Introduction

We recently worked with one of our clients to provide a configuration management capability. This capability assists them with managing the more traditional operating system and application settings on the AWS EC2 instances that run “long lived” applications; more specifically, those with lower automation capabilities, or with characteristics that did not lend themselves well to blue/green release methodologies.

As they already had an existing Puppet code base and skill set, they opted to introduce a Puppet Enterprise Master into their environment to handle the configuration and compliance reporting of these particular instances.

Over the last 10 years, Sourced has been involved in a number of Puppet Enterprise deployments and is intimately familiar with some of the challenges that can come with installing and maintaining Puppet Enterprise. As a result, we set ourselves a number of additional objectives to ensure that the solution was highly performant, resilient to failure, secure and easy to operate.

These objectives were:

- Ensure the solution had the highest levels of automation so that operational overhead was minimal
- Ensure that the solution leveraged an Infrastructure as Code and/or API first approach to deployment and configuration
- Ensure that the solution could seamlessly integrate into the client's existing tool chains; specifically:
  - Datadog for Monitoring
  - Splunk for Logging & SIEM
  - Atlassian Bitbucket Server for CI/CD & code management
- Ensure that the solution could be easily recovered to a known good state in the event of catastrophic failure of the underlying infrastructure
- Ensure that the solution could be used as a service across the wider AWS environments
- Ensure that the solution was deployed with a high level of security in place:
  - Deployed into the client’s private shared services VPCs with no Internet facing interfaces
  - Leveraged encryption and strong authentication (for data, users and systems connecting to the solution)
  - Integrated into the group’s single sign-on systems (Active Directory)
  - Used a least privilege model for access control (deploy tokens, RBAC, etc.)

In this blog post, we will walk you through how we used AWS OpsWorks CM Puppet to deliver an extremely lightweight and highly automated Puppet service in the client’s environment that met all of these objectives. We will also provide some sample code to assist you in implementing it yourself.

Please be aware that this blog post assumes that you are familiar with a number of Puppet Enterprise and AWS concepts.

If you are still learning these technologies, we encourage you to look at the excellent learning resources below: