I intend to encrypt the "users" data bag with chef-vault and use it with the Chef-provided "users" cookbook. The "users_manage" resource provided by the "users" cookbook accepts a "databag" attribute (with username, group_id and search_group properties). To my knowledge chef-vault only allows you to decrypt one item at a time:
    vault = chef_vault_item(:mydatabag, 'item1')
Ideally I would expect chef-vault to provide a similar function to decrypt an entire vault (encrypted data bag), which I could then pass to the "users_manage" resource:
    decrypted_data_bag = chef_vault(:mydatabag) # something similar (does not exist)
    users_manage search_group do
      group_id search_group
      action [:remove, :create]
      data_bag decrypted_data_bag
    end
Since chef-vault does not provide a way to decrypt the entire data bag, is my only option to call "users_manage" in a loop and pass each item (as a hash)?
    # data_bag(...) returns the item ids in the bag; chef-vault stores each
    # item's wrapped keys in a sibling "<id>_keys" item, which must be skipped
    data_bag('mydatabag').reject { |id| id.end_with?('_keys') }.each do |myuser|
      decrypted_user = chef_vault_item(:mydatabag, myuser)
      users_manage search_group do
        group_id search_group
        action [:remove, :create]
        data_bag decrypted_user
      end
    end
Is there a better solution?
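The helper the question wishes chef-vault had can be written in a few lines of recipe code. Below is an added example (not code from the question, the chef-vault gem or the users cookbook) that collects every decryptable item of a vault data bag into one Hash keyed by item id. The Chef DSL calls are injected rather than called directly so the file runs offline: in a real recipe the id list comes from `data_bag(bag_name)` and the per-item decryption block is `chef_vault_item(bag_name, id)`; the bag contents here are constructed sample data. The point that bites people is the `<id>_keys` sibling items chef-vault stores next to each encrypted item: they are not secrets and cannot be decrypted as items, so a naive loop over all ids fails on them.

```ruby
# Added example, not part of the original question: decrypt every item of a
# chef-vault data bag into a single Hash. Assumed (labelled) collaborators:
#   - all_ids: the item ids of the bag, i.e. what `data_bag(bag_name)` returns
#     in a Chef recipe
#   - the block: decrypts one item, i.e. `chef_vault_item(bag_name, id)`
# Both are passed in so this runs without a Chef server.

KEYS_SUFFIX = '_keys'.freeze

# chef-vault keeps the wrapped data keys for item "foo" in a sibling item
# "foo_keys" in the same bag. Return only the real items: an id ending in
# "_keys" is dropped only when its base item exists, so an item that merely
# happens to be called "deploy_keys" (no "deploy" item) is kept.
def vault_item_ids(all_ids)
  ids = all_ids.map(&:to_s)
  ids.reject do |id|
    id.end_with?(KEYS_SUFFIX) && ids.include?(id.delete_suffix(KEYS_SUFFIX))
  end
end

# Decrypt each real item with the supplied block and return { id => item }.
# The result holds plaintext secrets: never log it (Chef::Log.debug on the
# whole hash would write every password into the client log).
def decrypt_vault(all_ids)
  vault_item_ids(all_ids).each_with_object({}) do |id, acc|
    acc[id] = yield(id)
  end
end

# Constructed stand-in for a bag on the server: two vault items plus their
# "_keys" siblings, and one plain item whose name only looks like a keys item.
CONSTRUCTED_BAG = {
  'alice'       => { 'id' => 'alice', 'groups' => ['sysadmin'], 'password' => '<redacted-hash>' },
  'alice_keys'  => { 'id' => 'alice_keys', 'admins' => ['admin'] },
  'bob'         => { 'id' => 'bob', 'groups' => ['sysadmin'], 'password' => '<redacted-hash>' },
  'bob_keys'    => { 'id' => 'bob_keys', 'admins' => ['admin'] },
  'deploy_keys' => { 'id' => 'deploy_keys', 'groups' => ['deploy'] }
}.freeze

# Offline demonstration: the block stands in for chef_vault_item, which in a
# recipe would decrypt the item with the node's client key.
def demo
  decrypt_vault(CONSTRUCTED_BAG.keys) { |id| CONSTRUCTED_BAG.fetch(id) }
end

if __FILE__ == $PROGRAM_NAME
  # Print only ids and groups, never the password fields.
  demo.each { |id, item| puts "#{id}: groups=#{item['groups'].inspect}" }
end
```

In a recipe the call becomes `decrypt_vault(data_bag('users')) { |id| chef_vault_item('users', id) }`. One caveat before wiring the result into the cookbook: the `data_bag` property of `users_manage` is the name of a data bag that the resource searches itself, so a hash of decrypted items is not something it accepts; the aggregated hash is useful for driving the core `user` resource directly, or for any resource you write that takes item data as an attribute.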