Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
AWS and Ansible | Andrew Kurinnyi
Search
Matt Chung
February 11, 2015
Technology
1
100
AWS and Ansible | Andrew Kurinnyi
AWS and Ansible integration using CloudFormation.
Matt Chung
February 11, 2015
Tweet
Share
More Decks by Matt Chung
See All by Matt Chung
Serverless Architecture with AWS Lambda
itsmemattchung
0
220
@mwhuge - Tools don't matter @OCDevOps
itsmemattchung
0
100
Scale13X DevOps for the enterprise | Fox | Matt Chung
itsmemattchung
0
75
DevOps Journey for Fox | Matt Chung
itsmemattchung
0
110
Other Decks in Technology
See All in Technology
Claude Code Actionを使ったコード品質改善の取り組み
potix2
PRO
6
2.3k
Witchcraft for Memory
pocke
1
370
地図も、未来も、オープンに。 〜OSGeo.JPとFOSS4Gのご紹介〜
wata909
0
110
25分で解説する「最小権限の原則」を実現するための AWS「ポリシー」大全 / 20250625-aws-summit-aws-policy
opelab
9
1.2k
あなたの声を届けよう! 女性エンジニア登壇の意義とアウトプット実践ガイド #wttjp / Call for Your Voice
kondoyuko
4
450
Fabric + Databricks 2025.6 の最新情報ピックアップ
ryomaru0825
1
140
生成AI活用の組織格差を解消する 〜ビジネス職のCursor導入が開発効率に与えた好循環〜 / Closing the Organizational Gap in AI Adoption
upamune
5
3k
強化されたAmazon Location Serviceによる新機能と開発者体験
dayjournal
2
210
5min GuardDuty Extended Threat Detection EKS
takakuni
0
150
Github Copilot エージェントモードで試してみた
ochtum
0
110
「Chatwork」の認証基盤の移行とログ活用によるプロダクト改善
kubell_hr
1
170
GitHub Copilot の概要
tomokusaba
1
130
Featured
See All Featured
Let's Do A Bunch of Simple Stuff to Make Websites Faster
chriscoyier
507
140k
The Invisible Side of Design
smashingmag
300
51k
For a Future-Friendly Web
brad_frost
179
9.8k
GraphQLとの向き合い方2022年版
quramy
48
14k
Fireside Chat
paigeccino
37
3.5k
CoffeeScript is Beautiful & I Never Want to Write Plain JavaScript Again
sstephenson
161
15k
実際に使うSQLの書き方 徹底解説 / pgcon21j-tutorial
soudai
PRO
181
53k
Bootstrapping a Software Product
garrettdimon
PRO
307
110k
Learning to Love Humans: Emotional Interface Design
aarron
273
40k
Raft: Consensus for Rubyists
vanstee
140
7k
How GitHub (no longer) Works
holman
314
140k
Code Review Best Practice
trishagee
68
18k
Transcript
AWS!infrastructure!with!Ansible! and!CloudForma2on
Pieces&of&a&puzzle • Provisioning*of*resources*(VPC,*EC2,*ELB,*S3) • Machine*configura>on*(Ansible)
Provisioning)*)CloudForma2on An#AWS&specific#tool#which#makes#it#easier#to#deploy'the' collec+on'of'AWS'resources#you#need#to#run#your#applica9on# repeatedly'and'predictably#using#a#declara+ve'template
Pros • Infrastructure,as,a,code • Reusable,templates • Transac5onal,updates • Extensible
Cons • AWS%only • Not%always%up%to%date%with%latest%features • Wri7ng%custom%resources%is%a%bit%of%a%pain • Large%JSON%templates%could%be%hard%to%maintain Alterna(ve:+Terraform.io
Managing&mul*ple&stacks&with&Ansible --- - hosts: localhost connection: local gather_facts: False vars:
project: cftest environment: production region: us-east-1 tasks: - name: Create VPC cloudformation: stack_name={{ environment }}-{{ project }}-vpc state=present region="{{ region }}" template=vpc.json args: template_parameters: cidr: 10.8.0.0/16 register: vpc
- name: Create RDS cloudformation: stack_name={{ environment }}-{{ project }}-rds
state=present region="{{ region }}" template=rds.json args: template_parameters: vpcid: {{ vpc['stack_outputs']['VPCID'] }} subnets: {{ vpc['stack_outputs']['DbSubnets'] }} subnet_index: 0 register: rds
- name: Create WEB cloudformation: stack_name={{ environment }}-{{ project }}-web
state=present region="{{ region }}" template=web.json args: template_parameters: vpcid: {{ vpc['stack_outputs']['VPCID'] }} subnets: {{ vpc['stack_outputs']['PublicSubnets'] }} project: {{ project }} environment: {{ environment }} rds_endpoint: {{ rds['stack_outputs']['RDSEndpoint'] }} register: web
Machine(configura.on(/(Ansible Once%you%brought%up%your%fleet%you%need%to%configure%them Ansible(uses(SSH(to(connect(to(your(machines(and(run(commands
Ansible • Agentless)*)connect)to)servers)via)SSH • Tasks)are)sequen7al • Reusability)through)"roles"
