Any examples of fetching policy and group (like chef show-policy
) but using some api call?
I don’t have examples but the api is pretty well documented https://docs.chef.io/server/api_chef_server/#get-39
Sorry should have been clearer…am looking for output of policy’s lock file for a given group…would like to compare it between 2 infras (migrating to a2)
Unless i am reading it wrong, that page only shows an endpoint to get list of policy revisions and/or group
Policy lock file is going to be associated with a specific policyfile revision in a policy_group. I don’t think there is anyway to get the specific policy_lock_file. The revision ID is dependent on the content so if you have the policyfile with exact same content then creating a new lockfile with chef install should give you a lockfile with same revision ID as that found in the policy_group.
I did something similar by doing this
rest.get("organizations/#{org}/policies/#{policy_name}/revisions/#{revision_id}")
that’s how to get it directly from the chef server. i wrote a knife plugin that uses that and parses it into a bit more of a legible output, but if you just want to compare the raw locks, you should be able to print the json from that
Guys another ? - anyway to delete poilcy_group associated with a specific policy…afaict only option seems to be delete the group fully (undesirable as it will delete wanted group association with other policies … making it up but something like chef unpush $group $policy
Policy_group is an arbitrary container that organizes nodes and policies liken to an environment. So it sounds like you actually want to delete a specific policy within a policy_group. I am not finding that in the chef docs, but if no nodes are assigned to a policy it won’t be used then anyway.
With that said it would make sense to be able to remove a specific revision or entire policy within a group with a simple knife command. I’ll try to look into that some more.
Yeah this mainly for esthetics
Would that be over and above what is already provided by chef delete-policy
and chef delete-policy-group
?
You can also use chef clean-policy-revisions
and chef clean-policy-cookbooks
if you’re just looking to keep things neat and tidy. we run both of those prior to our nightly backups
Do note, however, that those commands need to be run for each organization
So group in question is in use for other policies but accidentally pushed to this one policy
Understood. digging.
So it appears that you can do
rest.delete("policies/#{policy_name}/revisions/#{revision_id}")
but do note that this bypasses the undelete
process that’s built in to chef delete-policy
But you could also piece that together on your own if you wanted from within chef-cli/lib/chef-cli/policyfile_services/rm_policy.rb
I’d have to check later but I’m wondering if there is a way to do it via automate infra-view for chef-server. That’d also be interacting with chef-server api.
This would definitely be a good one to add to aha ideaz for knife command to do this.
Yeah it’s kind of surprising that your only options from the cli right now are “delete every revision of a policy” and “delete an entire policy group”