', :timer
subscribes Ruby Type: Symbol, 'Chef::Resource[String]'
A resource may listen to another resource, and then take action if the state of the resource being listened to changes. Specify a 'resource[name]', the :action to be taken, and then the :timer for that action.
Note that subscribes does not apply the specified action to the resource that it listens to - for example:
file '/etc/nginx/ssl/example.crt' do
mode '0600'
owner 'root'
end
service 'nginx' do
subscribes :reload, 'file[/etc/nginx/ssl/example.crt]', :immediately
end
In this case the subscribes property reloads the nginx service whenever its certificate file, located under /etc/nginx/ssl/example.crt, is updated. subscribes does not make any changes to the certificate file itself, it merely listens for a change to the file, and executes the :reload action for its resource (in this example nginx) when a change is detected.
If the other resource does not exist, the subscription will not raise an error. Contrast this with the stricter semantics of notifies, which will raise an error if the other resource does not exist.
A timer specifies the point during a Chef Infra Client run at which a notification is run. The following timers are available:
:beforeSpecifies that the action on a notified resource should be run before processing the resource block in which the notification is located.
:delayedDefault. Specifies that a notification should be queued up, and then executed at the end of a Chef Infra Client run.
:immediate, :immediately
Specifies that a notification should be run immediately, per resource notified.
The syntax for subscribes is:
subscribes :action, 'resource[name]', :timer
A guard property can be used to evaluate the state of a node during the execution phase of a Chef Infra Client run. Based on the results of this evaluation, a guard property is then used to tell Chef Infra Client if it should continue executing a resource. A guard property accepts either a string value or a Ruby block value:
0, the guard is applied. If the command returns any other value, then the guard property is not applied. String guards in a powershell_script run Windows PowerShell commands and may return true in addition to 0.true or false. If the block returns true, the guard property is applied. If the block returns false, the guard property is not applied.A guard property is useful for ensuring that a resource is idempotent by allowing that resource to test for the desired state as it is being executed, and then if the desired state is present, for Chef Infra Client to do nothing.
PropertiesThe following properties can be used to define a guard that is evaluated during the execution phase of a Chef Infra Client run:
not_ifPrevent a resource from executing when the condition returns true.
only_ifAllow a resource to execute only if the condition returns true.
The following examples demonstrate various approaches for using the macos_power_management resource in recipes:
Configure Power Management settings:
macos_power_management 'Set the Device to a defined power level' do
computer_sleep_time 'never'
display_sleep_time 'never'
disk_sleep_time 'never'
action :set
end
Use the rescue_account resource to provide Administrators with a rescue account.
New in Chef Infra Client 1.0.
The full syntax for all of the properties that are available to the rescue_account resource is:
rescue_account 'name' do
account_name String
password String
action Symbol # defaults to :create if not specified
endwhere:
rescue_account is the resource.name is the name given to the resource block.action identifies which steps Chef Infra Client will take to bring the node into the desired state.account_name and password are the properties available to this resource.The rescue_account resource has the following actions:
:create:delete:disable:enable:nothingThe rescue_account resource has the following properties:
account_name REQUIRED Name of the user to be created as a rescue account
password REQUIRED Corresponding password for that user
Chef resources include common properties, notifications, and resource guards.
The following properties are common to every resource:
compile_timeRuby Type: true, false | Default Value: false
Control the phase during which the resource is run on the node. Set to true to run while the resource collection is being built (the compile phase). Set to false to run while Chef Infra Client is configuring the node (the converge phase).
ignore_failureRuby Type: true, false, :quiet | Default Value: false
Continue running a recipe if a resource fails for any reason. :quiet will not display the full stack trace and the recipe will continue to run if a resource fails.
retriesRuby Type: Integer | Default Value: 0
The number of attempts to catch exceptions and retry the resource.
retry_delayRuby Type: Integer | Default Value: 2
The delay in seconds between retry attempts.
sensitiveRuby Type: true, false | Default Value: false
Ensure that sensitive resource data is not logged by Chef Infra Client.
notifies Ruby Type: Symbol, 'Chef::Resource[String]'
A resource may notify another resource to take action when its state changes. Specify a 'resource[name]', the :action that resource should take, and then the :timer for that action. A resource may notify more than one resource; use a notifies statement for each resource to be notified.
If the referenced resource does not exist, an error is raised. In contrast, subscribes will not fail if the source resource is not found.
A timer specifies the point during a Chef Infra Client run at which a notification is run. The following timers are available:
:beforeSpecifies that the action on a notified resource should be run before processing the resource block in which the notification is located.
:delayedDefault. Specifies that a notification should be queued up, and then executed at the end of a Chef Infra Client run.
:immediate, :immediately
Specifies that a notification should be run immediately, per resource notified.
The syntax for notifies is:
notifies :action, 'resource[name]', :timer
subscribes Ruby Type: Symbol, 'Chef::Resource[String]'
A resource may listen to another resource, and then take action if the state of the resource being listened to changes. Specify a 'resource[name]', the :action to be taken, and then the :timer for that action.
Note that subscribes does not apply the specified action to the resource that it listens to - for example:
file '/etc/nginx/ssl/example.crt' do
mode '0600'
owner 'root'
end
service 'nginx' do
subscribes :reload, 'file[/etc/nginx/ssl/example.crt]', :immediately
end
In this case the subscribes property reloads the nginx service whenever its certificate file, located under /etc/nginx/ssl/example.crt, is updated. subscribes does not make any changes to the certificate file itself, it merely listens for a change to the file, and executes the :reload action for its resource (in this example nginx) when a change is detected.
If the other resource does not exist, the subscription will not raise an error. Contrast this with the stricter semantics of notifies, which will raise an error if the other resource does not exist.
A timer specifies the point during a Chef Infra Client run at which a notification is run. The following timers are available:
:beforeSpecifies that the action on a notified resource should be run before processing the resource block in which the notification is located.
:delayedDefault. Specifies that a notification should be queued up, and then executed at the end of a Chef Infra Client run.
:immediate, :immediately
Specifies that a notification should be run immediately, per resource notified.
The syntax for subscribes is:
subscribes :action, 'resource[name]', :timer
A guard property can be used to evaluate the state of a node during the execution phase of a Chef Infra Client run. Based on the results of this evaluation, a guard property is then used to tell Chef Infra Client if it should continue executing a resource. A guard property accepts either a string value or a Ruby block value:
0, the guard is applied. If the command returns any other value, then the guard property is not applied. String guards in a powershell_script run Windows PowerShell commands and may return true in addition to 0.true or false. If the block returns true, the guard property is applied. If the block returns false, the guard property is not applied.A guard property is useful for ensuring that a resource is idempotent by allowing that resource to test for the desired state as it is being executed, and then if the desired state is present, for Chef Infra Client to do nothing.
PropertiesThe following properties can be used to define a guard that is evaluated during the execution phase of a Chef Infra Client run:
not_ifPrevent a resource from executing when the condition returns true.
only_ifAllow a resource to execute only if the condition returns true.
The following examples demonstrate various approaches for using the rescue_account resource in recipes:
Create a managed user account:
rescue_account 'Configure an Admin level account for IT to use' do
account_name 'MyAdmin'
password '123Opscode!!'
action :create
end
Delete a managed user account:
rescue_account 'Delete an Admin level account for IT to use' do
account_name 'MyAdmin'
action :delete
end
Enable an existing managed user account:
rescue_account 'Enable an Admin level account for IT to use' do
account_name 'MyAdmin'
action :enable
end
Disable an existing managed user account:
rescue_account 'Disable an Admin level account' do
account_name 'MyAdmin'
action :disable
end
Use the windows_admin_control resource to enforce Admin level access for system-wide changes.
New in Chef Infra Client 1.0.
The full syntax for all of the properties that are available to the windows_admin_control resource is:
windows_admin_control 'name' do
action Symbol # defaults to :enable if not specified
endwhere:
windows_admin_control is the resource.name is the name given to the resource block.action identifies which steps Chef Infra Client will take to bring the node into the desired state.The windows_admin_control resource has the following actions:
:disable:enable:nothingThis resource does not have any properties.
Chef resources include common properties, notifications, and resource guards.
The following properties are common to every resource:
compile_timeRuby Type: true, false | Default Value: false
Control the phase during which the resource is run on the node. Set to true to run while the resource collection is being built (the compile phase). Set to false to run while Chef Infra Client is configuring the node (the converge phase).
ignore_failureRuby Type: true, false, :quiet | Default Value: false
Continue running a recipe if a resource fails for any reason. :quiet will not display the full stack trace and the recipe will continue to run if a resource fails.
retriesRuby Type: Integer | Default Value: 0
The number of attempts to catch exceptions and retry the resource.
retry_delayRuby Type: Integer | Default Value: 2
The delay in seconds between retry attempts.
sensitiveRuby Type: true, false | Default Value: false
Ensure that sensitive resource data is not logged by Chef Infra Client.
notifies Ruby Type: Symbol, 'Chef::Resource[String]'
A resource may notify another resource to take action when its state changes. Specify a 'resource[name]', the :action that resource should take, and then the :timer for that action. A resource may notify more than one resource; use a notifies statement for each resource to be notified.
If the referenced resource does not exist, an error is raised. In contrast, subscribes will not fail if the source resource is not found.
A timer specifies the point during a Chef Infra Client run at which a notification is run. The following timers are available:
:beforeSpecifies that the action on a notified resource should be run before processing the resource block in which the notification is located.
:delayedDefault. Specifies that a notification should be queued up, and then executed at the end of a Chef Infra Client run.
:immediate, :immediately
Specifies that a notification should be run immediately, per resource notified.
The syntax for notifies is:
notifies :action, 'resource[name]', :timer
subscribes Ruby Type: Symbol, 'Chef::Resource[String]'
A resource may listen to another resource, and then take action if the state of the resource being listened to changes. Specify a 'resource[name]', the :action to be taken, and then the :timer for that action.
