• Overview
    • Enforce Policy as Code
    • Infrastructure as Code
    • Inject Secrets into Terraform
    • Integrate with Existing Workflows
    • Manage Kubernetes
    • Manage Virtual Machine Images
    • Multi-Cloud Deployment
    • Network Infrastructure Automation
    • Terraform CLI
    • Terraform Cloud
    • Terraform Enterprise
  • Registry
  • Tutorials
    • About the Docs
    • Intro to Terraform
    • Configuration Language
    • Terraform CLI
    • Terraform Cloud
    • Terraform Enterprise
    • Provider Use
    • Plugin Development
    • Registry Publishing
    • Integration Program
    • Terraform Tools
    • CDK for Terraform
    • Glossary
  • Community
GitHubTerraform Cloud
Download

    Terraform Language

  • Overview
  • Attributes as Blocks - Configuration Language
  • Terraform v1.0 Compatibility Promises
    • Overview
    • Override Files
    • Dependency Lock File
    • Overview
    • Configuration Syntax
    • JSON Configuration Syntax
    • Style Conventions
    • Overview
    • Resource Blocks
    • Resource Behavior
      • depends_on
      • count
      • for_each
      • provider
      • lifecycle
      • Declaring Provisioners
      • Provisioner Connections
      • Provisioners Without a Resource
      • file
      • local-exec
      • remote-exec

      • chef
      • habitat
      • puppet
      • salt-masterless
  • Data Sources
    • count
    • depends_on
    • for_each
    • lifecycle
    • providers
    • provider
    • Overview
    • Provider Configuration
    • Provider Requirements
    • Dependency Lock File
    • Overview
    • Input Variables
    • Output Values
    • Local Values
    • Overview
    • Module Blocks
    • Module Sources
      • providers
      • depends_on
      • count
      • for_each
      • Overview
      • Standard Module Structure
      • Providers Within Modules
      • Best Practices: Module Composition
      • Publishing Modules
      • Refactoring Modules
    • Module Testing Experiment
    • Overview
    • Types and Values
    • Strings and Templates
    • References to Values
    • Operators
    • Function Calls
    • Conditional Expressions
    • For Expressions
    • Splat Expressions
    • Dynamic Blocks
    • Custom Condition Checks
    • Type Constraints
    • Version Constraints
    • Overview
      • abs
      • ceil
      • floor
      • log
      • max
      • min
      • parseint
      • pow
      • signum
      • chomp
      • format
      • formatlist
      • indent
      • join
      • lower
      • regex
      • regexall
      • replace
      • split
      • strrev
      • substr
      • title
      • trim
      • trimprefix
      • trimsuffix
      • trimspace
      • upper
      • alltrue
      • anytrue
      • chunklist
      • coalesce
      • coalescelist
      • compact
      • concat
      • contains
      • distinct
      • element
      • flatten
      • index
      • keys
      • length
      • list
      • lookup
      • map
      • matchkeys
      • merge
      • one
      • range
      • reverse
      • setintersection
      • setproduct
      • setsubtract
      • setunion
      • slice
      • sort
      • sum
      • transpose
      • values
      • zipmap
      • base64decode
      • base64encode
      • base64gzip
      • csvdecode
      • jsondecode
      • jsonencode
      • textdecodebase64
      • textencodebase64
      • urlencode
      • yamldecode
      • yamlencode
      • abspath
      • dirname
      • pathexpand
      • basename
      • file
      • fileexists
      • fileset
      • filebase64
      • templatefile
      • formatdate
      • timeadd
      • timestamp
      • base64sha256
      • base64sha512
      • bcrypt
      • filebase64sha256
      • filebase64sha512
      • filemd5
      • filesha1
      • filesha256
      • filesha512
      • md5
      • rsadecrypt
      • sha1
      • sha256
      • sha512
      • uuid
      • uuidv5
      • cidrhost
      • cidrnetmask
      • cidrsubnet
      • cidrsubnets
      • can
      • defaults
      • nonsensitive
      • sensitive
      • tobool
      • tolist
      • tomap
      • tonumber
      • toset
      • tostring
      • try
      • type
    • abs
    • abspath
    • alltrue
    • anytrue
    • base64decode
    • base64encode
    • base64gzip
    • base64sha256
    • base64sha512
    • basename
    • bcrypt
    • can
    • ceil
    • chomp
    • chunklist
    • cidrhost
    • cidrnetmask
    • cidrsubnet
    • cidrsubnets
    • coalesce
    • coalescelist
    • compact
    • concat
    • contains
    • csvdecode
    • defaults
    • dirname
    • distinct
    • element
    • file
    • filebase64
    • filebase64sha256
    • filebase64sha512
    • fileexists
    • filemd5
    • fileset
    • filesha1
    • filesha256
    • filesha512
    • flatten
    • floor
    • format
    • formatdate
    • formatlist
    • indent
    • index
    • join
    • jsondecode
    • jsonencode
    • keys
    • length
    • list
    • log
    • lookup
    • lower
    • map
    • matchkeys
    • max
    • md5
    • merge
    • min
    • nonsensitive
    • one
    • parseint
    • pathexpand
    • pow
    • range
    • regex
    • regexall
    • replace
    • reverse
    • rsadecrypt
    • sensitive
    • setintersection
    • setproduct
    • setsubtract
    • setunion
    • sha1
    • sha256
    • sha512
    • signum
    • slice
    • sort
    • split
    • strrev
    • substr
    • sum
    • templatefile
    • textdecodebase64
    • textencodebase64
    • timeadd
    • timestamp
    • title
    • tobool
    • tolist
    • tomap
    • tonumber
    • toset
    • tostring
    • transpose
    • trim
    • trimprefix
    • trimspace
    • trimsuffix
    • try
    • type
    • upper
    • urlencode
    • uuid
    • uuidv5
    • values
    • yamldecode
    • yamlencode
    • zipmap
    • Overview
    • Terraform Cloud
      • Backend Configuration
        • local
        • remote
        • artifactory
        • azurerm
        • consul
        • cos
        • etcd
        • etcdv3
        • gcs
        • http
        • Kubernetes
        • manta
        • oss
        • pg
        • s3
        • swift
      • local
      • remote
      • artifactory
      • azurerm
      • consul
      • cos
      • etcd
      • etcdv3
      • gcs
      • http
      • Kubernetes
      • manta
      • oss
      • pg
      • s3
      • swift
    • Overview
    • Purpose
    • The terraform_remote_state Data Source
    • Backends: State Storage and Locking
    • Import Existing Resources
    • Locking
    • Workspaces
    • Remote State
    • Sensitive Data
    • Overview
    • Upgrading to Terraform v1.2
    • Upgrading to Terraform v1.1
    • Upgrading to Terraform v1.0
    • v1.0 Compatibility Promises
    • Upgrading to Terraform v0.15
    • Upgrading to Terraform v0.14
    • Upgrading to Terraform v0.13
    • Upgrading to Terraform v0.12
    • Upgrading to Terraform v0.11
    • Upgrading to Terraform v0.10
    • Upgrading to Terraform v0.9
    • Upgrading to Terraform v0.8
    • Upgrading to Terraform v0.7
    • Overview
    • Load Order and Semantics
    • Configuration Syntax
    • Interpolation Syntax
    • Overrides
    • Resources
    • Data Sources
    • Providers
    • Variables
    • Outputs
    • Local Values
    • Modules
    • Terraform
    • Provisioners
    • Providers
    • Terraform Push (deprecated)
    • Environment Variables

