Getting Started with AWS OpsWorks for Chef Automate - AWS OpsWorks

Getting Started with AWS OpsWorks for Chef Automate

Important

AWS OpsWorks for Chef Automate is no longer accepting new customers. Existing customers will be unaffected until May 5, 2024, at which time the service will become unavailable. We recommend that existing customers migrate to Chef SaaS or an alternative solution. For more information, see AWS OpsWorks for Chef Automate End of Life FAQs.

AWS OpsWorks for Chef Automate lets you run a Chef Automate server in AWS. You can provision a Chef server in about 15 minutes.

Starting May 3, 2021, AWS OpsWorks for Chef Automate stores some Chef Automate server attributes in AWS Secrets Manager. For more information, see Integration with AWS Secrets Manager.

The following walkthrough helps you create your first Chef server in AWS OpsWorks for Chef Automate.

Prerequisites

Before you begin, you must complete the following prerequisites.

Set Up a VPC

Your AWS OpsWorks for Chef Automate server must operate in an Amazon Virtual Private Cloud. You can add it to an existing VPC, use the default VPC, or create a new VPC to contain the server. For information about Amazon VPC and how to create a new VPC, see the Amazon VPC Getting Started Guide.

If you create your own VPC, or use an existing one, the VPC should have the following settings or properties.

  • The VPC should have at least one subnet.

    If your AWS OpsWorks for Chef Automate server will be publicly accessible, make the subnet public, and enable Auto-assign public IP.

  • DNS resolution should be enabled.

  • On the subnet, enable Auto-assign public IP.

If you are unfamiliar with creating VPCs or running your instances in them, you can run the following AWS CLI command to create a VPC with a single public subnet, by using an AWS CloudFormation template that AWS OpsWorks provides for you. If you prefer to use the AWS Management Console, you can also upload the template to the AWS CloudFormation console.

aws cloudformation create-stack --stack-name OpsWorksVPC --template-url https://s3.amazonaws.com/opsworks-cm-us-east-1-prod-default-assets/misc/opsworks-cm-vpc.yaml

Prerequisites for Using a Custom Domain (Optional)

You can set up your Chef Automate server on your own domain, specifying a public endpoint in a custom domain to use as the endpoint of your server. When you use a custom domain, all of the following are required, as described in detail in this section.

Set Up a Custom Domain

To run your Chef Automate server on your own custom domain, you will need a public endpoint of a server, such as https://aws.my-company.com. If you specify a custom domain, you must also provide a certificate and a private key, as described in the following sections.

To access the server after you create it, add a CNAME DNS record in your preferred DNS service. This record must point the custom domain to the endpoint (the value of the server's Endpoint attribute) that is generated by the Chef Automate server creation process. You cannot access the server by using the generated Endpoint value if the server is using a custom domain.

Get a Certificate

To set up your Chef Automate server on your own custom domain, you need a PEM-formatted HTTPS certificate. This can be a single, self-signed certificate, or a certificate chain. As you complete the Create Chef Automate server workflow, if you specify this certificate, you must also provide a custom domain and a private key.

The following are requirements for the certificate value:

  • You can provide either a self-signed, custom certificate, or the full certificate chain.

  • The certificate must be a valid X509 certificate, or a certificate chain in PEM format.

  • The certificate must be valid at the time of upload. A certificate can't be used before its validity period begins (the certificate's NotBefore date), or after it expires (the certificate's NotAfter date).

  • The certificate’s common name or subject alternative names (SANs), if present, must match the custom domain value.

  • The certificate must match the value of the Custom private key field.

Get a Private Key

To set up your Chef Automate server on your own custom domain, you need a private key in PEM format for connecting to the server by using HTTPS. The private key must not be encrypted; it cannot be protected by a password or passphrase. If you specify a custom private key, you must also provide a custom domain and a certificate.
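The certificate and private key requirements above can be checked locally before you start the Create Chef Automate server workflow. The following script is an added example, not part of the AWS documentation; it assumes the OpenSSL command-line tool (1.1.1 or later), and the function names, file names, and the `make_demo_pair` helper are illustrative. It tests expiry (NotAfter) automatically and prints both validity dates so that NotBefore can be reviewed.

```sh
#!/bin/sh
# Added example: pre-flight checks for the custom-domain certificate and key.
# Assumes the OpenSSL command-line tool (1.1.1 or later) is on PATH.
# File names and the domain passed in are illustrative.

# Private key must be PEM and must not be protected by a passphrase.
key_is_unencrypted() {
  ! grep -q 'ENCRYPTED' "$1" &&
    openssl pkey -in "$1" -noout -passin pass: >/dev/null 2>&1
}

# Certificate must parse as PEM X.509 and must not be past NotAfter.
# For a chain file, openssl x509 reads the first certificate (the leaf).
cert_not_expired() {
  openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1
}

# Certificate and private key must carry the same public key.
cert_matches_key() {
  pub_cert=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  pub_key=$(openssl pkey -in "$2" -pubout -passin pass: 2>/dev/null) || return 1
  [ -n "$pub_cert" ] && [ "$pub_cert" = "$pub_key" ]
}

# SANs (or the common name when no SAN is present) must cover the domain.
cert_covers_domain() {
  openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null |
    grep -q 'does match certificate'
}

# Run every check; usage: preflight CERT KEY DOMAIN
preflight() {
  rc=0
  key_is_unencrypted "$2" || { echo "FAIL: key is encrypted or unreadable"; rc=1; }
  cert_not_expired "$1" || { echo "FAIL: certificate unreadable or expired"; rc=1; }
  cert_matches_key "$1" "$2" || { echo "FAIL: certificate does not match key"; rc=1; }
  cert_covers_domain "$1" "$3" || { echo "FAIL: certificate does not cover $3"; rc=1; }
  # Print NotBefore/NotAfter so the validity window can be reviewed.
  openssl x509 -in "$1" -noout -dates 2>/dev/null || true
  return "$rc"
}

# Constructed sample: throwaway self-signed pair for trying the checks.
make_demo_pair() {  # usage: make_demo_pair DIR DOMAIN
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
    -keyout "$1/demo.key" -out "$1/demo.crt" >/dev/null 2>&1
}

if [ "$#" -eq 3 ]; then preflight "$@"; fi
```

Run it as `sh preflight.sh server.crt server.key aws.my-company.com` (file names are placeholders); a non-zero exit status means at least one requirement is not met.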

Set Up an EC2 Key Pair (Optional)

An SSH connection is not necessary or recommended for typical management of the Chef server; you can use knife commands to perform most management tasks on your Chef server.

An EC2 key pair is required to connect to your server by using SSH in the event that you lose or want to change the sign-in password for the Chef Automate dashboard. You can use an existing key pair, or create a new key pair. For more information about how to create a new EC2 key pair, see Amazon EC2 Key Pairs.

If you don't need an EC2 key pair, you are ready to create a Chef server.