Note that subscribes does not apply the specified action to the resource that it listens to - for example:
file '/etc/nginx/ssl/example.crt' do
mode '0600'
owner 'root'
end
service 'nginx' do
subscribes :reload, 'file[/etc/nginx/ssl/example.crt]', :immediately
end
In this case the subscribes property reloads the nginx service whenever its certificate file, located under /etc/nginx/ssl/example.crt, is updated. subscribes does not make any changes to the certificate file itself, it merely listens for a change to the file, and executes the :reload action for its resource (in this example nginx) when a change is detected.
If the other resource does not exist, the subscription will not raise an error. Contrast this with the stricter semantics of notifies, which will raise an error if the other resource does not exist.
A timer specifies the point during a Chef Infra Client run at which a notification is run. The following timers are available:
:beforeSpecifies that the action on a notified resource should be run before processing the resource block in which the notification is located.
:delayedDefault. Specifies that a notification should be queued up, and then executed at the end of a Chef Infra Client run.
:immediate, :immediately
Specifies that a notification should be run immediately, per resource notified.
The syntax for subscribes is:
subscribes :action, 'resource[name]', :timer
A guard property can be used to evaluate the state of a node during the execution phase of a Chef Infra Client run. Based on the results of this evaluation, a guard property is then used to tell Chef Infra Client if it should continue executing a resource. A guard property accepts either a string value or a Ruby block value:
0, the guard is applied. If the command returns any other value, then the guard property is not applied. String guards in a powershell_script run Windows PowerShell commands and may return true in addition to 0.true or false. If the block returns true, the guard property is applied. If the block returns false, the guard property is not applied.A guard property is useful for ensuring that a resource is idempotent by allowing that resource to test for the desired state as it is being executed, and then if the desired state is present, for Chef Infra Client to do nothing.
PropertiesThe following properties can be used to define a guard that is evaluated during the execution phase of a Chef Infra Client run:
not_ifPrevent a resource from executing when the condition returns true.
only_ifAllow a resource to execute only if the condition returns true.
The following examples demonstrate various approaches for using the windows_admin_control resource in recipes:
Turns on UAC to enforce Admin access for changes:
admin_control 'Require Admin rights to perform system-wide changes' do
action :enable
end
Turns off UAC:
admin_control 'Do Not Require Admin rights to perform system-wide changes' do
action :disable
end
Use the windows_app_management resource to configure nodes to use Gorilla for application management.
New in Chef Infra Client 1.0.
The full syntax for all of the properties that are available to the windows_app_management resource is:
windows_app_management 'name' do
update_check_frequency String
action Symbol # defaults to :enable if not specified
endwhere:
windows_app_management is the resource.name is the name given to the resource block.action identifies which steps Chef Infra Client will take to bring the node into the desired state.update_check_frequency is the property available to this resource.The windows_app_management resource has the following actions:
:disable:enablehow_often_to_check_for_updates.:nothingThe windows_app_management resource has the following properties:
update_check_frequency "daily", "minute", "monthly", "none", "on_idle", "on_logon", "once", "onstart", "weekly" How often should the Gorilla client check for updates.
Chef resources include common properties, notifications, and resource guards.
The following properties are common to every resource:
compile_timeRuby Type: true, false | Default Value: false
Control the phase during which the resource is run on the node. Set to true to run while the resource collection is being built (the compile phase). Set to false to run while Chef Infra Client is configuring the node (the converge phase).
ignore_failureRuby Type: true, false, :quiet | Default Value: false
Continue running a recipe if a resource fails for any reason. :quiet will not display the full stack trace and the recipe will continue to run if a resource fails.
retriesRuby Type: Integer | Default Value: 0
The number of attempts to catch exceptions and retry the resource.
retry_delayRuby Type: Integer | Default Value: 2
The delay in seconds between retry attempts.
sensitiveRuby Type: true, false | Default Value: false
Ensure that sensitive resource data is not logged by Chef Infra Client.
notifies Ruby Type: Symbol, 'Chef::Resource[String]'
A resource may notify another resource to take action when its state changes. Specify a 'resource[name]', the :action that resource should take, and then the :timer for that action. A resource may notify more than one resource; use a notifies statement for each resource to be notified.
If the referenced resource does not exist, an error is raised. In contrast, subscribes will not fail if the source resource is not found.
A timer specifies the point during a Chef Infra Client run at which a notification is run. The following timers are available:
:beforeSpecifies that the action on a notified resource should be run before processing the resource block in which the notification is located.
:delayedDefault. Specifies that a notification should be queued up, and then executed at the end of a Chef Infra Client run.
:immediate, :immediately
Specifies that a notification should be run immediately, per resource notified.
The syntax for notifies is:
notifies :action, 'resource[name]', :timer
subscribes Ruby Type: Symbol, 'Chef::Resource[String]'
A resource may listen to another resource, and then take action if the state of the resource being listened to changes. Specify a 'resource[name]', the :action to be taken, and then the :timer for that action.
Note that subscribes does not apply the specified action to the resource that it listens to - for example:
file '/etc/nginx/ssl/example.crt' do
mode '0600'
owner 'root'
end
service 'nginx' do
subscribes :reload, 'file[/etc/nginx/ssl/example.crt]', :immediately
end
In this case the subscribes property reloads the nginx service whenever its certificate file, located under /etc/nginx/ssl/example.crt, is updated. subscribes does not make any changes to the certificate file itself, it merely listens for a change to the file, and executes the :reload action for its resource (in this example nginx) when a change is detected.
If the other resource does not exist, the subscription will not raise an error. Contrast this with the stricter semantics of notifies, which will raise an error if the other resource does not exist.
A timer specifies the point during a Chef Infra Client run at which a notification is run. The following timers are available:
:beforeSpecifies that the action on a notified resource should be run before processing the resource block in which the notification is located.
:delayedDefault. Specifies that a notification should be queued up, and then executed at the end of a Chef Infra Client run.
:immediate, :immediately
Specifies that a notification should be run immediately, per resource notified.
The syntax for subscribes is:
subscribes :action, 'resource[name]', :timer
A guard property can be used to evaluate the state of a node during the execution phase of a Chef Infra Client run. Based on the results of this evaluation, a guard property is then used to tell Chef Infra Client if it should continue executing a resource. A guard property accepts either a string value or a Ruby block value:
0, the guard is applied. If the command returns any other value, then the guard property is not applied. String guards in a powershell_script run Windows PowerShell commands and may return true in addition to 0.true or false. If the block returns true, the guard property is applied. If the block returns false, the guard property is not applied.A guard property is useful for ensuring that a resource is idempotent by allowing that resource to test for the desired state as it is being executed, and then if the desired state is present, for Chef Infra Client to do nothing.
PropertiesThe following properties can be used to define a guard that is evaluated during the execution phase of a Chef Infra Client run:
not_ifPrevent a resource from executing when the condition returns true.
only_ifAllow a resource to execute only if the condition returns true.
The following examples demonstrate various approaches for using the windows_app_management resource in recipes:
Configure managed application management:
windows_app_management 'Use Gorilla to manage Apps' do
update_check_frequency 'daily'
action :enable
end
Disable managed application management:
windows_app_management 'Do Not Use Gorilla to manage Apps' do
action :disable
end
Use the windows_automatic_logout resource to set the system to automatically logout after a set time.
New in Chef Infra Client 1.0.
The full syntax for all of the properties that are available to the windows_automatic_logout resource is:
windows_automatic_logout 'name' do
autologout_time Integer # default value: 3600
action Symbol # defaults to :enable if not specified
endwhere:
windows_automatic_logout is the resource.name is the name given to the resource block.action identifies which steps Chef Infra Client will take to bring the node into the desired state.autologout_time is the property available to this resource.The windows_automatic_logout resource has the following actions:
:nothing:setThe windows_automatic_logout resource has the following properties:
autologout_time 3600 The amount of time in seconds to elapse before logging the system out. Defaults to 3600s (1 hour)
Chef resources include common properties, notifications, and resource guards.
The following properties are common to every resource:
compile_timeRuby Type: true, false | Default Value: false
Control the phase during which the resource is run on the node. Set to true to run while the resource collection is being built (the compile phase). Set to false to run while Chef Infra Client is configuring the node (the converge phase).
ignore_failureRuby Type: true, false, :quiet | Default Value: false
Continue running a recipe if a resource fails for any reason. :quiet will not display the full stack trace and the recipe will continue to run if a resource fails.
retriesRuby Type: Integer | Default Value: 0
The number of attempts to catch exceptions and retry the resource.
retry_delayRuby Type: Integer | Default Value: 2
The delay in seconds between retry attempts.
sensitiveRuby Type: true, false | Default Value: false
Ensure that sensitive resource data is not logged by Chef Infra Client.
notifies Ruby Type: Symbol, 'Chef::Resource[String]'
A resource may notify another resource to take action when its state changes. Specify a 'resource[name]', the :action that resource should take, and then the :timer for that action. A resource may notify more than one resource; use a notifies statement for each resource to be notified.
If the referenced resource does not exist, an error is raised. In contrast, subscribes will not fail if the source resource is not found.
A timer specifies the point during a Chef Infra Client run at which a notification is run. The following timers are available:
:beforeSpecifies that the action on a notified resource should be run before processing the resource block in which the notification is located.
:delayedDefault. Specifies that a notification should be queued up, and then executed at the end of a Chef Infra Client run.
:immediate, :immediately
Specifies that a notification should be run immediately, per resource notified.
The syntax for notifies is:
notifies :action, 'resource[name]', :timer
subscribes Ruby Type: Symbol, 'Chef::Resource[String]'
A resource may listen to another resource, and then take action if the state of the resource being listened to changes. Specify a 'resource[name]', the :action to be taken, and then the :timer for that action.
Note that subscribes does not apply the specified action to the resource that it listens to - for example:
file '/etc/nginx/ssl/example.crt' do
mode '0600'
owner 'root'
end
service 'nginx' do
subscribes :reload, 'file[/etc/nginx/ssl/example.crt]', :immediately
end
In this case the subscribes property reloads the nginx service whenever its certificate file, located under /etc/nginx/ssl/example.crt, is updated. subscribes does not make any changes to the certificate file itself, it merely listens for a change to the file, and executes the :reload action for its resource (in this example nginx) when a change is detected.
If the other resource does not exist, the subscription will not raise an error. Contrast this with the stricter semantics of notifies, which will raise an error if the other resource does not exist.