Ansible(Inventory vpn.example.com [elasticsearch] foo.example.com bar.example.com [web] one.example.com two.example.com three.example.com
Ansible(Playbooks(.(Configura4on --- - hosts: elasticsearch sudo: true roles: - role:
elasticsearch - role: users - hosts: web sudo: true roles: - role: nginx - role: supervisord - role: users
Ansible(Playbooks(.(Deploy --- - hosts: web sudo: true roles: - role:
scout - role: celery - role: uwsgi
Ansible(Playbooks(.(Nginx(tasks --- - name: add nginx ppa apt_repository: repo=ppa:nginx/stable state=present
- name: install nginx apt: pkg=nginx state=present - name: nginx config copy: src=etc/nginx/nginx.conf dest=/etc/nginx/nginx.conf notify: restart nginx - name: log folder permissions file: path=/var/log/nginx/ state=directory owner=deploy group=adm - name: cache folder file: path=/var/cache/nginx/ state=directory owner=deploy group=adm - name: launch nginx service: name=nginx state=running enabled=yes
Ansible(Playbooks(.(Run $ ansible all -m ping $ ansible web -m
ping $ ansible-playbook -i ec2.py site.yml $ ansible-playbook -i ec2.py deploy.yml -f 10
Ansible(challenges • Managing'inventories'across'mul2ple'accounts • Provisioning'machines'across'mul2ple'VPCs • Provisioning'on'startup
Mul$ple'accounts 'ec2.py'(dynamic(inventory(works(with(a(single(account h"ps:/ /raw.github.com/ansible/ansible/devel/plugins/inventory/ ec2.py ansible -i ec2.py -u ubuntu
us-east-1d -m ping
Mul$ple'accounts 'ansible)inventory'/IAM/role/in/each/account/with/read)only/ permissions [ec2] iam_roles = arn:aws:iam::13000000001:role/ansible-inventory,arn:aws:iam::25000000002:role/ansible-inventory regions = us-east-1
regions_exclude = # us-gov-west-1,cn-north-1
Mul$ple'accounts • one%central%role%with%'sts:AssumeRole'%permissions • changed%'ec2.py'%to%iterate%through%role%ARNs,%and%run% 'assume_role'%on%each%one • once%we%have%all%the%instances,%generate%dynamic%inventory
ec2.py def get_all_instances(self, iam_role=None): for region in self.regions: kwargs =
{} if iam_role: conn = sts.connect_to_region(region) role = conn.assume_role(iam_role, "AnsibleInventory") kwargs = { 'aws_access_key_id': role.credentials.access_key, 'aws_secret_access_key': role.credentials.secret_key, 'security_token': role.credentials.session_token } self.get_instances_by_region(region, **kwargs) if self.rds_enabled: self.get_rds_instances_by_region(region, **kwargs)
Mul$ple'VPCs • VPC%peering • One%central%infrastructure%VPC%peered%with%individual%app%VPCs
Provisioning)on)startup • Keep%a%zip%with%Ansible%config%in%s3%bucket • Use%UserData%script%to%download%the%latest%ansible%config • Run%it%locally • You%s?ll%need%to%run%'ec2.py'%inventory%script%to%determine% instance%group%membership
Provisioning)on)startup #cloud-config # vim: syntax=yaml packages: - git-core - python-dev
- python-virtualenv - python-pip - awscli runcmd: - update-ca-certificates --fresh - aws --region us-east-1 s3 cp s3://<your_bucket_name>/ansible_config/$(aws --region us-east-1 s3 ls s3://<your_bucket_name>/ansible_config/ | awk '{print $4}' | tail -n1) /tmp/ansible_config.tar.gz - cd /tmp; tar -xzvf ansible_config.tar.gz - cd /tmp/ansible_config; pip install -r requirements.txt - cd /tmp/ansible_config; EC2_INI_PATH="/tmp/ansible_config/config/local.ini" ansible-playbook -i ec2.py site.yml --connection=local --limit `ec2metadata --local-ipv4`,localhost,127.0.0.1 - cd /tmp/ansible_config; EC2_INI_PATH="/tmp/ansible_config/config/local.ini" ansible-playbook -i ec2.py deploy.yml --connection=local --limit `ec2metadata --local-ipv4`,localhost,127.0.0.1 - cd /tmp/ansible_config; EC2_INI_PATH="/tmp/ansible_config/config/local.ini" ansible-playbook -i ec2.py notify.yml --connection=local --limit `ec2metadata --local-ipv4`,localhost,127.0.0.1
Other&challenges • Accessing)your)private)network)4)OpenVPN)(pritunl.com) • Service)discovery)4)Route53)Internal)HostedZones,)Consul • SSH)into)instances)for)developers)by)tags)4)Fabric)script)which) uses)jumpbox)as)a)gateway)host
Ques%ons?
Thank&you