Puppet on AWS
Quick Start Reference Deployment Guide

Implementation Details

This section discusses the implementation of this Quick Start and explains the considerations for installing and configuring Puppet on AWS. Note that some steps are manual and others are automated for you by this Quick Start.

AWS Services

The core AWS components used by this Quick Start include the following AWS services. (If you are new to AWS, see the Getting Started section of the AWS documentation.)

  • Amazon VPC – The Amazon Virtual Private Cloud (Amazon VPC) service lets you provision a private, isolated section of the AWS Cloud where you can launch AWS services and other resources in a virtual network that you define. You have complete control over your virtual networking environment, including selection of your own IP address range, creation of subnets, and configuration of route tables and network gateways.

  • Amazon EC2 – The Amazon Elastic Compute Cloud (Amazon EC2) service enables you to launch virtual machine instances with a variety of operating systems. You can choose from existing Amazon Machine Images (AMIs) or import your own virtual machine images.

  • Amazon Route 53 – Amazon Route 53 is a highly available and scalable cloud Domain Name System (DNS) web service. It is designed to give developers and businesses an extremely reliable and cost-effective way to route end users to Internet or internal applications by translating host names to IP addresses.

Puppet Master Installation

This Quick Start deploys the Puppet master on an EC2 instance that is running Ubuntu 14.04. The installation is automated with a user data script that executes when the instance is launched via AWS CloudFormation. The Open Source version of Puppet is installed using a package called puppetmaster-passenger, which is provided by Puppet Labs. This package deploys the Puppet master, including a production-ready web server implementation of Passenger with Apache. For more information about Passenger, see the documentation on the Puppet Labs website.

In addition to installing the Puppet master, this Quick Start downloads preconfigured Puppet modules from Amazon Simple Storage Service (Amazon S3), which will enable you to apply a web server configuration to both the Windows and Linux nodes.

Certificates and DNS Names

The Puppet master acts as a certificate authority (CA), and SSL certificates are used to authenticate communications between the master and agent nodes. Since the Puppet master is a CA, it will generate its own certificates, which will be used to sign agent certificate requests.

Because this Quick Start pre-provisions record sets for each EC2 instance in Amazon Route 53, the Puppet master will use the host name by default. During the automated setup of Puppet, the master’s CA certificates will be generated using this host name. This ensures that clients that connect to the master using its predetermined host name will see the correct host name on the certificate. Using the default host name eliminates the need to regenerate the certificates after a typical installation to include the appropriate name.

Puppet agents need to be configured to connect to your Puppet master, and the Quick Start automates that work. If you want to use different host names, you can simply download a copy of the templates, modify them to use your desired host names, and then launch the stack to automatically configure your master and agents. Keep in mind that the Quick Start downloads configuration files, modules, and manifests from Amazon S3 that include these names, so you’ll also want to download and modify those if you want to customize your deployment.

The first time the Puppet agent runs on a node, it will send a certificate signing request to the master. Typically, this is not done automatically, and you must sign the agent certificate on the master server before you can start controlling the node.

In this Quick Start, certificate signing requests from the Linux and Windows agents are whitelisted by using the autosign.conf configuration file on the Puppet master. This file includes the names and As with DNS name resolution, the Quick Start provisions record sets for these names for you in an Amazon Route 53 private hosted zone, and configures the agents to use these host names within the operating system. Using the autosigning configuration file with this Quick Start enables you to get up and running quickly. However, for production environments you’ll likely want to manually sign agent requests, or use Puppet’s policy-based interface for autosigning certificates.

Puppet Agent Installation

The Linux agent deployed by this Quick Start also runs Ubuntu 14.04, like the master. The installation of the agent takes place after the master has been deployed. The Quick Start runs a simple user data script when it launches the agent via AWS CloudFormation. This script installs the agent and configures it to point to the master at, and the server automatically requests and signs the agent certificate.

The Windows agent is deployed on an instance running Windows Server 2012 R2. As with Linux, the Quick Start runs a simple user data script to install and configure the agent at launch, after the master has already been deployed. In addition, the Quick Start automatically downloads and installs the puppetlabs-powershell and puppetlabs-windowsfeature modules from the Puppet Forge. These modules are used within a module manifest that installs the IIS web server with all required components and support for ASP.NET websites.

Managing AWS Resources with Puppet

You can use the AWS module from Puppet Labs to provision, configure, and manage AWS resources in a consistent and repeatable manner. You can use this module to audit AWS resources, launch Auto Scaling groups in the VPC, perform unit testing, and more. The module supports the following AWS services:

  • Amazon EC2

  • Amazon VPC

  • Elastic Load Balancing

  • Auto Scaling

  • Security groups

  • Amazon Route 53 DNS

To learn more, see Provision, Configure & Manage AWS Resources with Puppet Enterprise on the Puppet Labs website.