A timer specifies the point during a Chef Infra Client run at which a notification is run. The following timers are available:
:beforeSpecifies that the action on a notified resource should be run before processing the resource block in which the notification is located.
:delayedDefault. Specifies that a notification should be queued up, and then executed at the end of a Chef Infra Client run.
:immediate, :immediately
Specifies that a notification should be run immediately, per resource notified.
The syntax for subscribes is:
subscribes :action, 'resource[name]', :timer
A guard property can be used to evaluate the state of a node during the execution phase of a Chef Infra Client run. Based on the results of this evaluation, a guard property is then used to tell Chef Infra Client if it should continue executing a resource. A guard property accepts either a string value or a Ruby block value:
0, the guard is applied. If the command returns any other value, then the guard property is not applied. String guards in a powershell_script run Windows PowerShell commands and may return true in addition to 0.true or false. If the block returns true, the guard property is applied. If the block returns false, the guard property is not applied.A guard property is useful for ensuring that a resource is idempotent by allowing that resource to test for the desired state as it is being executed, and then if the desired state is present, for Chef Infra Client to do nothing.
PropertiesThe following properties can be used to define a guard that is evaluated during the execution phase of a Chef Infra Client run:
not_ifPrevent a resource from executing when the condition returns true.
only_ifAllow a resource to execute only if the condition returns true.
The following examples demonstrate various approaches for using the windows_automatic_logout resource in recipes:
Set the node to auto-logout when not being used:
automatic_logout 'Automatically logout for inactivity' do
autologout_time 900
action :enable
end
Disable auto-logout:
automatic_logout 'Disable automatic inactivity logout' do
autologout_time 900
action :disable
end
Use the windows_choco_installer resource to install the Chocolatey package manager on Windows clients.
New in Chef Infra Client 2.0.
The full syntax for all of the properties that are available to the windows_choco_installer resource is:
windows_choco_installer 'name' do
action Symbol # defaults to :install if not specified
endwhere:
windows_choco_installer is the resource.name is the name given to the resource block.action identifies which steps Chef Infra Client will take to bring the node into the desired state.The windows_choco_installer resource has the following actions:
:install:nothingThis resource does not have any properties.
Chef resources include common properties, notifications, and resource guards.
The following properties are common to every resource:
compile_timeRuby Type: true, false | Default Value: false
Control the phase during which the resource is run on the node. Set to true to run while the resource collection is being built (the compile phase). Set to false to run while Chef Infra Client is configuring the node (the converge phase).
ignore_failureRuby Type: true, false, :quiet | Default Value: false
Continue running a recipe if a resource fails for any reason. :quiet will not display the full stack trace and the recipe will continue to run if a resource fails.
retriesRuby Type: Integer | Default Value: 0
The number of attempts to catch exceptions and retry the resource.
retry_delayRuby Type: Integer | Default Value: 2
The delay in seconds between retry attempts.
sensitiveRuby Type: true, false | Default Value: false
Ensure that sensitive resource data is not logged by Chef Infra Client.
notifies Ruby Type: Symbol, 'Chef::Resource[String]'
A resource may notify another resource to take action when its state changes. Specify a 'resource[name]', the :action that resource should take, and then the :timer for that action. A resource may notify more than one resource; use a notifies statement for each resource to be notified.
If the referenced resource does not exist, an error is raised. In contrast, subscribes will not fail if the source resource is not found.
A timer specifies the point during a Chef Infra Client run at which a notification is run. The following timers are available:
:beforeSpecifies that the action on a notified resource should be run before processing the resource block in which the notification is located.
:delayedDefault. Specifies that a notification should be queued up, and then executed at the end of a Chef Infra Client run.
:immediate, :immediately
Specifies that a notification should be run immediately, per resource notified.
The syntax for notifies is:
notifies :action, 'resource[name]', :timer
subscribes Ruby Type: Symbol, 'Chef::Resource[String]'
A resource may listen to another resource, and then take action if the state of the resource being listened to changes. Specify a 'resource[name]', the :action to be taken, and then the :timer for that action.
Note that subscribes does not apply the specified action to the resource that it listens to - for example:
file '/etc/nginx/ssl/example.crt' do
mode '0600'
owner 'root'
end
service 'nginx' do
subscribes :reload, 'file[/etc/nginx/ssl/example.crt]', :immediately
end
In this case the subscribes property reloads the nginx service whenever its certificate file, located under /etc/nginx/ssl/example.crt, is updated. subscribes does not make any changes to the certificate file itself, it merely listens for a change to the file, and executes the :reload action for its resource (in this example nginx) when a change is detected.
If the other resource does not exist, the subscription will not raise an error. Contrast this with the stricter semantics of notifies, which will raise an error if the other resource does not exist.
A timer specifies the point during a Chef Infra Client run at which a notification is run. The following timers are available:
:beforeSpecifies that the action on a notified resource should be run before processing the resource block in which the notification is located.
:delayedDefault. Specifies that a notification should be queued up, and then executed at the end of a Chef Infra Client run.
:immediate, :immediately
Specifies that a notification should be run immediately, per resource notified.
The syntax for subscribes is:
subscribes :action, 'resource[name]', :timer
A guard property can be used to evaluate the state of a node during the execution phase of a Chef Infra Client run. Based on the results of this evaluation, a guard property is then used to tell Chef Infra Client if it should continue executing a resource. A guard property accepts either a string value or a Ruby block value:
0, the guard is applied. If the command returns any other value, then the guard property is not applied. String guards in a powershell_script run Windows PowerShell commands and may return true in addition to 0.true or false. If the block returns true, the guard property is applied. If the block returns false, the guard property is not applied.A guard property is useful for ensuring that a resource is idempotent by allowing that resource to test for the desired state as it is being executed, and then if the desired state is present, for Chef Infra Client to do nothing.
PropertiesThe following properties can be used to define a guard that is evaluated during the execution phase of a Chef Infra Client run:
not_ifPrevent a resource from executing when the condition returns true.
only_ifAllow a resource to execute only if the condition returns true.
The following examples demonstrate various approaches for using the windows_choco_installer resource in recipes:
Configure Chocolatey Package Manager:
windows_choco_installer 'Install Chocolatey Package Manager' do
action :install
end
Use the windows_defender resource to enable or disable the Microsoft Windows Defender service.
New in Chef Infra Client 1.0.
The full syntax for all of the properties that are available to the windows_defender resource is:
windows_defender 'name' do
intrusion_protection_system true, false # default value: true
lock_ui true, false # default value: false
realtime_protection true, false # default value: true
scan_archives true, false # default value: true
scan_email true, false # default value: false
scan_mapped_drives true, false # default value: true
scan_network_files true, false # default value: false
scan_removable_drives true, false # default value: false
scan_scripts true, false # default value: false
action Symbol # defaults to :enable if not specified
endwhere:
windows_defender is the resource.name is the name given to the resource block.action identifies which steps Chef Infra Client will take to bring the node into the desired state.intrusion_protection_system, lock_ui, realtime_protection, scan_archives, scan_email, scan_mapped_drives, scan_network_files, scan_removable_drives, and scan_scripts are the properties available to this resource.The windows_defender resource has the following actions:
:disable:enable:nothingThe windows_defender resource has the following properties:
intrusion_protection_system true Enable network protection against exploitation of known vulnerabilities.
New in Chef Client 1.1
lock_ui false Lock the UI to prevent users from changing Windows Defender settings.
New in Chef Client 1.1
realtime_protection true Enable realtime scanning of downloaded files and attachments.
New in Chef Client 1.1
scan_archives true Scan file archives such as .zip or .gz archives.
New in Chef Client 1.1
scan_email false Scan e-mails for malware.
New in Chef Client 1.1
scan_mapped_drives true Scan files on mapped network drives.
New in Chef Client 1.1
scan_network_files false Scan files on a network.
New in Chef Client 1.1
scan_removable_drives false Scan content of removable drives.
New in Chef Client 1.1
scan_scripts false Scan scripts in malware scans.
New in Chef Client 1.1
Chef resources include common properties, notifications, and resource guards.
The following properties are common to every resource:
compile_timeRuby Type: true, false | Default Value: false
Control the phase during which the resource is run on the node. Set to true to run while the resource collection is being built (the compile phase). Set to false to run while Chef Infra Client is configuring the node (the converge phase).
ignore_failureRuby Type: true, false, :quiet | Default Value: false
Continue running a recipe if a resource fails for any reason. :quiet will not display the full stack trace and the recipe will continue to run if a resource fails.
retriesRuby Type: Integer | Default Value: 0
The number of attempts to catch exceptions and retry the resource.
retry_delayRuby Type: Integer | Default Value: 2
The delay in seconds between retry attempts.
sensitiveRuby Type: true, false | Default Value: false
Ensure that sensitive resource data is not logged by Chef Infra Client.
notifies Ruby Type: Symbol, 'Chef::Resource[String]'
A resource may notify another resource to take action when its state changes. Specify a 'resource[name]', the :action that resource should take, and then the :timer for that action. A resource may notify more than one resource; use a notifies statement for each resource to be notified.
If the referenced resource does not exist, an error is raised. In contrast, subscribes will not fail if the source resource is not found.
A timer specifies the point during a Chef Infra Client run at which a notification is run. The following timers are available:
:beforeSpecifies that the action on a notified resource should be run before processing the resource block in which the notification is located.
:delayedDefault. Specifies that a notification should be queued up, and then executed at the end of a Chef Infra Client run.
:immediate, :immediately
Specifies that a notification should be run immediately, per resource notified.
The syntax for notifies is:
notifies :action, 'resource[name]', :timer
subscribes Ruby Type: Symbol, 'Chef::Resource[String]'
A resource may listen to another resource, and then take action if the state of the resource being listened to changes. Specify a 'resource[name]', the :action to be taken, and then the :timer for that action.
Note that subscribes does not apply the specified action to the resource that it listens to - for example:
file '/etc/nginx/ssl/example.crt' do
mode '0600'
owner 'root'
end
service 'nginx' do
subscribes :reload, 'file[/etc/nginx/ssl/example.crt]', :immediately
end
In this case the subscribes property reloads the nginx service whenever its certificate file, located under /etc/nginx/ssl/example.crt, is updated. subscribes does not make any changes to the certificate file itself, it merely listens for a change to the file, and executes the :reload action for its resource (in this example nginx) when a change is detected.
