A Chef cookbook that applies validation rules to the node attributes during a chef run. The cookbook itself is rather small; most of the guts are in a gem named 'chef-attribute-validator'.

Attribute merging is hard. It's very easy to accidentally override something (in a role, node, environment, third-order-dependent cookbook....), or fat-finger a attribute name, or have a change in another cookbook stomp on your attributes. I wanted something industrial-strength that would provide early warning when an attribute was missing, spurious, or had an incoherent value.

I also wanted the cookbook that cares about the validation to be able to define the rules in a simple way, and make it easy to have as much or as little validation as you want to implement.

Requires the chef-attribute-validator gem installed to the Chef client's gem store. This cookbook will install it automatically if it is not present.

Basically, you define rules in node attributes. A typical use case comes up when you're creating a new cookbook. Naturally, you expose certain "knobs" as node attributes, which the user of your cookbook can set in any number of ways - application or wrapper cookbooks attribute files, roles, even environments. You'd like to catch missing or invalid attribute values before you try to converge using them, and throw a meaningful error (something better than "No such method [] for nil:NilClass", for example).

So, to define rules, add a series of hashes in your cookbook attributes. Each rule has a path, which optionally includes wildcards; the path is then used to select which attributes to apply the rule's checks. Checks include things like type, presence, regex, and so one; the list is growing, see https://github.com/clintoncwolfe/chef-attribute-validator for the latest.

Here is how to make sure that your feature flags really are booleans, and not 0, 1, "true", etc.

 default['attribute-validator']['rules']['some-rule'] = {
    'path' => '/my-cookbook/feature_*/enabled',
    'type' => 'boolean',
 }

To enforce the rules, include one of the two recipes in your runlist, or directly in your runlist.

Most people will want this one, which will check for invalid attributes and abort the run before any* resources are actually converged:

include_recipe "attribute-validator::compile-time-check"

• It is possible to converge a resource at compile-time; this is common for setting up package repos, installing gems, etc. Those resources may still fire, depending on where the compile-time-check recipe is in the runlist.

Alternatively, if you want the run to converge up until reaching your cookbook, and then abort if anything is invalid, you can use:

include_recipe "attribute-validator::converge-time-check"

This tends to be messier, but that may be OK.

If you'd like to have more control over how violations are handled, you can call the gem directly.

# In a recipe or LWRP
include_recipe "attribute-validator::install"
violations = Chef::Attribute::Validator.new(node).validate_all

For details on the contents of violations, as well as other method calls allowing you to validate rules one at a time, see https://github.com/clintoncwolfe/chef-attribute-validator .

Rule definitions occur under default['attribute-validator']['rules'][...] like this:

 default['attribute-validator']['rules'][some-rule] = {
    'path' => '/my-cookbook/feature_*/enabled',
    # Checks like type, regex, looks_like, min_children, present, etc 
    ...
 }

 default['attribute-validator']['rules'][another-rule] = { ... }

The cookbook also exposes a few settings of its own:

  default['attribute-validator']['fail-action'] = 'error'

The default is 'error', which will raise an exception if any violations are found, halting the chef run. You may also provide 'warn', which will issue a warning to the chef log for each violation found, but allow the run t continue.

This cookbook has no default recipe.

Calls the install recipe, then calls validate_all at compile time; if nonzero violations are found, throws an exception, which halts the run.

Calls the install recipe, then calls validate_all at convergence time (inside a ruby block); if nonzero violations are found, throws an exception, which halts the run.

Utility recipe; installs and loads the chef-attribute-validator gem at compile-time.

Please report issues by opening a github issue at https://github.com/clintoncwolfe/attribute-validator . You're a thorough person who knows how important it is to give back to the community, so of course you'll be sending along a pull requst with a failing test, and another pull request with a fix. That's just who you are, you're not bragging.

None known.

Because nothing enforces that now.

Add support for sending violations via a handler, to ... somewhere?

Clinton Wolfe

1. Fork it (https://github.com/clintoncwolfe/attribute-validator)
2. Create your feature branch (git checkout -b my-new-feature)
3. Commit your changes (git commit -am 'Add some feature')
4. Push to the branch (git push origin my-new-feature)
5. Create new Pull Request at (https://github.com/clintoncwolfe/attribute-validator)