we should not delete the examples. Instead we should migrate to work with the new version

we are going to need it for now

chef_inspec feels like a strange name

can we just inspec for provides and as a resource name instead of chef_inspec?

of course! let's do it!

Do you think we should combine:

chef_handler 'Chef::Handler::AuditReport' do
  source "#{handler_directory}/audit_report.rb"
  action :enable
end

inspec_report 'report' do
  action :execute
end

how do we combine them?

seems like the right way to go, just unsure how?

As discussed with @vjeffrey we try to find a way that does not require us to write a file on the host node

not 100% sure what &profiles should refer to

leftover from initial implementation.. Yaml syntax docs: "Repeated nodes are first identified by an anchor (marked with the ampersand - “&”), and are then aliased (referenced with an asterisk - “*”) thereafter."

Since we're moving away from a resource converge I don't think 'fail_if_any_audits_failed' makes sense any more. The original intent was to fail during converge in a pipeline phase such as kitchen converge. Now, with the report handler, we'd rely on kitchen-inspec to reference the profiles and kitchen verify to provide a pass|fail status to the CI framework.

sounds good to me! i'll remove it

Oh, I see what you're achieving now 😃 more clearly. However, I suppose I don't understand what the requirement is to cause us to remove the chef handler ruby library code.
To me it smells fishy because it seems like it's akin to running an app that deletes all traces of itself after execution. I can think of two potential concerns that arise from that:

• It's not in the spirit of transparency - we're running code on nodes and then deleting that code from the nodes.
• Deleting the handler code from the node could make troubleshooting harder since it requires version correlation against a git repo or chef server to determine what actual code was running when the handler fired. Having the code intact on the node gives you a 100% assurance that you know what executed.

If this moves forward, I recommend adding the standard header to the recipe which gets generated from chef generate recipe clean-up One last thing on this commit, just me perhaps, but using - in recipe names is not consistent with the requirement that cookbooks are not allowed to have - in the name 😄

#
# Cookbook Name:: audit
# Recipe:: clean-up
#
# Copyright (c) 2016 The Authors, All Rights Reserved.

@jeremymv2 thanks for the honest feedback. That is very helpful! Background: This was an approach @vjeffrey and I discussed before. From my perspective it feels strange to install code on a node just for runtime and not cleaning the tmp stuff up. Nevertheless, if that is not standard practice we should not do this approach.

@vjeffrey I propose we leave the handler files there for now, I've an idea how we can get around generating the file in future to get the best of both worlds. But lets try that in future PRs.

cool, sounds good! also, get some sleep @chris-rock!!

just updated by dropping that last commit. :) thanks for your help @jeremymv2!! good points!