If the other resource does not exist, the subscription will not raise an error. Contrast this with the stricter semantics of notifies, which will raise an error if the other resource does not exist.
A timer specifies the point during a Chef Infra Client run at which a notification is run. The following timers are available:
:beforeSpecifies that the action on a notified resource should be run before processing the resource block in which the notification is located.
:delayedDefault. Specifies that a notification should be queued up, and then executed at the end of a Chef Infra Client run.
:immediate, :immediately
Specifies that a notification should be run immediately, per resource notified.
The syntax for subscribes is:
subscribes :action, 'resource[name]', :timer
A guard property can be used to evaluate the state of a node during the execution phase of a Chef Infra Client run. Based on the results of this evaluation, a guard property is then used to tell Chef Infra Client if it should continue executing a resource. A guard property accepts either a string value or a Ruby block value:
0, the guard is applied. If the command returns any other value, then the guard property is not applied. String guards in a powershell_script run Windows PowerShell commands and may return true in addition to 0.true or false. If the block returns true, the guard property is applied. If the block returns false, the guard property is not applied.A guard property is useful for ensuring that a resource is idempotent by allowing that resource to test for the desired state as it is being executed, and then if the desired state is present, for Chef Infra Client to do nothing.
PropertiesThe following properties can be used to define a guard that is evaluated during the execution phase of a Chef Infra Client run:
not_ifPrevent a resource from executing when the condition returns true.
only_ifAllow a resource to execute only if the condition returns true.
The following examples demonstrate various approaches for using the windows_defender resource in recipes:
Configure Windows Defender AV settings:
windows_defender 'Configure Defender' do
realtime_protection true
intrusion_protection_system true
lock_ui true
scan_archives true
scan_scripts true
scan_email true
scan_removable_drives true
scan_network_files false
scan_mapped_drives false
action :enable
end
Disable Windows Defender AV:
windows_defender 'Disable Defender' do
action :disable
end
Use the windows_defender_exclusion resource to exclude paths, processes, or file types from Windows Defender realtime protection scanning.
New in Chef Infra Client 1.1.
The full syntax for all of the properties that are available to the windows_defender_exclusion resource is:
windows_defender_exclusion 'name' do
extensions String, Array # default value: []
paths String, Array # default value: []
process_paths String, Array # default value: []
action Symbol # defaults to :add if not specified
endwhere:
windows_defender_exclusion is the resource.name is the name given to the resource block.action identifies which steps Chef Infra Client will take to bring the node into the desired state.extensions, paths, and process_paths are the properties available to this resource.The windows_defender_exclusion resource has the following actions:
:add:nothing:removeThe windows_defender_exclusion resource has the following properties:
extensions [] File extensions to exclude from scanning.
paths [] File or directory paths to exclude from scanning.
process_paths [] Paths to executables to exclude from scanning.
Chef resources include common properties, notifications, and resource guards.
The following properties are common to every resource:
compile_timeRuby Type: true, false | Default Value: false
Control the phase during which the resource is run on the node. Set to true to run while the resource collection is being built (the compile phase). Set to false to run while Chef Infra Client is configuring the node (the converge phase).
ignore_failureRuby Type: true, false, :quiet | Default Value: false
Continue running a recipe if a resource fails for any reason. :quiet will not display the full stack trace and the recipe will continue to run if a resource fails.
retriesRuby Type: Integer | Default Value: 0
The number of attempts to catch exceptions and retry the resource.
retry_delayRuby Type: Integer | Default Value: 2
The delay in seconds between retry attempts.
sensitiveRuby Type: true, false | Default Value: false
Ensure that sensitive resource data is not logged by Chef Infra Client.
notifies Ruby Type: Symbol, 'Chef::Resource[String]'
A resource may notify another resource to take action when its state changes. Specify a 'resource[name]', the :action that resource should take, and then the :timer for that action. A resource may notify more than one resource; use a notifies statement for each resource to be notified.
If the referenced resource does not exist, an error is raised. In contrast, subscribes will not fail if the source resource is not found.
A timer specifies the point during a Chef Infra Client run at which a notification is run. The following timers are available:
:beforeSpecifies that the action on a notified resource should be run before processing the resource block in which the notification is located.
:delayedDefault. Specifies that a notification should be queued up, and then executed at the end of a Chef Infra Client run.
:immediate, :immediately
Specifies that a notification should be run immediately, per resource notified.
The syntax for notifies is:
notifies :action, 'resource[name]', :timer
subscribes Ruby Type: Symbol, 'Chef::Resource[String]'
A resource may listen to another resource, and then take action if the state of the resource being listened to changes. Specify a 'resource[name]', the :action to be taken, and then the :timer for that action.
Note that subscribes does not apply the specified action to the resource that it listens to - for example:
file '/etc/nginx/ssl/example.crt' do
mode '0600'
owner 'root'
end
service 'nginx' do
subscribes :reload, 'file[/etc/nginx/ssl/example.crt]', :immediately
end
In this case the subscribes property reloads the nginx service whenever its certificate file, located under /etc/nginx/ssl/example.crt, is updated. subscribes does not make any changes to the certificate file itself, it merely listens for a change to the file, and executes the :reload action for its resource (in this example nginx) when a change is detected.
If the other resource does not exist, the subscription will not raise an error. Contrast this with the stricter semantics of notifies, which will raise an error if the other resource does not exist.
A timer specifies the point during a Chef Infra Client run at which a notification is run. The following timers are available:
:beforeSpecifies that the action on a notified resource should be run before processing the resource block in which the notification is located.
:delayedDefault. Specifies that a notification should be queued up, and then executed at the end of a Chef Infra Client run.
:immediate, :immediately
Specifies that a notification should be run immediately, per resource notified.
The syntax for subscribes is:
subscribes :action, 'resource[name]', :timer
A guard property can be used to evaluate the state of a node during the execution phase of a Chef Infra Client run. Based on the results of this evaluation, a guard property is then used to tell Chef Infra Client if it should continue executing a resource. A guard property accepts either a string value or a Ruby block value:
0, the guard is applied. If the command returns any other value, then the guard property is not applied. String guards in a powershell_script run Windows PowerShell commands and may return true in addition to 0.true or false. If the block returns true, the guard property is applied. If the block returns false, the guard property is not applied.A guard property is useful for ensuring that a resource is idempotent by allowing that resource to test for the desired state as it is being executed, and then if the desired state is present, for Chef Infra Client to do nothing.
PropertiesThe following properties can be used to define a guard that is evaluated during the execution phase of a Chef Infra Client run:
not_ifPrevent a resource from executing when the condition returns true.
only_ifAllow a resource to execute only if the condition returns true.
The following examples demonstrate various approaches for using the windows_defender_exclusion resource in recipes:
Add excluded items to Windows Defender scans:
windows_defender_exclusion 'Add to things to be excluded from scanning' do
paths 'c:\foo\bar, d:\bar\baz'
extensions 'png, foo, ppt, doc'
process_paths 'c:\windows\system32'
action :add
end
Remove excluded items from Windows Defender scans:
windows_defender_exclusion 'Remove things from the list to be excluded' do
process_paths 'c:\windows\system32'
action :remove
end
Use the windows_desktop_screensaver resource to configure secure screensaver settings on Windows systems.
New in Chef Infra Client 1.0.
The full syntax for all of the properties that are available to the windows_desktop_screensaver resource is:
windows_desktop_screensaver 'name' do
allow_lower_user_idle_time true, false # default value: false
idle_time Integer # default value: 20
require_password true, false # default value: true
screensaver_name String
action Symbol # defaults to :enable if not specified
endwhere:
windows_desktop_screensaver is the resource.name is the name given to the resource block.action identifies which steps Chef Infra Client will take to bring the node into the desired state.allow_lower_user_idle_time, idle_time, require_password, and screensaver_name are the properties available to this resource.The windows_desktop_screensaver resource has the following actions:
:disable:enable:nothingThe windows_desktop_screensaver resource has the following properties:
allow_lower_user_idle_time false Allow users to set their screen saver idle time lower than the system requirements.
idle_time 20 The amount of idle time in minutes before the screensaver comes on.
require_password true Require a password when waking from the screensaver.
screensaver_name The name of a specific or custom screensaver to enable.
Chef resources include common properties, notifications, and resource guards.
The following properties are common to every resource:
compile_timeRuby Type: true, false | Default Value: false
Control the phase during which the resource is run on the node. Set to true to run while the resource collection is being built (the compile phase). Set to false to run while Chef Infra Client is configuring the node (the converge phase).
ignore_failureRuby Type: true, false, :quiet | Default Value: false
Continue running a recipe if a resource fails for any reason. :quiet will not display the full stack trace and the recipe will continue to run if a resource fails.
retriesRuby Type: Integer | Default Value: 0
The number of attempts to catch exceptions and retry the resource.
retry_delayRuby Type: Integer | Default Value: 2
The delay in seconds between retry attempts.
sensitiveRuby Type: true, false | Default Value: false
Ensure that sensitive resource data is not logged by Chef Infra Client.
notifies Ruby Type: Symbol, 'Chef::Resource[String]'
A resource may notify another resource to take action when its state changes. Specify a 'resource[name]', the :action that resource should take, and then the :timer for that action. A resource may notify more than one resource; use a notifies statement for each resource to be notified.
If the referenced resource does not exist, an error is raised. In contrast, subscribes will not fail if the source resource is not found.
A timer specifies the point during a Chef Infra Client run at which a notification is run. The following timers are available:
:beforeSpecifies that the action on a notified resource should be run before processing the resource block in which the notification is located.
:delayedDefault. Specifies that a notification should be queued up, and then executed at the end of a Chef Infra Client run.
:immediate, :immediately
Specifies that a notification should be run immediately, per resource notified.
