AWS

Bake Your Free Time – Vol II

09/19/2018 – September 21st, 2018

So, how does AWS SSM bake this cake?

In general, SSM uses an agent installed on each instance you want to maintain or monitor, plus an IAM role that your EC2 instances assume so that the agent is allowed to talk to the service. We attached the AWS managed policy ‘AmazonEC2RoleforSSM’ to that instance profile role. One caveat worth knowing: this managed policy is broad (among other things it grants S3 object read and write on every bucket in the account), so compare it against what your instances actually need rather than attaching it blindly; AWS has since deprecated it in favour of the narrower ‘AmazonSSMManagedInstanceCore’ policy. Apart from that we also leveraged the Maintenance Windows feature, which is really cool, because it allows you to specify a recurring time window during which Run Command and other tasks are executed. SSM wasn’t the only AWS service we used to bring this baking to an end, so we added the following ones:

  • AWS Lambda (FaaS) – lets us invoke a function prepared for one particular task:
    • the first one looks for the newest available Foundation AMI (an AMI provided by AWS) based on the given input parameters,
    • the second one deletes old images in accordance with the retention policy (CleanUp-Ami-Images),
  • S3 (AWS object storage) – a bucket for storing the Ansible playbooks used during the AMI baking process,
  • IAM (AWS Identity and Access Management) – we defined IAM roles and policies describing the relations among the services and their levels of permissions,
  • CloudFormation – as strong enthusiasts of IaC we used this service to describe everything as code; it gave us a convenient way to manage changes and to compare the recorded configuration against the desired one.

Then, to make the magic real, we decided to implement the whole process as a continuous one, and here SSM lent a helping hand with its Maintenance Windows feature, which according to the documentation “lets you define a schedule for when to perform potentially disruptive actions on your instances such as patching an operating system, updating drivers, installing software or patches”. Below you can see screenshots of our Maintenance Window configuration and, under the URL, a sample Document which has been used for Amazon Linux AMI baking. We’re using quite a similar one for Ubuntu.

Maintenance Window – configuration part 1

Maintenance Window – configuration part 2

Document Example:

https://chaosgears.com/chaos-publications/articles/ami-baking.zip

11 steps of Baking – AWS SSM Maintenance Window

As you’ve probably noticed in the picture above, we’ve set up 11 steps to prepare a single Base AMI image. Let me briefly describe what each step does:

  1. Invocation of the Lambda function, which looks for the newest Foundation AMI in the selected region based on the parameters passed in (AMI_Name, Owner),
  2. Launch of a temporary EC2 instance from the AMI selected in step 1,
  3. Verification that the SSM agent on the new instance is installed and reporting correctly,
  4. Update of all mandatory system packages,
  5. Installation of additional packages such as aws-cli or ansible,
  6. Download and run of the Ansible playbooks (prepared beforehand) from the S3 bucket,
  7. Creation of an AMI image from the EC2 instance (from step 2),
  8. Adding tags to make the image easily identifiable,
  9. Termination of the instance from step 2,
  10. Deletion of the instance from AWS,
  11. Invocation of another Lambda function, which deletes all old images (older than the value set in the parameter).

With these 11 easy steps we receive an up-to-date image with all the required packages, the latest updates and the vendor’s fixes for known security vulnerabilities. Keep in mind that a freshly baked image only protects the instances launched from it: whatever is already running from the previous AMI stays at its old patch level until you roll it over, so schedule the replacement of running instances alongside the bake.
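The two Lambda functions listed earlier (newest Foundation AMI lookup, and CleanUp-Ami-Images) are the bookends of the 11 steps above: step 1 and step 11. The following is an added example written for this article, not the authors’ own code from the linked zip. It splits each function into a pure decision rule (which runs offline on a constructed, describe_images-shaped sample) and a thin boto3 handler. The handler names, the event keys (Region, Owner, AmiName, RetentionDays) and the ‘Baked’ tag that step 8 is assumed to set are assumptions.

```python
"""Added example, not the authors' code: the logic of the two Lambda functions
the post describes, split so that the image-selection rules run offline.
The handler names, the event keys (Region, Owner, AmiName, RetentionDays)
and the 'Baked' tag are assumptions; boto3 is only imported inside the handlers."""
from datetime import datetime, timedelta, timezone

# Constructed sample, shaped like the 'Images' list returned by ec2.describe_images
SAMPLE_IMAGES = [
    {"ImageId": "ami-0000000000000001", "CreationDate": "2018-06-01T10:00:00.000Z",
     "State": "available", "BlockDeviceMappings": [{"Ebs": {"SnapshotId": "snap-0000000000000001"}}]},
    {"ImageId": "ami-0000000000000002", "CreationDate": "2018-09-01T10:00:00.000Z",
     "State": "available", "BlockDeviceMappings": [{"Ebs": {"SnapshotId": "snap-0000000000000002"}}]},
    {"ImageId": "ami-0000000000000003", "CreationDate": "2018-09-10T10:00:00.000Z",
     "State": "pending", "BlockDeviceMappings": []},
]


def parse_creation_date(value):
    # EC2 reports CreationDate as ISO-8601 UTC with milliseconds and a trailing 'Z'
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def find_newest_ami(images):
    """Step 1 of the bake: the ImageId of the newest *available* image, or None.
    Sorting by CreationDate rather than by name avoids picking a stale build
    whose name merely sorts higher."""
    available = [img for img in images if img.get("State") == "available"]
    if not available:
        return None
    return max(available, key=lambda img: parse_creation_date(img["CreationDate"]))["ImageId"]


def images_to_retire(images, retention_days, now=None, keep_latest=1):
    """Step 11 of the bake: ImageIds older than retention_days, always keeping
    the newest keep_latest images so a wrong parameter or a stalled pipeline
    can never leave the account with no baked image at all."""
    now = now or datetime.now(timezone.utc)
    cutoff = now - timedelta(days=retention_days)
    ordered = sorted(images, key=lambda img: parse_creation_date(img["CreationDate"]), reverse=True)
    return [img["ImageId"] for img in ordered[keep_latest:]
            if parse_creation_date(img["CreationDate"]) < cutoff]


def snapshot_ids(image):
    # Deregistering an AMI does not delete its EBS snapshots; collect them first
    return [bdm["Ebs"]["SnapshotId"] for bdm in image.get("BlockDeviceMappings", []) if "Ebs" in bdm]


def newest_foundation_ami_handler(event, context):
    import boto3
    ec2 = boto3.client("ec2", region_name=event["Region"])
    resp = ec2.describe_images(
        Owners=[event["Owner"]],  # "amazon" for Foundation AMIs
        Filters=[{"Name": "name", "Values": [event["AmiName"]]},  # e.g. "amzn-ami-hvm-*-x86_64-gp2"
                 {"Name": "state", "Values": ["available"]}],
    )
    ami_id = find_newest_ami(resp["Images"])
    if ami_id is None:
        raise RuntimeError("no Foundation AMI matched %r" % event["AmiName"])
    return {"ImageId": ami_id}


def cleanup_ami_images_handler(event, context):
    import boto3
    ec2 = boto3.client("ec2", region_name=event["Region"])
    # Only our own images, and only those the bake tagged (step 8), so unrelated AMIs are never touched
    resp = ec2.describe_images(Owners=["self"], Filters=[{"Name": "tag:Baked", "Values": ["true"]}])
    by_id = {img["ImageId"]: img for img in resp["Images"]}
    retired = images_to_retire(resp["Images"], int(event["RetentionDays"]))
    for image_id in retired:
        snaps = snapshot_ids(by_id[image_id])
        ec2.deregister_image(ImageId=image_id)
        for snap in snaps:
            ec2.delete_snapshot(SnapshotId=snap)
    return {"Deregistered": retired}
```

Two design choices matter for a pipeline that runs unattended: the cleanup only ever looks at images the account owns and the bake itself tagged, so a mis-set retention value cannot reach AMIs other teams rely on, and it always keeps the newest image regardless of age, so a bake that fails for a few weeks does not end with the last good image being deleted. Each Lambda’s execution role needs only ec2:DescribeImages (plus ec2:DeregisterImage and ec2:DeleteSnapshot for the cleanup one), so there is no reason to give it anything wider.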

The Finale

You can provision all packages manually, via Ansible/Chef or anything else, even AWS SSM. It generally doesn’t matter. We’ve chosen to put the repeatable tasks into one place and invoke the pipeline on a pre-set schedule.

At the end of the day you’ll find yourself at a point where you should ask yourself: “Do I want to be a cog in the machine, or automate my work to have more time for other cool things?” It’s up to you, but remember, no matter which way you choose: “do not reinvent the wheel, just adjust it to your requirements”. Our team has gained confidence and decreased the chance of mistakes occurring during manual package provisioning (previously done via Ansible). Such mistakes happen a lot, especially when you’re in a hurry doing many things at once. And last but not least: we are all aware of the saying that “time is money”, and we managed to save both. We believe that reducing the time wasted on repeatable tasks lets us accelerate our activities in other areas and therefore earn money. Keep in mind that in the contemporary world time is the most valuable currency.

It’s high time to Tame your CHaos!