  • Terraform Internals

  • Other Docs

  • Intro to Terraform
  • Configuration Language
  • Terraform CLI
  • Terraform Cloud
  • Terraform Enterprise
  • Provider Use
  • Plugin Development
  • Registry Publishing
  • Integration Program
  • Terraform Tools
  • CDK for Terraform
  • Glossary
Type '/' to Search

»Chef Provisioner

The chef provisioner installs, configures and runs the Chef Client on a remote resource. The chef provisioner supports both ssh and winrm type connections.

Warning: This provisioner was removed in the 0.15.0 version of Terraform after being deprecated as of Terraform 0.13.4. Provisioners should also be a last resort. There are better alternatives for most situations. Refer to Declaring Provisioners for more details.

»Requirements

The chef provisioner has some prerequisites for specific connection types:

  • For ssh type connections, cURL must be available on the remote host.
  • For winrm connections, PowerShell 2.0 must be available on the remote host.

Chef end user license agreement must be accepted by setting chef_license to accept in client_options argument unless you are installing an old version of Chef client.

Without these prerequisites, your provisioning execution will fail.

»Example usage

resource "aws_instance" "web" {
  # ...

  provisioner "chef" {
    attributes_json = <<EOF
      {
        "key": "value",
        "app": {
          "cluster1": {
            "nodes": [
              "webserver1",
              "webserver2"
            ]
          }
        }
      }
    EOF

    environment     = "_default"
    client_options  = ["chef_license 'accept'"]
    run_list        = ["cookbook::recipe"]
    node_name       = "webserver1"
    secret_key      = "${file("../encrypted_data_bag_secret")}"
    server_url      = "https://chef.company.com/organizations/org1"
    recreate_client = true
    user_name       = "bork"
    user_key        = "${file("../bork.pem")}"
    version         = "15.10.13"
    # If you have a self signed cert on your chef server change this to :verify_none
    ssl_verify_mode = ":verify_peer"
  }
}
resource "aws_instance" "web" {
  # ...

  provisioner "chef" {
    attributes_json = <<EOF
      {
        "key": "value",
        "app": {
          "cluster1": {
            "nodes": [
              "webserver1",
              "webserver2"
            ]
          }
        }
      }
    EOF

    environment     = "_default"
    client_options  = ["chef_license 'accept'"]
    run_list        = ["cookbook::recipe"]
    node_name       = "webserver1"
    secret_key      = "${file("../encrypted_data_bag_secret")}"
    server_url      = "https://chef.company.com/organizations/org1"
    recreate_client = true
    user_name       = "bork"
    user_key        = "${file("../bork.pem")}"
    version         = "15.10.13"
    # If you have a self signed cert on your chef server change this to :verify_none
    ssl_verify_mode = ":verify_peer"
  }
}

»Argument Reference

The following arguments are supported:

  • attributes_json (string) - (Optional) A raw JSON string with initial node attributes for the new node. These can also be loaded from a file on disk using the file function.