The syntax for notifies is:
notifies :action, 'resource[name]', :timer
subscribes Ruby Type: Symbol, 'Chef::Resource[String]'
A resource may listen to another resource, and then take action if the state of the resource being listened to changes. Specify a 'resource[name]', the :action to be taken, and then the :timer for that action.
Note that subscribes does not apply the specified action to the resource that it listens to - for example:
file '/etc/nginx/ssl/example.crt' do
mode '0600'
owner 'root'
end
service 'nginx' do
subscribes :reload, 'file[/etc/nginx/ssl/example.crt]', :immediately
end
In this case the subscribes property reloads the nginx service whenever its certificate file, located under /etc/nginx/ssl/example.crt, is updated. subscribes does not make any changes to the certificate file itself, it merely listens for a change to the file, and executes the :reload action for its resource (in this example nginx) when a change is detected.
If the other resource does not exist, the subscription will not raise an error. Contrast this with the stricter semantics of notifies, which will raise an error if the other resource does not exist.
A timer specifies the point during a Chef Infra Client run at which a notification is run. The following timers are available:
:beforeSpecifies that the action on a notified resource should be run before processing the resource block in which the notification is located.
:delayedDefault. Specifies that a notification should be queued up, and then executed at the end of a Chef Infra Client run.
:immediate, :immediately
Specifies that a notification should be run immediately, per resource notified.
The syntax for subscribes is:
subscribes :action, 'resource[name]', :timer
A guard property can be used to evaluate the state of a node during the execution phase of a Chef Infra Client run. Based on the results of this evaluation, a guard property is then used to tell Chef Infra Client if it should continue executing a resource. A guard property accepts either a string value or a Ruby block value:
0, the guard is applied. If the command returns any other value, then the guard property is not applied. String guards in a powershell_script run Windows PowerShell commands and may return true in addition to 0.true or false. If the block returns true, the guard property is applied. If the block returns false, the guard property is not applied.A guard property is useful for ensuring that a resource is idempotent by allowing that resource to test for the desired state as it is being executed, and then if the desired state is present, for Chef Infra Client to do nothing.
PropertiesThe following properties can be used to define a guard that is evaluated during the execution phase of a Chef Infra Client run:
not_ifPrevent a resource from executing when the condition returns true.
only_ifAllow a resource to execute only if the condition returns true.
The following examples demonstrate various approaches for using the windows_desktop_screensaver resource in recipes:
Secure the desktop with a screensaver and password:
desktop_screensaver 'Sets up a Screensaver to come on and require a password after xx minutes' do
require_password true
idle_time 20
allow_lower_user_idle_time false
screensaver_name 'mystify.scr'
action :enable
end
Disable requiring a screensaver with a password:
desktop_screensaver 'Disable the screensaver' do
action :disable
end
Use the windows_desktop_winrm_settings resource to setup and teardown WinRM settings on a node. Chef Infra Client does not require this for operation.
New in Chef Infra Client 1.0.
The full syntax for all of the properties that are available to the windows_desktop_winrm_settings resource is:
windows_desktop_winrm_settings 'name' do
action Symbol # defaults to :enable if not specified
endwhere:
windows_desktop_winrm_settings is the resource.name is the name given to the resource block.action identifies which steps Chef Infra Client will take to bring the node into the desired state.The windows_desktop_winrm_settings resource has the following actions:
:disable:enable:nothingThis resource does not have any properties.
Chef resources include common properties, notifications, and resource guards.
The following properties are common to every resource:
compile_timeRuby Type: true, false | Default Value: false
Control the phase during which the resource is run on the node. Set to true to run while the resource collection is being built (the compile phase). Set to false to run while Chef Infra Client is configuring the node (the converge phase).
ignore_failureRuby Type: true, false, :quiet | Default Value: false
Continue running a recipe if a resource fails for any reason. :quiet will not display the full stack trace and the recipe will continue to run if a resource fails.
retriesRuby Type: Integer | Default Value: 0
The number of attempts to catch exceptions and retry the resource.
retry_delayRuby Type: Integer | Default Value: 2
The delay in seconds between retry attempts.
sensitiveRuby Type: true, false | Default Value: false
Ensure that sensitive resource data is not logged by Chef Infra Client.
notifies Ruby Type: Symbol, 'Chef::Resource[String]'
A resource may notify another resource to take action when its state changes. Specify a 'resource[name]', the :action that resource should take, and then the :timer for that action. A resource may notify more than one resource; use a notifies statement for each resource to be notified.
If the referenced resource does not exist, an error is raised. In contrast, subscribes will not fail if the source resource is not found.
A timer specifies the point during a Chef Infra Client run at which a notification is run. The following timers are available:
:beforeSpecifies that the action on a notified resource should be run before processing the resource block in which the notification is located.
:delayedDefault. Specifies that a notification should be queued up, and then executed at the end of a Chef Infra Client run.
:immediate, :immediately
Specifies that a notification should be run immediately, per resource notified.
The syntax for notifies is:
notifies :action, 'resource[name]', :timer
subscribes Ruby Type: Symbol, 'Chef::Resource[String]'
A resource may listen to another resource, and then take action if the state of the resource being listened to changes. Specify a 'resource[name]', the :action to be taken, and then the :timer for that action.
Note that subscribes does not apply the specified action to the resource that it listens to - for example:
file '/etc/nginx/ssl/example.crt' do
mode '0600'
owner 'root'
end
service 'nginx' do
subscribes :reload, 'file[/etc/nginx/ssl/example.crt]', :immediately
end
In this case the subscribes property reloads the nginx service whenever its certificate file, located under /etc/nginx/ssl/example.crt, is updated. subscribes does not make any changes to the certificate file itself, it merely listens for a change to the file, and executes the :reload action for its resource (in this example nginx) when a change is detected.
If the other resource does not exist, the subscription will not raise an error. Contrast this with the stricter semantics of notifies, which will raise an error if the other resource does not exist.
A timer specifies the point during a Chef Infra Client run at which a notification is run. The following timers are available:
:beforeSpecifies that the action on a notified resource should be run before processing the resource block in which the notification is located.
:delayedDefault. Specifies that a notification should be queued up, and then executed at the end of a Chef Infra Client run.
:immediate, :immediately
Specifies that a notification should be run immediately, per resource notified.
The syntax for subscribes is:
subscribes :action, 'resource[name]', :timer
A guard property can be used to evaluate the state of a node during the execution phase of a Chef Infra Client run. Based on the results of this evaluation, a guard property is then used to tell Chef Infra Client if it should continue executing a resource. A guard property accepts either a string value or a Ruby block value:
0, the guard is applied. If the command returns any other value, then the guard property is not applied. String guards in a powershell_script run Windows PowerShell commands and may return true in addition to 0.true or false. If the block returns true, the guard property is applied. If the block returns false, the guard property is not applied.A guard property is useful for ensuring that a resource is idempotent by allowing that resource to test for the desired state as it is being executed, and then if the desired state is present, for Chef Infra Client to do nothing.
PropertiesThe following properties can be used to define a guard that is evaluated during the execution phase of a Chef Infra Client run:
not_ifPrevent a resource from executing when the condition returns true.
only_ifAllow a resource to execute only if the condition returns true.
The following examples demonstrate various approaches for using the windows_desktop_winrm_settings resource in recipes:
Turn WinRM On:
windows_desktop_winrm_settings 'Settings to enable WinRM on a node for desktop-config' do
action :enable
end
Turn WinRM Off:
windows_desktop_winrm_settings 'Settings to disable WinRM on a node for desktop-config' do
action :disable
end
Use the windows_disk_encryption resource to enable or disable BitLocker Drive Encryption on Windows systems.
New in Chef Infra Client 1.0.
The full syntax for all of the properties that are available to the windows_disk_encryption resource is:
windows_disk_encryption 'name' do
reboot_after_update true, false # default value: true
action Symbol # defaults to :enable if not specified
endwhere:
windows_disk_encryption is the resource.name is the name given to the resource block.action identifies which steps Chef Infra Client will take to bring the node into the desired state.reboot_after_update is the property available to this resource.The windows_disk_encryption resource has the following actions:
:disable:enable:nothingThe windows_disk_encryption resource has the following properties:
reboot_after_update true Control the reboot behavior after enabling BitLocker
New in Chef Client 1.1
Chef resources include common properties, notifications, and resource guards.
The following properties are common to every resource:
compile_timeRuby Type: true, false | Default Value: false
Control the phase during which the resource is run on the node. Set to true to run while the resource collection is being built (the compile phase). Set to false to run while Chef Infra Client is configuring the node (the converge phase).
ignore_failureRuby Type: true, false, :quiet | Default Value: false
Continue running a recipe if a resource fails for any reason. :quiet will not display the full stack trace and the recipe will continue to run if a resource fails.
retriesRuby Type: Integer | Default Value: 0
The number of attempts to catch exceptions and retry the resource.
retry_delayRuby Type: Integer | Default Value: 2
The delay in seconds between retry attempts.
sensitiveRuby Type: true, false | Default Value: false
Ensure that sensitive resource data is not logged by Chef Infra Client.
notifies Ruby Type: Symbol, 'Chef::Resource[String]'
A resource may notify another resource to take action when its state changes. Specify a 'resource[name]', the :action that resource should take, and then the :timer for that action. A resource may notify more than one resource; use a notifies statement for each resource to be notified.
If the referenced resource does not exist, an error is raised. In contrast, subscribes will not fail if the source resource is not found.
A timer specifies the point during a Chef Infra Client run at which a notification is run. The following timers are available:
:beforeSpecifies that the action on a notified resource should be run before processing the resource block in which the notification is located.
:delayedDefault. Specifies that a notification should be queued up, and then executed at the end of a Chef Infra Client run.
:immediate, :immediately
Specifies that a notification should be run immediately, per resource notified.
The syntax for notifies is:
notifies :action, 'resource[name]', :timer
subscribes Ruby Type: Symbol, 'Chef::Resource[String]'
A resource may listen to another resource, and then take action if the state of the resource being listened to changes. Specify a 'resource[name]', the :action to be taken, and then the :timer for that action.
