
A Puppet ENC which assigns Nodes based on their AWS EC2 metadata.

Project description

A Puppet ENC which assigns Nodes based on their AWS EC2 Tags. Additionally, all EC2 Tags are made available to Puppet as trusted Top Level Variables with the ec2_tag_ prefix.

Problem summary

Historically, I used the ec2tagfacts module to classify Puppet Nodes in AWS EC2. This works great! The Puppet Agents enumerate their own EC2 Tags using the module and they report the Tags to the Puppet Master as Untrusted Facts. These Facts can then be used by the Enterprise Node Classifier to assign Classes to the Node.

For example, I created an Environment and Role tag in EC2 that are reported by the Puppet Agent and used to assign the Node to the matching Puppet Environment and Role class.

There are a few problems with this approach:

  • Every EC2 Instance must be assigned permission to read its own tags, and consequently, the tags of any other EC2 Instance

  • A managed agent could spoof the EC2 Tag Facts to retrieve the configuration for any other class or environment

  • When using the Puppet Enterprise console, a Classification Group had to be created for every Role in every Environment

This solution mitigates these issues as:

  • Only the Puppet Master needs permission to read tags

  • EC2 tags are provided by the ENC as Top Level Variables - these cannot be spoofed by an agent and are therefore more secure

  • No additional configuration is required in the Enterprise Console

Usage

This ENC assumes you are using the Roles and Profiles paradigm and intend to assign a single Role class to each node, with the role:: prefix.

Each managed EC2 Instance must have the following EC2 Tags assigned:

  • Environment - The Puppet Environment to assign (default: production)

  • Role - the Role class to assign, excluding the role:: prefix

Installation

Install the classifier on your Puppet Master with the following:

$ pip install puppet-enc-ec2

# or

$ curl -o /usr/local/bin/puppet-enc-ec2 \
    https://raw.githubusercontent.com/cavaliercoder/puppet-enc-ec2/master/bin/puppet-enc-ec2
$ chmod +x /usr/local/bin/puppet-enc-ec2

Configure the Puppet Master to use the executable Node Classifier in puppet.conf as follows:

[master]
  node_terminus = exec
  external_nodes = /usr/local/bin/puppet-enc-ec2

The Puppet Master will also need the following IAM Policy applied so that it can query the EC2 API for Instance metadata:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["ec2:DescribeInstances"],
            "Resource": "*"
        }
    ]
}

For more information about installing a custom ENC, see: https://puppet.com/docs/puppet/latest/nodes_external.html

Configuration

The script uses the Amazon AWS SDK (boto3) to connect to AWS. The SDK must be configured with credentials to connect to the AWS APIs. Please see the Boto3 documentation for instructions.

In addition, the desired AWS Region should be configured by modifying the script, or setting the AWS_DEFAULT_REGION environment variable.

Example

# test the classifier for an EC2 Instance
$ puppet-enc-ec2 i-deadbeefcafebabe
---
classes:
  role::web_server:
environment: production
parameters:
  ec2_tag_name: WebServer
  ec2_tag_description: Web Application Server
  ec2_tag_environment: production
  ec2_tag_role: web_server
  ec2_tag_aws_cloudformation_logical_id: WebServer
  ec2_tag_aws_cloudformation_stack_id: arn:aws:cloudformation:us-east-1:123456789000:stack/cf-web-server/0f7b6bb0-9d1a-11e7-848e-50fa575f68fe
  ec2_tag_aws_cloudformation_stack_name: cf-web-server
  ec2_tags:
    Name: WebServer
    Description: Web Application Server
    Environment: production
    Role: web_server
    aws:cloudformation:logical-id: WebServer
    aws:cloudformation:stack-id: arn:aws:cloudformation:us-east-1:123456789000:stack/cf-web-server/0f7b6bb0-9d1a-11e7-848e-50fa575f68fe
    aws:cloudformation:stack-name: cf-web-server
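As an added illustration of the mapping described under Usage and shown in the Example output (example code written for this page, not the project's puppet-enc-ec2 script), the function below classifies a node from a DescribeInstances response constructed inline. The ec2_tag_ key normalisation is inferred from the Example above, and the Role-tag validation is an extra check not described on the page; in the real script the instance ID is the certname the Puppet master passes as the argument and the response comes from boto3.

```python
import json, re, sys

TAG_PREFIX = "ec2_tag_"
DEFAULT_ENVIRONMENT = "production"
ROLE_PATTERN = re.compile(r"^[a-z][a-z0-9_]*$")  # added check: plain class-name segment only

# Constructed sample in the shape boto3's ec2.describe_instances() returns.
SAMPLE_RESPONSE = {"Reservations": [{"Instances": [{
    "InstanceId": "i-deadbeefcafebabe",
    "Tags": [
        {"Key": "Name", "Value": "WebServer"},
        {"Key": "Environment", "Value": "production"},
        {"Key": "Role", "Value": "web_server"},
        {"Key": "aws:cloudformation:logical-id", "Value": "WebServer"},
    ],
}]}]}

def instance_tags(response, instance_id):
    """Return {Key: Value} for the instance, or None if it is not in the response."""
    for reservation in response.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            if inst.get("InstanceId") == instance_id:
                return {t["Key"]: t["Value"] for t in inst.get("Tags", [])}
    return None

def variable_name(tag_key):
    """'aws:cloudformation:logical-id' -> 'ec2_tag_aws_cloudformation_logical_id' (inferred rule)."""
    return TAG_PREFIX + re.sub(r"[^a-z0-9]", "_", tag_key.lower())

def classify(instance_id, response):
    """Build the ENC document as a dict (the real script serialises it as YAML)."""
    tags = instance_tags(response, instance_id)
    if tags is None:  # unknown node: fail, so the master compiles no catalog for it
        raise LookupError("no EC2 instance %s in response" % instance_id)
    role = tags.get("Role")
    if not role or not ROLE_PATTERN.match(role):  # Role is mandatory (see Usage)
        raise ValueError("instance %s has a missing or invalid Role tag" % instance_id)
    parameters = {variable_name(k): v for k, v in tags.items()}
    parameters["ec2_tags"] = dict(tags)  # raw tags, as in the Example output
    return {
        "classes": {"role::" + role: None},
        "environment": tags.get("Environment", DEFAULT_ENVIRONMENT),
        "parameters": parameters,
    }

if __name__ == "__main__":
    # Stand-alone demo against the constructed sample; JSON is used only for display here.
    node = sys.argv[1] if len(sys.argv) > 1 else "i-deadbeefcafebabe"
    print(json.dumps(classify(node, SAMPLE_RESPONSE), indent=2))
```

Because the ENC is invoked with the node's certname, the classification is only as trustworthy as the binding between that certname and the instance ID enforced when the agent's certificate is signed.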

Download files

Source Distribution
puppet-enc-ec2-1.0.0.tar.gz (4.8 kB)

Hashes for puppet-enc-ec2-1.0.0.tar.gz
Algorithm    Hash digest
SHA256       afb5f5fad10ef4657c93501b02ccbfa3ba74a48ad17502a7fbac170a4c52fa68
MD5          dc299d9380a2cd590bc3d093288fe5aa
BLAKE2b-256  eb81d4396ff76ba0daf8d7049e11b11da9fba24e6308dd0e3b7bcdb1f8454508