  • channel (string) - (Optional) The Chef Client release channel to install from. If not set, the stable channel will be used.

  • client_options (array) - (Optional) A list of optional Chef Client configuration options. See the Chef Client documentation for all available options.

  • disable_reporting (boolean) - (Optional) If true the Chef Client will not try to send reporting data (used by Chef Reporting) to the Chef Server (defaults to false).

  • environment (string) - (Optional) The Chef environment the new node will be joining (defaults to _default).

  • fetch_chef_certificates (boolean) (Optional) If true the SSL certificates configured on your Chef Server will be fetched and trusted. See the knife ssl_fetch documentation for more details.

  • log_to_file (boolean) - (Optional) If true, the output of the initial Chef Client run will be logged to a local file instead of the console. The file will be created in a subdirectory called logfiles created in your current directory. The filename will be the node_name of the new node.

  • use_policyfile (boolean) - (Optional) If true, use the policy files to bootstrap the node. Setting policy_group and policy_name are required if this is true. (defaults to false).

  • policy_group (string) - (Optional) The name of a policy group that exists on the Chef server. Required if use_policyfile is set; policy_name must also be specified.

  • policy_name (string) - (Optional) The name of a policy, as identified by the name setting in a Policyfile.rb file. Required if use_policyfile is set; policy_group must also be specified.

  • http_proxy (string) - (Optional) The proxy server for Chef Client HTTP connections.

  • https_proxy (string) - (Optional) The proxy server for Chef Client HTTPS connections.

  • max_retries (integer) - (Optional) The number of times to retry the provisioning process after receiving an exit code in the retry_on_error list. Defaults to 0

  • named_run_list (string) - (Optional) The name of an alternate run-list to invoke during the initial Chef Client run. The run-list must already exist in the Policyfile that defines policy_name. Only applies when use_policyfile is true.

  • no_proxy (array) - (Optional) A list of URLs that should bypass the proxy.

  • node_name (string) - (Required) The name of the node to register with the Chef Server.

  • ohai_hints (array) - (Optional) A list with Ohai hints to upload to the node.

  • os_type (string) - (Optional) The OS type of the node. Valid options are: linux and windows. If not supplied, the connection type will be used to determine the OS type (ssh will assume linux and winrm will assume windows).

  • prevent_sudo (boolean) - (Optional) Prevent the use of the sudo command while installing, configuring and running the initial Chef Client run. This option is only used with ssh type connections.

  • recreate_client (boolean) - (Optional) If true, first delete any existing Chef Node and Client before registering the new Chef Client.

  • retry_on_error (array) - (Optional) The error codes upon which Terraform should gracefully retry the provisioning process. Intended for use with Chef RFC062 codes. (Defaults to [35, 37, 213])

  • run_list (array) - (Optional) A list with recipes that will be invoked during the initial Chef Client run. The run-list will also be saved to the Chef Server after a successful initial run. Required if use_policyfile is false; ignored when use_policyfile is true (see named_run_list to specify a run-list defined in a Policyfile).

  • secret_key (string) - (Optional) The contents of the secret key that is used by the Chef Client to decrypt data bags on the Chef Server. The key will be uploaded to the remote machine. This can also be loaded from a file on disk using the file function.

  • server_url (string) - (Required) The URL to the Chef server. This includes the path to the organization. See the example.

  • skip_install (boolean) - (Optional) Skip the installation of Chef Client on the remote machine. This assumes Chef Client is already installed when you run the chef provisioner.

  • skip_register (boolean) - (Optional) Skip the registration of Chef Client on the remote machine. This assumes Chef Client is already registered and the private key (client.pem) is available in the default Chef configuration directory when you run the chef provisioner.

  • ssl_verify_mode (string) - (Optional) Used to set the verify mode for Chef Client HTTPS requests. The options are :verify_none, or :verify_peer which is default.

  • user_name (string) - (Required) The name of an existing Chef user to register the new Chef Client and optionally configure Chef Vaults.

  • user_key (string) - (Required) The contents of the user key that will be used to authenticate with the Chef Server. This can also be loaded from a file on disk using the file function.

  • vault_json (string) - (Optional) A raw JSON string with Chef Vaults and Items to which the new node should have access. These can also be loaded from a file on disk using the file function.

  • version (string) - (Optional) The Chef Client version to install on the remote machine. If not set, the latest available version will be installed.

  • wait_for_retry (integer) - (Optional) - Amount of time in seconds to wait before retrying the provisionining process after receiving an exit code in the retry_on_error list. Defaults to 30.

github logoEdit this page
  • Overview
  • Docs
  • Extend
  • Privacy
  • Security
  • Press Kit
  • Consent Manager