Note that subscribes does not apply the specified action to the resource that it listens to - for example:
file '/etc/nginx/ssl/example.crt' do
mode '0600'
owner 'root'
end
service 'nginx' do
subscribes :reload, 'file[/etc/nginx/ssl/example.crt]', :immediately
end
In this case the subscribes property reloads the nginx service whenever its certificate file, located under /etc/nginx/ssl/example.crt, is updated. subscribes does not make any changes to the certificate file itself, it merely listens for a change to the file, and executes the :reload action for its resource (in this example nginx) when a change is detected.
If the other resource does not exist, the subscription will not raise an error. Contrast this with the stricter semantics of notifies, which will raise an error if the other resource does not exist.
A timer specifies the point during a Chef Infra Client run at which a notification is run. The following timers are available:
:beforeSpecifies that the action on a notified resource should be run before processing the resource block in which the notification is located.
:delayedDefault. Specifies that a notification should be queued up, and then executed at the end of a Chef Infra Client run.
:immediate, :immediately
Specifies that a notification should be run immediately, per resource notified.
The syntax for subscribes is:
subscribes :action, 'resource[name]', :timer
A guard property can be used to evaluate the state of a node during the execution phase of a Chef Infra Client run. Based on the results of this evaluation, a guard property is then used to tell Chef Infra Client if it should continue executing a resource. A guard property accepts either a string value or a Ruby block value:
0, the guard is applied. If the command returns any other value, then the guard property is not applied. String guards in a powershell_script run Windows PowerShell commands and may return true in addition to 0.true or false. If the block returns true, the guard property is applied. If the block returns false, the guard property is not applied.A guard property is useful for ensuring that a resource is idempotent by allowing that resource to test for the desired state as it is being executed, and then if the desired state is present, for Chef Infra Client to do nothing.
PropertiesThe following properties can be used to define a guard that is evaluated during the execution phase of a Chef Infra Client run:
not_ifPrevent a resource from executing when the condition returns true.
only_ifAllow a resource to execute only if the condition returns true.
The following examples demonstrate various approaches for using the windows_disk_encryption resource in recipes:
Enable BitLocker:
disk_encryption 'Turns on BitLocker Drive Encryption' do
action :enable
reboot_after_update true
end
Use the windows_firewall resource to enable or disable the Windows firewall service and all profiles.
New in Chef Infra Client 1.0.
The full syntax for all of the properties that are available to the windows_firewall resource is:
windows_firewall 'name' do
action Symbol # defaults to :enable if not specified
endwhere:
windows_firewall is the resource.name is the name given to the resource block.action identifies which steps Chef Infra Client will take to bring the node into the desired state.The windows_firewall resource has the following actions:
:disable:enable:nothingThis resource does not have any properties.
Chef resources include common properties, notifications, and resource guards.
The following properties are common to every resource:
compile_timeRuby Type: true, false | Default Value: false
Control the phase during which the resource is run on the node. Set to true to run while the resource collection is being built (the compile phase). Set to false to run while Chef Infra Client is configuring the node (the converge phase).
ignore_failureRuby Type: true, false, :quiet | Default Value: false
Continue running a recipe if a resource fails for any reason. :quiet will not display the full stack trace and the recipe will continue to run if a resource fails.
retriesRuby Type: Integer | Default Value: 0
The number of attempts to catch exceptions and retry the resource.
retry_delayRuby Type: Integer | Default Value: 2
The delay in seconds between retry attempts.
sensitiveRuby Type: true, false | Default Value: false
Ensure that sensitive resource data is not logged by Chef Infra Client.
notifies Ruby Type: Symbol, 'Chef::Resource[String]'
A resource may notify another resource to take action when its state changes. Specify a 'resource[name]', the :action that resource should take, and then the :timer for that action. A resource may notify more than one resource; use a notifies statement for each resource to be notified.
If the referenced resource does not exist, an error is raised. In contrast, subscribes will not fail if the source resource is not found.
A timer specifies the point during a Chef Infra Client run at which a notification is run. The following timers are available:
:beforeSpecifies that the action on a notified resource should be run before processing the resource block in which the notification is located.
:delayedDefault. Specifies that a notification should be queued up, and then executed at the end of a Chef Infra Client run.
:immediate, :immediately
Specifies that a notification should be run immediately, per resource notified.
The syntax for notifies is:
notifies :action, 'resource[name]', :timer
subscribes Ruby Type: Symbol, 'Chef::Resource[String]'
A resource may listen to another resource, and then take action if the state of the resource being listened to changes. Specify a 'resource[name]', the :action to be taken, and then the :timer for that action.
Note that subscribes does not apply the specified action to the resource that it listens to - for example:
file '/etc/nginx/ssl/example.crt' do
mode '0600'
owner 'root'
end
service 'nginx' do
subscribes :reload, 'file[/etc/nginx/ssl/example.crt]', :immediately
end
In this case the subscribes property reloads the nginx service whenever its certificate file, located under /etc/nginx/ssl/example.crt, is updated. subscribes does not make any changes to the certificate file itself, it merely listens for a change to the file, and executes the :reload action for its resource (in this example nginx) when a change is detected.
If the other resource does not exist, the subscription will not raise an error. Contrast this with the stricter semantics of notifies, which will raise an error if the other resource does not exist.
A timer specifies the point during a Chef Infra Client run at which a notification is run. The following timers are available:
:beforeSpecifies that the action on a notified resource should be run before processing the resource block in which the notification is located.
:delayedDefault. Specifies that a notification should be queued up, and then executed at the end of a Chef Infra Client run.
:immediate, :immediately
Specifies that a notification should be run immediately, per resource notified.
The syntax for subscribes is:
subscribes :action, 'resource[name]', :timer
A guard property can be used to evaluate the state of a node during the execution phase of a Chef Infra Client run. Based on the results of this evaluation, a guard property is then used to tell Chef Infra Client if it should continue executing a resource. A guard property accepts either a string value or a Ruby block value:
0, the guard is applied. If the command returns any other value, then the guard property is not applied. String guards in a powershell_script run Windows PowerShell commands and may return true in addition to 0.true or false. If the block returns true, the guard property is applied. If the block returns false, the guard property is not applied.A guard property is useful for ensuring that a resource is idempotent by allowing that resource to test for the desired state as it is being executed, and then if the desired state is present, for Chef Infra Client to do nothing.
PropertiesThe following properties can be used to define a guard that is evaluated during the execution phase of a Chef Infra Client run:
not_ifPrevent a resource from executing when the condition returns true.
only_ifAllow a resource to execute only if the condition returns true.
The following examples demonstrate various approaches for using the windows_firewall resource in recipes:
Set the Windows firewall:
windows_firewall 'Enable the node firewall' do
action :enable
end
Use the windows_ie_esc resource to adjust the Internet Explorer extensibility and security settings.
New in Chef Infra Client 2.0.
The full syntax for all of the properties that are available to the windows_ie_esc resource is:
windows_ie_esc 'name' do
scopes Array
action Symbol # defaults to :enable if not specified
endwhere:
windows_ie_esc is the resource.name is the name given to the resource block.action identifies which steps Chef Infra Client will take to bring the node into the desired state.scopes is the property available to this resource.The windows_ie_esc resource has the following actions:
:disable:enable:nothingThe windows_ie_esc resource has the following properties:
scopes REQUIRED Windows user scopes targeted by this security config
Chef resources include common properties, notifications, and resource guards.
The following properties are common to every resource:
compile_timeRuby Type: true, false | Default Value: false
Control the phase during which the resource is run on the node. Set to true to run while the resource collection is being built (the compile phase). Set to false to run while Chef Infra Client is configuring the node (the converge phase).
ignore_failureRuby Type: true, false, :quiet | Default Value: false
Continue running a recipe if a resource fails for any reason. :quiet will not display the full stack trace and the recipe will continue to run if a resource fails.
retriesRuby Type: Integer | Default Value: 0
The number of attempts to catch exceptions and retry the resource.
retry_delayRuby Type: Integer | Default Value: 2
The delay in seconds between retry attempts.
sensitiveRuby Type: true, false | Default Value: false
Ensure that sensitive resource data is not logged by Chef Infra Client.
notifies Ruby Type: Symbol, 'Chef::Resource[String]'
A resource may notify another resource to take action when its state changes. Specify a 'resource[name]', the :action that resource should take, and then the :timer for that action. A resource may notify more than one resource; use a notifies statement for each resource to be notified.
If the referenced resource does not exist, an error is raised. In contrast, subscribes will not fail if the source resource is not found.
A timer specifies the point during a Chef Infra Client run at which a notification is run. The following timers are available:
:beforeSpecifies that the action on a notified resource should be run before processing the resource block in which the notification is located.
:delayedDefault. Specifies that a notification should be queued up, and then executed at the end of a Chef Infra Client run.
:immediate, :immediately
Specifies that a notification should be run immediately, per resource notified.
The syntax for notifies is:
notifies :action, 'resource[name]', :timer
subscribes Ruby Type: Symbol, 'Chef::Resource[String]'
A resource may listen to another resource, and then take action if the state of the resource being listened to changes. Specify a 'resource[name]', the :action to be taken, and then the :timer for that action.
Note that subscribes does not apply the specified action to the resource that it listens to - for example:
file '/etc/nginx/ssl/example.crt' do
mode '0600'
owner 'root'
end
service 'nginx' do
subscribes :reload, 'file[/etc/nginx/ssl/example.crt]', :immediately
end
In this case the subscribes property reloads the nginx service whenever its certificate file, located under /etc/nginx/ssl/example.crt, is updated. subscribes does not make any changes to the certificate file itself, it merely listens for a change to the file, and executes the :reload action for its resource (in this example nginx) when a change is detected.
If the other resource does not exist, the subscription will not raise an error. Contrast this with the stricter semantics of notifies, which will raise an error if the other resource does not exist.
A timer specifies the point during a Chef Infra Client run at which a notification is run. The following timers are available:
:beforeSpecifies that the action on a notified resource should be run before processing the resource block in which the notification is located.
:delayedDefault. Specifies that a notification should be queued up, and then executed at the end of a Chef Infra Client run.
:immediate, :immediately
Specifies that a notification should be run immediately, per resource notified.
