AWS OpsWorks - User Guide
AWS OpsWorks
API 2013-02-18
AWS OpsWorks: Copyright 2018 Amazon Web Services, Inc. and/or its affiliates. All rights reserved.
Amazon's trademarks and trade dress may not be used in connection with any product or service that is not Amazon's, in any manner that is likely to cause confusion among customers, or in any manner that disparages or discredits Amazon. All other trademarks not owned by Amazon are the property of their respective owners, who may or may not be affiliated with, connected to, or sponsored by Amazon.
Table of Contents
AWS OpsWorks (p. 1)
AWS OpsWorks for Puppet Enterprise (p. 3)
Puppet Enterprise (p. 3)
OpsWorks for Puppet Enterprise (p. 4)
Puppet (p. 8)
Puppet Enterprise (p. 18)
AWS CodeCommit (p. 21)
OpsWorks for Puppet Enterprise (p. 23)
OpsWorks for Puppet Enterprise (p. 25)
1: IAM (p. 29)
Puppet (p. 33)
AWS CloudTrail (p. 35)
CloudTrail OpsWorks for Puppet Enterprise (p. 35)
OpsWorks for Puppet Enterprise (p. 36)
AWS OpsWorks for Chef Automate (p. 40)
Chef Automate (p. 41)
AWS OpsWorks for Chef Automate (p. 41)
Chef Automate (p. 43)
Chef Automate (p. 54)
AWS OpsWorks for Chef Automate (p. 56)
AWS OpsWorks for Chef Automate (p. 58)
AWS OpsWorks (p. 59)
Chef Compliance (p. 62)
Chef Compliance (p. 63)
Compliance (p. 65)
Chef Compliance (p. 67)
Compliance (p. 67)
1: IAM (p. 69)
2: Chef (p. 69)
chef-client (p. 71)
Chef Automate (p. 73)
Chef (p. 74)
AWS CloudTrail (p. 75)
CloudTrail AWS OpsWorks for Chef Automate (p. 75)
AWS OpsWorks for Chef Automate (p. 76)
AWS OpsWorks (p. 82)
Layer (p. 84)
CLI, SDK, AWS CloudFormation (p. 88)
Linux (p. 102)
Windows (p. 121)
VPC (p. 182)
JSON (p. 191)
Layer (p. 196)
OpsWorks Layer (p. 197)
Elastic Load Balancing Layer (p. 207)
Amazon RDS Layer (p. 210)
ECS Layers (p. 214)
Layer (p. 218)
AWS OpsWorks (p. 220)
AWS OpsWorks Stacks (p. 254)
AWS OpsWorks Stacks (p. 280)
SSH (p. 281)
RDP (p. 283)
Git SSH (p. 298)
SSL (p. 300)
Chef (p. 308)
Ruby (p. 319)
Tags (p. 342)
AWS CLI (p. 345)
Monitoring (p. 346)
Amazon CloudWatch (p. 346)
AWS CloudTrail (p. 353)
Amazon CloudWatch Logs (p. 355)
Amazon CloudWatch Events (p. 359)
IAM (p. 377)
AWS OpsWorks (p. 378)
EC2 (p. 380)
SSH (p. 382)
Chef 12 Linux (p. 389)
Chef 12 (p. 390)
Chef (p. 393)
Linux Chef 11.10 (p. 393)
AWS OpsWorks (p. 662)
ElastiCache Redis (p. 668)
Amazon S3 (p. 676)
AWS OpsWorks AWS CodePipeline (p. 685)
AWS OpsWorks CLI (p. 727)
Elastic IP (p. 734)
Layer (p. 736)
Install Dependencies (p. 739)
AWS OpsWorks CLI (p. 758)
agent_report (p. 760)
get_json (p. 760)
instance_report (p. 763)
list_commands (p. 763)
run_command (p. 764)
show_log (p. 764)
stack_state (p. 765)
AWS OpsWorks (p. 766)
aws_opsworks_app (p. 769)
aws_opsworks_command (p. 772)
Amazon ECS (aws_opsworks_ecs_cluster) (p. 773)
Elastic Load Balancing (aws_opsworks_elastic_load_balancer) (p. 773)
aws_opsworks_instance (p. 774)
Layer (aws_opsworks_layer) (p. 777)
Amazon RDS (aws_opsworks_rds_db_instance) (p. 779)
aws_opsworks_stack (p. 780)
aws_opsworks_user (p. 781)
OpsWorks (p. 782)
Chef 12 (p. 782)
Chef 11.10 (p. 783)
AWS Software Development Kits (p. 787)
AWS OpsWorks (p. 789)
AWS OpsWorks
AWS OpsWorks AWS OpsWorks Puppet Chef AWS OpsWorks AWS OpsWorks for Chef Automate Chef OpsWorks for Puppet Enterprise AWS Puppet Enterprise Puppet
AWS OpsWorks AWS OpsWorks for Puppet Enterprise (p. 3)
OpsWorks for Puppet Enterprise AWS Puppet Puppet Puppet Puppet Puppet Forge Puppet Puppet Code Manager
OpsWorks for Puppet Enterprise Puppet Puppet OpsWorks for Puppet Enterprise Puppet Amazon EC2 OpsWorks for Puppet Enterprise
OpsWorks for Puppet Enterprise Puppet Enterprise AWS Puppet Amazon EC2 Auto Scaling Amazon EC2
AWS OpsWorks for Chef Automate (p. 40)
AWS OpsWorks for Chef Automate Chef Automate AWS Chef Chef DK Chef Chef Chef Chef chef-client knife Test Kitchen Chef AWS OpsWorks for Chef Automate Chef
Chef Automate AWS OpsWorks for Chef Automate Amazon Elastic Compute Cloud Chef Chef Automate AWS OpsWorks for Chef Automate AWS OpsWorks Chef
https://www.chef.io
https://puppet.com/products/puppet-enterprise
https://forge.puppet.com/
https://www.chef.io/automate/
https://downloads.chef.io/chef-dk/
https://docs.chef.io/knife.html
http://kitchen.ci/
AWS OpsWorks for Chef Automate 1 Chef Automate Chef Chef Amazon EC2 Auto Scaling Amazon EC2
AWS OpsWorks (p. 82)
EC2 Amazon Relational Database Service (RDS) AWS
AWS OpsWorks AWS OpsWorks EC2 Chef
AWS OpsWorks for Chef Automate AWS OpsWorks Chef Chef AWS OpsWorks Chef AWS OpsWorks Auto Scaling
http://docs.chef.io/recipes.html
AWS OpsWorks for Puppet Enterprise
OpsWorks for Puppet Enterprise Puppet Enterprise AWS OpsWorks OpsWorks for Puppet Enterprise Puppet OpsWorks for Puppet Enterprise Puppet Puppet Enterprise AWS AWS CLI
Puppet puppet-agent Puppet OpsWorks for Puppet Enterprise Puppet puppet-agent Puppet Enterprise
OpsWorks for Puppet Enterprise Amazon Elastic Compute Cloud OpsWorks for Puppet Enterprise Amazon Linux (Amazon Linux 2) Puppet Enterprise Master 2018.1 Puppet Enterprise 2018.1 Puppet Enterprise
Puppet AWS Puppet Enterprise AWS Puppet
OpsWorks for Puppet Enterprise EC2 Puppet Enterprise Supported operating systems puppet Puppet
Puppet Enterprise (p. 3) OpsWorks for Puppet Enterprise (p. 4) OpsWorks for Puppet Enterprise (p. 4) OpsWorks for Puppet Enterprise (p. 23) OpsWorks for Puppet Enterprise (p. 26) OpsWorks for Puppet Enterprise (p. 29) OpsWorks for Puppet Enterprise (p. 33) OpsWorks for Puppet Enterprise (p. 33) AWS CloudTrail OpsWorks for Puppet Enterprise API (p. 35) OpsWorks for Puppet Enterprise (p. 37)
Puppet Enterprise Puppet Puppet Securing an Application()
https://puppet.com/products/puppet-enterprise
https://docs.puppet.com/puppet/4.9/about_agent.html
https://puppet.com/docs/pe/2018.1/release_notes/release_notes.html
https://docs.puppet.com/pe/latest/sys_req_os.html#puppet-agent-platforms
https://puppet.com/docs/pipelines-for-apps/free/application-secure.html
OpsWorks for Puppet Enterprise
OpsWorks for Puppet Enterprise OpsWorks for Puppet Enterprise Puppet IAM Puppet Puppet VPC VPC VPC
OpsWorks for Puppet Enterprise OpsWorks for Puppet Enterprise AWS Puppet Enterprise 15 Puppet Enterprise
OpsWorks for Puppet Enterprise Puppet
AWS AWS (p. 4) Puppet (p. 5) Puppet Enterprise (p. 6) (p. 6) Git (p. 6) VPC (p. 7) EC2 () (p. 8)
Puppet OpsWorks for Puppet Enterprise AWS VPC (p. 7)
AWS AWS AWS AWS
AWS
1. https://aws.amazon.com/ [Create an AWS Account]
https://puppet.com/products/puppet-enterprise
https://aws.amazon.com/
Note
AWS [Sign in to a different account] [Create a new AWS account]
2.
PIN
AWS https://aws.amazon.com/ [My Account/Console]
IAM ID
ID AWS AWS AWS IAM IAM AWS AWS
IAM IAM IAM
1. IAM
2. [Users]
3. IAM ()
4. [Security credentials] [Create access key]
5. [Show]
Access key ID: AKIAIOSFODNN7EXAMPLE
Secret access key: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
6. [Download .csv file]
AWS AWS Amazon.com Amazon
IAM (IAM ) AWS (AWS General Reference)
Puppet 1. Puppet Puppet
2. Puppet
https://aws.amazon.com/
http://docs.aws.amazon.com/IAM/latest/UserGuide/access_permissions-required.html
https://console.aws.amazon.com/iam/home?#home
http://docs.aws.amazon.com/IAM/latest/UserGuide/introduction.html
http://docs.aws.amazon.com/general/latest/gr/aws-security-credentials.html
https://puppet.com/download-puppet-development-kit
3. Puppet PATH
Linux macOS Bash Puppet PATH
echo 'export PATH=/opt/puppetlabs/pdk/bin:$PATH' >> ~/.bash_profile && source ~/.bash_profile
Windows PowerShell [System Properties] [Environment Variables] .NET Puppet PATH PowerShell
[Environment]::SetEnvironmentVariable("Path","new path value","Machine")
Puppet Enterprise Puppet Enterprise (PE) Puppet Enterprise Puppet Puppet Enterprise Installing PE client tools
Puppet API Puppet Enterprise
5 Puppet Enterprise Change the token's default lifetime
puppet-access login --config-file .config/puppetlabs/client-tools/puppet-access.conf --lifetime 8h
Note
5 --lifetime 10 (10y) Puppet Enterprise Change the token's default lifetime
Git Puppet Git Puppet Git URL SSH Puppet Enterprise Puppet Enterprise Setting up a control repository Puppet control-repo GitHub README
LICENSE
https://puppet.com/docs/pe/2017.3/installing/installing_pe_client_tools.html
https://puppet.com/docs/pe/2017.3/rbac/rbac_token_auth_intro.html#change-the-token-default-lifetime
https://puppet.com/docs/pe/2017.3/code_management/control_repo.html
https://github.com/puppetlabs/control-repo
Puppetfile README.md environment.conf hieradata common.yaml nodes example-node.yaml manifests site.pp scripts code_manager_config_version.rb config_version.rb config_version.sh site profile manifests base.pp example.pp role manifests database_server.pp example.pp webserver.pp
AWS CodeCommit
AWS CodeCommit AWS CodeCommit the section called : AWS CodeCommit (p. 21)AWS CodeCommit Git AWS CodeCommit OpsWorks for Puppet Enterprise IAM AWSCodeCommitReadOnly
VPC OpsWorks for Puppet Enterprise Amazon Virtual Private Cloud VPC VPC VPC Amazon VPC VPC Amazon VPC
VPC VPC VPC
VPC [DNS resolution] [Auto-assign public IP]
VPC VPC AWS OpsWorks AWS CloudFormation AWS CLI VPC AWS AWS CloudFormation
aws cloudformation create-stack --stack-name OpsWorksVPC --template-url https://s3.amazonaws.com/opsworks-cm-us-east-1-prod-default-assets/misc/opsworks-cm-vpc.yaml
http://docs.aws.amazon.com/codecommit/latest/userguide/getting-started.html
http://docs.aws.amazon.com/AmazonVPC/latest/GettingStartedGuide/
https://s3.amazonaws.com/opsworks-cm-us-east-1-prod-default-assets/misc/opsworks-cm-vpc.yaml
EC2 ()Puppet SSH AWS AWS CLI Puppet
Puppet Enterprise SSH EC2 EC2 Amazon EC2
EC2 Puppet Enterprise
Puppet Enterprise OpsWorks for Puppet Enterprise AWS CLI Puppet
AWS Puppet Enterprise Master (p. 8) AWS CLI Puppet Enterprise Master (p. 11)
AWS Puppet Enterprise Master
1. AWS AWS OpsWorks (https://console.aws.amazon.com/opsworks/)
2. AWS OpsWorks [Go to OpsWorks for Puppet Enterprise]
3. OpsWorks for Puppet Enterprise [Create Puppet Enterprise server]
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-key-pairs.html
https://console.aws.amazon.com/opsworks/
4. [Set name, region, and type] Puppet 40 () c4.large [Next]
5. [Configure credentials] [SSH key] [Configure Puppet Code Manager] [r10k remote] Git SSH URL [r10k private key] r10k AWS OpsWorks SSH Git []
6. [] [] VPC 1 AWS OpsWorks Puppet
7. [System maintenance]
AWS AWS CLI API
8. Amazon Simple Storage Service 30 OpsWorks for Puppet Enterprise
9. [Next]
10. [Review] [Launch]
Puppet AWS OpsWorks Puppet (p. 13) PuppetEnterprise
OpsWorks for Puppet Enterprise Puppet [online] Puppet Enterprise https://your_server_name-randomID.region.opsworks-cm.io URL
AWS CLI Puppet Enterprise Master AWS CLI OpsWorks for Puppet Enterprise AWS OpsWorks AWS CLI AWS OpsWorks ARN create-server Puppet AWS OpsWorks Puppet Enterprise AWS CLI OpsWorks for Puppet Enterprise OpsWorks for Puppet Enterprise JSON create-server
AWS CLI AWS AWS CLI create-server create-server AWS CLI create-server
1. (p. 4)Puppet ID VPC
2. AWS OpsWorks AWS CloudFormation AWS CLI AWS CloudFormation
aws cloudformation create-stack --stack-name OpsWorksCMRoles --template-url https://s3.amazonaws.com/opsworks-cm-us-east-1-prod-default-assets/misc/opsworks-cm-roles.yaml --capabilities CAPABILITY_IAM
AWS CloudFormation ARN
aws iam list-roles --path-prefix "/service-role/" --no-paginate
list-roles ARN Puppet
{
  "AssumeRolePolicyDocument": {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Action": "sts:AssumeRole",
        "Effect": "Allow",
        "Principal": {
          "Service": "ec2.amazonaws.com"
        }
      }
    ]
  },
  "RoleId": "AROZZZZZZZZZZQG6R22HC",
  "CreateDate": "2018-01-05T20:42:20Z",
  "RoleName": "aws-opsworks-cm-ec2-role",
  "Path": "/service-role/",
  "Arn": "arn:aws:iam::000000000000:role/service-role/aws-opsworks-cm-ec2-role"
},
{
  "AssumeRolePolicyDocument": {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Action": "sts:AssumeRole",
        "Effect": "Allow",
        "Principal": {
          "Service": "opsworks-cm.amazonaws.com"
        }
      }
    ]
  },
  "RoleId": "AROZZZZZZZZZZZZZZZ6QE",
  "CreateDate": "2018-01-05T20:42:20Z",
  "RoleName": "aws-opsworks-cm-service-role",
  "Path": "/service-role/",
  "Arn": "arn:aws:iam::000000000000:role/service-role/aws-opsworks-cm-service-role"
}
https://docs.aws.amazon.com/cli/latest/userguide/installing.html
https://docs.aws.amazon.com/cli/latest/reference/opsworks-cm/create-server.html
3. create-server OpsWorks for Puppet Enterprise
--engine Puppet
--engine-model Monolithic
--engine-version 2017
AWS (-) 40
2 ARN ARN c4.large, c4.xlarge, c4.2xlarge
Amazon EC2
--engine-attributes Puppet --engine-attributes PUPPET_ADMIN_PASSWORD Puppet Enterprise 8 32 (ASCII)
SSH Puppet SSH & Amazon EC2 Amazon EC2
1 :DDD:HH:MM (UTC) --preferred-maintenance-window 1
--preferred-backup-window : HH:MM DDD:HH:MM UTC --disable-automated-backup
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-types.html
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-key-pairs.html
--security-group-ids 1 ID
--subnet-ids ID
aws opsworks-cm create-server --engine "Puppet" --engine-model "Monolithic" --engine-version "2017" \
  --server-name "server_name" \
  --instance-profile-arn "instance_profile_ARN" \
  --instance-type "instance_type" \
  --engine-attributes '{"PUPPET_ADMIN_PASSWORD":"ASCII_password"}' \
  --key-pair "key_pair_name" \
  --preferred-maintenance-window "ddd:hh:mm" \
  --preferred-backup-window "ddd:hh:mm" \
  --security-group-ids security_group_id1 security_group_id2 \
  --service-role-arn "service_role_ARN" \
  --subnet-ids subnet_ID

aws opsworks-cm create-server --engine "Puppet" --engine-model "Monolithic" --engine-version "2017" \
  --server-name "puppet-02" \
  --instance-profile-arn "arn:aws:iam::1019881987024:instance-profile/aws-opsworks-cm-ec2-role" \
  --instance-type "c4.large" \
  --engine-attributes '{"PUPPET_ADMIN_PASSWORD":"zZZzDj2DLYXSZFRv1d"}' \
  --key-pair "amazon-test" \
  --preferred-maintenance-window "Mon:08:00" \
  --preferred-backup-window "Sun:02:00" \
  --security-group-ids sg-b00000001 sg-b0000008 \
  --service-role-arn "arn:aws:iam::044726508045:role/aws-opsworks-cm-service-role" \
  --subnet-ids subnet-383daa71
4. OpsWorks for Puppet Enterprise 15 create-server create-server
5. OpsWorks for Puppet Enterprise jq JSON create-server jq Puppet 3
Get the Puppet password:
cat resp.json | jq -r '.Server.EngineAttributes[] | select(.Name == "PUPPET_ADMIN_PASSWORD") | .Value'

Get the Puppet Starter Kit:
cat resp.json | jq -r '.Server.EngineAttributes[] | select(.Name == "PUPPET_STARTER_KIT") | .Value' | base64 -D > starterkit.zip

(base64 -D is the macOS flag for decoding; GNU coreutils base64 on Linux uses -d.)
Note
AWS Puppet AWS CLI Puppet jq create-server base64 ZIP
6. the section called (p. 13)
Puppet Puppet OpsWorks for Puppet Enterprise [Properties] Puppet [Properties] 2
https://stedolan.github.io/jq/
Puppet
Puppet Puppet Enterprise AWS OpsWorks
Puppet Enterprise README
1. Puppet
2. .zip
Puppet Puppet Enterprise Puppet Puppet Enterprise Creating and managing users and user roles
Nginx control-repo-example Nginx
control-repo control-repo-example 2 control-repocontrol-repo production Puppet GitHub repository control-repo-example production Nginx
1. control-repo-example production Git (Puppet r10k_remoteURL) r10kRemoteUrl r10k_remote URL
cd control-repo-example
git remote add origin r10kRemoteUrl
git push origin production
Puppet Code Manager Git
Important
master master Puppet
2. control-repo-example Puppet Puppet Git Puppet (r10k_remote)
puppet-code deploy --all --wait --config-file .config/puppet-code.conf
Nginx Amazon EC2 OpsWorks for Puppet Enterprise (p. 29)
https://docs.puppet.com/pe/latest/rbac_user_roles.html#add-a-user-to-a-user-role
https://github.com/puppetlabs/control-repo
Puppet Puppet AWS CLI AWS
aws --region region opsworks-cm describe-servers --server-name server_name --query "Servers[0].EngineAttributes[?Name=='PUPPET_API_CA_CERT'].Value" --output text > .config/ssl/certs/ca.pem
Code Manager Code Manager Code Manager Puppet Enterprise Set up authentication for Code Manager
Puppet
(p. 17) associateNode() API (p. 17) (p. 17) (p. 18)
AWS OpsWorks associateNode() API Puppet Enterprise Puppet Puppet OpsWorks for Puppet Enterprise OpsWorks for Puppet Enterprise
Ubuntu 14.04, 16.04
Red Hat Enterprise Linux (RHEL) 6
Windows Puppet Windows 64
puppet-agent Debian OpsWorks for Puppet Enterprise puppet-agent puppet-agent Puppet Enterprise Installing agents
https://puppet.com/docs/pe/2017.3/code_management/code_mgr_config.html#set-up-authentication-for-code-manager
https://puppet.com/docs/pe/2017.3/installing/supported_operating_systems.html#agent-platforms
https://puppet.com/docs/pe/2017.3/installing/installing_agents.html
EC2 Puppet OpsWorks for Puppet Enterprise (p. 29)
Puppet Enterprise Puppet agent platforms
associateNode() API puppet-agent (CSR) OpsWorks for Puppet Enterprise Puppet CSR CSR Puppet Enterprise Managing certificate signing requests OpsWorks for Puppet Enterprise associateNode() API CSR AWS CLI API PEM CSR Puppet
aws opsworks-cm associate-node --server-name "test-puppet-server" --node-name "node or instance ID" --engine-attributes "Name=PUPPET_NODE_CSR,Value='PEM_formatted_CSR_from_the_node'"
associateNode() OpsWorks for Puppet Enterprise (p. 29)
puppet-agent 2 OpsWorks for Puppet Enterprise
AWS SDK AWS CLI AWS Tools for PowerShell associateNode() API OpsWorks for Puppet Enterprise CSR Puppet pp_role Amazon EC2 CSR Puppet Extension requests (permanent certificate data)
AWS Puppet Enterprise OpsWorks for Puppet Enterprise puppet-agent OpsWorks for Puppet Enterprise CSR Puppet CSR Puppet autosign.conf CSR autosign.conf Puppet SSL configuration: autosigning certificate requests
Puppet Puppet CSR Puppet Enterprise puppet_enterprise::profile::master::allow_unauthenticated_ca
Important
CSR Puppet CSR CSR
https://docs.puppet.com/pe/latest/sys_req_os.html#puppet-agent-platforms
https://puppet.com/docs/pe/2017.3/managing_nodes/adding_and_removing_nodes.html#managing-certificate-signing-requests
https://aws.amazon.com/tools/
https://aws.amazon.com/cli/
https://aws.amazon.com/powershell/
https://puppet.com/docs/puppet/5.1/ssl_attributes_extensions.html#extension-requests-permanent-certificate-data
https://puppet.com/docs/puppet/5.3/ssl_autosign.html
Puppet Puppet (DoS)
1. Puppet Enterprise
2. [] [] [PE Master] (PE ) []
3. [] [puppet_enterprise::profile::master]
4. [allow_unauthenticated_ca] [true]
5. Puppet ( ) 30 PE [Run] () Puppet
OpsWorks for Puppet Enterprise Puppet Enterprise Learn Puppet tutorial site
Puppet Enterprise Puppet [Properties] Puppet Enterprise 1
Puppet Enterprise PE (CA) CA PE
Puppet Enterprise
1. (p. 15) Puppet Enterprise
2. AWS Puppet []
3. [] [Open Puppet Enterprise console] (Puppet Enterprise )
4. 1
https://learn.puppet.com/
5. Puppet Enterprise Puppet Enterprise Puppet Enterprise Viewing node-specific information
https://docs.puppet.com/pe/2017.2/nodes_viewing.html
PE Puppet Enterprise Grouping and classifying nodes
1. 2. 3.
Puppet Enterprise Puppet Enterprise Reset the Admin Password
10 Puppet Puppet Enterprise Password endpoints
https://puppet.com/docs/pe/2017.3/managing_nodes/grouping_and_classifying_nodes.html
https://puppet.com/docs/pe/2017.3/accessing_console/console_accessing.html#reset-the-admin-password
https://puppet.com/docs/pe/2017.3/api_rbac_activity/rbac_api_v1_password.html
: AWS CodeCommit Puppet r10k AWS CodeCommit r10k
1. AWS CodeCommit
2. [Skip] Amazon SNS
3. [Code] [Connect to your repository]
4. [Connect to your repository] [HTTPS] [Connection type]
[Steps to clone your repository] git clone URL : https://git-codecommit.region.amazonaws.com/v1/repos/control-repo URL Puppet
5. [Connect to your repository] OpsWorks for Puppet Enterprise
6. 4 URL Puppet [Configure credentials] [r10k remote] [r10k private key] Puppet
7. IAM [AWSCodeCommitReadOnly] Puppet IAM IAM
8. AWS CodeCommit Git HTTPS control-repo AWS CodeCommit
9. the section called (p. 13) Puppet
puppet-code deploy --all --wait --config-file .config/puppet-code.conf
http://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-using.html#attach-managed-policy-console
http://docs.aws.amazon.com/codecommit/latest/userguide/setting-up-gc.html
OpsWorks for Puppet Enterprise
OpsWorks for Puppet Enterprise
OpsWorks for Puppet Enterprise (p. 23) OpsWorks for Puppet Enterprise (p. 25)
OpsWorks for Puppet Enterprise OpsWorks for Puppet Enterprise 1 Amazon Simple Storage Service (Amazon S3)
Amazon S3 30 AWS Amazon S3 S3 S3
OpsWorks for Puppet Enterprise OpsWorks for Puppet Enterprise [Configure advanced settings] [Automated backup]
1. [More settings]
http://docs.aws.amazon.com/AmazonS3/latest/user-guide/empty-bucket.html
http://docs.aws.amazon.com/AmazonS3/latest/user-guide/delete-bucket.html
2. [Enable automated backups] [No]
3. [Automated Backup]
AWS AWS CLI create-backup 30 10 Amazon S3
AWS
1. [Puppet Enterprise servers]
2. [Backups]
3. [Create backup]
4. [Status]
AWS CLI
AWS CLI
http://docs.aws.amazon.com/opsworks-cm/latest/APIReference/API_CreateBackup.html
aws opsworks-cm --region region name create-backup --server-name "Puppet server name" --description "optional descriptive string"
S3
AWS
1. [Puppet Enterprise servers]
2. [Backups]
3. [Delete backup] 1
4. [Delete the backup, which is stored in an S3 bucket]
[Yes, Delete]
AWS CLI
AWS CLI --backup-id ID ID ServerName-yyyyMMddHHmmssSSS puppet-server-20171218132604388
aws opsworks-cm --region region name delete-backup --backup-id ServerName-yyyyMMddHHmmssSSS
OpsWorks for Puppet Enterprise OpsWorks for Puppet Enterprise () ( EC2 ) Puppet Puppet
AWS CLI OpsWorks for Puppet Enterprise Puppet
Note
restore-server SSH
1. AWS CLI ID ID ID myServerName-yyyyMMddHHmmssSSS
aws opsworks-cm --region region name describe-backups
http://docs.aws.amazon.com/opsworks-cm/latest/APIReference/API_RestoreServer.html
2.
aws opsworks-cm --region region name restore-server --backup-id "myServerName-yyyyMMddHHmmssSSS" --instance-type "Type of instance" --key-pair "name of your EC2 key pair" --server-name "name of Puppet master"
aws opsworks-cm --region us-west-2 restore-server --backup-id "MyPuppetServer-20161120122143125" --server-name "MyPuppetServer"
3.
OpsWorks for Puppet Enterprise
OpsWorks for Puppet Enterprise Puppet AWS () 1 AWS CLI
Puppet AWS Puppet AWS Puppet Puppet OpsWorks for Puppet Enterprise Puppet (p. 28)
Amazon EC2
Important
OpsWorks for Puppet Enterprise (p. 28)
(p. 26) (p. 28) (p. 28)
OpsWorks for Puppet Enterprise (UTC) UNDER_MAINTENANCE
https://en.wikipedia.org/wiki/Coordinated_Universal_Time
OpsWorks for Puppet Enterprise [Settings] [System maintenance]
[System maintenance]
AWS CLI AWS CLI AWS CLI 3
create-server ( ARN ARN ) --preferred-maintenance-window create-server --preferred-maintenance-window Mon:08:00 8:00 (UTC)
aws opsworks-cm create-server --engine "Puppet" --engine-model "Monolithic" --engine-version "2017" \
  --server-name "puppet-06" \
  --instance-profile-arn "arn:aws:iam::1119001987000:instance-profile/aws-opsworks-cm-ec2-role" \
  --instance-type "c4.large" \
  --key-pair "amazon-test" \
  --service-role-arn "arn:aws:iam::044726508045:role/aws-opsworks-cm-service-role" \
  --preferred-maintenance-window "Mon:08:00"
update-server --preferred-maintenance-window 6 15 (UTC)
aws opsworks-cm update-server --server-name "puppet-06" --preferred-maintenance-window "Fri:18:15"
6 15 3
aws opsworks-cm update-server --server-name "puppet-06" --preferred-maintenance-window "18:15"
AWS CLI create-serverupdate-server
AWS CLI AWS
aws opsworks-cm start-maintenance --server-name server_name
start-maintenance
OpsWorks for Puppet Enterprise
RunCommand SSH Puppet Amazon Machine Image (AMI) Amazon EC2 AMI
Puppet
Important
Puppet
AMI EC2 Amazon EC2 [Launch] [My AMIs] AMI Amazon EC2
http://docs.aws.amazon.com/cli/latest/reference/opsworkscm/update-server.html
http://docs.aws.amazon.com/cli/latest/reference/opsworkscm/start-maintenance.html
OpsWorks for Puppet Enterprise
Amazon Elastic Compute Cloud (Amazon EC2) OpsWorks for Puppet Enterprise Puppet (p. 16) associate-node 1 Puppet Enterprise () Amazon EC2 OpsWorks for Puppet Enterprise puppet-agent Ubuntu, Amazon Linux, RHEL
OpsWorks for Puppet Enterprise (p. 33) OpsWorks for Puppet Enterprise API disassociate-node
Puppet agent platforms
1: IAM EC2 AWS Identity and Access Management (IAM) IAM opsworks-cm API EC2 Amazon EC2 IAM Amazon EC2 IAM
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "opsworks-cm:AssociateNode",
        "opsworks-cm:DescribeNodeAssociationStatus",
        "opsworks-cm:DescribeServers",
        "ec2:DescribeTags"
      ],
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}
AWS OpsWorks IAM AWS CloudFormation AWS CLI AWS CloudFormation --region
aws cloudformation --region region ID create-stack --stack-name myPuppetinstanceprofile --template-url https://s3.amazonaws.com/opsworks-cm-us-east-1-prod-default-assets/misc/owpe/opsworks-cm-nodes-roles.yaml --capabilities CAPABILITY_IAM
https://puppet.com/docs/pe/2017.3/installing/installing_agents.html
http://docs.aws.amazon.com/opsworks-cm/latest/APIReference/API_DisassociateNode.html
https://docs.puppet.com/pe/latest/sys_req_os.html#puppet-agent-platforms
http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-ec2_instance-profiles.html
http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html#create-iam-role-console
2: EC2 EC2 Amazon EC2 Auto Scaling AWS CloudFormation userdata Amazon EC2 Linux Amazon EC2 OpsWorks for Puppet Enterprise (p. 4) Nginx
1. opsworks-cm API associate-node Puppet AWS CLI AWS CLI userdata.sh
ID
#!/bin/bash
set -euo pipefail

# set aws settings
declare -x PP_INSTANCE_ID=$(curl --silent --show-error --retry 3 http://169.254.169.254/latest/meta-data/instance-id) # this uses the EC2 instance ID as the node name
declare -x PP_IMAGE_NAME=$(curl --silent --show-error --retry 3 http://169.254.169.254/latest/meta-data/ami-id)
declare -x PP_REGION=$(curl --silent --show-error --retry 3 http://169.254.169.254/latest/meta-data/placement/availability-zone | sed 's/.$//')

# put the opsworks name of your server if you don't use the ocm_server tag
declare -x OCM_SERVER=""
# put the region of your OCM Server if you don't use the ocm_region tag
declare -x OCM_REGION=""

# we're detecting if a tag is set; if so, override anything in the file
declare -x TAG_SERVER=$(aws ec2 describe-tags --region $PP_REGION --filters "Name=resource-id,Values=$PP_INSTANCE_ID" \
  --query 'Tags[?Key==`ocm_server`].Value' --output text)
declare -x TAG_REGION=$(aws ec2 describe-tags --region $PP_REGION --filters "Name=resource-id,Values=$PP_INSTANCE_ID" \
  --query 'Tags[?Key==`ocm_region`].Value' --output text)

# the tag values are quoted so an empty result does not break the test
if [ -n "$TAG_SERVER" ]; then
  declare -x OCM_SERVER=$TAG_SERVER
fi

if [ -n "$TAG_REGION" ]; then
  declare -x OCM_REGION=$TAG_REGION
fi

# set global settings
declare -x PUPPETSERVER=$(aws opsworks-cm describe-servers --region=$OCM_REGION \
  --query "Servers[?ServerName=='$OCM_SERVER'].Endpoint" --output text)
declare -x PRUBY='/opt/puppetlabs/puppet/bin/ruby'
declare -x PUPPET='/opt/puppetlabs/bin/puppet'
declare -x DAEMONSPLAY='true'
declare -x SPLAYLIMIT='30'
declare -x PUPPET_CA_PATH='/etc/puppetlabs/puppet/ssl/certs/ca.pem'

function loadmodel {
  aws configure add-model --service-model https://s3.amazonaws.com/opsworks-cm-us-east-1-prod-default-assets/misc/owpe/model-2017-09-05/opsworkscm-2016-11-01.normal.json --service-name opsworks-cm-puppet
}

function preparepuppet {
  mkdir -p /opt/puppetlabs/puppet/cache/state
  mkdir -p /etc/puppetlabs/puppet/ssl/certs/
  mkdir -p /etc/puppetlabs/code/modules/

  echo "{\"disabled_message\":\"Locked by OpsWorks Deploy - $(date --iso-8601=seconds)\"}" > /opt/puppetlabs/puppet/cache/state/agent_disabled.lock
}

function establishtrust {
  # fetch the server's CA certificate so the agent install below is verified over TLS
  aws opsworks-cm describe-servers --region=$OCM_REGION --server-name $OCM_SERVER \
    --query "Servers[0].EngineAttributes[?Name=='PUPPET_API_CA_CERT'].Value" --output text > /etc/puppetlabs/puppet/ssl/certs/ca.pem
}

function installpuppet {
  ADD_EXTENSIONS=$(generate_csr_attributes)
  curl --retry 3 --cacert /etc/puppetlabs/puppet/ssl/certs/ca.pem "https://$PUPPETSERVER:8140/packages/current/install.bash" | \
    /bin/bash -s agent:certname=$PP_INSTANCE_ID \
    agent:splay=$DAEMONSPLAY \
    extension_requests:pp_instance_id=$PP_INSTANCE_ID \
    extension_requests:pp_region=$PP_REGION \
    extension_requests:pp_image_name=$PP_IMAGE_NAME $ADD_EXTENSIONS

  $PUPPET resource service puppet ensure=stopped
}

function generate_csr_attributes {
  # every EC2 tag whose key starts with pp_ becomes a CSR extension request
  pp_tags=$(aws ec2 describe-tags --region $PP_REGION --filters "Name=resource-id,Values=$PP_INSTANCE_ID" \
    --query 'Tags[?starts_with(Key, `pp_`)].[Key,Value]' --output text | sed s/\\t/=/)

  csr_attrs=""
  for i in $pp_tags
  do
    csr_attrs="$csr_attrs extension_requests:$i"
  done

  echo $csr_attrs
}

function installpuppetbootstrap {
  $PUPPET help bootstrap > /dev/null && bootstrap_installed=true || bootstrap_installed=false
  if [ "$bootstrap_installed" = false ]; then
    echo "Puppet Bootstrap not present, installing"
    curl --retry 3 https://s3.amazonaws.com/opsworks-cm-us-east-1-prod-default-assets/misc/owpe/puppet-agent-bootstrap-0.2.1.tar.gz \
      -o /tmp/puppet-agent-bootstrap-0.2.1.tar.gz
    $PUPPET module install /tmp/puppet-agent-bootstrap-0.2.1.tar.gz --ignore-dependencies
    echo "Puppet Bootstrap installed"
  else
    echo "Puppet Bootstrap already present"
  fi
}

function runpuppet {
  sleep $[ ( $RANDOM % $SPLAYLIMIT ) + 1]s
  $PUPPET agent --enable
  $PUPPET agent --onetime --no-daemonize --no-usecacheonfailure --no-splay --verbose
  $PUPPET resource service puppet ensure=running enable=true
}

function associatenode {
  CERTNAME=$($PUPPET config print certname --section agent)
  SSLDIR=$($PUPPET config print ssldir --section agent)
  PP_CSR_PATH="$SSLDIR/certificate_requests/$CERTNAME.pem"
  PP_CERT_PATH="$SSLDIR/certs/$CERTNAME.pem"

  # clear out extraneous certs and generate a new one
  $PUPPET bootstrap purge
  $PUPPET bootstrap csr

  # submit the cert
  ASSOCIATE_TOKEN=$(aws opsworks-cm associate-node --region $OCM_REGION --server-name $OCM_SERVER --node-name $CERTNAME --engine-attributes Name=PUPPET_NODE_CSR,Value="`cat $PP_CSR_PATH`" --query "NodeAssociationStatusToken" --output text)

  # wait
  aws opsworks-cm wait node-associated --region $OCM_REGION --node-association-status-token "$ASSOCIATE_TOKEN" --server-name $OCM_SERVER

  # install and verify
  aws opsworks-cm-puppet describe-node-association-status --region $OCM_REGION --node-association-status-token "$ASSOCIATE_TOKEN" --server-name $OCM_SERVER --query 'EngineAttributes[0].Value' --output text > $PP_CERT_PATH

  $PUPPET bootstrap verify
}

# Order of execution of functions
loadmodel
preparepuppet
establishtrust
installpuppet
installpuppetbootstrap
associatenode
runpuppet

http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/user-data.html
http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/launching-instance.html
http://docs.aws.amazon.com/opsworks-cm/latest/APIReference/API_AssociateNode.html
2. EC2 EC2 Amazon Linux AMI
3. [Configure Instance Details] [myPuppetinstanceprofile] 1: IAM (p. 29) IAM
4. [Advanced Details] 1 userdata.sh
5. [Add Storage] [Add Tags]
EC2 userdata.sh pp_role nginx_webserver nginx_webserver
pp_role Puppet Extension requests (permanent certificate data)
6. [Configure Security Group] [Add Rule] [HTTP] Nginx 80
http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/launching-instance.html
https://puppet.com/docs/puppet/5.1/ssl_attributes_extensions.html#extension-requests-permanent-certificate-data
7. [Review and launch] [Launch] OpsWorks for Puppet Enterprise (p. 4)Nginx
8. DNS Puppet Nginx
OpsWorks for Puppet Enterprise
OpsWorks for Puppet Enterprise Puppet Enterprise OpsWorks for Puppet Enterprise OpsWorks for Puppet Enterprise API 1
Puppet AWS CLI disassociate-node PE Puppet Puppet puppet-agent
1. AWS CLI Node_name Amazon EC2 ID Server_name Puppet Puppet --region
aws opsworks-cm --region Region_name disassociate-node --node-name Node_name --server-name Server_name
aws opsworks-cm --region us-west-2 disassociate-node --node-name i-0010zzz00d66zzz90 --server-name opsworkstest
2.
OpsWorks for Puppet Enterprise OpsWorks for Puppet Enterprise (p. 33)
Puppet Enterprise Remove nodes
OpsWorks for Puppet Enterprise OpsWorks for Puppet Enterprise
http://docs.aws.amazon.com/opsworks-cm/latest/APIReference/API_DisassociateNode.html
https://puppet.com/docs/pe/2017.3/installing/uninstalling.html#uninstall-agents
https://puppet.com/docs/pe/2017.3/managing_nodes/adding_and_removing_nodes.html#remove-nodes
(Amazon Elastic Compute Cloud Amazon Elastic Block Store )
Puppet AWS CLI
1: Puppet AWS CLI disassociate-node
1. AWS CLI Server_name Puppet --node-name ID
aws opsworks-cm --region Region_name disassociate-node --node-name Node_name --server-name Server_name
2.
2:
1. [Actions]
2. [Delete Puppet Enterprise server]
3. [Yes, Delete]
OpsWorks for Puppet Enterprise (p. 33)
http://docs.aws.amazon.com/opsworks-cm/latest/APIReference/API_DisassociateNode.html
AWS CloudTrail OpsWorks for Puppet Enterprise API
OpsWorks for Puppet Enterprise AWS CloudTrail OpsWorks for Puppet Enterprise AWS CloudTrail OpsWorks for Puppet Enterprise OpsWorks for Puppet Enterprise API OpsWorks for Puppet Enterprise API OpsWorks for Puppet Enterprise Amazon S3 CloudTrail CloudTrail [Event history] CloudTrail OpsWorks for Puppet Enterprise IP
CloudTrail AWS CloudTrail User Guide
CloudTrail OpsWorks for Puppet Enterprise CloudTrail AWS OpsWorks for Puppet Enterprise [] AWS CloudTrail AWS CloudTrail
OpsWorks for Puppet Enterprise AWS CloudTrail Amazon S3 AWS Amazon S3 CloudTrail AWS
CloudTrail CloudTrail Amazon SNS Receiving CloudTrail Log Files from Multiple Regions, Receiving CloudTrail Log Files from Multiple Accounts
OpsWorks for Puppet Enterprise CloudTrail OpsWorks for Puppet Enterprise API CreateServer, CreateBackup, DescribeServers CloudTrail
ID
IAM .
. AWS .
CloudTrail userIdentity
http://docs.aws.amazon.com/awscloudtrail/latest/userguide/
http://docs.aws.amazon.com/awscloudtrail/latest/userguide/view-cloudtrail-events.html
http://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-create-and-update-a-trail.html
http://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-aws-service-specific-topics.html#cloudtrail-aws-service-specific-topics-integrations
http://docs.aws.amazon.com/awscloudtrail/latest/userguide/getting_notifications_top_level.html
http://docs.aws.amazon.com/awscloudtrail/latest/userguide/receive-cloudtrail-log-files-from-multiple-regions.html
http://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-receive-logs-from-multiple-accounts.html
http://docs.aws.amazon.com/opsworks-cm/latest/APIReference/Welcome.html
http://docs.aws.amazon.com/opsworks-cm/latest/APIReference/API_CreateServer.html
http://docs.aws.amazon.com/opsworks-cm/latest/APIReference/API_CreateBackup.html
http://docs.aws.amazon.com/opsworks-cm/latest/APIReference/API_DescribeServers.html
http://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-event-reference-user-identity.html
OpsWorks for Puppet Enterprise Amazon S3 CloudTrail 1 1 CloudTrail API
OpsWorks for Puppet Enterprise CreateServer CloudTrail
{
  "eventVersion": "1.05",
  "userIdentity": {
    "type": "AssumedRole",
    "principalId": "ID number:OpsWorksCMUser",
    "arn": "arn:aws:sts::831000000000:assumed-role/Admin/OpsWorksCMUser",
    "accountId": "831000000000",
    "accessKeyId": "ID number",
    "sessionContext": {
      "attributes": {
        "mfaAuthenticated": "false",
        "creationDate": "2017-01-05T22:03:47Z"
      },
      "sessionIssuer": {
        "type": "Role",
        "principalId": "ID number",
        "arn": "arn:aws:iam::831000000000:role/Admin",
        "accountId": "831000000000",
        "userName": "Admin"
      }
    }
  },
  "eventTime": "2017-01-05T22:18:23Z",
  "eventSource": "opsworks-cm.amazonaws.com",
  "eventName": "CreateServer",
  "awsRegion": "us-west-2",
  "sourceIPAddress": "101.25.190.51",
  "userAgent": "console.amazonaws.com",
  "requestParameters": {
    "serverName": "test-puppet-server",
    "engineModel": "Single",
    "engine": "Puppet",
    "instanceProfileArn": "arn:aws:iam::831000000000:instance-profile/aws-opsworks-cm-ec2-role",
    "backupRetentionCount": 3,
    "serviceRoleArn": "arn:aws:iam::831000000000:role/service-role/aws-opsworks-cm-service-role",
    "engineVersion": "12",
    "preferredMaintenanceWindow": "Fri:21:00",
    "instanceType": "t2.medium",
    "subnetIds": ["subnet-1e111f11"],
    "preferredBackupWindow": "Wed:08:00"
  },
  "responseElements": {
    "server": {
      "endpoint": "test-puppet-server-xxxx8u4390xo6pd9.us-west-2.opsworks-cm.io",
      "createdAt": "Jan 5, 2017 10:18:22 PM",
      "serviceRoleArn": "arn:aws:iam::831000000000:role/service-role/aws-opsworks-cm-service-role",
      "preferredBackupWindow": "Wed:08:00",
      "status": "CREATING",
      "subnetIds": ["subnet-1e111f11"],
      "engine": "Puppet",
      "instanceType": "t2.medium",
      "serverName": "test-puppet-server",
      "serverArn": "arn:aws:opsworks-cm:us-west-2:831000000000:server/test-puppet-server/8ezz7f6z-e91f-4z10-89z5-8c6219zzz09f",
      "engineModel": "Single",
      "backupRetentionCount": 3,
      "engineAttributes": [
        {"name": "PUPPET_ADMIN_PASSWORD", "value": "*** Redacted ***"},
        {"name": "PUPPET_API_CA_CERT", "value": "*** Redacted ***"}
      ],
      "engineVersion": "12.11.1",
      "instanceProfileArn": "arn:aws:iam::831000000000:instance-profile/aws-opsworks-cm-ec2-role",
      "preferredMaintenanceWindow": "Fri:21:00"
    }
  },
  "requestID": "de7z64z9-d394-12ug-8081-7zz0386fbcb6",
  "eventID": "8z7z18dz-6z90-47bz-87cf-e8346428zzz3",
  "eventType": "AwsApiCall",
  "recipientAccountId": "831000000000"
}
OpsWorks for Puppet Enterprise
OpsWorks for Puppet Enterprise
(p. 37) (p. 38) (p. 39)
Puppet Puppet (p. 38)
Puppet OpsWorks for Puppet Enterprise Puppet Puppet OpsWorks for Puppet Enterprise AWS CloudFormation Amazon EC2
EC2 SSH EC2 /var/log/aws/opsworks-cm OpsWorks for Puppet Enterprise Puppet
(p. 38)
Amazon EC2 (p. 38) (p. 38) Elastic IP (p. 39) (p. 39)
: Puppet Enterprise
: Puppet VPC Puppet VPC t2 Puppet VPC
: VPC m4
Amazon EC2 : The following resource(s) failed to create: [EC2Instance]. Failed to receive 1 resource signal(s) within the specified duration
: EC2
: AWS VPC ( VPC) [DNS resolution] [Auto-assign Public IP]
: Not authorized to perform sts:AssumeRole.
:
: OpsWorks for Puppet Enterprise AWSOpsWorksCMServiceRole opsworks-cm.amazonaws.com [Trust Relationships] Puppet AWSOpsWorksCMServerRole
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/dedicated-instance.html
Elastic IP : The following resource(s) failed to create: [EIP, EC2Instance]. Resource creation cancelled, the maximum number of addresses has been reached.
: Elastic IP (EIP) EIP 5
: EIP AWS EIP
: Amazon EC2 Puppet Puppet Enterprise
: opsworks-cm API EC2 IAM
: OpsWorks for Puppet Enterprise (p. 29)AssociateNode DescribeNodeAssociationStatus API EC2 EC2
AWS OpsWorks
AWS AWS AWS AWS AWS Trusted Advisor
https://forums.aws.amazon.com/forum.jspa?forumID=153&start=0
https://console.aws.amazon.com/support/home#/
AWS OpsWorks for Chef Automate AWS OpsWorks for Chef Automate AWS Chef Automate Chef AWS OpsWorks for Chef Automate AWS OpsWorks for Chef Automate Chef
Chef Automate chef-client Chef Chef AWS OpsWorks for Chef Automate Chef Automate; Chef ()
AWS OpsWorks for Chef Automate Amazon Elastic Compute Cloud AWS OpsWorks for Chef Automate Amazon Linux (Amazon Linux 2) Chef Server 12.x Chef Automate Server 1.8. Chef Automate Chef Automate
AWS OpsWorks for Chef Automate chef-client 13 x chef-client
Chef AWS Chef Automate Chef Server AWS Chef Chef Chef Automate OpsWorks Amazon Linux
AWS OpsWorks for Chef Automate EC2 Chef chef-client Chef
Chef Automate (p. 41)
AWS OpsWorks for Chef Automate (p. 41)
AWS OpsWorks for Chef Automate (p. 41)
AWS OpsWorks for Chef Automate (p. 56)
AWS OpsWorks for Chef Automate (p. 59)
AWS OpsWorks for Chef Automate Chef Compliance (p. 62)
AWS OpsWorks for Chef Automate (p. 68)
AWS OpsWorks for Chef Automate (p. 72)
AWS OpsWorks for Chef Automate (p. 73)
Chef Automate (p. 74)
AWS CloudTrail AWS OpsWorks for Chef Automate API (p. 75)
https://www.chef.io/automate/
https://docs.chef.io/chef_client.html
https://discourse.chef.io/t/chef-automate-1-8-68/13089
https://downloads.chef.io/chef/stable
https://docs.chef.io/platforms.html
AWS OpsWorks for Chef Automate (p. 77)
Chef Automate Chef Automate Chef Automate Automate API
AWS OpsWorks for Chef Automate
AWS OpsWorks for Chef Automate AWS OpsWorks for Chef Automate Chef IAM Chef Chef VPC VPC VPC
() () () () () () () () ()
AWS OpsWorks for Chef Automate AWS OpsWorks for Chef Automate AWS Chef Automate 15 Chef
AWS OpsWorks for Chef Automate Chef
Chef AWS OpsWorks for Chef Automate AWS VPC (p. 43)
AWS AWS (p. 4) VPC (p. 43) EC2 () (p. 43)
https://docs.chef.io/api_analytics.html
https://www.chef.io/automate/
AWS AWS AWS AWS
AWS
1. https://aws.amazon.com/ [Create an AWS Account]
Note
AWS [Sign in to a different account] [Create a new AWS account]
2.
PIN
AWS https://aws.amazon.com/ [My Account/Console]
IAM ID
ID AWS AWS AWS IAM IAM AWS AWS
IAM IAM IAM
1. IAM
2. [Users]
3. IAM ()
4. [Security credentials] [Create access key]
5. [Show]
ID: AKIAIOSFODNN7EXAMPLE : wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
6. [Download .csv file]
AWS AWS Amazon.com Amazon
IAM (IAM )
https://aws.amazon.com/
http://docs.aws.amazon.com/IAM/latest/UserGuide/access_permissions-required.html
https://console.aws.amazon.com/iam/home?#home
http://docs.aws.amazon.com/IAM/latest/UserGuide/introduction.html
-
AWS OpsWorks Chef Automate
AWS (AWS General Reference)
Create a VPC

An AWS OpsWorks for Chef Automate server must run in an Amazon Virtual Private Cloud (VPC). You can use an existing VPC as long as the nodes the Chef server will manage can reach it. For an introduction to VPCs, see the Amazon VPC Getting Started Guide.

The VPC must have [DNS resolution] enabled, and the subnet you launch into must have [Auto-assign public IP] enabled.

If you do not have a suitable VPC, AWS OpsWorks provides an AWS CloudFormation template that creates one. With the AWS CLI:

    aws cloudformation create-stack --stack-name OpsWorksVPC --template-url https://s3.amazonaws.com/opsworks-cm-us-east-1-prod-default-assets/misc/opsworks-cm-vpc.yaml

Read the template before you launch it, as you would any CloudFormation template you did not write.

Create an EC2 key pair (optional)

An SSH key pair is needed only if you plan to log in to the Chef Automate server over SSH, for example with knife ssh. If you want that, create an Amazon EC2 key pair in the region where the server will run, and keep the private key file readable only by you. See "Amazon EC2 Key Pairs" in the Amazon EC2 User Guide.
Create a Chef Automate server

You can create the server in the AWS Management Console or with the AWS CLI. In both cases the prerequisites above must be in place.

- Create a Chef Automate server in the AWS Management Console (p. 43)
- Create a Chef Automate server with the AWS CLI (p. 46)

Create a Chef Automate server in the AWS Management Console

1. Sign in to the AWS Management Console and open the AWS OpsWorks console at https://console.aws.amazon.com/opsworks/.
2. On the AWS OpsWorks home page, choose [Go to OpsWorks for Chef Automate].
3. On the AWS OpsWorks for Chef Automate home page, choose [Create Chef Automate server].
4. On the [Set name, region, and type] page, enter a name for the Chef server (letters, numbers and hyphens, at most 40 characters), choose the region, and choose the instance type (m4.large is the default). Choose [Next].
5. On the [Select an SSH key] page, choose a key pair from the [SSH key] list, or leave it empty if you do not need SSH access to the server. Choose [Next].
6. On the network settings page, choose the VPC, one subnet in it, and the security groups and IAM roles the server should use. AWS OpsWorks creates default security groups and roles for the Chef server if you do not have your own; review what the defaults allow before you rely on them.
7. Under [System maintenance], set the day and time of the weekly maintenance window. Maintenance takes the server out of service while it runs (see p. 59).
8. Under [Automated backup], set the backup window. Backups are stored in Amazon Simple Storage Service; AWS OpsWorks for Chef Automate keeps the 30 most recent automated backups. You can change these settings later in the console, with the AWS CLI, or through the API.
9. Choose [Next].
10. On the [Review] page, check the settings and choose [Launch].

Creating the server takes a while. Meanwhile you can set up the Chef workstation (p. 49). When the server is ready, its status in the console is [online] and the Chef Automate dashboard is available at a URL of the form https://your_server_name-random.region.opsworks-cm.io.
Create a Chef Automate server with the AWS CLI

The AWS CLI can do everything the console does, and is the better choice when you script server creation. You need the AWS CLI installed and configured, the ARNs of the IAM service role and instance profile (created below), and a pivotal key. The create-server command returns a JSON description of the server; the generated credentials and the Starter Kit are returned only in that response, so save it.

Steps 1 to 3 prepare the inputs for create-server; step 4 runs it.

1. Create a VPC (p. 43) if you do not have one, or choose an existing VPC for the Chef Automate server, and note the ID of the subnet to use.

2. Generate the Chef pivotal key with OpenSSL. The Chef server uses this RSA key pair to authenticate its pivotal (super) user; you pass the public half to create-server in step 4 and keep the private half. The umask makes the key file readable only by you.

    umask 077
    openssl genrsa -out "pivotal" 2048
    openssl rsa -in "pivotal" -pubout

3. Create the service role and instance profile. AWS OpsWorks provides an AWS CloudFormation template that creates both; with the AWS CLI:

    aws cloudformation create-stack --stack-name OpsWorksCMRoles --template-url https://s3.amazonaws.com/opsworks-cm-us-east-1-prod-default-assets/misc/opsworks-cm-roles.yaml --capabilities CAPABILITY_IAM

   When the stack is complete, list the roles and note their ARNs:

    aws iam list-roles --path-prefix "/service-role/" --no-paginate

   The list-roles output includes the two roles. aws-opsworks-cm-ec2-role is the role behind the instance profile (trusted by ec2.amazonaws.com); aws-opsworks-cm-service-role is the service role (trusted by opsworks-cm.amazonaws.com). The trust policies are what keep the roles usable only by EC2 and by the AWS OpsWorks CM service, so do not widen them.

    {
      "AssumeRolePolicyDocument": {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Action": "sts:AssumeRole",
            "Effect": "Allow",
            "Principal": { "Service": "ec2.amazonaws.com" }
          }
        ]
      },
      "RoleId": "AROZZZZZZZZZZQG6R22HC",
      "CreateDate": "2018-01-05T20:42:20Z",
      "RoleName": "aws-opsworks-cm-ec2-role",
      "Path": "/service-role/",
      "Arn": "arn:aws:iam::000000000000:role/service-role/aws-opsworks-cm-ec2-role"
    },
    {
      "AssumeRolePolicyDocument": {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Action": "sts:AssumeRole",
            "Effect": "Allow",
            "Principal": { "Service": "opsworks-cm.amazonaws.com" }
          }
        ]
      },
      "RoleId": "AROZZZZZZZZZZZZZZZ6QE",
      "CreateDate": "2018-01-05T20:42:20Z",
      "RoleName": "aws-opsworks-cm-service-role",
      "Path": "/service-role/",
      "Arn": "arn:aws:iam::000000000000:role/service-role/aws-opsworks-cm-service-role"
    }
4. Run create-server. The parameters:

   --engine "Chef", --engine-model "Single", --engine-version "12": currently the only supported values.
   --server-name: letters, numbers and hyphens (-) only, at most 40 characters.
   --instance-profile-arn and --service-role-arn: the ARNs from step 3. Note that an instance profile ARN contains instance-profile/, not role/.
   --instance-type: m4.large, r4.xlarge or r4.2xlarge. See Amazon EC2 Instance Types.
   --engine-attributes: a JSON object with two optional keys, CHEF_PIVOTAL_KEY (the public key from step 2) and CHEF_DELIVERY_ADMIN_PASSWORD (the administrator password for the Chef Automate dashboard). Anything you leave out is generated by AWS OpsWorks and returned once, in the create-server response.
   CHEF_DELIVERY_ADMIN_PASSWORD must be 8 to 32 characters long, may contain letters, numbers and the special characters !/@$%^+=_, and must contain at least one lowercase letter, one uppercase letter, one number and one special character.
   --key-pair: the name of an Amazon EC2 key pair. Optional; needed only to SSH into the Chef Automate server. See Amazon EC2 Key Pairs.
   --preferred-maintenance-window: the start of the weekly one-hour maintenance window, as DDD:HH:MM in UTC (for example Mon:08:00). If you omit it, AWS OpsWorks chooses one.
   --preferred-backup-window: the start of the automated backup window, HH:MM (daily) or DDD:HH:MM (weekly), in UTC. Use --disable-automated-backup to turn automated backups off.
   --security-group-ids: one or more security group IDs, separated by spaces.
   --subnet-ids: the ID of the subnet from step 1.

   Template:

    aws opsworks-cm create-server --engine "Chef" --engine-model "Single" --engine-version "12" \
        --server-name "server_name" \
        --instance-profile-arn "instance_profile_ARN" --instance-type "instance_type" \
        --engine-attributes '{"CHEF_PIVOTAL_KEY":"Chef_pivotal_key","CHEF_DELIVERY_ADMIN_PASSWORD":"password"}' \
        --key-pair "key_pair_name" \
        --preferred-maintenance-window "ddd:hh:mm" --preferred-backup-window "ddd:hh:mm" \
        --security-group-ids security_group_id1 security_group_id2 \
        --service-role-arn "service_role_ARN" --subnet-ids subnet_ID

   Example (the account IDs, key material, password and resource IDs are placeholders; use the ARNs exactly as list-roles printed them):

    aws opsworks-cm create-server --engine "Chef" --engine-model "Single" --engine-version "12" \
        --server-name "automate-06" \
        --instance-profile-arn "arn:aws:iam::1019881987024:instance-profile/aws-opsworks-cm-ec2-role" \
        --instance-type "m4.large" \
        --engine-attributes '{"CHEF_PIVOTAL_KEY":"MZZE...Wobg","CHEF_DELIVERY_ADMIN_PASSWORD":"zZZzDj2DLYXSZFRv1d"}' \
        --key-pair "amazon-test" \
        --preferred-maintenance-window "Mon:08:00" --preferred-backup-window "Sun:02:00" \
        --security-group-ids sg-b00000001 sg-b0000008 \
        --service-role-arn "arn:aws:iam::044726508045:role/aws-opsworks-cm-service-role" \
        --subnet-ids subnet-300aaa00

   Passing the password on the command line puts it in your shell history; prefer to let AWS OpsWorks generate it, or clear the history entry afterwards.

5. Creating the server takes about 15 minutes. Save the create-server response to a file, for example resp.json; if creation fails, the response also contains the reason.

6. Extract the credentials and the Starter Kit from the response. With jq:

    # Chef Automate dashboard password
    cat resp.json | jq -r '.Server.EngineAttributes[] | select(.Name == "CHEF_DELIVERY_ADMIN_PASSWORD") | .Value'

    # Chef pivotal key
    cat resp.json | jq -r '.Server.EngineAttributes[] | select(.Name == "CHEF_PIVOTAL_KEY") | .Value'

    # Chef Starter Kit (a base64-encoded .zip)
    cat resp.json | jq -r '.Server.EngineAttributes[] | select(.Name == "CHEF_STARTER_KIT") | .Value' | base64 -D > starterkit.zip

   base64 -D is the macOS spelling; GNU coreutils on Linux uses base64 -d. resp.json and starterkit.zip both contain credentials: restrict their permissions and keep them out of version control.

7. The create-server response also contains the server's endpoint. Once the server is online, the Chef Automate dashboard is at that endpoint over HTTPS.

8. Continue with the section called "Set up the Chef workstation" (p. 49).

When the server is online, its [Properties] page in the AWS OpsWorks console shows the Chef Automate endpoint and two downloads: the Starter Kit and the sign-in credentials for the Chef Automate dashboard.
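The jq one-liners above pull three values out of the create-server response, and the parameter list above states the password rules. The following added example (it is not from the AWS guide or the AWS CLI) does both in Python: it maps Server.EngineAttributes to a dictionary, checks a candidate CHEF_DELIVERY_ADMIN_PASSWORD against the stated rules before you put it in a create-server call, and writes the decoded Starter Kit with mode 0600 from the start. The response it parses is constructed to match the documented shape; the values are placeholders, and the Starter Kit is a few stand-in bytes rather than a real zip.

```python
import base64
import json
import os
import stat
import string
import tempfile

# Constructed stand-in for `aws opsworks-cm create-server` output (placeholders only).
SAMPLE_RESPONSE = json.dumps({
    "Server": {
        "ServerName": "automate-06",
        "Status": "CREATING",
        "EngineAttributes": [
            {"Name": "CHEF_DELIVERY_ADMIN_PASSWORD", "Value": "zZZzDj2DLYXSZFRv1d"},
            {"Name": "CHEF_PIVOTAL_KEY",
             "Value": "-----BEGIN PUBLIC KEY-----\nMZZE...Wobg\n-----END PUBLIC KEY-----\n"},
            # A real response carries a base64-encoded .zip here; this is a stand-in.
            {"Name": "CHEF_STARTER_KIT",
             "Value": base64.b64encode(b"PK\x03\x04stand-in starter kit").decode("ascii")},
        ],
    }
})

SPECIAL_CHARS = "!/@$%^+=_"   # the special characters the guide allows in the admin password


def engine_attributes(resp_json):
    """Map Server.EngineAttributes to {Name: Value}, like the jq select() filters."""
    server = json.loads(resp_json)["Server"]
    return {a["Name"]: a["Value"] for a in server.get("EngineAttributes", [])}


def validate_admin_password(pw):
    """Return the list of rule violations for a CHEF_DELIVERY_ADMIN_PASSWORD
    (an empty list means it passes). Rules as stated in the guide: 8-32 characters,
    only letters, digits and !/@$%^+=_, with at least one lowercase letter, one
    uppercase letter, one digit and one special character."""
    problems = []
    if not 8 <= len(pw) <= 32:
        problems.append("length must be 8-32 characters")
    allowed = set(string.ascii_letters + string.digits + SPECIAL_CHARS)
    extra = sorted(set(pw) - allowed)
    if extra:
        problems.append("disallowed characters: " + "".join(extra))
    if not any(c in string.ascii_lowercase for c in pw):
        problems.append("needs a lowercase letter")
    if not any(c in string.ascii_uppercase for c in pw):
        problems.append("needs an uppercase letter")
    if not any(c in string.digits for c in pw):
        problems.append("needs a digit")
    if not any(c in SPECIAL_CHARS for c in pw):
        problems.append("needs a special character")
    return problems


def starter_kit_bytes(resp_json):
    """Decode CHEF_STARTER_KIT (base64), as the guide's base64 -D step does."""
    return base64.b64decode(engine_attributes(resp_json)["CHEF_STARTER_KIT"])


def save_starter_kit(resp_json, path):
    """Write the Starter Kit zip so that it is never world-readable, even for an
    instant, and return the resulting permission bits (expected 0o600)."""
    data = starter_kit_bytes(resp_json)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    os.chmod(path, 0o600)   # the O_CREAT mode is not applied to a pre-existing file
    return stat.S_IMODE(os.stat(path).st_mode)


def default_kit_path():
    """Scratch location for the example; use your chef-repo directory in practice."""
    return os.path.join(tempfile.gettempdir(), "starterkit-example.zip")


if __name__ == "__main__":
    attrs = engine_attributes(SAMPLE_RESPONSE)
    print("password rule violations:", validate_admin_password(attrs["CHEF_DELIVERY_ADMIN_PASSWORD"]))
    print("starter kit saved with mode %o" % save_starter_kit(SAMPLE_RESPONSE, default_kit_path()))
```

Run the check against the example password from the guide's own create-server sample and it reports one violation: that password has no special character, so by the stated rule the API call would be rejected. Checking before the call avoids a failed 15-minute server creation.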
Set up the Chef workstation

You manage the Chef Automate server from a workstation that has the Chef DK installed, using the Starter Kit that AWS OpsWorks generates for the server. The Starter Kit is a .zip file containing a README, a knife.rb already configured for the server, and the private key that authenticates your workstation to the Chef server. Treat the .zip and the key as credentials: the chef-repo it unpacks into can live in Git, but the key must not be committed.

1. On the server's [Properties] page in the AWS OpsWorks console, download the Starter Kit.
2. Unzip the .zip file. The directory it creates is your chef-repo for this server; the README in it explains the layout.
3. Install the Chef Development Kit (Chef DK), which includes knife and Berkshelf. See Install the Chef DK on the Chef site.

knife reads its configuration from the .chef directory of the chef-repo:

.chef/knife.rb - the knife configuration file (knife.rb), already pointing at your AWS OpsWorks for Chef Automate server.
.chef/ca_certs/opsworks-cm-ca-2016-root.pem - the AWS OpsWorks root certificate authority (CA) certificate. knife and chef-client use it to verify the server's SSL certificate; without it the only alternatives are a certificate warning or disabled verification, and you want neither.

The README describes two ways to organize cookbooks: directly in the chef-repo, or managed with Berkshelf. Both start from the same repository:

1. The chef-repo can be kept in a source repository (AWS CodeCommit, Git, Amazon S3).
2. The chef-repo has three directories:

   cookbooks/ - cookbooks
   roles/ - roles, as .rb or .json files
   environments/ - environments, as .rb or .json files

Berkshelf resolves cookbook dependencies declared in a Berksfile and uploads the cookbooks to the Chef server. The Starter Kit includes a Berksfile to start from.
Use Berkshelf to manage cookbooks

The Berksfile lists the cookbooks the server should have. This example pulls the Chef Client cookbook (chef-client, which keeps chef-client running as a service on nodes) and apache2 from the Chef Supermarket.

1. Edit the Berksfile so that it contains:

    source 'https://supermarket.chef.io'
    cookbook 'chef-client'
    cookbook 'apache2'

2. Download the cookbooks and their dependencies:

    berks install

3. Upload them to the Chef server. The server's certificate is signed by the AWS OpsWorks CA, so point the TLS client at that CA certificate rather than turning verification off. On Linux and macOS:

    SSL_CERT_FILE='.chef/ca_certs/opsworks-cm-ca-2016-root.pem' berks upload

   On Windows, in a PowerShell session whose execution policy allows it (RemoteSigned), load the Chef DK environment with chef shell-init, then set the variable for the upload and remove it afterwards:

    chef shell-init powershell | Invoke-Expression
    $env:SSL_CERT_FILE="ca_certs\opsworks-cm-ca-2016-root.pem"
    berks upload
    Remove-Item Env:\SSL_CERT_FILE

4. Check that the cookbooks are on the server:

    knife cookbook list

Nodes

A node is a computer (an Amazon EC2 instance or an on-premises server) that runs chef-client. chef-client authenticates to the Chef server with the node's client key, fetches the node's run list and cookbooks, and converges the node to match.

AWS OpsWorks for Chef Automate supports chef-client 12.16.42 and 13.6.4 on nodes.

The next section adds an EC2 instance as a node with knife. To register nodes automatically when they launch, see "Add nodes automatically in AWS OpsWorks for Chef Automate" (p. 68).
Add a node with knife bootstrap

knife bootstrap connects to an existing instance over SSH, installs chef-client, registers the instance with the Chef server, and runs chef-client once with the run list you give it. knife-ec2, a knife plugin included with the Chef DK, can also create the EC2 instance first; here the instance already exists.

1. Run knife bootstrap against the instance, with the apache2 cookbook uploaded with Berkshelf (p. 51) as its run list. knife logs in over SSH as the AMI's default user, so the instance's security group must allow SSH from your workstation, and the node must be able to reach the Chef server over HTTPS. The default user names (see Connecting to Your Linux Instance in the Amazon EC2 User Guide):

   Amazon Linux: ec2-user
   Red Hat Enterprise Linux 5: root or ec2-user
   Ubuntu: ubuntu
   Fedora: fedora or ec2-user
   SUSE Linux: root or ec2-user

    knife bootstrap INSTANCE_IP_ADDRESS -N INSTANCE_NAME -x USER_NAME --sudo --run-list "recipe[apache2]"

   --sudo is required whenever the login user is not root. -N sets the node name under which the Chef server registers the instance.

2. Verify that the client and the node object exist on the server (INSTANCE_NAME is the name you passed with -N):

    knife client show INSTANCE_NAME
    knife node show INSTANCE_NAME

For more about managing nodes with AWS OpsWorks for Chef Automate, see the Learn Chef tutorials.
Sign in to the Chef Automate dashboard

The Chef Automate dashboard is at the endpoint shown on the server's [Properties] page. It is served over HTTPS with a certificate signed by the AWS OpsWorks CA, which browsers do not trust by default. Install the AWS OpsWorks root CA certificate so that the browser can validate the server instead of clicking through a certificate warning; a habit of clicking through is exactly what an attacker with a forged certificate relies on.

Linux or MacOS: download the CA certificate in PEM format from Amazon S3: https://s3-eu-west-1.amazonaws.com/opsworks-cm-us-east-1-prod-default-assets/misc/opsworks-cm-ca-2016-root.pem
On MacOS, import it into Keychain Access and mark it trusted for SSL; see the Apple support article on certificate trust.
Windows: download the certificate in P7B format from Amazon S3: https://s3-eu-west-1.amazonaws.com/opsworks-cm-us-east-1-prod-default-assets/misc/opsworks-cm-ca-2016-root.p7b
Install it in the Trusted Root Certification Authorities store; see the Microsoft TechNet article on importing certificates.

After the CA certificate is installed, the browser opens the Chef Automate dashboard without an SSL warning.

Note

The Chef Automate dashboard is supported in Google Chrome and Mozilla Firefox on Ubuntu Linux, and in Google Chrome on Windows and MacOS.

To sign in:

1. If you have not already, download the sign-in credentials as part of the workstation setup (p. 51). You need the Chef Automate user name and password (the password is the CHEF_DELIVERY_ADMIN_PASSWORD if you created the server with the AWS CLI).
2. Open the server's [Properties] page in the AWS OpsWorks console.
3. Choose [Open Chef Automate dashboard].
4. Sign in with the credentials from step 1.
5. The Chef Automate dashboard opens. For what you can do in it, see the Chef Automate documentation.

Note

If you need to reset the Chef Automate dashboard credentials, see (p. 74).
Back up and restore an AWS OpsWorks for Chef Automate server

Topics
- Back up an AWS OpsWorks for Chef Automate server (p. 56)
- Restore an AWS OpsWorks for Chef Automate server from a backup (p. 58)

Back up an AWS OpsWorks for Chef Automate server

AWS OpsWorks for Chef Automate backs up the server (the Chef server and Chef Automate data and configuration) to Amazon Simple Storage Service (Amazon S3), in a bucket in your account. Automated backups run daily or weekly in the backup window you set, and the 30 most recent automated backups are kept. Standard Amazon S3 storage rates apply.

Backups contain the server's credentials and node data, so keep the bucket private. To stop paying for backups you no longer need, delete them (below); when no backups remain you can empty and delete the bucket.

Automated backups are enabled by default. You set the window under [Configure advanced settings] > [Automated backup] when you create the server, and can change it later from the Chef Automate server's [Properties] page. To turn automated backups off:

1. On the Chef servers page, open the server's [Actions] menu and choose [Change settings].
2. Set [Enable automated backups] to [No].
3. Save the [Automated Backup] settings.

Manual backups

You can take a manual backup at any time, in the AWS Management Console or with the AWS CLI create-backup command. In addition to the 30 automated backups, up to 10 manual backups per server are kept in Amazon S3.

AWS Management Console

1. On the [Chef Automate servers] page, choose the server.
2. Choose [Backups].
3. Choose [Create backup].
4. The backup is ready when its [Status] shows that it completed.

AWS CLI

    aws opsworks-cm --region region name create-backup --server-name "Chef server name" --description "optional descriptive string"

Delete a backup

Deleting a backup removes it from the S3 bucket.

AWS Management Console

1. On the [Chef Automate servers] page, choose the server.
2. Choose [Backups].
3. Select a backup and choose [Delete backup]. You can delete one backup at a time.
4. Confirm [Delete the backup, which is stored in an S3 bucket] and choose [Yes, Delete].
AWS CLI

delete-backup takes the backup ID with --backup-id. Backup IDs have the form ServerName-yyyyMMddHHmmssSSS (the server name followed by a UTC timestamp with milliseconds), for example test-chef-server-20171218132604388; describe-backups lists them.

    aws opsworks-cm --region region name delete-backup --backup-id ServerName-yyyyMMddHHmmssSSS

Restore an AWS OpsWorks for Chef Automate server from a backup

Restoring returns the server to the state in the backup: its configuration and data, including the Chef server and Chef Automate contents, are replaced, and so is the underlying EC2 instance. The server keeps its name and endpoint. Anything changed on the server after the backup was taken is lost. Restores are done with the AWS CLI.

Note

restore-server accepts --instance-type and --key-pair. Specify them only when the restored server should use a different instance type or SSH key pair than it had before.

1. With the AWS CLI, find the ID of the backup to restore. IDs have the form myServerName-yyyyMMddHHmmssSSS; pick the newest one whose status is OK.

    aws opsworks-cm --region region name describe-backups

2. Restore the server:

    aws opsworks-cm --region region name restore-server --backup-id "myServerName-yyyyMMddHHmmssSSS" --instance-type "Type of instance" --key-pair "name of your EC2 key pair" --server-name "name of Chef server"

   For example:

    aws opsworks-cm --region us-west-2 restore-server --backup-id "MyChefServer-20161120122143125" --server-name "MyChefServer"

3. The server is unavailable while the restore runs; its status is RESTORING. Wait until describe-server reports it healthy again before you use it, and check that nodes still converge afterwards.
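Choosing the backup to restore means reading describe-backups output, decoding the timestamp embedded in each backup ID, and skipping backups that did not complete. The following added example (not from the AWS guide or the AWS CLI) does that in Python: it parses the ServerName-yyyyMMddHHmmssSSS form described above, selects the newest backup with Status OK for a server, and builds the argv for the restore-server call. The describe-backups output it reads is constructed to match the documented field names; the IDs and statuses are placeholders.

```python
import json
from datetime import datetime, timezone

# Constructed stand-in for `aws opsworks-cm describe-backups` output. The IDs follow the
# ServerName-yyyyMMddHHmmssSSS form from the guide; everything else is a placeholder.
SAMPLE_DESCRIBE_BACKUPS = json.dumps({"Backups": [
    {"BackupId": "MyChefServer-20161120122143125", "ServerName": "MyChefServer",
     "BackupType": "AUTOMATED", "Status": "OK"},
    {"BackupId": "MyChefServer-20161121031500000", "ServerName": "MyChefServer",
     "BackupType": "AUTOMATED", "Status": "FAILED"},
    {"BackupId": "test-chef-server-20171218132604388", "ServerName": "test-chef-server",
     "BackupType": "MANUAL", "Status": "OK"},
]})


def parse_backup_id(backup_id):
    """Split 'ServerName-yyyyMMddHHmmssSSS' into (server name, aware UTC datetime).
    Server names may contain hyphens themselves, so only the last one separates the stamp."""
    name, sep, stamp = backup_id.rpartition("-")
    if not sep or not name or len(stamp) != 17 or not stamp.isdigit():
        raise ValueError("not a backup ID: %r" % backup_id)
    when = datetime.strptime(stamp[:14], "%Y%m%d%H%M%S")
    when = when.replace(microsecond=int(stamp[14:]) * 1000, tzinfo=timezone.utc)
    return name, when


def is_backup_id(value):
    try:
        parse_backup_id(value)
        return True
    except ValueError:
        return False


def latest_ok_backup(describe_json, server_name):
    """ID of the newest backup of server_name whose Status is OK, or None.
    Backups in any other state (FAILED, IN_PROGRESS, ...) are not restorable, and an ID
    whose embedded name disagrees with the ServerName field is skipped rather than trusted."""
    best = None
    for b in json.loads(describe_json).get("Backups", []):
        if b.get("ServerName") != server_name or b.get("Status") != "OK":
            continue
        name, when = parse_backup_id(b["BackupId"])
        if name != server_name:
            continue
        if best is None or when > best[1]:
            best = (b["BackupId"], when)
    return best[0] if best else None


def restore_command(region, server_name, backup_id):
    """argv for the restore-server call shown above, as a list so no shell quoting is needed."""
    if not is_backup_id(backup_id):
        raise ValueError("refusing to build a restore command for %r" % backup_id)
    return ["aws", "opsworks-cm", "--region", region, "restore-server",
            "--backup-id", backup_id, "--server-name", server_name]


if __name__ == "__main__":
    chosen = latest_ok_backup(SAMPLE_DESCRIBE_BACKUPS, "MyChefServer")
    print(" ".join(restore_command("us-west-2", "MyChefServer", chosen)))
```

With the constructed data the newer MyChefServer backup is skipped because it failed, and the command built is the one shown in the example above. Pass the list to subprocess.run rather than joining it into a shell string if you automate this.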
System maintenance in AWS OpsWorks for Chef Automate

Mandatory system maintenance keeps the Chef Server and Chef Automate software on the server at the versions AWS OpsWorks for Chef Automate supports. It runs once a week, in the maintenance window you choose in the console or with the AWS CLI, and takes the server out of service while it runs. Maintenance applies to the server only; for its effect on nodes, see (p. 62).

Maintenance can replace the server's Amazon EC2 instance.

Important

Anything you put on the instance that is not part of the Chef server data (extra files, local configuration changes made over SSH) does not survive maintenance. Keep such things in cookbooks or in backups instead. See also (p. 62).

Topics
- Certificate authority rotation (p. 59)
- Setting the maintenance window (p. 60)
- Starting maintenance on demand (p. 62)
- Maintenance and nodes (p. 62)

Certificate authority rotation

AWS OpsWorks for Chef Automate signs the server's certificate with the AWS OpsWorks certificate authority (CA). When AWS OpsWorks rotates the CA, nodes that only have the old CA certificate can no longer verify the server and stop converging. The user-data script for adding nodes (p. 68) installs the current CA certificate on each node when it launches; nodes you added by other means need it as well. Check that every node has the current CA file:

Linux: the CA certificate is downloaded from S3 at https://opsworks-cm-${REGION}-prod-default-assets.s3.amazonaws.com/misc/opsworks-cm-ca-2016-root.pem and installed as /etc/chef/opsworks-cm-ca-2016-root.pem.

Windows: the CA certificate is downloaded from https://opsworks-cm-$env:AWS_REGION-prod-default-assets.s3.amazonaws.com/misc/opsworks-cm-ca-2016-root.pem and installed in the Chef directory (C:\chef\opsworks-cm-ca-2016-root.pem).

In both URLs, the region part must be one of the regions where AWS OpsWorks for Chef Automate is available:

us-east-2, us-east-1, us-west-1, us-west-2, ap-northeast-1, ap-southeast-1, ap-southeast-2, eu-central-1, eu-west-1

Fetch the file over HTTPS only, and confirm that what you fetched is a PEM certificate before installing it: a node that trusts an arbitrary file as a CA trusts anything signed under it.

Setting the maintenance window

Maintenance runs in a weekly window whose start time is given in UTC. While it runs, the server status is UNDER_MAINTENANCE and the Chef server and dashboard are unavailable; nodes cannot check in during that time, so choose a window in which a missed chef-client run is acceptable.

In the AWS OpsWorks console, the window is under [Settings] > [System maintenance] on the server's page.
Setting the maintenance window with the AWS CLI

Three AWS CLI commands are involved: create-server sets the window when the server is created, update-server changes it later, and start-maintenance runs maintenance immediately.

With create-server (the service role and instance profile ARNs are the ones from the roles stack; the values below are placeholders), --preferred-maintenance-window sets the window. This example sets it to Mondays at 08:00 UTC:

    aws opsworks-cm create-server --engine "Chef" --engine-model "Single" --engine-version "12" \
        --server-name "automate-06" \
        --instance-profile-arn "arn:aws:iam::1019881987024:instance-profile/aws-opsworks-cm-ec2-role" \
        --instance-type "t2.medium" --key-pair "amazon-test" \
        --service-role-arn "arn:aws:iam::044726508045:role/aws-opsworks-cm-service-role" \
        --preferred-maintenance-window "Mon:08:00"

Note that t2.medium is not among the instance types listed for create-server earlier (m4.large, r4.xlarge, r4.2xlarge); use one of those.

With update-server, --preferred-maintenance-window changes the window of an existing server. This example moves it to Fridays at 18:15 UTC:

    aws opsworks-cm update-server --server-name "automate-06" --preferred-maintenance-window "Fri:18:15"

The value can also be given as a time alone (HH:MM). This example specifies 18:15 UTC without a day:

    aws opsworks-cm update-server --server-name "automate-06" --preferred-maintenance-window "18:15"

For the full parameter lists, see create-server and update-server in the AWS CLI Command Reference.

Starting maintenance on demand

To run maintenance right away, for example to apply an update without waiting for the window, use start-maintenance:

    aws opsworks-cm start-maintenance --server-name server_name

start-maintenance takes the server out of service exactly as scheduled maintenance does, so run it only when nodes can tolerate the interruption.
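The maintenance and backup windows are given as DDD:HH:MM or HH:MM in UTC, both in the create-server parameter list earlier and in the update-server examples above. The following added example (not from the AWS guide or the AWS CLI) parses that format with the same validation the CLI would need, computes the next window start from a given time, and tells you whether a given instant falls inside the window, which is what an alerting rule needs in order to ignore the expected UNDER_MAINTENANCE status. It assumes the window is one hour long, as the create-server description above states; the sample times are constructed.

```python
import re
from datetime import datetime, timedelta, timezone

DAYS = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]   # same order as datetime.weekday()
WINDOW_RE = re.compile(r"^(?:(?P<day>[A-Za-z]{3}):)?(?P<hh>\d{2}):(?P<mm>\d{2})$")
WINDOW_HOURS = 1   # assumption: the window is a one-hour period starting at the given time


def parse_window(spec):
    """Parse 'DDD:HH:MM' (weekly) or 'HH:MM' (daily) as used by
    --preferred-maintenance-window and --preferred-backup-window.
    Returns (weekday index or None, hour, minute); raises Value error on bad input."""
    m = WINDOW_RE.match(spec)
    if not m:
        raise ValueError("expected DDD:HH:MM or HH:MM, got %r" % spec)
    weekday = None
    if m.group("day") is not None:
        day = m.group("day").capitalize()        # normalise 'mon' to 'Mon'
        if day not in DAYS:
            raise ValueError("unknown day abbreviation in %r" % spec)
        weekday = DAYS.index(day)
    hh, mm = int(m.group("hh")), int(m.group("mm"))
    if not (0 <= hh < 24 and 0 <= mm < 60):
        raise ValueError("hour or minute out of range in %r" % spec)
    return weekday, hh, mm


def is_valid_window(spec):
    try:
        parse_window(spec)
        return True
    except ValueError:
        return False


def next_window_start(spec, now):
    """First window start (aware UTC datetime) at or after `now` (an aware datetime)."""
    weekday, hh, mm = parse_window(spec)
    now = now.astimezone(timezone.utc)
    start = now.replace(hour=hh, minute=mm, second=0, microsecond=0)
    if weekday is None:                                          # daily window
        if start < now:
            start += timedelta(days=1)
        return start
    start += timedelta(days=(weekday - start.weekday()) % 7)     # weekly window
    if start < now:
        start += timedelta(days=7)
    return start


def window_active(spec, at):
    """True if `at` lies within [start, start + WINDOW_HOURS) of the window."""
    start = next_window_start(spec, at - timedelta(hours=WINDOW_HOURS))
    return start <= at < start + timedelta(hours=WINDOW_HOURS)


# ISO 8601 string wrappers, convenient for scripts and for checking results.
def next_start_iso(spec, now_iso):
    return next_window_start(spec, datetime.fromisoformat(now_iso)).isoformat()


def window_active_iso(spec, at_iso):
    return window_active(spec, datetime.fromisoformat(at_iso))


if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    for spec in ("Mon:08:00", "Fri:18:15", "18:15"):
        print(spec, "->", next_window_start(spec, now).isoformat())
```

The reference time used in the checks, 2018-01-05T20:42:20Z, is the CreateDate from the list-roles output earlier in this chapter; it is a Friday, so from that instant the next Fri:18:15 window is a week away while Mon:08:00 is the following Monday.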
Maintenance and nodes

System maintenance changes the server, not the nodes. If you prepare nodes ahead of time by building a custom Amazon Machine Image (AMI) with chef-client already installed (for example after configuring an instance over SSH or with Run Command), build it from an instance that has not yet registered with the Chef server, or remove the node's client key and node name before you create the image.

Important

A client key baked into an AMI is a shared credential: every instance launched from the image authenticates to the Chef server as the same node, and compromising one instance exposes the key for all of them.

To launch nodes from your AMI, open the Amazon EC2 console, choose [Launch], then [My AMIs], and select the image; then add the instances to the server as described in (p. 68).

Chef Compliance in AWS OpsWorks for Chef Automate

Chef Compliance scans nodes against compliance profiles (for example the DevSec baselines) and shows the results, per node and per control, in the Chef Automate dashboard.
Note

Chef Compliance requires chef-client 13.x on the nodes you scan.

Chef Compliance in AWS OpsWorks for Chef Automate is driven by the Audit cookbook, which you upload to the server with berks. On each chef-client run, the Audit cookbook executes InSpec profiles on the node and reports the results to Chef Automate. The servers run Chef Automate 1.8, which bundles Audit cookbook 5.0.1 and InSpec 1.24.0.

AWS OpsWorks for Chef Automate also ships the opsworks-audit cookbook in the Starter Kit. opsworks-audit wraps the Audit cookbook so that chef-client runs the profiles you have installed in the Chef Compliance profile store; as a worked example it runs the DevSec SSH Baseline against the node's SSH configuration. Use opsworks-audit as is, or as a template for your own wrapper cookbook.

Install compliance profiles

1. Sign in to the Chef Automate dashboard (p. 54) of your AWS OpsWorks for Chef Automate server.
2. In Chef Automate, choose [Compliance].
3. Choose [Profile Store], then the [Available] tab.
4. Select one or more profiles and choose [>] to stage them.
5. Choose [Get] to install the staged profiles in your Chef Automate profile store.
6. The profiles are now available to every node that runs the Audit cookbook.

Run opsworks-audit on nodes

1. Add opsworks-audit to the run list. The Starter Kit's roles/opsworks-example-role.rb is the role used in step 6 of (p. 68); with ssh-hardening added as well, so that the SSH baseline finds a hardened configuration, it looks like this (the entries must be separated by commas; without them Ruby silently concatenates the adjacent strings into one bogus recipe name):

    run_list(
      "recipe[chef-client]",
      "recipe[apache2]",
      "recipe[opsworks-audit]",
      "recipe[ssh-hardening]"
    )

2. Add the cookbooks to the Berksfile. The Starter Kit's Berksfile already has chef-client and apache2; add opsworks-audit from the Starter Kit's site-cookbooks directory. The version constraint must come before the path option, and the source URL must be a closed string:

    source 'https://supermarket.chef.io'
    cookbook 'chef-client'
    cookbook 'apache2', '~> 5.0.1'
    cookbook 'opsworks-audit', '~> 1.0.0', path: 'site-cookbooks/opsworks-audit'

   If you added ssh-hardening to the run list, list that cookbook in the Berksfile too. opsworks-audit depends on the audit cookbook; that dependency is declared in its metadata.rb, so Berkshelf resolves it from the Supermarket.

3. Download the cookbooks into the cookbooks directory:

    berks vendor cookbooks

4. Upload the cookbooks, roles and environments to the AWS OpsWorks for Chef Automate server:

    knife upload .

5. Verify that opsworks-audit is on the server:

    knife cookbook list

6. Add nodes to the server (p. 68), or change the run list of existing nodes with knife (p. 52). When you add nodes with the user-data script, set RUN_LIST in the script to the role:

    RUN_LIST="role[opsworks-example-role]"

   Alternatively, in step 3 of (p. 69), give the run list directly as recipes on the Amazon EC2 instance:
RUN_LIST="recipe[chef-client],recipe[apache2],recipe[opworks-au