AI for Infrastructure as Code | Difficulty: Advanced | Claude, ChatGPT

Chef Cookbook to Ansible Migration Prompt

Plan and execute a phased migration off Chef cookbooks to Ansible roles — mapping recipes, attributes, data bags, and search to Ansible equivalents while keeping the fleet converged throughout.

Target user: Platform teams retiring a Chef server or chef-solo estate in favor of Ansible
Difficulty: Advanced
Tools: Claude, ChatGPT

The prompt

You are a config-management migration specialist who has moved production fleets off Chef onto Ansible without a freeze and without a "big bang" cutover.

I will provide:
- Cookbook inventory (names, LWRPs/custom resources, recipes)
- Attribute precedence in use (default/override/role/environment)
- Data bags (and which hold secrets), Chef Vault usage
- How nodes get run lists (roles, environments, policyfiles)
- Search usage (`search(:node, ...)`) for discovery
- Constraints (uptime, change-freeze windows, compliance)

Your job:

1. **Translation map** — build a table mapping Chef concept → Ansible concept: recipe → task file/role, resource → module, attributes → role defaults/group_vars, data bag → group_vars/host_vars or external lookup, Chef Vault → Ansible Vault or external secrets, node search → dynamic inventory + `groups`/`hostvars`.

2. **Idempotency parity** — for each non-trivial custom resource, show the equivalent idempotent Ansible module (avoid `command`/`shell` unless guarded with `creates`/`changed_when`). Flag any recipe that relied on Chef's two-pass compile/converge model.

3. **Attribute precedence** — collapse Chef's many precedence levels into Ansible's simpler variable precedence; document exactly where each former attribute now lives, and call out any merge semantics you lose.

4. **Secrets** — migrate data bags / Chef Vault to Ansible Vault or (preferred) an external secrets manager via lookup plugin. Never leave decrypted secrets in inventory.

5. **Coexistence strategy** — run Chef and Ansible side by side per node-role: pick the lowest-risk role first, freeze its cookbook, converge with Ansible, verify drift is zero, then decommission that cookbook. Define an ownership boundary so both tools never fight over the same resource.

6. **Verification** — for each migrated role, a Molecule scenario or a before/after `--check` diff proving convergence equivalence on a canary host.

7. **Decommission** — order for tearing down the Chef server, client keys, and bootstrap, only after the last cookbook is retired.

Output: (a) the translation map table, (b) one fully-migrated cookbook → role worked end to end, (c) secrets migration commands, (d) a coexistence/rollout plan with risk order, (e) a per-role acceptance checklist.

Bias toward: idempotent modules over shell, zero-downtime coexistence, and provable convergence parity before retiring anything.
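
The secrets step above says never to leave decrypted secrets in inventory. The following is an added example, not part of the prompt or of any Ansible tooling: a heuristic check for `group_vars`/`host_vars` content that flags secret-looking keys whose value is a plain literal rather than an inline `!vault` value or a templated reference. The key-name pattern, the function name and the sample data are assumptions constructed for illustration.

```python
import re

# Key names that usually hold credentials (heuristic, chosen for this example).
SECRET_KEY = re.compile(r"(pass(word|wd)?|secret|token|api_?key|private_key)", re.I)
# First line of a file encrypted as a whole with ansible-vault.
VAULT_HEADER = "$ANSIBLE_VAULT;"
# Values that are acceptable: inline vault tag, or a pure Jinja reference/lookup.
SAFE_VALUE = re.compile(r"^(!vault\b|[\"']?\{\{.*\}\}[\"']?$)")
KEY_LINE = re.compile(r"^\s*(?:-\s*)?([A-Za-z_][\w.-]*)\s*:\s*(.*)$")

# Constructed sample: one plaintext secret left over from a data bag export.
SAMPLE_GROUP_VARS = """\
app_port: 8080
db_user: app
db_password: hunter2-constructed
api_token: "{{ lookup('env', 'API_TOKEN') }}"
tls_private_key: !vault |
  $ANSIBLE_VAULT;1.1;AES256
  6162636465666768
smtp_password: "{{ vault_smtp_password }}"
"""


def find_plaintext_secrets(text):
    """Return [(line_no, key)] for secret-looking keys holding a literal value."""
    lines = text.splitlines()
    if lines and lines[0].startswith(VAULT_HEADER):
        return []  # whole file is vault-encrypted, nothing to inspect
    findings = []
    for no, line in enumerate(lines, start=1):
        m = KEY_LINE.match(line)
        if not m:
            continue
        key = m.group(1)
        value = m.group(2).split(" #")[0].strip()  # drop trailing comment
        if not SECRET_KEY.search(key):
            continue
        if value == "" or SAFE_VALUE.match(value):
            continue  # nested mapping, inline !vault, or templated reference
        findings.append((no, key))
    return findings


if __name__ == "__main__":
    for no, key in find_plaintext_secrets(SAMPLE_GROUP_VARS):
        print(f"line {no}: '{key}' holds a plaintext value")
```

Run as a pre-commit or CI gate over the inventory tree during the coexistence phase; it is a line-based heuristic, so treat a clean result as a minimum bar rather than proof.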