The syntax for subscribes is:
subscribes :action, 'resource[name]', :timer
A guard property can be used to evaluate the state of a node during the execution phase of a Chef Infra Client run. Based on the results of this evaluation, a guard property is then used to tell Chef Infra Client if it should continue executing a resource. A guard property accepts either a string value or a Ruby block value:
0, the guard is applied. If the command returns any other value, then the guard property is not applied. String guards in a powershell_script run Windows PowerShell commands and may return true in addition to 0.true or false. If the block returns true, the guard property is applied. If the block returns false, the guard property is not applied.A guard property is useful for ensuring that a resource is idempotent by allowing that resource to test for the desired state as it is being executed, and then if the desired state is present, for Chef Infra Client to do nothing.
PropertiesThe following properties can be used to define a guard that is evaluated during the execution phase of a Chef Infra Client run:
not_ifPrevent a resource from executing when the condition returns true.
only_ifAllow a resource to execute only if the condition returns true.
The following examples demonstrate various approaches for using the windows_ie_esc resource in recipes:
Turns off Internet Explorer ESC:
windows_ie_esc 'Turn off Internet Explorer ESC for admin' do
scopes [:admin]
action :disable
end
Turns on Internet Explorer ESC to reduce risks from exposure to websites:
windows_ie_esc 'Enforce Internet Explorer ESC for all user scopes' do
scopes [:admin, :user]
action :enable
end
Use the windows_password_policy resource to setup password complexity, password length, etc.
New in Chef Infra Client 1.0.
The full syntax for all of the properties that are available to the windows_password_policy resource is:
windows_password_policy 'name' do
change_password_at_next_logon true, false # default value: false
group_name_for_expired_passwords String # default value: "Users"
group_name_for_password_never_expires String # default value: "Administrators"
maximum_password_age Integer # default value: 365
minimum_password_length Integer # default value: 12
password_never_expires true, false
require_complex_passwords true, false # default value: true
action Symbol # defaults to :set if not specified
endwhere:
windows_password_policy is the resource.name is the name given to the resource block.action identifies which steps Chef Infra Client will take to bring the node into the desired state.change_password_at_next_logon, group_name_for_expired_passwords, group_name_for_password_never_expires, maximum_password_age, minimum_password_length, password_never_expires, and require_complex_passwords are the properties available to this resource.The windows_password_policy resource has the following actions:
:nothing:setThe windows_password_policy resource has the following properties:
change_password_at_next_logon false Force all users in a local user group to change passwords at next logon
group_name_for_expired_passwords Users The group whose passwords were just to change at the next login
group_name_for_password_never_expires Administrators The group to which the password_never_expires rule applies. Defaults to Admins
maximum_password_age 365 The maximum age in days for a password before it must be changed, defaults to 365
minimum_password_length 12 Sets the minimum password length, defaults to 12 Characters
password_never_expires True/False to never expire the passwords, set to True by default
require_complex_passwords true A True/False option to require special characters, upper, lower, etc in the password
Chef resources include common properties, notifications, and resource guards.
The following properties are common to every resource:
compile_timeRuby Type: true, false | Default Value: false
Control the phase during which the resource is run on the node. Set to true to run while the resource collection is being built (the compile phase). Set to false to run while Chef Infra Client is configuring the node (the converge phase).
ignore_failureRuby Type: true, false, :quiet | Default Value: false
Continue running a recipe if a resource fails for any reason. :quiet will not display the full stack trace and the recipe will continue to run if a resource fails.
retriesRuby Type: Integer | Default Value: 0
The number of attempts to catch exceptions and retry the resource.
retry_delayRuby Type: Integer | Default Value: 2
The delay in seconds between retry attempts.
sensitiveRuby Type: true, false | Default Value: false
Ensure that sensitive resource data is not logged by Chef Infra Client.
notifies Ruby Type: Symbol, 'Chef::Resource[String]'
A resource may notify another resource to take action when its state changes. Specify a 'resource[name]', the :action that resource should take, and then the :timer for that action. A resource may notify more than one resource; use a notifies statement for each resource to be notified.
If the referenced resource does not exist, an error is raised. In contrast, subscribes will not fail if the source resource is not found.
A timer specifies the point during a Chef Infra Client run at which a notification is run. The following timers are available:
:beforeSpecifies that the action on a notified resource should be run before processing the resource block in which the notification is located.
:delayedDefault. Specifies that a notification should be queued up, and then executed at the end of a Chef Infra Client run.
:immediate, :immediately
Specifies that a notification should be run immediately, per resource notified.
The syntax for notifies is:
notifies :action, 'resource[name]', :timer
subscribes Ruby Type: Symbol, 'Chef::Resource[String]'
A resource may listen to another resource, and then take action if the state of the resource being listened to changes. Specify a 'resource[name]', the :action to be taken, and then the :timer for that action.
Note that subscribes does not apply the specified action to the resource that it listens to - for example:
file '/etc/nginx/ssl/example.crt' do
mode '0600'
owner 'root'
end
service 'nginx' do
subscribes :reload, 'file[/etc/nginx/ssl/example.crt]', :immediately
end
In this case the subscribes property reloads the nginx service whenever its certificate file, located under /etc/nginx/ssl/example.crt, is updated. subscribes does not make any changes to the certificate file itself, it merely listens for a change to the file, and executes the :reload action for its resource (in this example nginx) when a change is detected.
If the other resource does not exist, the subscription will not raise an error. Contrast this with the stricter semantics of notifies, which will raise an error if the other resource does not exist.
A timer specifies the point during a Chef Infra Client run at which a notification is run. The following timers are available:
:beforeSpecifies that the action on a notified resource should be run before processing the resource block in which the notification is located.
:delayedDefault. Specifies that a notification should be queued up, and then executed at the end of a Chef Infra Client run.
:immediate, :immediately
Specifies that a notification should be run immediately, per resource notified.
The syntax for subscribes is:
subscribes :action, 'resource[name]', :timer
A guard property can be used to evaluate the state of a node during the execution phase of a Chef Infra Client run. Based on the results of this evaluation, a guard property is then used to tell Chef Infra Client if it should continue executing a resource. A guard property accepts either a string value or a Ruby block value:
0, the guard is applied. If the command returns any other value, then the guard property is not applied. String guards in a powershell_script run Windows PowerShell commands and may return true in addition to 0.true or false. If the block returns true, the guard property is applied. If the block returns false, the guard property is not applied.A guard property is useful for ensuring that a resource is idempotent by allowing that resource to test for the desired state as it is being executed, and then if the desired state is present, for Chef Infra Client to do nothing.
PropertiesThe following properties can be used to define a guard that is evaluated during the execution phase of a Chef Infra Client run:
not_ifPrevent a resource from executing when the condition returns true.
only_ifAllow a resource to execute only if the condition returns true.
The following examples demonstrate various approaches for using the windows_password_policy resource in recipes:
Configure the local password policy:
windows_password_policy 'Settings for password complexity, length and duration' do
require_complex_passwords true
minimum_password_length 12
maximum_password_age 365
action :set
end
Use the windows_power_management resource to set the power settings of a kiosk-style device when you need it always-on
New in Chef Infra Client 1.0.
The full syntax for all of the properties that are available to the windows_power_management resource is:
windows_power_management 'name' do
disk_timeout Integer
hibernate_timeout Integer
monitor_timeout Integer
power_level String # default value: "balanced"
power_scheme_label String
standby_timeout Integer
action Symbol # defaults to :set if not specified
endwhere:
windows_power_management is the resource.name is the name given to the resource block.action identifies which steps Chef Infra Client will take to bring the node into the desired state.disk_timeout, hibernate_timeout, monitor_timeout, power_level, power_scheme_label, and standby_timeout are the properties available to this resource.The windows_power_management resource has the following actions:
:nothing:setThe windows_power_management resource has the following properties:
disk_timeout The amount of time in minutes to wait before turning off the HD
hibernate_timeout The amount of time in minutes to wait before hibernating the system
monitor_timeout The amount of time in minutes to wait before turning off the display
power_level balanced There are 2 levels of power - balanced, and ultimate.
power_scheme_label A label name to prefix your power scheme with. The code duplicates the existing power scheme to keep it distinct
standby_timeout The amount of time in minutes to wait before putting the system into standby
Chef resources include common properties, notifications, and resource guards.
The following properties are common to every resource:
compile_timeRuby Type: true, false | Default Value: false
Control the phase during which the resource is run on the node. Set to true to run while the resource collection is being built (the compile phase). Set to false to run while Chef Infra Client is configuring the node (the converge phase).
ignore_failureRuby Type: true, false, :quiet | Default Value: false
Continue running a recipe if a resource fails for any reason. :quiet will not display the full stack trace and the recipe will continue to run if a resource fails.
retriesRuby Type: Integer | Default Value: 0
The number of attempts to catch exceptions and retry the resource.
retry_delayRuby Type: Integer | Default Value: 2
The delay in seconds between retry attempts.
sensitiveRuby Type: true, false | Default Value: false
Ensure that sensitive resource data is not logged by Chef Infra Client.
notifies Ruby Type: Symbol, 'Chef::Resource[String]'
A resource may notify another resource to take action when its state changes. Specify a 'resource[name]', the :action that resource should take, and then the :timer for that action. A resource may notify more than one resource; use a notifies statement for each resource to be notified.
If the referenced resource does not exist, an error is raised. In contrast, subscribes will not fail if the source resource is not found.
A timer specifies the point during a Chef Infra Client run at which a notification is run. The following timers are available:
:beforeSpecifies that the action on a notified resource should be run before processing the resource block in which the notification is located.
:delayedDefault. Specifies that a notification should be queued up, and then executed at the end of a Chef Infra Client run.
:immediate, :immediately
Specifies that a notification should be run immediately, per resource notified.
The syntax for notifies is:
notifies :action, 'resource[name]', :timer
subscribes Ruby Type: Symbol, 'Chef::Resource[String]'
A resource may listen to another resource, and then take action if the state of the resource being listened to changes. Specify a 'resource[name]', the :action to be taken, and then the :timer for that action.
