AWS OpsWorks - User Guide

AWS OpsWorks User Guide, API Version 2013-02-18


    AWS OpsWorks: Copyright 2018 Amazon Web Services, Inc. and/or its affiliates. All rights reserved.

    Amazon's trademarks and trade dress may not be used in connection with any product or service that is not Amazon's, in any manner that is likely to cause confusion among customers, or in any manner that disparages or discredits Amazon. All other trademarks not owned by Amazon are the property of their respective owners, who may or may not be affiliated with, connected to, or sponsored by Amazon.


    AWS OpsWorks

    AWS OpsWorks AWS OpsWorks Puppet Chef AWS OpsWorks AWS OpsWorks for Chef Automate Chef OpsWorks for Puppet Enterprise AWS Puppet Enterprise Puppet

    AWS OpsWorks AWS OpsWorks for Puppet Enterprise (p. 3)

    OpsWorks for Puppet Enterprise AWS Puppet Puppet Puppet Puppet Puppet Forge Puppet Puppet Code Manager

    OpsWorks for Puppet Enterprise Puppet Puppet OpsWorks for Puppet Enterprise Puppet Amazon EC2 OpsWorks for Puppet Enterprise

    OpsWorks for Puppet Enterprise Puppet Enterprise AWS Puppet Amazon EC2 Auto Scaling Amazon EC2

    AWS OpsWorks for Chef Automate (p. 40)

    AWS OpsWorks for Chef Automate Chef Automate AWS Chef Chef DK Chef Chef Chef Chef chef-client knife Test Kitchen Chef AWS OpsWorks for Chef Automate Chef

    Chef Automate AWS OpsWorks for Chef Automate Amazon Elastic Compute Cloud Chef Chef Automate AWS OpsWorks for Chef Automate AWS OpsWorks Chef


    AWS OpsWorks for Chef Automate 1 Chef Automate Chef Chef Amazon EC2 Auto Scaling Amazon EC2

    AWS OpsWorks (p. 82)

    EC2 Amazon Relational Database Service (RDS) AWS

    AWS OpsWorks AWS OpsWorks EC2 Chef

    AWS OpsWorks for Chef Automate AWS OpsWorks Chef Chef AWS OpsWorks Chef AWS OpsWorks Auto Scaling


    AWS OpsWorks for Puppet Enterprise

    OpsWorks for Puppet Enterprise Puppet Enterprise AWS OpsWorks OpsWorks for Puppet Enterprise Puppet OpsWorks for Puppet Enterprise Puppet Puppet Enterprise AWS AWS CLI

    Puppet puppet-agent Puppet OpsWorks for Puppet Enterprise Puppet puppet-agent Puppet Enterprise

    OpsWorks for Puppet Enterprise Amazon Elastic Compute Cloud OpsWorks for Puppet Enterprise Amazon Linux (Amazon Linux 2) Puppet Enterprise Master 2018.1 Puppet Enterprise 2018.1 Puppet Enterprise

    Puppet AWS Puppet Enterprise AWS Puppet

    OpsWorks for Puppet Enterprise EC2 Puppet Enterprise Supported operating systems puppet Puppet

    Puppet Enterprise (p. 3) OpsWorks for Puppet Enterprise (p. 4) OpsWorks for Puppet Enterprise (p. 4) OpsWorks for Puppet Enterprise (p. 23) OpsWorks for Puppet Enterprise (p. 26) OpsWorks for Puppet Enterprise (p. 29) OpsWorks for Puppet Enterprise (p. 33) OpsWorks for Puppet Enterprise (p. 33) AWS CloudTrail OpsWorks for Puppet Enterprise API (p. 35) OpsWorks for Puppet Enterprise (p. 37)

    Puppet Enterprise Puppet Puppet Securing an Application()


    OpsWorks for Puppet Enterprise

    OpsWorks for Puppet Enterprise OpsWorks for Puppet Enterprise Puppet IAM Puppet Puppet VPC VPC VPC


    OpsWorks for Puppet Enterprise OpsWorks for Puppet Enterprise AWS Puppet Enterprise 15 Puppet Enterprise

    OpsWorks for Puppet Enterprise Puppet

    AWS AWS (p. 4) Puppet (p. 5) Puppet Enterprise (p. 6) (p. 6) Git (p. 6) VPC (p. 7) EC2 () (p. 8)

    Puppet OpsWorks for Puppet Enterprise AWS VPC (p. 7)

    AWS AWS AWS AWS

    AWS

    1. https://aws.amazon.com/ [Create an AWS Account]


    Note

    AWS [Sign in to a different account] [Create a new AWS account]

    2.

    PIN

    AWS https://aws.amazon.com/ [My Account/Console]

    IAM ID

    ID AWS AWS AWS IAM IAM AWS AWS

    IAM IAM IAM

    1. IAM

    2. [Users]

    3. IAM ()

    4. [Security credentials] [Create access key]

    5. [Show]

    Access key ID: AKIAIOSFODNN7EXAMPLE
    Secret access key: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY

    6. [Download .csv file]

    AWS AWS Amazon.com Amazon

    IAM (IAM ) AWS (AWS General Reference)

    Puppet 1. Puppet Puppet

    2. Puppet


    3. Puppet PATH

    Linux macOS Bash Puppet PATH

    echo 'export PATH=/opt/puppetlabs/pdk/bin/pdk:$PATH' >> ~/.bash_profile && source ~/.bash_profile

    Windows PowerShell [System Properties] [Environment Variables] .NET Puppet PATH PowerShell

    [Environment]::SetEnvironmentVariable("Path","new path value","Machine")

    Puppet Enterprise Puppet Enterprise (PE) Puppet Enterprise Puppet Puppet Enterprise Installing PE client tools

    Puppet API PuppetEnterprise

    5 Puppet Enterprise Change the token's default lifetime

    puppet-access login --config-file .config/puppetlabs/client-tools/puppet-access.conf --lifetime 8h

    Note

    5 --lifetime 10 (10y) Puppet Enterprise Change the token's default lifetime

    Git Puppet Git Puppet Git URL SSH Puppet Enterprise Puppet Enterprise Setting up a control repository, Puppet control-repo GitHub readme

    LICENSE
    Puppetfile
    README.md
    environment.conf
    hieradata/
        common.yaml
        nodes/
            example-node.yaml
    manifests/
        site.pp
    scripts/
        code_manager_config_version.rb
        config_version.rb
        config_version.sh
    site/
        profile/
            manifests/
                base.pp
                example.pp
        role/
            manifests/
                database_server.pp
                example.pp
                webserver.pp

    AWS CodeCommit

    AWS CodeCommit AWS CodeCommit the section called: AWS CodeCommit (p. 21) AWS CodeCommit Git AWS CodeCommit OpsWorks for Puppet Enterprise IAM AWSCodeCommitReadOnly

    VPC OpsWorks for Puppet Enterprise Amazon Virtual Private Cloud VPC VPC VPC Amazon VPC VPC Amazon VPC

    VPC VPC VPC

    VPC [DNS resolution] [Auto-assign public IP]

    VPC VPC AWS OpsWorks AWS CloudFormation AWS CLI VPC AWS AWS CloudFormation

    aws cloudformation create-stack --stack-name OpsWorksVPC --template-url https://s3.amazonaws.com/opsworks-cm-us-east-1-prod-default-assets/misc/opsworks-cm-vpc.yaml


    EC2 () Puppet SSH AWS AWS CLI Puppet

    Puppet Enterprise SSH EC2 EC2 Amazon EC2

    EC2 Puppet Enterprise

    Puppet Enterprise OpsWorks for Puppet Enterprise AWS CLI Puppet

    AWS Puppet Enterprise Master (p. 8) AWS CLI Puppet Enterprise Master (p. 11)

    AWS Puppet Enterprise Master

    1. AWS AWS OpsWorks (https://console.aws.amazon.com/opsworks/)

    2. AWS OpsWorks [Go to OpsWorks for Puppet Enterprise]

    3. OpsWorks for Puppet Enterprise [Create Puppet Enterprise server]


    4. [Set name, region, and type] Puppet 40 () c4.large [Next]

    5. [Configure credentials] [SSH key] [Configure Puppet Code Manager] [r10k remote] Git SSH URL [r10k private key] r10k AWS OpsWorks SSH Git []


    6. [] [] VPC 1 AWS OpsWorks Puppet

    7. [System maintenance]

    AWS AWS CLI API

    8. Amazon Simple Storage Service 30 OpsWorks for Puppet Enterprise

    9. [Next]

    10. [Review] [Launch]


    Puppet AWS OpsWorks Puppet (p. 13) Puppet Enterprise

    OpsWorks for Puppet Enterprise Puppet [online] Puppet Enterprise https://your_server_name-randomID.region.opsworks-cm.io URL

    AWS CLI Puppet Enterprise Master AWS CLI OpsWorks for Puppet Enterprise AWS OpsWorks AWS CLI AWS OpsWorks ARN create-server Puppet AWS OpsWorks Puppet Enterprise AWS CLI OpsWorks for Puppet Enterprise OpsWorks for Puppet Enterprise JSON create-server

    AWS CLI AWS AWS CLI create-server create-server AWS CLI create-server

    1. (p. 4) Puppet ID VPC

    2. AWS OpsWorks AWS CloudFormation AWS CLI AWS CloudFormation

    aws cloudformation create-stack --stack-name OpsWorksCMRoles --template-url https://s3.amazonaws.com/opsworks-cm-us-east-1-prod-default-assets/misc/opsworks-cm-roles.yaml --capabilities CAPABILITY_IAM

    AWS CloudFormation ARN

    aws iam list-roles --path-prefix "/service-role/" --no-paginate

    list-roles ARN Puppet

    {
        "AssumeRolePolicyDocument": {
            "Version": "2012-10-17",
            "Statement": [
                {
                    "Action": "sts:AssumeRole",
                    "Effect": "Allow",
                    "Principal": {
                        "Service": "ec2.amazonaws.com"
                    }
                }
            ]
        },
        "RoleId": "AROZZZZZZZZZZQG6R22HC",
        "CreateDate": "2018-01-05T20:42:20Z",
        "RoleName": "aws-opsworks-cm-ec2-role",
        "Path": "/service-role/",
        "Arn": "arn:aws:iam::000000000000:role/service-role/aws-opsworks-cm-ec2-role"
    },
    {
        "AssumeRolePolicyDocument": {
            "Version": "2012-10-17",
            "Statement": [
                {
                    "Action": "sts:AssumeRole",
                    "Effect": "Allow",
                    "Principal": {
                        "Service": "opsworks-cm.amazonaws.com"
                    }
                }
            ]
        },
        "RoleId": "AROZZZZZZZZZZZZZZZ6QE",
        "CreateDate": "2018-01-05T20:42:20Z",
        "RoleName": "aws-opsworks-cm-service-role",
        "Path": "/service-role/",
        "Arn": "arn:aws:iam::000000000000:role/service-role/aws-opsworks-cm-service-role"
    }

    3. create-server OpsWorks for Puppet Enterprise

    --engine Puppet
    --engine-model Monolithic
    --engine-version 2017

    AWS (-) 40

    2 ARN ARN c4.large c4.xlarge c4.2xlarge

    Amazon EC2

    --engine-attributes Puppet --engine-attributes PUPPET_ADMIN_PASSWORD Puppet Enterprise 8 32 (ASCII)

    SSH Puppet SSH & Amazon EC2 Amazon EC2

    1 :DDD:HH:MM (UTC) --preferred-maintenance-window 1

    --preferred-backup-window : HH:MM DDD:HH:MM UTC --disable-automated-backup


    --security-group-ids 1 ID

    --subnet-ids ID

    aws opsworks-cm create-server --engine "Puppet" --engine-model "Monolithic" --engine-version "2017" --server-name "server_name" --instance-profile-arn "instance_profile_ARN" --instance-type "instance_type" --engine-attributes '{"PUPPET_ADMIN_PASSWORD":"ASCII_password"}' --key-pair "key_pair_name" --preferred-maintenance-window "ddd:hh:mm" --preferred-backup-window "ddd:hh:mm" --security-group-ids security_group_id1 security_group_id2 --service-role-arn "service_role_ARN" --subnet-ids subnet_ID

    aws opsworks-cm create-server --engine "Puppet" --engine-model "Monolithic" --engine-version "2017" --server-name "puppet-02" --instance-profile-arn "arn:aws:iam::1019881987024:instance-profile/aws-opsworks-cm-ec2-role" --instance-type "c4.large" --engine-attributes '{"PUPPET_ADMIN_PASSWORD":"zZZzDj2DLYXSZFRv1d"}' --key-pair "amazon-test" --preferred-maintenance-window "Mon:08:00" --preferred-backup-window "Sun:02:00" --security-group-ids sg-b00000001 sg-b0000008 --service-role-arn "arn:aws:iam::044726508045:role/aws-opsworks-cm-service-role" --subnet-ids subnet-383daa71

    4. OpsWorks for Puppet Enterprise 15 create-server create-server

    5. OpsWorks for Puppet Enterprise jq JSON create-server jq Puppet 3

    Get the Puppet password:
    cat resp.json | jq -r '.Server.EngineAttributes[] | select(.Name == "PUPPET_ADMIN_PASSWORD") | .Value'

    Get the Puppet Starter Kit:
    cat resp.json | jq -r '.Server.EngineAttributes[] | select(.Name == "PUPPET_STARTER_KIT") | .Value' | base64 -D > starterkit.zip

    Note

    AWS Puppet AWS CLI Puppet jq create-server base64 ZIP

    6. the section called (p. 13)

    Puppet Puppet OpsWorks for Puppet Enterprise [Properties] Puppet [Properties] 2

    https://stedolan.github.io/jq/

    Puppet

    Puppet Puppet Enterprise AWS OpsWorks


    Puppet Enterprise README

    1. Puppet

    2. .zip

    Puppet Puppet Enterprise Puppet Puppet Enterprise Creating and managing users and user roles

    Nginx control-repo-example Nginx

    control-repo control-repo-example 2 control-repo control-repo production Puppet GitHub repository control-repo-example production Nginx

    1. control-repo-example production Git (Puppet r10k_remoteURL) r10kRemoteUrl r10k_remote URL

    cd control-repo-example
    git remote add origin r10kRemoteUrl
    git push origin production

    Puppet Code Manager Git

    Important

    master master Puppet

    2. control-repo-example Puppet Puppet Git Puppet (r10k_remote)

    puppet-code deploy --all --wait --config-file .config/puppet-code.conf

    Nginx Amazon EC2 OpsWorks for Puppet Enterprise (p. 29)

    https://docs.puppet.com/pe/latest/rbac_user_roles.html#add-a-user-to-a-user-role
    https://github.com/puppetlabs/control-repo

    Puppet Puppet AWS CLI AWS

    aws --region region opsworks-cm describe-servers --server-name server_name --query "Servers[0].EngineAttributes[?Name=='PUPPET_API_CA_CERT'].Value" --output text > .config/ssl/certs/ca.pem

    Code Manager Code Manager Code Manager Puppet Enterprise Set up authentication for Code Manager

    Puppet

    (p. 17) associateNode() API (p. 17) (p. 17) (p. 18)

    AWS OpsWorks associateNode() API Puppet Enterprise Puppet Puppet OpsWorks for Puppet Enterprise OpsWorks for Puppet Enterprise

    Ubuntu 14.04, 16.04

    Red Hat Enterprise Linux (RHEL) 6

    Windows Puppet Windows 64

    puppet-agent Debian OpsWorks for Puppet Enterprise puppet-agent puppet-agent Puppet Enterprise Installing agents

    https://puppet.com/docs/pe/2017.3/code_management/code_mgr_config.html#set-up-authentication-for-code-manager
    https://puppet.com/docs/pe/2017.3/installing/supported_operating_systems.html#agent-platforms
    https://puppet.com/docs/pe/2017.3/installing/installing_agents.html

    EC2 Puppet OpsWorks for Puppet Enterprise (p. 29)

    Puppet Enterprise Puppet agent platforms

    associateNode() API puppet-agent (CSR) OpsWorks for Puppet Enterprise Puppet CSR CSR Puppet Enterprise Managing certificate signing requests OpsWorks for Puppet Enterprise associateNode() API CSR AWS CLI API PEM CSR Puppet

    aws opsworks-cm associate-node --server-name "test-puppet-server" --node-name "node or instance ID" --engine-attributes "Name=PUPPET_NODE_CSR,Value='PEM_formatted_CSR_from_the_node'"

    associateNode() OpsWorks for Puppet Enterprise (p. 29)

    puppet-agent 2 OpsWorks for Puppet Enterprise

    AWS SDK AWS CLI AWS Tools for PowerShell associateNode() API OpsWorks for Puppet Enterprise CSR Puppet pp_role Amazon EC2 CSR Puppet Extension requests (permanent certificate data)

    AWS Puppet Enterprise OpsWorks for Puppet Enterprise puppet-agent OpsWorks for Puppet Enterprise CSR Puppet CSR Puppet autosign.conf CSR autosign.conf Puppet SSL configuration: autosigning certificate requests

    Puppet Puppet CSR Puppet Enterprise puppet_enterprise::profile::master::allow_unauthenticated_ca

    Important

    CSR Puppet CSR CSR

    https://docs.puppet.com/pe/latest/sys_req_os.html#puppet-agent-platforms
    https://puppet.com/docs/pe/2017.3/managing_nodes/adding_and_removing_nodes.html#managing-certificate-signing-requests
    https://aws.amazon.com/tools/
    https://aws.amazon.com/cli/
    https://aws.amazon.com/powershell/
    https://puppet.com/docs/puppet/5.1/ssl_attributes_extensions.html#extension-requests-permanent-certificate-data
    https://puppet.com/docs/puppet/5.3/ssl_autosign.html

    Puppet Puppet (DoS)

    1. Puppet Enterprise
    2. [] [] [PE Master] (PE ) []
    3. [] [puppet_enterprise::profile::master]
    4. [allow_unauthenticated_ca] [true]
    5. Puppet ( ) 30 PE [Run] () Puppet

    OpsWorks for Puppet Enterprise Puppet Enterprise Learn Puppet tutorial site

    Puppet Enterprise Puppet [Properties] Puppet Enterprise 1

    Puppet Enterprise PE (CA) CA PE

    Puppet Enterprise

    1. (p. 15) Puppet Enterprise

    2. AWS Puppet []
    3. [] [Open Puppet Enterprise console] (Puppet Enterprise )
    4. 1

    https://learn.puppet.com/

    5. Puppet Enterprise Puppet Enterprise Puppet Enterprise Viewing node-specific information

    https://docs.puppet.com/pe/2017.2/nodes_viewing.html

    PE Puppet Enterprise Grouping and classifying nodes

    1. 2. 3.

    Puppet Enterprise Puppet Enterprise Reset the Admin Password

    10 Puppet Puppet Enterprise Password endpoints

    https://puppet.com/docs/pe/2017.3/managing_nodes/grouping_and_classifying_nodes.html
    https://puppet.com/docs/pe/2017.3/accessing_console/console_accessing.html#reset-the-admin-password
    https://puppet.com/docs/pe/2017.3/api_rbac_activity/rbac_api_v1_password.html

    : AWS CodeCommit Puppet r10k AWS CodeCommit r10k

    1. AWS CodeCommit

    2. [Skip] Amazon SNS
    3. [Code] [Connect to your repository]
    4. [Connect to your repository] [HTTPS] [Connection type]


    [Steps to clone your repository] git clone URL : https://git-codecommit.region.amazonaws.com/v1/repos/control-repo URL Puppet

    5. [Connect to your repository] OpsWorks for Puppet Enterprise

    6. 4 URL Puppet [Configure credentials] [r10k remote] [r10k private key] Puppet

    7. IAM [AWSCodeCommitReadOnly] Puppet IAM IAM

    8. AWS CodeCommit Git HTTPS control-repo AWS CodeCommit

    9. the section called (p. 13) Puppet

    puppet-code deploy --all --wait --config-file .config/puppet-code.conf

    http://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-using.html#attach-managed-policy-console
    http://docs.aws.amazon.com/codecommit/latest/userguide/setting-up-gc.html

    OpsWorks for Puppet Enterprise

    OpsWorks for Puppet Enterprise

    OpsWorks for Puppet Enterprise (p. 23) OpsWorks for Puppet Enterprise (p. 25)

    OpsWorks for Puppet Enterprise OpsWorks for Puppet Enterprise 1 Amazon Simple Storage Service (Amazon S3)

    Amazon S3 30 AWS Amazon S3 S3 S3

    OpsWorks for Puppet Enterprise OpsWorks for Puppet Enterprise [Configure advanced settings] [Automated backup]

    1. [More settings]

    http://docs.aws.amazon.com/AmazonS3/latest/user-guide/empty-bucket.html
    http://docs.aws.amazon.com/AmazonS3/latest/user-guide/delete-bucket.html

    2. [Enable automated backups] [No]

    3. [Automated Backup]

    AWS AWS CLI create-backup 30 10 Amazon S3

    AWS

    1. [Puppet Enterprise servers]
    2. [Backups]
    3. [Create backup]
    4. [Status]

    AWS CLI

    AWS CLI

    http://docs.aws.amazon.com/opsworks-cm/latest/APIReference/API_CreateBackup.html

    aws opsworks-cm --region region name create-backup --server-name "Puppet server name" --description "optional descriptive string"

    S3

    AWS

    1. [Puppet Enterprise servers]
    2. [Backups]
    3. [Delete backup] 1
    4. [Delete the backup, which is stored in an S3 bucket] [Yes, Delete]

    AWS CLI

    AWS CLI --backup-id ID ID ServerName-yyyyMMddHHmmssSSS puppet-server-20171218132604388

    aws opsworks-cm --region region name delete-backup --backup-id ServerName-yyyyMMddHHmmssSSS

    OpsWorks for Puppet Enterprise OpsWorks for Puppet Enterprise () ( EC2 ) Puppet Puppet

    AWS CLI OpsWorks for Puppet Enterprise Puppet

    Note

    restore-server SSH

    1. AWS CLI ID ID ID myServerName-yyyyMMddHHmmssSSS

    aws opsworks-cm --region region name describe-backups

    http://docs.aws.amazon.com/opsworks-cm/latest/APIReference/API_RestoreServer.html

    2.

    aws opsworks-cm --region region name restore-server --backup-id "myServerName-yyyyMMddHHmmssSSS" --instance-type "Type of instance" --key-pair "name of your EC2 key pair" --server-name "name of Puppet master"

    aws opsworks-cm --region us-west-2 restore-server --backup-id "MyPuppetServer-20161120122143125" --server-name "MyPuppetServer"

    3.

    OpsWorks for Puppet Enterprise

    OpsWorks for Puppet Enterprise Puppet AWS () 1 AWS CLI

    Puppet AWS Puppet AWS Puppet Puppet OpsWorks for Puppet Enterprise Puppet (p. 28)

    Amazon EC2

    Important

    OpsWorks for Puppet Enterprise (p. 28)

    (p. 26) (p. 28) (p. 28)

    OpsWorks for Puppet Enterprise (UTC) UNDER_MAINTENANCE

    https://en.wikipedia.org/wiki/Coordinated_Universal_Time

    OpsWorks for Puppet Enterprise [Settings] [System maintenance]

    [System maintenance]

    AWS CLI AWS CLI AWS CLI 3

    create-server ( ARN ARN ) --preferred-maintenance-window create-server --preferred-maintenance-window Mon:08:00 8:00 (UTC)

    aws opsworks-cm create-server --engine "Puppet" --engine-model "Monolithic" --engine-version "2017" --server-name "puppet-06" --instance-profile-arn "arn:aws:iam::1119001987000:instance-profile/aws-opsworks-cm-ec2-role" --instance-type "c4.large" --key-pair "amazon-test" --service-role-arn "arn:aws:iam::044726508045:role/aws-opsworks-cm-service-role" --preferred-maintenance-window "Mon:08:00"

    update-server --preferred-maintenance-window 6 15 (UTC)

    aws opsworks-cm update-server --server-name "puppet-06" --preferred-maintenance-window "Fri:18:15"

    6 15 3

    aws opsworks-cm update-server --server-name "puppet-06" --preferred-maintenance-window "18:15"

    AWS CLI create-server update-server

    AWS CLI AWS

    aws opsworks-cm start-maintenance --server-name server_name

    start-maintenance

    OpsWorks for Puppet Enterprise

    RunCommand SSH Puppet Amazon Machine Image (AMI) Amazon EC2 AMI

    Puppet

    Important

    Puppet

    AMI EC2 Amazon EC2 [Launch] [My AMIs] AMI Amazon EC2

    http://docs.aws.amazon.com/cli/latest/reference/opsworkscm/update-server.html
    http://docs.aws.amazon.com/cli/latest/reference/opsworkscm/start-maintenance.html

    OpsWorks for Puppet Enterprise

    Amazon Elastic Compute Cloud (Amazon EC2) OpsWorks for Puppet Enterprise Puppet (p. 16) associate-node 1 Puppet Enterprise () Amazon EC2 OpsWorks for Puppet Enterprise puppet-agent Ubuntu Amazon Linux RHEL

    OpsWorks for Puppet Enterprise (p. 33) OpsWorks for Puppet Enterprise API disassociate-node

    Puppet agent platforms

    1: IAM EC2 AWS Identity and Access Management (IAM) IAM opsworks-cm API EC2 Amazon EC2 IAM Amazon EC2 IAM

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Action": [
                    "opsworks-cm:AssociateNode",
                    "opsworks-cm:DescribeNodeAssociationStatus",
                    "opsworks-cm:DescribeServers",
                    "ec2:DescribeTags"
                ],
                "Resource": "*",
                "Effect": "Allow"
            }
        ]
    }

    AWS OpsWorks IAM AWS CloudFormation AWS CLI AWS CloudFormation --region

    aws cloudformation --region region ID create-stack --stack-name myPuppetinstanceprofile --template-url https://s3.amazonaws.com/opsworks-cm-us-east-1-prod-default-assets/misc/owpe/opsworks-cm-nodes-roles.yaml --capabilities CAPABILITY_IAM

    https://puppet.com/docs/pe/2017.3/installing/installing_agents.html
    http://docs.aws.amazon.com/opsworks-cm/latest/APIReference/API_DisassociateNode.html
    https://docs.puppet.com/pe/latest/sys_req_os.html#puppet-agent-platforms
    http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-ec2_instance-profiles.html
    http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html#create-iam-role-console

    2: EC2 EC2 Amazon EC2 Auto Scaling AWS CloudFormation userdata Amazon EC2 Linux Amazon EC2 OpsWorks for Puppet Enterprise (p. 4) Nginx

    1. opsworks-cm API associate-node Puppet AWS CLI AWS CLI userdata.sh

    ID

    #!/bin/bash
    set -euo pipefail

    # set aws settings
    declare -x PP_INSTANCE_ID=$(curl --silent --show-error --retry 3 http://169.254.169.254/latest/meta-data/instance-id) # this uses the EC2 instance ID as the node name
    declare -x PP_IMAGE_NAME=$(curl --silent --show-error --retry 3 http://169.254.169.254/latest/meta-data/ami-id)
    declare -x PP_REGION=$(curl --silent --show-error --retry 3 http://169.254.169.254/latest/meta-data/placement/availability-zone | sed 's/.$//')

    # put the opsworks name of your server if you don't use the ocm_server tag
    declare -x OCM_SERVER=""
    # put the region of your OCM Server if you don't use the ocm_region tag
    declare -x OCM_REGION=""

    # we're detecting if a tag is set; if so, override anything in the file
    declare -x TAG_SERVER=$(aws ec2 describe-tags --region $PP_REGION --filters "Name=resource-id,Values=$PP_INSTANCE_ID" \
      --query 'Tags[?Key==`ocm_server`].Value' --output text)
    declare -x TAG_REGION=$(aws ec2 describe-tags --region $PP_REGION --filters "Name=resource-id,Values=$PP_INSTANCE_ID" \
      --query 'Tags[?Key==`ocm_region`].Value' --output text)

    # the variables are quoted here: an unquoted empty value makes "[ -n ]" succeed
    if [ -n "$TAG_SERVER" ]; then
      declare -x OCM_SERVER=$TAG_SERVER
    fi

    if [ -n "$TAG_REGION" ]; then
      declare -x OCM_REGION=$TAG_REGION
    fi

    # set global settings
    declare -x PUPPETSERVER=$(aws opsworks-cm describe-servers --region=$OCM_REGION \
      --query "Servers[?ServerName=='$OCM_SERVER'].Endpoint" --output text)
    declare -x PRUBY='/opt/puppetlabs/puppet/bin/ruby'
    declare -x PUPPET='/opt/puppetlabs/bin/puppet'
    declare -x DAEMONSPLAY='true'
    declare -x SPLAYLIMIT='30'
    declare -x PUPPET_CA_PATH='/etc/puppetlabs/puppet/ssl/certs/ca.pem'

    # register the OpsWorks CM service model that exposes describe-node-association-status
    function loadmodel {
      aws configure add-model --service-model https://s3.amazonaws.com/opsworks-cm-us-east-1-prod-default-assets/misc/owpe/model-2017-09-05/opsworkscm-2016-11-01.normal.json --service-name opsworks-cm-puppet
    }

    # create the agent directories and keep the agent disabled until bootstrap completes
    function preparepuppet {
      mkdir -p /opt/puppetlabs/puppet/cache/state
      mkdir -p /etc/puppetlabs/puppet/ssl/certs/
      mkdir -p /etc/puppetlabs/code/modules/

      echo "{\"disabled_message\":\"Locked by OpsWorks Deploy - $(date --iso-8601=seconds)\"}" > /opt/puppetlabs/puppet/cache/state/agent_disabled.lock
    }

    # fetch the Puppet master CA certificate through the OpsWorks API so later HTTPS calls are verified
    function establishtrust {
      aws opsworks-cm describe-servers --region=$OCM_REGION --server-name $OCM_SERVER \
        --query "Servers[0].EngineAttributes[?Name=='PUPPET_API_CA_CERT'].Value" --output text > /etc/puppetlabs/puppet/ssl/certs/ca.pem
    }

    function installpuppet {
      ADD_EXTENSIONS=$(generate_csr_attributes)
      curl --retry 3 --cacert /etc/puppetlabs/puppet/ssl/certs/ca.pem "https://$PUPPETSERVER:8140/packages/current/install.bash" | \
        /bin/bash -s agent:certname=$PP_INSTANCE_ID \
        agent:splay=$DAEMONSPLAY \
        extension_requests:pp_instance_id=$PP_INSTANCE_ID \
        extension_requests:pp_region=$PP_REGION \
        extension_requests:pp_image_name=$PP_IMAGE_NAME $ADD_EXTENSIONS

      $PUPPET resource service puppet ensure=stopped
    }

    # turn every EC2 tag whose key starts with pp_ into a CSR extension request (e.g. pp_role)
    function generate_csr_attributes {
      pp_tags=$(aws ec2 describe-tags --region $PP_REGION --filters "Name=resource-id,Values=$PP_INSTANCE_ID" \
        --query 'Tags[?starts_with(Key, `pp_`)].[Key,Value]' --output text | sed s/\\t/=/)

      csr_attrs=""
      for i in $pp_tags
      do
        csr_attrs="$csr_attrs extension_requests:$i"
      done

      echo $csr_attrs
    }

    function installpuppetbootstrap {
      $PUPPET help bootstrap > /dev/null && bootstrap_installed=true || bootstrap_installed=false
      if [ "$bootstrap_installed" = false ]; then
        echo "Puppet Bootstrap not present, installing"
        curl --retry 3 https://s3.amazonaws.com/opsworks-cm-us-east-1-prod-default-assets/misc/owpe/puppet-agent-bootstrap-0.2.1.tar.gz \
          -o /tmp/puppet-agent-bootstrap-0.2.1.tar.gz
        $PUPPET module install /tmp/puppet-agent-bootstrap-0.2.1.tar.gz --ignore-dependencies
        echo "Puppet Bootstrap installed"
      else
        echo "Puppet Bootstrap already present"
      fi
    }

    function runpuppet {
      # random splay so a fleet launched at once does not hit the master simultaneously
      sleep $(( ( RANDOM % SPLAYLIMIT ) + 1 ))s

      $PUPPET agent --enable
      $PUPPET agent --onetime --no-daemonize --no-usecacheonfailure --no-splay --verbose
      $PUPPET resource service puppet ensure=running enable=true
    }

    function associatenode {
      CERTNAME=$($PUPPET config print certname --section agent)
      SSLDIR=$($PUPPET config print ssldir --section agent)
      PP_CSR_PATH="$SSLDIR/certificate_requests/$CERTNAME.pem"
      PP_CERT_PATH="$SSLDIR/certs/$CERTNAME.pem"

      # clear out extraneous certs and generate a new one
      $PUPPET bootstrap purge
      $PUPPET bootstrap csr

      # submit the cert
      ASSOCIATE_TOKEN=$(aws opsworks-cm associate-node --region $OCM_REGION --server-name $OCM_SERVER --node-name $CERTNAME --engine-attributes Name=PUPPET_NODE_CSR,Value="`cat $PP_CSR_PATH`" --query "NodeAssociationStatusToken" --output text)

      # wait
      aws opsworks-cm wait node-associated --region $OCM_REGION --node-association-status-token "$ASSOCIATE_TOKEN" --server-name $OCM_SERVER
      # install and verify
      aws opsworks-cm-puppet describe-node-association-status --region $OCM_REGION --node-association-status-token "$ASSOCIATE_TOKEN" --server-name $OCM_SERVER --query 'EngineAttributes[0].Value' --output text > $PP_CERT_PATH

      $PUPPET bootstrap verify
    }

    # Order of execution of functions
    loadmodel
    preparepuppet
    establishtrust
    installpuppet
    installpuppetbootstrap
    associatenode
    runpuppet

    http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/user-data.html
    http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/launching-instance.html
    http://docs.aws.amazon.com/opsworks-cm/latest/APIReference/API_AssociateNode.html

    2. EC2 EC2 Amazon Linux AMI

    3. [Configure Instance Details] [myPuppetinstanceprofile] 1: IAM (p. 29) IAM

    4. [Advanced Details] 1 userdata.sh

    5. [Add Storage] [Add Tags]

    EC2 userdata.sh pp_role nginx_webserver nginx_webserver

    pp_role Puppet Extension requests (permanent certificate data)

    6. [Configure Security Group] [Add Rule] [HTTP] Nginx 80

    http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/launching-instance.html
    https://puppet.com/docs/puppet/5.1/ssl_attributes_extensions.html#extension-requests-permanent-certificate-data

    7. [Review and launch] [Launch] OpsWorks for Puppet Enterprise (p. 4) Nginx

    8. DNS Puppet Nginx

    OpsWorks for Puppet Enterprise

    OpsWorks for Puppet Enterprise Puppet Enterprise OpsWorks for Puppet Enterprise OpsWorks for Puppet Enterprise API 1

    Puppet AWS CLI disassociate-node PE Puppet Puppet puppet-agent

    1. AWS CLI Node_name Amazon EC2 ID Server_name Puppet Puppet --region

    aws opsworks-cm --region Region_name disassociate-node --node-name Node_name --server-name Server_name

    aws opsworks-cm --region us-west-2 disassociate-node --node-name i-0010zzz00d66zzz90 --server-name opsworkstest

    2.

    OpsWorks for Puppet Enterprise OpsWorks for Puppet Enterprise (p. 33)

    Puppet Enterprise Remove nodes

    OpsWorks for Puppet Enterprise OpsWorks for Puppet Enterprise

    http://docs.aws.amazon.com/opsworks-cm/latest/APIReference/API_DisassociateNode.html
    https://puppet.com/docs/pe/2017.3/installing/uninstalling.html#uninstall-agents
    https://puppet.com/docs/pe/2017.3/managing_nodes/adding_and_removing_nodes.html#remove-nodes

    (Amazon Elastic Compute Cloud Amazon Elastic Block Store )

    Puppet AWS CLI

    1: Puppet AWS CLI disassociate-node

    1. AWS CLI Server_name Puppet --node-name ID

    aws opsworks-cm --region Region_name disassociate-node --node-name Node_name --server-name Server_name

    2.

    2: 1. [Actions]
    2. [Delete Puppet Enterprise server]
    3. [Yes, Delete]

    OpsWorks for Puppet Enterprise (p. 33)

    http://docs.aws.amazon.com/opsworks-cm/latest/APIReference/API_DisassociateNode.html

    AWS CloudTrail OpsWorks for Puppet Enterprise API

    OpsWorks for Puppet Enterprise AWS CloudTrail OpsWorks for Puppet Enterprise AWS CloudTrail OpsWorks for Puppet Enterprise OpsWorks for Puppet Enterprise API OpsWorks for Puppet Enterprise API OpsWorks for Puppet Enterprise Amazon S3 CloudTrail CloudTrail [Event history] CloudTrail OpsWorks for Puppet Enterprise IP

    CloudTrail AWS CloudTrail User Guide

    CloudTrail OpsWorks for Puppet Enterprise CloudTrail AWS OpsWorks for Puppet Enterprise [] AWS CloudTrail AWS CloudTrail

    OpsWorks for Puppet Enterprise AWS CloudTrail Amazon S3 AWS Amazon S3 CloudTrail AWS

    CloudTrail CloudTrail Amazon SNS Receiving CloudTrail Log Files from Multiple Regions Receiving CloudTrail Log Files from Multiple Accounts

    OpsWorks for Puppet Enterprise CloudTrail OpsWorks for Puppet Enterprise API CreateServer CreateBackup DescribeServers CloudTrail

    ID

    IAM .

    . AWS .

    CloudTrail userIdentity

    http://docs.aws.amazon.com/awscloudtrail/latest/userguide/
    http://docs.aws.amazon.com/awscloudtrail/latest/userguide/view-cloudtrail-events.html
    http://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-create-and-update-a-trail.html
    http://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-aws-service-specific-topics.html#cloudtrail-aws-service-specific-topics-integrations
    http://docs.aws.amazon.com/awscloudtrail/latest/userguide/getting_notifications_top_level.html
    http://docs.aws.amazon.com/awscloudtrail/latest/userguide/receive-cloudtrail-log-files-from-multiple-regions.html
    http://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-receive-logs-from-multiple-accounts.html
    http://docs.aws.amazon.com/opsworks-cm/latest/APIReference/Welcome.html
    http://docs.aws.amazon.com/opsworks-cm/latest/APIReference/API_CreateServer.html
    http://docs.aws.amazon.com/opsworks-cm/latest/APIReference/API_CreateBackup.html
    http://docs.aws.amazon.com/opsworks-cm/latest/APIReference/API_DescribeServers.html
    http://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-event-reference-user-identity.html

    OpsWorks for Puppet Enterprise Amazon S3 CloudTrail 1 1 CloudTrail API

    OpsWorks for Puppet Enterprise CreateServer CloudTrail

    {
      "eventVersion": "1.05",
      "userIdentity": {
        "type": "AssumedRole",
        "principalId": "ID number:OpsWorksCMUser",
        "arn": "arn:aws:sts::831000000000:assumed-role/Admin/OpsWorksCMUser",
        "accountId": "831000000000",
        "accessKeyId": "ID number",
        "sessionContext": {
          "attributes": {
            "mfaAuthenticated": "false",
            "creationDate": "2017-01-05T22:03:47Z"
          },
          "sessionIssuer": {
            "type": "Role",
            "principalId": "ID number",
            "arn": "arn:aws:iam::831000000000:role/Admin",
            "accountId": "831000000000",
            "userName": "Admin"
          }
        }
      },
      "eventTime": "2017-01-05T22:18:23Z",
      "eventSource": "opsworks-cm.amazonaws.com",
      "eventName": "CreateServer",
      "awsRegion": "us-west-2",
      "sourceIPAddress": "101.25.190.51",
      "userAgent": "console.amazonaws.com",
      "requestParameters": {
        "serverName": "test-puppet-server",
        "engineModel": "Single",
        "engine": "Puppet",
        "instanceProfileArn": "arn:aws:iam::831000000000:instance-profile/aws-opsworks-cm-ec2-role",
        "backupRetentionCount": 3,
        "serviceRoleArn": "arn:aws:iam::831000000000:role/service-role/aws-opsworks-cm-service-role",
        "engineVersion": "12",
        "preferredMaintenanceWindow": "Fri:21:00",
        "instanceType": "t2.medium",
        "subnetIds": ["subnet-1e111f11"],
        "preferredBackupWindow": "Wed:08:00"
      },
      "responseElements": {
        "server": {
          "endpoint": "test-puppet-server-xxxx8u4390xo6pd9.us-west-2.opsworks-cm.io",
          "createdAt": "Jan 5, 2017 10:18:22 PM",
          "serviceRoleArn": "arn:aws:iam::831000000000:role/service-role/aws-opsworks-cm-service-role",
          "preferredBackupWindow": "Wed:08:00",
          "status": "CREATING",
          "subnetIds": ["subnet-1e111f11"],
          "engine": "Puppet",
          "instanceType": "t2.medium",
          "serverName": "test-puppet-server",
          "serverArn": "arn:aws:opsworks-cm:us-west-2:831000000000:server/test-puppet-server/8ezz7f6z-e91f-4z10-89z5-8c6219zzz09f",
          "engineModel": "Single",
          "backupRetentionCount": 3,
          "engineAttributes": [
            {"name": "PUPPET_ADMIN_PASSWORD", "value": "*** Redacted ***"},
            {"name": "PUPPET_API_CA_CERT", "value": "*** Redacted ***"}
          ],
          "engineVersion": "12.11.1",
          "instanceProfileArn": "arn:aws:iam::831000000000:instance-profile/aws-opsworks-cm-ec2-role",
          "preferredMaintenanceWindow": "Fri:21:00"
        }
      },
      "requestID": "de7z64z9-d394-12ug-8081-7zz0386fbcb6",
      "eventID": "8z7z18dz-6z90-47bz-87cf-e8346428zzz3",
      "eventType": "AwsApiCall",
      "recipientAccountId": "831000000000"
    }

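    As an added example (not code from the AWS guide), a small Python audit helper that reads an OpsWorks CM CloudTrail record of the kind shown above and pulls out what an incident responder checks first: who made the call, through which role, with or without MFA, from which IP, and whether the secret engine attributes were redacted as the service does in the sample. The embedded record is a constructed, trimmed copy of the CreateServer sample; SENSITIVE_ACTIONS lists the opsworks-cm API names that correspond to the CLI commands used elsewhere in this guide.

    ```python
    import json

    REDACTED = "*** Redacted ***"

    # OpsWorks CM API calls that change a server or its nodes; reviewed first in an investigation.
    SENSITIVE_ACTIONS = {
        "CreateServer", "DeleteServer", "RestoreServer", "UpdateServer", "StartMaintenance",
        "AssociateNode", "DisassociateNode", "DeleteBackup",
    }

    # Constructed sample: a trimmed copy of the CreateServer record shown above (placeholder IDs).
    SAMPLE_EVENT = json.dumps({
        "eventVersion": "1.05",
        "userIdentity": {
            "type": "AssumedRole",
            "principalId": "ID number:OpsWorksCMUser",
            "arn": "arn:aws:sts::831000000000:assumed-role/Admin/OpsWorksCMUser",
            "accountId": "831000000000",
            "sessionContext": {
                "attributes": {"mfaAuthenticated": "false", "creationDate": "2017-01-05T22:03:47Z"},
                "sessionIssuer": {"type": "Role", "arn": "arn:aws:iam::831000000000:role/Admin",
                                  "userName": "Admin"},
            },
        },
        "eventTime": "2017-01-05T22:18:23Z",
        "eventSource": "opsworks-cm.amazonaws.com",
        "eventName": "CreateServer",
        "awsRegion": "us-west-2",
        "sourceIPAddress": "101.25.190.51",
        "userAgent": "console.amazonaws.com",
        "requestParameters": {"serverName": "test-puppet-server", "engine": "Puppet",
                              "backupRetentionCount": 3},
        "responseElements": {"server": {
            "serverName": "test-puppet-server",
            "engineAttributes": [
                {"name": "PUPPET_ADMIN_PASSWORD", "value": REDACTED},
                {"name": "PUPPET_API_CA_CERT", "value": REDACTED},
            ],
        }},
        "eventType": "AwsApiCall",
    })

    # Second constructed sample: the same record with the admin password left in clear text,
    # only to exercise the redaction check (the real service output above redacts it).
    SAMPLE_EVENT_LEAK = SAMPLE_EVENT.replace(REDACTED, "clear-text-password", 1)


    def summarize_event(raw):
        """Flatten one CloudTrail record into the fields a responder looks at first."""
        ev = json.loads(raw)
        ident = ev.get("userIdentity") or {}
        ctx = ident.get("sessionContext") or {}
        # responseElements and requestParameters are null for some failed or read-only calls
        server = (ev.get("responseElements") or {}).get("server") or {}
        params = ev.get("requestParameters") or {}
        leaked = [a["name"] for a in server.get("engineAttributes", [])
                  if a.get("value") != REDACTED]
        return {
            "event": ev.get("eventName"),
            "service": ev.get("eventSource"),
            "time": ev.get("eventTime"),
            "principal_type": ident.get("type"),
            "principal_arn": ident.get("arn"),
            "issuer_role": (ctx.get("sessionIssuer") or {}).get("arn"),
            # CloudTrail stores this flag as the string "true"/"false", not a JSON boolean
            "mfa": (ctx.get("attributes") or {}).get("mfaAuthenticated") == "true",
            "source_ip": ev.get("sourceIPAddress"),
            "server_name": params.get("serverName"),
            "unredacted_attributes": leaked,
        }


    def findings(summary):
        """Review rules for an OpsWorks CM event; returns human-readable findings (empty if clean)."""
        out = []
        if summary["service"] != "opsworks-cm.amazonaws.com":
            return out
        if summary["event"] in SENSITIVE_ACTIONS and not summary["mfa"]:
            out.append("%s on %s by %s without MFA from %s" % (
                summary["event"], summary["server_name"], summary["principal_arn"],
                summary["source_ip"]))
        if summary["unredacted_attributes"]:
            out.append("engine attributes logged in clear text: "
                       + ", ".join(summary["unredacted_attributes"]))
        return out


    if __name__ == "__main__":
        for raw in (SAMPLE_EVENT, SAMPLE_EVENT_LEAK):
            for line in findings(summarize_event(raw)):
                print(line)
    ```
    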
    OpsWorks for Puppet Enterprise

    OpsWorks for Puppet Enterprise

    (p. 37) (p. 38) (p. 39)

    Puppet Puppet (p. 38)

    Puppet OpsWorks for Puppet Enterprise Puppet Puppet OpsWorks for Puppet Enterprise AWS CloudFormation Amazon EC2

    EC2 SSH EC2 /var/log/aws/opsworks-cm OpsWorks for Puppet Enterprise Puppet


    (p. 38)

    Amazon EC2 (p. 38) (p. 38) Elastic IP (p. 39) (p. 39)

    : Puppet Enterprise

    : Puppet VPC Puppet VPC t2 Puppet VPC

    : VPC m4

    Amazon EC2 : The following resource(s) failed to create: [EC2Instance]. Failed to receive 1 resource signal(s) within the specified duration

    : EC2

    : AWS VPC ( VPC) [DNSresolution] [Auto-assign Public IP]

    : Not authorized to perform sts:AssumeRole.

    :

    : OpsWorks for Puppet Enterprise AWSOpsWorksCMServiceRole opsworks-cm.amazonaws.com [Trust Relationships] Puppet AWSOpsWorksCMServerRole

    https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/dedicated-instance.html

    Elastic IP : The following resource(s) failed to create: [EIP, EC2Instance]. Resource creation cancelled, the maximum number of addresses has been reached.

    : Elastic IP (EIP) EIP 5

    : EIP AWS EIP

    : Amazon EC2 Puppet Puppet Enterprise

    : opsworks-cm API EC2 IAM

    : OpsWorks for Puppet Enterprise (p. 29) AssociateNode DescribeNodeAssociationStatus API EC2 EC2

    AWS OpsWorks

    AWS AWS AWS AWS AWS Trusted Advisor

    https://forums.aws.amazon.com/forum.jspa?forumID=153&start=0
    https://console.aws.amazon.com/support/home#/

    AWS OpsWorks for Chef Automate AWS OpsWorks for Chef Automate AWS Chef Automate Chef AWS OpsWorks for Chef Automate AWS OpsWorks for Chef Automate Chef

    Chef Automate chef-client Chef Chef AWS OpsWorks for Chef Automate Chef Automate; Chef ()

    AWS OpsWorks for Chef Automate Amazon Elastic Compute Cloud AWS OpsWorks for Chef Automate Amazon Linux (Amazon Linux 2) Chef Server 12.x Chef Automate Server 1.8. Chef Automate Chef Automate

    AWS OpsWorks for Chef Automate chef-client 13.x chef-client

    Chef AWS Chef Automate Chef Server AWS Chef Chef Chef Automate OpsWorks Amazon Linux

    AWS OpsWorks for Chef Automate EC2 Chef chef-client Chef

    Chef Automate (p. 41) AWS OpsWorks for Chef Automate (p. 41) AWS OpsWorks for Chef Automate (p. 41) AWS OpsWorks for Chef Automate (p. 56) AWS OpsWorks for Chef Automate (p. 59) AWS OpsWorks for Chef Automate Chef Compliance (p. 62) AWS OpsWorks for Chef Automate (p. 68) AWS OpsWorks for Chef Automate (p. 72) AWS OpsWorks for Chef Automate (p. 73) Chef Automate (p. 74) AWS CloudTrail AWS OpsWorks for Chef Automate API (p. 75)

    https://www.chef.io/automate/
    https://docs.chef.io/chef_client.html
    https://discourse.chef.io/t/chef-automate-1-8-68/13089
    https://downloads.chef.io/chef/stable
    https://docs.chef.io/platforms.html

    AWS OpsWorks for Chef Automate (p. 77)

    Chef Automate Chef Automate Chef Automate Automate API

    AWS OpsWorks for Chef Automate

    AWS OpsWorks for Chef Automate AWS OpsWorks for Chef Automate Chef IAM Chef Chef VPC VPC VPC


    AWS OpsWorks for Chef Automate AWS OpsWorks for Chef Automate AWS Chef Automate 15 Chef

    AWS OpsWorks for Chef Automate Chef

    Chef AWS OpsWorks for Chef Automate AWS VPC (p. 43)

    AWS AWS (p. 4) VPC (p. 43) EC2 () (p. 43)

    https://docs.chef.io/api_analytics.html
    https://www.chef.io/automate/

    AWS AWS AWS AWS

    AWS

    1. https://aws.amazon.com/ [Create an AWS Account]

    Note

    AWS [Sign in to a different account] [Create a new AWS account]

    2.

    PIN

    AWS https://aws.amazon.com/ [My Account/Console]

    IAM ID

    ID AWS AWS AWS IAM IAM AWS AWS

    IAM IAM IAM

    1. IAM
    2. [Users]
    3. IAM ()
    4. [Security credentials] [Create access key]
    5. [Show]

    ID: AKIAIOSFODNN7EXAMPLE : wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY

    6. [Download .csv file]

    AWS AWS Amazon.com Amazon

    IAM (IAM )

    https://aws.amazon.com/
    http://docs.aws.amazon.com/IAM/latest/UserGuide/access_permissions-required.html
    https://console.aws.amazon.com/iam/home?#home
    http://docs.aws.amazon.com/IAM/latest/UserGuide/introduction.html

    AWS (AWS General Reference)

    VPC AWS OpsWorks for Chef Automate Amazon Virtual Private Cloud VPC VPC VPC Amazon VPC VPC Amazon VPC

    VPC VPC VPC

    VPC [DNS resolution] [Auto-assign public IP]

    VPC VPC AWS OpsWorks AWS CloudFormation AWS CLI VPC AWS AWS CloudFormation

    aws cloudformation create-stack --stack-name OpsWorksVPC --template-url https://s3.amazonaws.com/opsworks-cm-us-east-1-prod-default-assets/misc/opsworks-cm-vpc.yaml

    EC2 ()Chef SSH knife Chef

    Chef Automate SSH EC2 EC2 Amazon EC2

    EC2 Chef

    Chef Automate AWS OpsWorks for Chef Automate AWS CLI Chef

    AWS Chef Automate (p. 43) AWS CLI Chef Automate (p. 46)

    AWS Chef Automate
    1. AWS AWS OpsWorks (https://console.aws.amazon.com/opsworks/)
    2. AWS OpsWorks [Go to OpsWorks for Chef Automate]


    3. AWS OpsWorks for Chef Automate [Create Chef Automate server]

    4. [Set name, region, and type] Chef 40 () m4.large [Next]


    5. [Select an SSH key] [SSH key] [Next]

    6. [] [] VPC 1 AWS OpsWorks Chef

    7. [System maintenance] pending-server

    AWS AWS CLI API

    8. Amazon Simple Storage Service 30 AWS OpsWorks for Chef Automate


    9. [Next]
    10. [Review] [Launch]

    Chef AWS OpsWorks Chef (p. 49) Chef Automate

    AWS OpsWorks for Chef Automate Chef [online] Chef Automate https://your_server_name-random.region.opsworks-cm.io URL

    AWS CLI Chef Automate AWS CLI AWS OpsWorks for Chef Automate AWS OpsWorks AWS CLI AWS OpsWorks ARN create-server Chef Automate AWS OpsWorks Chef Automate Chef Automate AWS CLI AWS OpsWorks for Chef Automate AWS OpsWorks for Chef Automate JSON create-server AWS OpsWorks for Chef Automate

    AWS CLI AWS AWS CLI create-server create-server AWS CLI create-server

    1. VPC (p. 43) VPC Chef Automate ID

    2. Chef OpenSSL create-server


    create-server Chef 6

    umask 077
    openssl genrsa -out "pivotal" 2048
    openssl rsa -in "pivotal" -pubout

    3. AWS OpsWorks AWS CloudFormation AWS CLI AWS CloudFormation

    aws cloudformation create-stack --stack-name OpsWorksCMRoles --template-url https://s3.amazonaws.com/opsworks-cm-us-east-1-prod-default-assets/misc/opsworks-cm-roles.yaml --capabilities CAPABILITY_IAM

    AWS CloudFormation ARN

    aws iam list-roles --path-prefix "/service-role/" --no-paginate

    list-roles ARN ChefAutomate

    {
        "AssumeRolePolicyDocument": {
            "Version": "2012-10-17",
            "Statement": [
                {
                    "Action": "sts:AssumeRole",
                    "Effect": "Allow",
                    "Principal": {
                        "Service": "ec2.amazonaws.com"
                    }
                }
            ]
        },
        "RoleId": "AROZZZZZZZZZZQG6R22HC",
        "CreateDate": "2018-01-05T20:42:20Z",
        "RoleName": "aws-opsworks-cm-ec2-role",
        "Path": "/service-role/",
        "Arn": "arn:aws:iam::000000000000:role/service-role/aws-opsworks-cm-ec2-role"
    },
    {
        "AssumeRolePolicyDocument": {
            "Version": "2012-10-17",
            "Statement": [
                {
                    "Action": "sts:AssumeRole",
                    "Effect": "Allow",
                    "Principal": {
                        "Service": "opsworks-cm.amazonaws.com"
                    }
                }
            ]
        },
        "RoleId": "AROZZZZZZZZZZZZZZZ6QE",
        "CreateDate": "2018-01-05T20:42:20Z",
        "RoleName": "aws-opsworks-cm-service-role",
        "Path": "/service-role/",
        "Arn": "arn:aws:iam::000000000000:role/service-role/aws-opsworks-cm-service-role"
    }

    4. create-server AWS OpsWorks for Chef Automate

    --engine Chef --engine-model Single --engine-version 12 AWS

    (-) 40

    3 ARN ARN m4.large r4.xlarge r4.2xlarge

    Amazon EC2

    --engine-attributes --engine-attributes 2 CHEF_PIVOTAL_KEY CHEF_DELIVERY_ADMIN_PASSWORD

    CHEF_DELIVERY_ADMIN_PASSWORD create-server 8 32 (!/@$%^+=_) 1 1 1 1

    SSH Chef Automate Chef Automate SSH& Amazon EC2 Amazon EC2

    1 :DDD:HH:MM (UTC) --preferred-maintenance-window 1

    --preferred-backup-window : HH:MM DDD:HH:MM UTC --disable-automated-backup

    --security-group-ids 1 ID

    --subnet-ids ID

    aws opsworks-cm create-server --engine "Chef" --engine-model "Single" --engine-version "12" --server-name "server_name" --instance-profile-arn "instance_profile_ARN" --instance-type "instance_type" --engine-attributes '{"CHEF_PIVOTAL_KEY":"Chef_pivotal_key","CHEF_DELIVERY_ADMIN_PASSWORD":"password"}' --key-pair "key_pair_name" --preferred-maintenance-window "ddd:hh:mm" --preferred-backup-window "ddd:hh:mm" --security-group-ids security_group_id1 security_group_id2 --service-role-arn "service_role_ARN" --subnet-ids subnet_ID

    aws opsworks-cm create-server --engine "Chef" --engine-model "Single" --engine-version "12" --server-name "automate-06" --instance-profile-arn "arn:aws:iam::1019881987024:instance-profile/aws-opsworks-cm-ec2-role" --instance-type "m4.large" --engine-attributes '{"CHEF_PIVOTAL_KEY":"MZZE...Wobg","CHEF_DELIVERY_ADMIN_PASSWORD":"zZZzDj2DLYXSZFRv1d"}' --key-pair "amazon-test" --preferred-maintenance-window "Mon:08:00" --preferred-backup-window "Sun:02:00" --security-group-ids sg-b00000001 sg-b0000008 --service-role-arn "arn:aws:iam::044726508045:role/aws-opsworks-cm-service-role" --subnet-ids subnet-300aaa00

    5. AWS OpsWorks for Chef Automate 15 create-server create-server

    6. AWS OpsWorks for Chef Automate jq JSON create-server jq Chef Automate 4

    Get the Chef password:
    cat resp.json | jq -r '.Server.EngineAttributes[] | select(.Name == "CHEF_DELIVERY_ADMIN_PASSWORD") | .Value'

    Get the Chef Pivotal Key:
    cat resp.json | jq -r '.Server.EngineAttributes[] | select(.Name == "CHEF_PIVOTAL_KEY") | .Value'

    Get the Chef Starter Kit:
    cat resp.json | jq -r '.Server.EngineAttributes[] | select(.Name == "CHEF_STARTER_KIT") | .Value' | base64 -D > starterkit.zip

    7. create-server AWS OpsWorks for Chef Automate Chef Automate

    8. the section called (p. 49)

    Chef Chef AWS OpsWorks for Chef Automate [Properties] Chef [Properties] 2 Chef


    Chef Chef Automate Chef Automate () AWS OpsWorks

    README knife.rb

    .zip AWS OpsWorks for Chef Automate Chef Chef Chef (Git )


    Git Chef Chef chef-repo

    1. Chef

    2. .zip

    Chef Chef Automate Chef Chef Automate

    3. Chef Chef Development Kit (Chef DK) knife Chef DK Chef Install the Chef DK

    knife .chef

    .chef/knife.rb - knife (knife.rb)knife.rb Chef knife AWS OpsWorks for Chef Automate

    .chef/ca_certs/opsworks-cm-ca-2016-root.pem - AWS OpsWorks (CA) SSL chef-client

    Chef Chef Chef README Chef knife Berkshelf 2 Berkshelf

    1. chef-repo (AWS CodeCommitGitAmazon S3 )

    2. chef-repo 3

    cookbooks/ -
    roles/ - .rb .json
    environments/ - .rb .json

    Berkshelf Berkshelf Berkshelf Berkshelf Chef


    Berksfile Berksfile Chef Chef chef-client Chef Supermarket Chef Client Cookbook

    1. (Apache ) Berksfile Berksfile

    source 'https://supermarket.chef.io'
    cookbook 'chef-client'
    cookbook 'apache2'

    2.

    berks install

    3. Chef

    Linux

    SSL_CERT_FILE='.chef/ca_certs/opsworks-cm-ca-2016-root.pem' berks upload

    Windows PowerShell Chef DK PowerShell RemoteSigned PowerShell Chef DK chef shell-init

    $env:SSL_CERT_FILE="ca_certs\opsworks-cm-ca-2016-root.pem"
    chef shell-init berks upload
    Remove-Item Env:\SSL_CERT_FILE

    4. Chef Automate

    AWS OpsWorks for Chef Automate

    knife cookbook list

    Chef chef-client () Chef Chef ()Chef chef-client

    AWS OpsWorks for Chef Automate chef-client 12.16.42 chef-client 13.6.4

    Chef EC2 knife Chef AWS OpsWorks for Chef Automate (p. 68)


    Chef

    knife knife-ec2 Chef DK knife-ec2 knife bootstrap EC2 EC2

    1. knife bootstrap Chef EC2 Berkshelf (p. 51) apache2 Chef knife bootstrap Chef

    knife root ec2-user AMI Linux AWS SSH Linux

    Amazon Linux ec2-user

    Red Hat Enterprise Linux 5 root ec2-user

    Ubuntu ubuntu

    Fedora fedora ec2-user

    SUSE Linux root ec2-user

    knife bootstrap INSTANCE_IP_ADDRESS -N INSTANCE_NAME -x USER_NAME --sudo --run-list "recipe[apache2]"

    2. (INSTANCE_NAME )

    knife client show INSTANCE_NAME
    knife node show INSTANCE_NAME

    AWS OpsWorks for Chef Automate Chef Automate Learn Chef tutorials


    Chef Automate Chef [Properties] Chef Automate 1

    AWS OpsWorks CA SSL Chef SSL

    AWS OpsWorks SSL

    Linux MacOS Amazon S3 PEM: https://s3-eu-west-1.amazonaws.com/opsworks-cm-us-east-1-prod-default-assets/misc/opsworks-cm-ca-2016-root.pem

    MacOS SSL Apple

    Windows Amazon S3 P7B : https://s3-eu-west-1.amazonaws.com/opsworks-cm-us-east-1-prod-default-assets/misc/opsworks-cm-ca-2016-root.p7b

    Windows SSL Microsoft TechNet

    SSL Chef Automate

    Note

    Ubuntu Linux Google Chrome Mozilla Firefox Chef Automate Windows MacOS Google Chrome

    Chef Automate

    1. (p. 51) Chef Automate

    2. Chef [Properties]
    3. [Properties] [Open Chef Automate dashboard]
    4. 1


    5. Chef Automate Chef Automate Chef Automate


    Note

    Chef Automate Chef Automate (p. 74)

    AWS OpsWorks for Chef Automate

    AWS OpsWorks for Chef Automate

    AWS OpsWorks for Chef Automate (p. 56) AWS OpsWorks for Chef Automate (p. 58)

    AWS OpsWorks for Chef Automate AWS OpsWorks for Chef Automate 1 Amazon Simple Storage Service (Amazon S3)

    Amazon S3 30 AWS Amazon S3


    S3 S3

    AWS OpsWorks for Chef Automate AWS OpsWorks for Chef Automate [Configure advanced settings] [Automated backup] Chef Automate [Properties]

    1. Chef servers [Actions] [Change settings]

    2. [Enable automated backups] [No]

    3. [Automated Backup]

    AWS AWS CLI create-backup 30 10 Amazon S3

    AWS

    1. [Chef Automate servers]
    2. [Backups]
    3. [Create backup]
    4. [Status]

    AWS CLI

    AWS CLI

    aws opsworks-cm --region region name create-backup --server-name "Chef server name" --description "optional descriptive string"

    S3

    AWS

    1. [Chef Automate servers]
    2. [Backups]
    3. [Delete backup] 1

    4. [Delete the backup, which is stored in an S3 bucket]

    [Yes, Delete]


    AWS CLI

    AWS CLI --backup-id ID ID ServerName-yyyyMMddHHmmssSSS test-chef-server-20171218132604388

    aws opsworks-cm --region region name delete-backup --backup-id ServerName-yyyyMMddHHmmssSSS

    AWS OpsWorks for Chef Automate AWS OpsWorks for Chef Automate () (EC2 ) Chef Chef

    AWS CLI AWS OpsWorks for Chef Automate Chef

    Note

    restore-server SSH

    1. AWS CLI ID ID ID myServerName-yyyyMMddHHmmssSSS

    aws opsworks-cm --region region name describe-backups

    2.

    aws opsworks-cm --region region name restore-server --backup-id "myServerName-yyyyMMddHHmmssSSS" --instance-type "Type of instance" --key-pair "name of your EC2 key pair" --server-name "name of Chef server"

    aws opsworks-cm --region us-west-2 restore-server --backup-id "MyChefServer-20161120122143125" --server-name "MyChefServer"

    3.


    AWS OpsWorks for Chef Automate

    AWS OpsWorks for Chef Automate Chef Server Chef Automate Server () 1 AWS CLI

    Chef AWS Chef Automate Chef Server AWS Chef Chef Chef Automate OpsWorks Chef (p. 62)

    Amazon EC2

    Important

    AWS OpsWorks for Chef Automate (p. 62)

    AWS OpsWorks (p. 59) (p. 60) (p. 62) (p. 62)

    AWS OpsWorks AWS OpsWorks for Chef Automate AWS OpsWorks AWS OpsWorks (CA) AWS OpsWorks CA CA AWS OpsWorks for Chef Automate AWS OpsWorks CA AWS OpsWorks for Chef Automate (p. 68) EC2 userdata EC2 AWS OpsWorks CA

    Linux CA S3 https://opsworks-cm-${REGION}-prod-default-assets.s3.amazonaws.com/misc/opsworks-cm-ca-2016-root.pem AWS OpsWorks CA /etc/chef/opsworks-cm-ca-2016-root.pem


    Windows CA S3 https://opsworks-cm-$env:AWS_REGION-prod-default-assets.s3.amazonaws.com/misc/opsworks-cm-ca-2016-root.pem AWS OpsWorks CA Chef (C:\chef\opsworks-cm-ca-2016-root.pem )

    2 region

    us-east-2 us-east-1 us-west-1 us-west-2 ap-northeast-1 ap-southeast-1 ap-southeast-2 eu-central-1 eu-west-1

    AWS OpsWorks for Chef Automate (UTC) UNDER_MAINTENANCE

    AWS OpsWorks for Chef Automate [Settings] [System maintenance]


    [System maintenance]

    AWS CLI AWS CLI AWS CLI 3

    create-server ( ARN ARN ) --preferred-maintenance-window create-server --preferred-maintenance-window Mon:08:00 8:00 (UTC)

    aws opsworks-cm create-server --engine "Chef" --engine-model "Single" --engine-version "12" --server-name "automate-06" --instance-profile-arn "arn:aws:iam::1019881987024:instance-profile/aws-opsworks-cm-ec2-role" --instance-type "t2.medium" --key-pair "amazon-test" --service-role-arn "arn:aws:iam::044726508045:role/aws-opsworks-cm-service-role" --preferred-maintenance-window "Mon:08:00"

    update-server --preferred-maintenance-window 6 15 (UTC)

    aws opsworks-cm update-server --server-name "automate-06" --preferred-maintenance-window "Fri:18:15"


    6 15 3

    aws opsworks-cm update-server --server-name "automate-06" --preferred-maintenance-window "18:15"

    AWS CLI create-server update-server

    AWS CLI AWS

    aws opsworks-cm start-maintenance --server-name server_name

    start-maintenance

    AWS OpsWorks for Chef Automate

    RunCommand SSH Chef Amazon (AMI) Amazon EC2 AMI

    Chef

    Important

    Chef

    AMI EC2 Amazon EC2 [Launch] [My AMIs] AMI Amazon EC2

    AWS OpsWorks for Chef Automate ChefCompliance

    Chef Compliance () Chef Compliance () Chef Compliance


    Note

    AWS OpsWorks for Chef Automate chef-client 13 x chef-client

    Chef Compliance Chef Compliance AWS OpsWorks for Chef Automate AWS OpsWorks for Chef Automate Chef Automate berks Audit Chef Automate Audit InSpec Chef Chef Automate 1.8 5.0.1 Audit InSpec 1.24.0

    AWS OpsWorks for Chef Automate opsworks-audit Chef Audit opsworks-audit chef-client Chef Compliance DevSec SSH Baseline opsworks-audit

    Compliance

    1. Chef Automate (p. 54)AWS OpsWorks for Chef Automate

    2. Chef Automate [Compliance]

    3. [Profile Store] [Available]

    4. 1 [>]


    5. Chef Automate [Get]
    6.

    opsworks-audit

    1. 6 AWS OpsWorks for Chef Automate roles/opsworks-example-role.rb ssh-hardening

    run_list(
      "recipe[chef-client]",
      "recipe[apache2]",
      "recipe[opsworks-audit]",
      "recipe[ssh-hardening]"
    )

    2. Berksfile Berksfile chef-client apache2 opsworks-audit Berksfile

    source 'https://supermarket.chef.io'
    cookbook 'chef-client'
    cookbook 'apache2', '~> 5.0.1'
    cookbook 'opsworks-audit', '~> 1.0.0', path: 'site-cookbooks/opsworks-audit'

    metadata.rb metadata.rb

    3. cookbooks

    berks vendor cookbooks


    4. AWS OpsWorks for Chef Automate

    knife upload .

    5. opsworks-audit

    knife cookbook list

    6. AWS OpsWorks for Chef Automate (p. 68) Chef (p. 52) 1 1 opsworks-example-role RUN_LIST userdata

    RUN_LIST="role[opsworks-example-role]"

    1 3: (p. 69) Amazon EC2

    RUN_LIST="recipe[chef-client],recipe[apache2],recipe[opworks-au