Table Of Contents


A resource defines the desired state for a single configuration item present on a node that is under management by Chef. A resource collection—one (or more) individual resources—defines the desired state for the entire node. During a chef-client run, the current state of each resource is tested, after which the chef-client will take any steps that are necessary to repair the node and bring it back into the desired state.

Use the env resource to manage environment keys in Microsoft Windows. After an environment key is set, Microsoft Windows must be restarted before the environment key will be available to the Task Scheduler.


On UNIX-based systems, the best way to manipulate environment keys is with the ENV variable in Ruby; however, this approach does not have the same permanent effect as using the env resource.


The syntax for using the env resource in a recipe is as follows:

env "name" do
  attribute "value" # see attributes section below
  action :action # see actions section below


  • env tells the chef-client to use the Chef::Provider::Env::Windows provider during the chef-client run
  • name is the name of the resource block; when the key_name attribute is not specified as part of a recipe, name is also the name of the environment key that is created, deleted, or modified
  • attribute is zero (or more) of the attributes that are available for this resource
  • :action identifies which steps the chef-client will take to bring the node into the desired state


This resource has the following actions:

Action Description
:create Default. Use to create an environment variable. If an environment variable already exists (but does not match), use to update that environment variable to match.
:delete Use to delete an environment variable.
:modify Use to modify an existing environment variable. This will prepend the new value to the existing value, using the delimiter specified by the delim attribute.


This resource has the following attributes:

Attribute Description
delim The delimiter that is used to separate multiple values for a single key.
key_name The name of the key that will be created, deleted, or modified. Default value: the name of the resource block. (See “Syntax” section above for more information.)
provider Optional. Use to explicitly specify a provider. (See “Providers” section below for more information.)
value The value with which key_name is set.


A guard attribute can be used to evaluate the state of a node during the execution phase of the chef-client run. Based on the results of this evaluation, a guard attribute is then used to tell the chef-client if it should continue executing a resource. A guard attribute accepts either a string value or a Ruby block value:

  • A string is executed as a shell command. If the command returns 0, the guard is applied. If the command returns any other value, then the guard attribute is not applied. String guards in a powershell_script run Windows PowerShell commands and may return true in addition to 0.
  • A block is executed as Ruby code that must return either true or false. If the block returns true, the guard attribute is applied. If the block returns false, the guard attribute is not applied.

A guard attribute is useful for ensuring that a resource is idempotent by allowing that resource to test for the desired state as it is being executed, and then if the desired state is present, for the chef-client to do nothing.


The following attributes can be used to define a guard that is evaluated during the execution phase of the chef-client run:

Guard Description
not_if Use to prevent a resource from executing when the condition returns true.
only_if Use to allow a resource to execute only if the condition returns true.


The following arguments can be used with the not_if or only_if guard attributes:

Argument Description

Use to specify the user that a command will run as. For example:

not_if "grep adam /etc/passwd", :user => 'adam'

Use to specify the group that a command will run as. For example:

not_if "grep adam /etc/passwd", :group => 'adam'

Use to specify a Hash of environment variables to be set. For example:

not_if "grep adam /etc/passwd", :environment => {
  'HOME' => "/home/adam"

Use to set the current working directory before running a command. For example:

not_if "grep adam passwd", :cwd => '/etc'

Use to set a timeout for a command. For example:

not_if "sleep 10000", :timeout => 10


Where a resource represents a piece of the system (and its desired state), a provider defines the steps that are needed to bring that piece of the system from its current state into the desired state.

The chef-client will determine the correct provider based on configuration data collected by Ohai at the start of the chef-client run. This configuration data is then mapped to a platform and an associated list of providers.

Generally, it’s best to let the chef-client choose the provider and this is (by far) the most common approach. However, in some cases specifying a provider may be desirable. There are two approaches:

  • Use a more specific short name—yum_package "foo" do instead of package "foo" do, script "foo" do instead of bash "foo" do, and so on—when available
  • Use the provider attribute to specify the long name as an attribute of a resource, e.g. provider Chef::Provider::Long::Name

This resource has the following providers:

Long name Short name Notes
Chef::Provider::Env::Windows env The default provider for all Microsoft Windows platforms.


The following examples demonstrate various approaches for using resources in recipes. If you want to see examples of how Chef uses resources in recipes, take a closer look at the cookbooks that Chef authors and maintains:

Set an environment variable

env "ComSpec" do
  value "C:\\Windows\\system32\\cmd.exe"