AWS Deployment with AWS Managed Database
Warning
Follow the steps below to deploy Chef Automate High Availability (HA) on AWS (Amazon Web Services) cloud with Managed AWS Services. Please see the AWS Deployment Prerequisites page and move ahead with the following sections of this page.
Warning
- Do not modify the workspace path. It should always be
/hab/a2_deploy_workspace
- We currently don’t support AD managed users in nodes. We only support local Linux users.
- If you have configured a sudo password for the user, you must create an environment variable
sudo_password
and set the password as the variable’s value. Example:export sudo_password=<password>
. And then, run all sudo commands with thesudo -E or --preserve-env
option. Example:sudo -E ./chef-automate deploy config.toml --airgap-bundle automate.aib
. This is required for thechef-automate
CLI to run the commands with sudo privileges. Please refer this for details. - The SSH user should have execute permissions on the
/tmp
directory. - If SELinux is enabled, deployment with configure it to
permissive
(Usually in case of RHEL SELinux is enabled)
Run these steps on Bastion Host Machine
Run the below commands to download the latest Automate CLI and Airgapped Bundle:
#Run commands as sudo. sudo -- sh -c " #Download Chef Automate CLI. curl https://chefdownload-commercial.chef.io/files/current/latest/chef-automate-cli/chef-automate_linux_amd64.zip \ | gunzip - > chef-automate && chmod +x chef-automate \ | cp -f chef-automate /usr/bin/chef-automate #Download the latest Airgapped Bundle. #To download specific version bundle, example version: 4.2.59 then replace latest.aib with 4.2.59.aib curl https://chefdownload-commercial.chef.io/airgap_bundle/current/automate/latest.aib -o automate.aib "
Note
Chef Automate bundles are available for 365 days from the release of a version. However, the milestone release bundles are available for download forever.
Steps to Generate Config
Generate config with relevant data using the below command:
chef-automate config gen config.toml
To know more about on how to generate config, refer to the Automate HA Config Generation page.
Note
You can also generate a configuration file using the
init-config
subcommand. The command is as shown below:chef-automate init-config-ha aws
Warning
The following characters aren’t allowed in passwords:
‘
`
"
'
\
;
$
Steps to Provision
Continue with the deployment after generating the config:
chef-automate provision-infra config.toml --airgap-bundle automate.aib
Note
fqdn
), make sure to map the load-balancer FQDN from the output of the previous command to your DNS from DNS ProviderConfig Verify
After successful provision, run verify config command:
sudo chef-automate verify -c config.toml
To know more about config verify, you can check Config Verify Doc page.
Once the verification is successfully completed, then proceed with deployment, In case of failure, please fix the issue and re-run the verify command.
Steps to deploy
The following command will run the deployment. The deploy command will first run the verify command internally, to skip verification process during deploy command use
--skip-verify
flagchef-automate deploy config.toml --airgap-bundle automate.aib
To skip verification in the deployment command, use
--skip-verify
flagchef-automate deploy config.toml --airgap-bundle automate.aib --skip-verify
Verify Deployment
Once the deployment is successful, Get the consolidated status of the cluster
chef-automate status summary
Get the service status from each node
chef-automate status
Post Deployment, you can run the verification command
chef-automate verfiy
Get the cluster Info
chef-automate info
After the deployment is completed. To view the Automate UI, run the command
chef-automate info
, and you will get theautomate_url
. If you want to change the FQDN URL from the load balancer URL to some other FQDN URL, then use the below template.- Create a file
a2.fqdn.toml
[global] [global.v1] fqdn = "AUTOMATE-DNS-URL-WITHOUT-HTTP"
- Run the command to apply the config from the bastion
chef-automate config patch a2.fqdn.toml --automate
- Create a file
cs.fqdn.toml
[global] [global.v1] fqdn = "AUTOMATE-DNS-URL-WITHOUT-HTTPS" [global.v1.external.automate] node = "https://AUTOMATE-DNS-URL"
- Run the command to apply the config from the bastion
chef-automate config patch cs.fqdn.toml --chef_server
- Create a file
Note
- Have DNS certificate ready in ACM for 2 DNS entries: Example:
chefautomate.example.com
,chefinfraserver.example.com
, Reference for Creating new DNS Certificate in ACM. - DNS should have entries for
chefautomate.example.com
andchefinfraserver.example.com
pointing to respective Load Balancers as shown in thechef-automate info
command
Check if Chef Automate UI is accessible by going to (Domain used for Chef Automate) https://chefautomate.example.com.
After successful deployment, proceed with the following:
- To know moe about the user and organization creation, check the Create Users and Organization section in Node Bootstrapping page.
- To know more about Workstation setup, see the Workstation Setup section.
- To know more about Node bootstrapping, see the Bootstraping a Node section.
Sample Config
Note
Note
- User only needs to create/set up the bastion node, a user with IAM role of Admin access and the S3 bucket access attached to it.
- The following config will create an S3 bucket for backup.
