Chef Policyfiles
What it is
Chef Policyfiles are Chef's newer configuration-bundling
feature: a single Policyfile.rb replaces the role + environment
+ run-list model with one versioned, immutable policy artifact
that pins cookbook versions and defines the run-list together.
Policyfiles compile to an immutable .lock.json artifact that is
uploaded to the Chef server and attached to nodes; unlike the
role/environment model, cookbook version pinning is explicit and
there's no "latest version in an environment" ambiguity.
Policyfiles are presented by the Chef community as the successor to the role + environment shape; most post-2018 Chef deployments and training start with Policyfiles as the default.
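The pinning difference described above, as an added example (not Chef's resolver and not code from Slack's post). It is a simplified model: the server contents, environment constraint and reduced lock data are constructed, and Ruby's `Gem::Requirement` stands in for Chef's version-constraint matching.

```ruby
require "json"

# Constructed sample data: cookbook versions on a Chef server at two points in time.
SERVER_MONDAY = { "nginx" => %w[2.7.4 2.7.6], "base" => %w[1.0.0] }.freeze
SERVER_FRIDAY = { "nginx" => %w[2.7.4 2.7.6 2.9.0 3.0.0], "base" => %w[1.0.0 1.1.0] }.freeze

# Constructed environment: nginx loosely constrained, base not constrained at all.
ENV_CONSTRAINTS = { "nginx" => "~> 2.7" }.freeze

# Constructed, reduced lock data: one exact version per cookbook in the run-list.
LOCK_JSON = <<~JSON
  { "name": "web", "run_list": ["recipe[base::default]", "recipe[nginx::default]"],
    "cookbook_locks": { "nginx": { "version": "2.7.6" }, "base": { "version": "1.0.0" } } }
JSON

# Cookbook names referenced by a run-list such as ["recipe[nginx::default]"].
def run_list_cookbooks(run_list)
  run_list.map { |item| item[/\Arecipe\[([^:\]]+)/, 1] }.compact.uniq
end

# Role + environment model (simplified): newest server version satisfying the
# constraint, or simply the newest version when the environment is silent.
def resolve_environment(cookbooks, constraints, server)
  cookbooks.to_h do |name|
    req = Gem::Requirement.new(constraints.fetch(name, ">= 0"))
    best = server.fetch(name).map { |v| Gem::Version.new(v) }.select { |v| req.satisfied_by?(v) }.max
    [name, best.to_s]
  end
end

# Policy model: the lock is the answer; a run-list cookbook with no lock entry raises.
def resolve_lock(lock)
  run_list_cookbooks(lock.fetch("run_list")).to_h do |name|
    [name, lock.fetch("cookbook_locks").fetch(name).fetch("version")]
  end
end

# Cookbooks whose resolved version differs between two resolutions.
def drift(before, after)
  before.keys.select { |name| before[name] != after[name] }.sort
end

if $PROGRAM_NAME == __FILE__
  lock = JSON.parse(LOCK_JSON)
  books = run_list_cookbooks(lock.fetch("run_list"))
  mon = resolve_environment(books, ENV_CONSTRAINTS, SERVER_MONDAY)
  fri = resolve_environment(books, ENV_CONSTRAINTS, SERVER_FRIDAY)
  puts "environment drift: #{drift(mon, fri)}  lock: #{resolve_lock(lock)}"
end
```

Under the environment model both cookbooks move between the two server states without any change to the node's configuration; the lock resolves to the same versions regardless of what has been uploaded since.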
Named role: the architectural alternative Slack rejected
Slack's 2025-10-23 Chef Phase 2 post explicitly discusses Policyfiles as the architectural path not taken, on blast-radius-of-change grounds. Verbatim: "One idea we explored was moving to Chef Policyfiles. That would have meant replacing roles and environments and asking dozens of teams to change their cookbooks. In the long run, it might have made things safer, but in the short term it would have been a huge effort and added more risk than it solved."
Slack instead extended the existing role + environment model with
AZ-bucketed environments (prod-1 … prod-6) + signal-driven
Chef runs via systems/chef-summoner. The rejection is a
canonical instance of incremental-improvement-over-clean-slate
at the fleet-configuration-management altitude.
Why this page is a stub
This page exists to give Slack's rejection a well-formed wiki
reference. A full canonicalisation of Policyfiles (compile
semantics, merge-and-lock workflow, attributes precedence,
migration from roles/environments, chef-cli policy subcommand)
is out of scope — no ingested source disclosing Policyfiles
internals exists on the wiki yet.
Caveats
- Stub-level. Policyfiles internals not canonicalised.
- Slack's rejection is not a universal recommendation. The trade-off was specific to Slack's "dozens of teams … their cookbooks" migration cost; a fresh Chef deployment or a smaller shop would likely prefer Policyfiles.
Seen in
- sources/2025-10-23-slack-advancing-our-chef-infrastructure-safety-without-disruption — named as the architectural alternative Slack considered and rejected in favour of incremental improvement of the existing role + environment model.