Note that subscribes does not apply the specified action to the resource that it listens to - for example:
file '/etc/nginx/ssl/example.crt' do
mode '0600'
owner 'root'
end
service 'nginx' do
subscribes :reload, 'file[/etc/nginx/ssl/example.crt]', :immediately
end
In this case the subscribes property reloads the nginx service whenever its certificate file, located under /etc/nginx/ssl/example.crt, is updated. subscribes does not make any changes to the certificate file itself, it merely listens for a change to the file, and executes the :reload action for its resource (in this example nginx) when a change is detected.
If the other resource does not exist, the subscription will not raise an error. Contrast this with the stricter semantics of notifies, which will raise an error if the other resource does not exist.
A timer specifies the point during a Chef Infra Client run at which a notification is run. The following timers are available:
:beforeSpecifies that the action on a notified resource should be run before processing the resource block in which the notification is located.
:delayedDefault. Specifies that a notification should be queued up, and then executed at the end of a Chef Infra Client run.
:immediate, :immediately
Specifies that a notification should be run immediately, per resource notified.
The syntax for subscribes is:
subscribes :action, 'resource[name]', :timer
A guard property can be used to evaluate the state of a node during the execution phase of a Chef Infra Client run. Based on the results of this evaluation, a guard property is then used to tell Chef Infra Client if it should continue executing a resource. A guard property accepts either a string value or a Ruby block value:
0, the guard is applied. If the command returns any other value, then the guard property is not applied. String guards in a powershell_script run Windows PowerShell commands and may return true in addition to 0.true or false. If the block returns true, the guard property is applied. If the block returns false, the guard property is not applied.A guard property is useful for ensuring that a resource is idempotent by allowing that resource to test for the desired state as it is being executed, and then if the desired state is present, for Chef Infra Client to do nothing.
PropertiesThe following properties can be used to define a guard that is evaluated during the execution phase of a Chef Infra Client run:
not_ifPrevent a resource from executing when the condition returns true.
only_ifAllow a resource to execute only if the condition returns true.
The following examples demonstrate various approaches for using the windows_power_management resource in recipes:
Setup a Power Management Policy:
windows_power_management 'Set the Device to a defined power level' do
power_scheme_label 'Unrestricted'
power_level 'ultimate'
monitor_timeout 15
disk_timeout 0
standby_timeout 0
hibernate_timeout 0
action :set
end
Use the windows_update_settings resource to manage the various Windows Update patching options.
New in Chef Infra Client 1.0.
The full syntax for all of the properties that are available to the windows_update_settings resource is:
windows_update_settings 'name' do
add_to_target_wsus_group true, false # default value: false
automatic_update_option Integer # default value: 4
automatically_install_minor_updates true, false # default value: false
block_windows_update_website true, false # default value: false
custom_detection_frequency Integer # default value: 22
disable_automatic_updates true, false # default value: false
disable_os_upgrades true, false # default value: false
elevate_non_admins true, false # default value: true
enable_detection_frequency true, false # default value: false
no_reboot_with_users_logged_on true, false # default value: true
scheduled_install_day String # default value: "Everyday"
scheduled_install_hour Integer
target_wsus_group_name String
update_other_ms_products true, false # default value: true
use_custom_update_server true, false # default value: false
wsus_server_url String
wsus_status_server_url String
action Symbol # defaults to :enable if not specified
endwhere:
windows_update_settings is the resource.name is the name given to the resource block.action identifies which steps Chef Infra Client will take to bring the node into the desired state.add_to_target_wsus_group, automatic_update_option, automatically_install_minor_updates, block_windows_update_website, custom_detection_frequency, disable_automatic_updates, disable_os_upgrades, elevate_non_admins, enable_detection_frequency, no_reboot_with_users_logged_on, scheduled_install_day, scheduled_install_hour, target_wsus_group_name, update_other_ms_products, use_custom_update_server, wsus_server_url, and wsus_status_server_url are the properties available to this resource.The windows_update_settings resource has the following actions:
:enable:nothingThe windows_update_settings resource has the following properties:
add_to_target_wsus_group false If you have a WSUS Server and Target Groups, set this True
automatic_update_option 4 An Integer value to tell nodes when and how to download updates. Default is 4 - Auto-download and schedule updates to install
automatically_install_minor_updates false Automatically install minor updates. Default is False
block_windows_update_website false Denies access to Windows Update to get updates
custom_detection_frequency 22 If you decided to override the OS default detection frequency, specify your choice here. Valid choices are 0 - 22
disable_automatic_updates false Prevents automatic updates. Defaults to False to allow automatic updates
disable_os_upgrades false True/False to disable OS upgrades.
elevate_non_admins true This property allows normal user accounts to temporarily be elevated to install patches
enable_detection_frequency false Used to override the OS default of how often to check for updates
no_reboot_with_users_logged_on true Prevents the OS from rebooting while someone is on the console. Default is True
scheduled_install_day Everyday Allowed Values: "Everyday", "Friday", "Monday", "Saturday", "Sunday", "Thursday", "Tuesday", "Wednesday" A day of the week to tell Windows when to install updates. Defaults to Everyday
scheduled_install_hour If you chose a scheduled day to install, then choose an hour on that day for you installation
target_wsus_group_name This is the name of the WSUS Target Group you want the node to be in
update_other_ms_products true Allows for other Microsoft products to get updates too
use_custom_update_server false Used to tell nodes to use a WSUS server, Defaults to False - Use Microsoft for updates
wsus_server_url The URL of your WSUS server if you use one
wsus_status_server_url URL for the WSUS Status server. It can be the same as the URL for the WSUS server itself
Chef resources include common properties, notifications, and resource guards.
The following properties are common to every resource:
compile_timeRuby Type: true, false | Default Value: false
Control the phase during which the resource is run on the node. Set to true to run while the resource collection is being built (the compile phase). Set to false to run while Chef Infra Client is configuring the node (the converge phase).
ignore_failureRuby Type: true, false, :quiet | Default Value: false
Continue running a recipe if a resource fails for any reason. :quiet will not display the full stack trace and the recipe will continue to run if a resource fails.
retriesRuby Type: Integer | Default Value: 0
The number of attempts to catch exceptions and retry the resource.
retry_delayRuby Type: Integer | Default Value: 2
The delay in seconds between retry attempts.
sensitiveRuby Type: true, false | Default Value: false
Ensure that sensitive resource data is not logged by Chef Infra Client.
notifies Ruby Type: Symbol, 'Chef::Resource[String]'
A resource may notify another resource to take action when its state changes. Specify a 'resource[name]', the :action that resource should take, and then the :timer for that action. A resource may notify more than one resource; use a notifies statement for each resource to be notified.
If the referenced resource does not exist, an error is raised. In contrast, subscribes will not fail if the source resource is not found.
A timer specifies the point during a Chef Infra Client run at which a notification is run. The following timers are available:
:beforeSpecifies that the action on a notified resource should be run before processing the resource block in which the notification is located.
:delayedDefault. Specifies that a notification should be queued up, and then executed at the end of a Chef Infra Client run.
:immediate, :immediately
Specifies that a notification should be run immediately, per resource notified.
The syntax for notifies is:
notifies :action, 'resource[name]', :timer
subscribes Ruby Type: Symbol, 'Chef::Resource[String]'
A resource may listen to another resource, and then take action if the state of the resource being listened to changes. Specify a 'resource[name]', the :action to be taken, and then the :timer for that action.
Note that subscribes does not apply the specified action to the resource that it listens to - for example:
file '/etc/nginx/ssl/example.crt' do
mode '0600'
owner 'root'
end
service 'nginx' do
subscribes :reload, 'file[/etc/nginx/ssl/example.crt]', :immediately
end
In this case the subscribes property reloads the nginx service whenever its certificate file, located under /etc/nginx/ssl/example.crt, is updated. subscribes does not make any changes to the certificate file itself, it merely listens for a change to the file, and executes the :reload action for its resource (in this example nginx) when a change is detected.
If the other resource does not exist, the subscription will not raise an error. Contrast this with the stricter semantics of notifies, which will raise an error if the other resource does not exist.
A timer specifies the point during a Chef Infra Client run at which a notification is run. The following timers are available:
:beforeSpecifies that the action on a notified resource should be run before processing the resource block in which the notification is located.
:delayedDefault. Specifies that a notification should be queued up, and then executed at the end of a Chef Infra Client run.
:immediate, :immediately
Specifies that a notification should be run immediately, per resource notified.
The syntax for subscribes is:
subscribes :action, 'resource[name]', :timer
A guard property can be used to evaluate the state of a node during the execution phase of a Chef Infra Client run. Based on the results of this evaluation, a guard property is then used to tell Chef Infra Client if it should continue executing a resource. A guard property accepts either a string value or a Ruby block value:
0, the guard is applied. If the command returns any other value, then the guard property is not applied. String guards in a powershell_script run Windows PowerShell commands and may return true in addition to 0.true or false. If the block returns true, the guard property is applied. If the block returns false, the guard property is not applied.A guard property is useful for ensuring that a resource is idempotent by allowing that resource to test for the desired state as it is being executed, and then if the desired state is present, for Chef Infra Client to do nothing.
PropertiesThe following properties can be used to define a guard that is evaluated during the execution phase of a Chef Infra Client run:
not_ifPrevent a resource from executing when the condition returns true.
only_ifAllow a resource to execute only if the condition returns true.
The following examples demonstrate various approaches for using the windows_update_settings resource in recipes:
Set Windows Update settings:
windows_update_settings 'Settings to Configure Windows Nodes to automatically receive updates' do
disable_os_upgrades false
elevate_non_admins true
add_to_target_wsus_group false
block_windows_update_website false
automatic_update_option 4
automatically_install_minor_updates false
enable_detection_frequency false
custom_detection_frequency 22
no_reboot_with_users_logged_on true
disable_automatic_updates false
scheduled_install_day 'Monday'
scheduled_install_hour 20
update_other_ms_products false
use_custom_update_server false
action :enable
end
© Chef Software, Inc.
Licensed under the Creative Commons Attribution 3.0 Unported License.
The Chef™ Mark and Chef Logo are either registered trademarks/service marks or trademarks/servicemarks of Chef, in the United States and other countries and are used with Chef Inc's permission.
We are not affiliated with, endorsed or sponsored by Chef Inc.
https://docs.chef.io/desktop/resources/