- To provide multiline certificates use triple quotes like
""" multiline certificate contents"""
.
[architecture]
[architecture.aws]
ssh_user = "ec2-user"
ssh_group_name = "ec2-user"
ssh_key_file = "/home/ec2-user/KEY_FILENAME.pem"
ssh_port = "22"
secrets_key_file = "/hab/a2_deploy_workspace/secrets.key"
secrets_store_file = "/hab/a2_deploy_workspace/secrets.json"
architecture = "aws"
workspace_path = "/hab/a2_deploy_workspace"
backup_mount = "/mnt/automate_backups"
backup_config = "s3"
s3_bucketName = "BUCKET_NAME"
[automate]
[automate.config]
admin_password = "test@343423"
fqdn = "chefautomate.example.com"
config_file = "configs/automate.toml"
root_ca = "-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----"
instance_count = "2"
[chef_server]
[chef_server.config]
fqdn = "chefserver.example.com"
lb_root_ca = "-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----"
instance_count = "2"
[opensearch]
[opensearch.config]
instance_count = "0"
[postgresql]
[postgresql.config]
instance_count = "0"
[aws]
[aws.config]
profile = "default" # This should be commented incase if IAM role is attached
region = "us-east-2"
aws_vpc_id = "vpc12318h"
private_custom_subnets = ["subnet-e556d512", "subnet-e556d513", "subnet-e556d514"]
public_custom_subnets = ["subnet-p556d512", "subnet-p556d513", "subnet-p556d514"]
ssh_key_pair_name = "my-key"
setup_managed_services = true
managed_opensearch_domain_name = "automate-ha"
managed_opensearch_domain_url = "vpc-automate-ha-a6uhtsu.ap-southeast-2.es.amazonaws.com"
managed_opensearch_username = "MY-USER-NAME"
managed_opensearch_user_password = "MY-OPENSEARCH-PASSWORD"
aws_os_snapshot_role_arn = "......."
os_snapshot_user_access_key_id = "......."
os_snapshot_user_access_key_secret = "......."
managed_rds_instance_url = "database-1.jux.us-east-2.rds.amazonaws.com:5432"
managed_rds_superuser_username = "MY-POSTGRES-SUPER-USER-NAME"
managed_rds_superuser_password = "MY-POSTGRES-PASSWORD"
managed_rds_dbuser_username = "MY-DB-USERNAME"
managed_rds_dbuser_password = "MY-DB-PASSWORD"
ami_id = "ami-08d4ac5b634553e16"
automate_server_instance_type = "m5.large"
chef_server_instance_type = "m5.large"
automate_lb_certificate_arn = "arn:aws:acm:ap-southeast-2:112758395563:certificate/9b04-6513-4ac5-9332-2ce4e"
chef_server_lb_certificate_arn = "arn:aws:acm:ap-southeast-2:112758395563:certificate/9b04-6513-4ac5-9332-2ce4e"
chef_ebs_volume_iops = "100"
chef_ebs_volume_size = "200"
chef_ebs_volume_type = "gp3"
automate_ebs_volume_iops = "100"
automate_ebs_volume_size = "200"
automate_ebs_volume_type = "gp3"
lb_access_logs = "true"
Minimum Changes required in the Sample Config
- Provide
ssh_user
which has access to all the machines. E.g.,ec2-user
- Provide a
ssh_key_file
path; this key should have access to all the Machines or VMs. E.g.:~/.ssh/user-key.pem
. - Provide
region
Eg:ap-southeast-2
. - Provide
aws_vpc_id
Eg:vpc-0a12*****
. - Provide
private_custom_subnets
andpublic_custom_subnets
. - Provide
ssh_key_pair_name
Eg:user-key
. - Provide
setup_managed_services
Eg:true
. - Provide
managed_opensearch_domain_name
,managed_opensearch_domain_url
,managed_opensearch_username
,managed_opensearch_user_password
. - Provide
managed_rds_instance_url
,managed_rds_superuser_username
,managed_rds_superuser_password
,managed_rds_dbuser_username
,managed_rds_dbuser_password
. - Provide
ami_id
for the region where the infra is created. Eg:ami-0bb66b6ba59664870
. - Provide
certificate ARN
for both automate and Chef servers inautomate_lb_certificate_arn
andchef_server_lb_certificate_arn
, respectively.
Uninstall Chef Automate HA
Danger
The cleanup
command will remove all AWS resources created by the provision-infra
command
Adding the --force
flag will remove object storage if it was created with the provision-infra
command.
To uninstall Chef Automate HA instances after successful deployment, run the below command in your bastion host. This will delete the AWS resources that are created during provision-infra.
chef-automate cleanup --aws-deployment --force
OR
chef-automate cleanup --aws-deployment
Following the cleanup
command the following command can be used to remove the deployment workspace in the Bastion machine. This will also remove the logs file inside the workspace.
hab pkg uninstall chef/automate-ha-deployment