Chef - fetching policy and group via API

Any examples of fetching policy and group (like chef show-policy) but using some api call?

I don’t have examples, but the API is pretty well documented: https://docs.chef.io/server/api_chef_server/#get-39

Sorry, should have been clearer… I am looking for the output of a policy’s lock file for a given group… would like to compare it between 2 infras (migrating to a2).

Unless I am reading it wrong, that page only shows an endpoint to get a list of policy revisions and/or groups.

The policy lock file is going to be associated with a specific policyfile revision in a policy_group. I don’t think there is any way to get the specific policy_lock_file. The revision ID is dependent on the content, so if you have the policyfile with the exact same content, then creating a new lockfile with chef install should give you a lockfile with the same revision ID as that found in the policy_group.

I did something similar by doing this:
rest.get("organizations/#{org}/policies/#{policy_name}/revisions/#{revision_id}")
That’s how to get it directly from the Chef server. I wrote a knife plugin that uses that and parses it into a bit more of a legible output, but if you just want to compare the raw locks, you should be able to print the JSON from that.

Guys, another ? - any way to delete a policy_group associated with a specific policy… afaict the only option seems to be to delete the group fully (undesirable as it will delete wanted group association with other policies)… making it up, but something like chef unpush $group $policy

Policy_group is an arbitrary container that organizes nodes and policies, akin to an environment. So it sounds like you actually want to delete a specific policy within a policy_group. I am not finding that in the Chef docs, but if no nodes are assigned to a policy, it won’t be used then anyway.

With that said, it would make sense to be able to remove a specific revision or an entire policy within a group with a simple knife command. I’ll try to look into that some more.

Yeah, this is mainly for esthetics.

Would that be over and above what is already provided by chef delete-policy and chef delete-policy-group?

You can also use chef clean-policy-revisions and chef clean-policy-cookbooks if you’re just looking to keep things neat and tidy. We run both of those prior to our nightly backups.

Do note, however, that those commands need to be run for each organization.

So the group in question is in use for other policies but was accidentally pushed to this one policy.

Understood. Digging.

So it appears that you can do
rest.delete("policies/#{policy_name}/revisions/#{revision_id}")
but do note that this bypasses the undelete process that’s built into chef delete-policy.

But you could also piece that together on your own if you wanted, from within chef-cli/lib/chef-cli/policyfile_services/rm_policy.rb

I’d have to check later, but I’m wondering if there is a way to do it via Automate infra-view for chef-server. That’d also be interacting with the chef-server API.

This would definitely be a good one to add to aha ideaz for a knife command to do this.

Yeah, it’s kind of surprising that your only options from the CLI right now are “delete every revision of a policy” and “delete an entire policy group”.