Getting Started with Policyfiles

Policyfiles are a way to manage the cookbooks and run list a node receives as a single, versioned artifact. Rather than spreading node-level cookbook data across roles, environments, and individually uploaded community cookbooks, a Policyfile pins every cookbook to a specific version and content identifier, so the run list a node executes is exactly the one that was tested. This removes the workflow problems that come from mutable roles and cookbook versions on the server: a role edit or a re-uploaded cookbook can no longer silently change what converges on production nodes. Teams get clearer visibility into which code is live, and a tighter, less costly promotion workflow.

Getting Your Environment Set Up

Chef Workstation, the toolkit for creating, testing, and running Chef code, is available for Windows, Linux, and macOS and includes everything needed to work with Policyfiles.

The conventional way to publish cookbooks is to upload each one to the Chef Infra Server with $ knife cookbook upload <cookbook-name>. Policyfiles take a different approach: the cookbooks a policy needs are resolved and bundled into an immutable artifact, the artifact is pushed to the server under a policy name and policy group, and nodes assigned to that policy name and group download exactly that bundle at run time.

If you are already familiar with roles, run lists, and environments in Chef Infra Server, Policyfiles are not a large conceptual jump: a role together with its run list corresponds to a policy name (policy_name in client.rb), and an environment corresponds to a policy group (policy_group).

We'll start by creating a new cookbook with $ chef generate cookbook <my_cookbook_name> -k dokken (the -k flag selects the Test Kitchen driver). A cookbook created this way gets a Policyfile.rb in the cookbook folder automatically.

Closer Look at Policyfile.rb

name '<my_cookbook_name>'
run_list '<my_cookbook_name>::default'
default_source :chef_repo, '~/chef-repo/cookbooks' do |s|
  s.preferred_for '<my_cookbook_name>'
end
default_source :supermarket
default_source :chef_server, '<chef-server-url>'

This Policyfile names three sources for cookbook content: chef_repo (a path on your local machine, here marked with preferred_for as the source that wins for the cookbook under development), supermarket (the public Chef Supermarket), and chef_server (your own Chef Infra Server). preferred_for matters whenever the same cookbook name exists in more than one source; without it, the resolver cannot tell which copy you meant.

run_list entries name the recipes a node converges, in order. In this example, <my_cookbook_name>::default resolves through the chef_repo source to ~/chef-repo/cookbooks/<my_cookbook_name>/recipes/default.rb. Add multiple run_list items to combine recipes from several cookbooks into one policy; every cookbook they pull in is pinned in the same immutable lockfile.

When you're done editing your Policyfile, run $ cookstyle -a in the cookbook directory; it lints the Ruby and auto-corrects the style issues it can fix safely.

$ cd ~/chef-repo/cookbooks/<my_cookbook_name>/
$ cookstyle -a

Policyfiles let you bundle your cookbooks and compliance profiles and upload them to Chef Infra Server. Running chef install against Policyfile.rb resolves the run list against the configured sources, fetches every cookbook it depends on, and writes Policyfile.lock.json, which pins each cookbook to a version and a content identifier. In this example the only cookbook is the local one, so the lockfile is written straight away:

$ chef install Policyfile.rb 

The lockfile carries a revision_id, a hash derived from the lockfile contents, so any change to the pinned cookbooks, run list, or attributes yields a new revision. The revision_id is how you track which version of a policy is applied to which set of servers, and it is the identifier the server uses for each revision you push.
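Because the lockfile is the artifact that actually reaches nodes, it is worth inspecting it before a push rather than trusting the Policyfile.rb that produced it. The following Ruby script is an added example (not code from this post or from Chef itself) that reads a Policyfile.lock.json, lists what each cookbook is pinned to, applies a per-group gate (for a prod group, every cookbook must carry a content identifier and come from an allowed source kind), and diffs two lock revisions by identifier to show what really changed. The two lockfiles are constructed samples with made-up revision ids, identifiers, and URL; the source_options key names used to classify sources (path, artifactserver, git, chef_server_artifact) are assumptions based on lockfiles seen in practice, so adjust them to match yours.

```ruby
# Added example, not code from the Chef blog post or from Chef itself: a
# preflight check over Policyfile.lock.json before `chef push`.
require 'json'

# Constructed sample lockfile in the shape `chef install` writes. The
# revision_id, identifiers and URL are made-up values for illustration.
LOCK_V1 = <<~'JSON'
  {
    "revision_id": "7874a723a9c3b7d1ca5f6a2e0f3b9d4c1e2f3a4b5c6d7e8f9a0b1c2d3e4f5a6b",
    "name": "my_cookbook_name",
    "run_list": ["recipe[my_cookbook_name::default]"],
    "cookbook_locks": {
      "my_cookbook_name": {
        "version": "0.1.0",
        "identifier": "5f3b1c2d4e6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c",
        "source_options": { "path": "." }
      },
      "openssl": {
        "version": "8.8.3",
        "identifier": "1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b",
        "source_options": { "artifactserver": "https://supermarket.example/api/v1/cookbooks/openssl/versions/8.8.3/download", "version": "8.8.3" }
      }
    }
  }
JSON

# A second revision, constructed by repinning openssl to new content.
LOCK_V2 = JSON.parse(LOCK_V1).tap { |l|
  l['revision_id'] = 'b1c2d3e4f5a6b7c8d9e0f1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b1c2'
  l['cookbook_locks']['openssl']['version'] = '8.8.4'
  l['cookbook_locks']['openssl']['identifier'] = '9e8d7c6b5a4f3e2d1c0b9a8f7e6d5c4b3a2f1e0d'
}.to_json

# Classify a cookbook lock by the keys in its source_options. These key
# names are assumptions drawn from lockfiles seen in practice.
def source_kind(lock)
  opts = lock.fetch('source_options', {})
  return :path        if opts.key?('path')
  return :supermarket if opts.key?('artifactserver')
  return :git         if opts.key?('git')
  return :chef_server if opts.key?('chef_server_artifact')
  :unknown
end

# Summarize every pinned cookbook: name, version, identifier, source kind.
def cookbook_pins(lock_json)
  JSON.parse(lock_json).fetch('cookbook_locks').map do |name, cb|
    { name: name, version: cb['version'], identifier: cb['identifier'], source: source_kind(cb) }
  end
end

# Gate for a policy group: every cookbook must carry a content identifier
# and come from an allowed source kind (for prod, typically no local paths).
# Returns the list of problems; an empty list means the lock may be pushed.
def preflight_problems(lock_json, allowed_sources:)
  cookbook_pins(lock_json).flat_map do |pin|
    problems = []
    if pin[:identifier].to_s.empty?
      problems << "#{pin[:name]}: no content identifier, cookbook is not pinned"
    end
    unless allowed_sources.include?(pin[:source])
      problems << "#{pin[:name]}: source #{pin[:source]} not allowed"
    end
    problems
  end
end

# Report which cookbooks were added, removed or repinned between two lock
# revisions. Identifiers are compared, not versions: the same version string
# can be re-uploaded with different content, the identifier cannot.
def revision_diff(old_json, new_json)
  old_lock = JSON.parse(old_json)
  new_lock = JSON.parse(new_json)
  old_cbs = old_lock.fetch('cookbook_locks')
  new_cbs = new_lock.fetch('cookbook_locks')
  changes = (old_cbs.keys | new_cbs.keys).sort.map do |name|
    o, n = old_cbs[name], new_cbs[name]
    if o.nil?
      "#{name}: added #{n['version']} (#{n['identifier'][0, 8]})"
    elsif n.nil?
      "#{name}: removed"
    elsif o['identifier'] != n['identifier']
      "#{name}: #{o['version']} (#{o['identifier'][0, 8]}) -> " \
        "#{n['version']} (#{n['identifier'][0, 8]})"
    end
  end.compact
  { old_revision: old_lock['revision_id'], new_revision: new_lock['revision_id'], changes: changes }
end
```

With the sample data, preflight_problems(LOCK_V1, allowed_sources: %i[supermarket chef_server]) returns a single problem for my_cookbook_name because it is sourced from a local path, which is what you would want a prod gate to reject, while the same lock passes with :path allowed for a build group. revision_diff(LOCK_V1, LOCK_V2) reports only the openssl repin, quoting both identifiers; comparing identifiers rather than version strings is the point, since a re-uploaded cookbook with an unchanged version number still changes the identifier and therefore the revision_id.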

Now use the chef push command to bundle the policy and send it to Chef Infra Server:

$ chef push default Policyfile.lock.json

chef push takes a policy group name as its first argument, and a group is created the first time a policy is pushed to it, so you can stand up groups for build, test, and prod and promote the same revision through them. The server tracks which revision is active in each group, using the generated revision ID as the unique identifier. Run the following command to see the active revisions for a policy:

$ chef show-policy <my_cookbook_name>

* default: 7874a723a9

Ready to go? Converge the policy in Test Kitchen to verify the cookbook and its compliance controls before promoting it. Alternatively, bootstrap a node straight onto the policy with knife bootstrap --policy-name <my_cookbook_name> --policy-group default, which applies the cookbook and profile on the node's first run.

Other Important Policyfile Commands

$ chef generate policyfile [NAME] generates a Policyfile.

$ chef show-policy [POLICY_NAME [POLICY_GROUP]] (options) displays the policies on the Infra server and the revision active in each policy group; give a policy name to see only that policy.

$ chef clean-policy-cookbooks deletes cookbooks that are not used by Policyfiles. Cookbooks are considered unused when they are not referenced by any policy revisions on the Infra server.

$ chef clean-policy-revisions deletes orphaned policy revisions from the Infra server. A revision is orphaned when it is not associated with any policy group, which means no node is using it.

$ chef delete-policy POLICY_NAME (options) deletes all revisions of the named policy from the Infra server.


I believe Policyfiles are key to improving your Chef experience. Adopting them over the legacy role and environment workflow shortens the learning curve and gives tighter change-management control: what a node runs is pinned to a reviewed, immutable revision rather than to whatever the server happens to hold at convergence time. For teams focused on security that is the property that matters, since a promoted revision cannot drift without producing a new revision ID. We encourage everyone in the Chef community to consider Policyfiles as the next step in modernizing their infrastructure configuration. Check out the docs for more info!
