Automate All The Things Software Defined Infrastructure with AWS CloudFormation, Docker and Jenkins

Automate All AWS Things.key

Feb 14, 2017

Transcript
Page 1: Automate All AWS Things.key

Automate All The Things

Software Defined Infrastructure with

AWS CloudFormation, Docker and Jenkins

Page 2: Automate All AWS Things.key
Page 3: Automate All AWS Things.key

Mark Fischer

• 20 Years of Web Application Development

• 5 Years of Infrastructure Tools Development

• 2 Years AWS Cloud Automation Development

Page 4: Automate All AWS Things.key

Overview

• Codify Infrastructure Decisions

• Document Deployment Processes

• Ensure Repeatable Operations

• Empower Developers and Product Owners

Page 5: Automate All AWS Things.key

huh, it worked last time

Page 6: Automate All AWS Things.key
Page 7: Automate All AWS Things.key
Page 8: Automate All AWS Things.key
Page 9: Automate All AWS Things.key

are you sure you installed the fizbuzz_x86_64 library correctly?

Page 10: Automate All AWS Things.key
Page 11: Automate All AWS Things.key

how are we going to do user training in prod?

we need another dev environment

*apologies to piecomic.com

Page 12: Automate All AWS Things.key

Automation Progression

Manual Infrastructure Provisioning ➡ CloudFormation

Manual Environment Configuration ➡ Docker

Manual Code Deployment ➡ Jenkins

Page 13: Automate All AWS Things.key

Infrastructure Provisioning

Time for me to get new infrastructure provisioned:

    A few years ago    Operations Staff                1 Week
    Last year          Better Operations Procedures    1 Day
    Now                DevOps & AWS                    10 Minutes

Page 14: Automate All AWS Things.key

Manual AWS EC2 Instance

Provision a simple EC2 Instance for some testing and experimentation

Page 15: Automate All AWS Things.key

Manual AWS EC2 Instance

Page 16: Automate All AWS Things.key

Manual AWS EC2 Instance

Page 17: Automate All AWS Things.key

Manual AWS EC2 Instance

Page 18: Automate All AWS Things.key

Manual AWS EC2 Instance

Page 19: Automate All AWS Things.key

Manual AWS EC2 Instance

Page 20: Automate All AWS Things.key

Manual AWS EC2 Instance

Page 21: Automate All AWS Things.key

Manual AWS EC2 Instance

Page 22: Automate All AWS Things.key

Manual AWS EC2 Instance

Page 23: Automate All AWS Things.key

Manual AWS EC2 Instance

Page 24: Automate All AWS Things.key

Manual AWS EC2 Instance

Page 25: Automate All AWS Things.key

Manual AWS EC2 Instance

Page 26: Automate All AWS Things.key

Manual AWS EC2 Instance

Page 27: Automate All AWS Things.key

Security Group

SSH Key

Page 28: Automate All AWS Things.key
Page 29: Automate All AWS Things.key

[Diagram: Security Group, Security Group, Security Group, DB Subnet Group, DB Option Group, ...]

10+ Separate Resources

Page 30: Automate All AWS Things.key

Security Group SSH Key

Page 31: Automate All AWS Things.key

CloudFormation

Codify Infrastructure Deployment

Page 32: Automate All AWS Things.key

CloudFormation

"AWS CloudFormation gives developers and systems administrators an easy way to create and manage a collection of related AWS resources, provisioning and updating them in an orderly and predictable fashion."

https://aws.amazon.com/cloudformation/

Page 33: Automate All AWS Things.key

CloudFormation

• JSON Text Document

• Defines AWS Resources

• Defines Resource Relationships

• Input Parameters for Flexibility

• Provisioning and De-Provisioning

Now With 100% More YAML!

Page 34: Automate All AWS Things.key

CloudFormation

• Originally All JSON Text Files

• Recently Added YAML Support

    "Resources": {
      "VpcEcsEas": {
        "Type": "AWS::EC2::VPC",
        "Properties": {
          "CidrBlock": { "Ref": "VPCcidr" },
          "EnableDnsSupport": true,
          "EnableDnsHostnames": true,
          "Tags": [ { "Key": "Name", "Value": { "Ref": "VPCName" } } ]
        }
      },
      "InternetGateway": {
        "Type": "AWS::EC2::InternetGateway",
        "Properties": {
          "Tags": [ { "Key": "Name", "Value": { "Fn::Join": [ "", [ { "Ref": "VPCName" }, " Internet Gateway" ] ] } } ]
        }
      },
      "InternetGatewayAttachment": {
        "Type": "AWS::EC2::VPCGatewayAttachment",
        "Properties": {
          "InternetGatewayId": { "Ref": "InternetGateway" },
          "VpcId": { "Ref": "VpcEcsEas" }
        }
      },

Page 35: Automate All AWS Things.key

• Parameters (Input Variables)

• Metadata

• Mappings

• Conditions

• Resources

• Outputs

    ---
    AWSTemplateFormatVersion: "2010-09-09"

    Parameters:
      # Pick Zone-A or Zone-B where this EC2 instance will be deployed.
      AZChoice:
        Description: "Availability Zone"
        Type: String
        AllowedValues:
          - "Zone-A"
          - "Zone-B"

    Mappings:
      # The two availability zones where this EC2 instance can be deployed in.
      ZoneMap:
        Zone-A:
          subnet: "subnet-e1c2f584"
          zone: "us-west-2a"
        Zone-B:
          subnet: "subnet-f28fda85"
          zone: "us-west-2b"

    Resources:
      # Deploys an EC2 instance with some tags.
      Ec2Instance:
        Type: "AWS::EC2::Instance"
        Properties:
          ImageId: !FindInMap ["OSImageMap", !Ref "OSType", "64"]
          KeyName: !Ref "KeyName"
          InstanceType: !Ref "InstanceType"
          AvailabilityZone: !FindInMap ["ZoneMap", !Ref "AZChoice", "zone"]
          NetworkInterfaces:
            - AssociatePublicIpAddress: "true"
              DeviceIndex: "0"
              GroupSet:
                - !Ref "InstanceSecurityGroup"
              SubnetId: !FindInMap ["ZoneMap", !Ref "AZChoice", "subnet"]
          Tags:
            - Key: "Name"
              Value: !Ref "HostName"

    Outputs:
      InstancePublicIP:
        Description: "The Public IP address of the instance"
        Value: !GetAtt Ec2Instance.PublicIp

Template Anatomy

Page 36: Automate All AWS Things.key

    # #### EC2 Instance
    #
    # Deploys the EC2 instance with some tags.
    Ec2Instance:
      Type: "AWS::EC2::Instance"
      Properties:
        ImageId: !FindInMap ["OSImageMap", !Ref "OSType", "64"]
        KeyName: !Ref "KeyName"
        InstanceType: !Ref "InstanceType"
        AvailabilityZone: !FindInMap ["ZoneMap", !Ref "AZChoice", "zone"]
        NetworkInterfaces:
          - AssociatePublicIpAddress: "true"
            DeviceIndex: "0"
            GroupSet:
              - !Ref "InstanceSecurityGroup"
            SubnetId: !FindInMap ["ZoneMap", !Ref "AZChoice", "subnet"]
        Tags:
          - Key: "Name"
            Value: !Ref "HostName"

    # #### Instance Security Group
    #
    # Security group for the EC2 instance, that allows you to SSH into the instance
    InstanceSecurityGroup:
      Type: "AWS::EC2::SecurityGroup"
      Properties:
        GroupDescription: "Allow ssh to client host"
        VpcId: !Ref "VPCID"
        SecurityGroupIngress:
          - IpProtocol: "tcp"
            FromPort: "22"
            ToPort: "22"
            CidrIp: "0.0.0.0/0"
        Tags:
          - Key: "Name"
            Value: !Sub "${HostName} Security Group"

    # #### Instance Role
    #
    # This is the IAM role that will be applied to the EC2 Instance. Any AWS specific
    # permissions that the node might need should be defined here.
    #
    EnvInstanceRole:
      Type: AWS::IAM::Role
      Properties:
        AssumeRolePolicyDocument:
          Version: '2012-10-17'
          Statement:
            - Effect: Allow
              Principal:
                Service:

• AWS Resources are codified in the Template

• Relationships Established

Template Anatomy

Page 37: Automate All AWS Things.key


Page 38: Automate All AWS Things.key


• Reference resources created within the template or passed in via parameters

• Order doesn't matter. CloudFormation builds its own dependency graph
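The template above opens SSH (port 22) to 0.0.0.0/0. As an added example (not code from the talk or the UA catalog), here is a small Python audit that walks a template in its JSON/dict form and reports security groups whose SSH or RDP ingress is reachable from any address, or whose source CIDR is a parameter that still needs an AllowedPattern; the template dict, the RestrictedSecurityGroup and its AdminCidr parameter are constructed for the example.

```python
"""Audit SecurityGroupIngress rules in a CloudFormation template held as a dict (JSON form)."""
import ipaddress

ADMIN_PORTS = {22: "ssh", 3389: "rdp"}  # ports that should never face the whole internet

# Constructed template: the page's InstanceSecurityGroup rule, plus a public web rule
# and a second group whose source CIDR comes from a parameter, for contrast.
DEMO_TEMPLATE = {"Resources": {
    "InstanceSecurityGroup": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
        "GroupDescription": "Allow ssh to client host", "VpcId": {"Ref": "VPCID"},
        "SecurityGroupIngress": [
            {"IpProtocol": "tcp", "FromPort": "22", "ToPort": "22", "CidrIp": "0.0.0.0/0"},
            {"IpProtocol": "tcp", "FromPort": "80", "ToPort": "80", "CidrIp": "0.0.0.0/0"},
        ]}},
    "RestrictedSecurityGroup": {"Type": "AWS::EC2::SecurityGroup", "Properties": {  # constructed
        "GroupDescription": "SSH from the admin network only", "VpcId": {"Ref": "VPCID"},
        "SecurityGroupIngress": [
            {"IpProtocol": "tcp", "FromPort": "22", "ToPort": "22", "CidrIp": {"Ref": "AdminCidr"}},
        ]}},
}}

def port_range(rule):
    """FromPort/ToPort are strings in the page's template; IpProtocol -1 means every port."""
    if str(rule.get("IpProtocol", "-1")) == "-1":
        return 0, 65535
    lo = int(rule.get("FromPort", 0))
    return lo, int(rule.get("ToPort", lo))

def source_is_world(rule):
    """True for 0.0.0.0/0 or ::/0, 'parameter' for a Ref/intrinsic, None for a group source."""
    cidr = rule.get("CidrIp") or rule.get("CidrIpv6")
    if cidr is None:
        return None
    if isinstance(cidr, dict):
        return "parameter"
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0

def audit_security_groups(template):
    """Return (resource, issue, port-range) tuples for admin ports reachable from anywhere."""
    findings = []
    for name, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::EC2::SecurityGroup":
            continue
        for rule in res.get("Properties", {}).get("SecurityGroupIngress", []):
            lo, hi = port_range(rule)
            exposed = "/".join(svc for port, svc in ADMIN_PORTS.items() if lo <= port <= hi)
            if not exposed:
                continue  # e.g. the port 80 web rule: public by design
            world = source_is_world(rule)
            if world is True:
                findings.append((name, f"{exposed} open to the world", f"{lo}-{hi}"))
            elif world == "parameter":
                findings.append((name, f"{exposed} CIDR from a parameter; pin it with AllowedPattern", f"{lo}-{hi}"))
    return findings
```

Run it against every template before it lands in the catalog; a world-open admin port fails the job, a parameterised CIDR is a reminder to constrain the parameter in the template itself.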

Page 39: Automate All AWS Things.key

Deploying a Template

Page 40: Automate All AWS Things.key

Deploying a Template

Page 41: Automate All AWS Things.key

Deploying a Template

Page 42: Automate All AWS Things.key

Deploying a Template

Page 43: Automate All AWS Things.key

Deploying a Template

Page 44: Automate All AWS Things.key

Deploying a Template

Page 45: Automate All AWS Things.key

Deploying a Template

Page 46: Automate All AWS Things.key

Deploying a Template

Page 47: Automate All AWS Things.key

Deploying a Template

Page 48: Automate All AWS Things.key

Deploying a Template

Page 49: Automate All AWS Things.key

Un-Deploying a Template

Page 50: Automate All AWS Things.key

Un-Deploying a Template

Page 51: Automate All AWS Things.key

Un-Deploying a Template

Page 52: Automate All AWS Things.key

Un-Deploying a Template

Page 53: Automate All AWS Things.key

Un-Deploying a Template

Page 54: Automate All AWS Things.key

Un-Deploying a Template

Security Group

Page 55: Automate All AWS Things.key

Command Line Deployments

• Filling out complex CloudFormation forms is still tedious

• Can create CloudFormation deployments via the aws-cli tools

• Parameters are fed in via a JSON parameters file

Page 56: Automate All AWS Things.key

Command Line Deployments

    [
      { "ParameterKey": "HostName",     "ParameterValue": "fischerm-ec2-demo" },
      { "ParameterKey": "KeyName",      "ParameterValue": "FischermUAPilots" },
      { "ParameterKey": "VPCID",        "ParameterValue": "vpc-12a98977" },
      { "ParameterKey": "AZChoice",     "ParameterValue": "Zone-A" },
      { "ParameterKey": "InstanceType", "ParameterValue": "t2.micro" },
      { "ParameterKey": "OSType",       "ParameterValue": "Amazon-Linux" }
    ]

    ---
    # EC2 Basic CloudFormation Deployment
    # -----------------------------------------
    #
    # This CloudFormation template will deploy a single EC2 instance with
    # its own security group.

    AWSTemplateFormatVersion: "2010-09-09"

    # Parameters
    # ----------
    #
    # These are the input parameters for this template. All of these parameters
    # must be supplied for this template to be deployed.
    Parameters:
      # HostName to be used in tagging the EC2 instance.
      HostName:
        Type: String
        Description: "Enter the name of the host or service, ie 'Civil Engineering Structures App', or 'UITS Cloud Services Testing', etc."

      # SSH Key Pair to be used on the application EC2 instances for emergency administrative access.
      KeyName:
        Description: "Amazon EC2 Key Pair"
        Type: "AWS::EC2::KeyPair::KeyName"

      # VPCID is the ID of the VPC where this template will be deployed.
      VPCID:
        Description: "Target VPC"
        Type: "AWS::EC2::VPC::Id"
        AllowedValues:
          - "vpc-12a98977"

      # Pick Zone-A or Zone-B where this EC2 instance will be deployed.
      AZChoice:
        Description: "Availability Zone"
        Type: String
        AllowedValues:
          - "Zone-A"
          - "Zone-B"

      # Default EC2 Instance Type for Application instances.
      InstanceType:
        Description: "EC2 Instance Type"
        Type: String
        Default: "t2.micro"
        AllowedValues:
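Added example (not part of the talk): a pre-flight check that compares a parameters file in the CLI's ParameterKey/ParameterValue shape with the template's Parameters section, so a missing required parameter or a value outside AllowedValues fails in the job before create-stack is ever called. The Parameters dict mirrors the excerpt above; the InstanceType AllowedValues list and the OSType parameter are constructed, since the slide's excerpt is cut off.

```python
"""Pre-flight check of a CloudFormation parameters file against the template's Parameters."""
import json

# Parameters section in dict form, mirroring the page's template excerpt. The
# InstanceType AllowedValues list (truncated on the slide) and OSType are constructed.
TEMPLATE_PARAMETERS = {
    "HostName": {"Type": "String"},
    "KeyName": {"Type": "AWS::EC2::KeyPair::KeyName"},
    "VPCID": {"Type": "AWS::EC2::VPC::Id", "AllowedValues": ["vpc-12a98977"]},
    "AZChoice": {"Type": "String", "AllowedValues": ["Zone-A", "Zone-B"]},
    "InstanceType": {"Type": "String", "Default": "t2.micro", "AllowedValues": ["t2.micro", "t2.small"]},
    "OSType": {"Type": "String", "AllowedValues": ["Amazon-Linux"]},
}

# The page's parameters file, in the shape the CLI reads from --parameters file://params.json.
PARAMETERS_FILE = json.dumps([
    {"ParameterKey": "HostName", "ParameterValue": "fischerm-ec2-demo"},
    {"ParameterKey": "KeyName", "ParameterValue": "FischermUAPilots"},
    {"ParameterKey": "VPCID", "ParameterValue": "vpc-12a98977"},
    {"ParameterKey": "AZChoice", "ParameterValue": "Zone-A"},
    {"ParameterKey": "InstanceType", "ParameterValue": "t2.micro"},
    {"ParameterKey": "OSType", "ParameterValue": "Amazon-Linux"},
])


def validate_parameters(template_params, parameters):
    """Return a list of problems; an empty list means the file can go to create-stack.

    `parameters` is the parameters file as a JSON string or as the already-parsed list.
    AWS-specific types (KeyPair::KeyName, VPC::Id) can only be resolved by the API, so
    they are checked here for presence and AllowedValues, not for existence.
    """
    entries = json.loads(parameters) if isinstance(parameters, str) else parameters
    supplied, problems = {}, []
    for entry in entries:
        key = entry.get("ParameterKey")
        if key in supplied:
            problems.append(f"{key}: supplied more than once")
        supplied[key] = entry.get("ParameterValue")
    for key in supplied:
        if key not in template_params:
            problems.append(f"{key}: not declared in the template")
    for key, spec in template_params.items():
        if key not in supplied:
            if "Default" not in spec:
                problems.append(f"{key}: required (no Default) but not supplied")
            continue
        allowed = spec.get("AllowedValues")
        if allowed is not None and supplied[key] not in allowed:
            problems.append(f"{key}: {supplied[key]!r} not in AllowedValues {allowed}")
    return problems
```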

Page 57: Automate All AWS Things.key

Command Line Deployments

Page 58: Automate All AWS Things.key

Command Line Deployments

Page 59: Automate All AWS Things.key

Configuration As Code

• CloudFormation allows you to codify your infrastructure deployments

• Each template deployment will be identical to previous ones

• Plain text files can be versioned and stored in source control

Page 60: Automate All AWS Things.key

Configuration As Code

Page 61: Automate All AWS Things.key

Configuration As Code

Page 62: Automate All AWS Things.key

UA CloudFormation Catalog

https://bitbucket.org/ua-ecs/service-catalog

Page 63: Automate All AWS Things.key

Docker

• Identify, codify, and encapsulate application dependencies

Page 64: Automate All AWS Things.key

Configuring new App Server

• Following notes from the last time

• Hopefully I wrote everything down…

Page 65: Automate All AWS Things.key

    FROM php:5.6-apache

    # Add application dependencies.
    RUN apt-get update && apt-get install -y \
        freetds-common \
        freetds-bin \
        freetds-dev \
        libapache2-mod-auth-cas \
        libcurl4-openssl-dev \
        libldap-2.4-2 \
        libldap2-dev \
        libxml2 \
        libxml2-dev \
        unixodbc \
        vim

    # Install Well Behaved Extensions
    RUN docker-php-ext-install \
        bcmath \
        curl \
        json \
        ldap \
        mbstring \
        mssql \
        opcache \
        pdo_mysql \
        soap

    # Copy over our application
    COPY app/ /var/www/html/

    # Run our custom startup script
    CMD ["startup.sh"]

docker git repository

built docker image

Page 66: Automate All AWS Things.key

Run Image Anywhere That Supports Docker

• Only need to install Docker on a host, no other dependencies

• Lots of Docker enabled environments

• AWS ECR & Elastic Beanstalk

• Azure

• Linode / Digital Ocean / etc.

    docker run -d --name yourapp \
        -p 80:80 -h yourapp.example.com \
        -e "PHP_db_user=ausername" \
        -e "PHP_db_pass=secret" \
        yourproj/dockerimage

Page 67: Automate All AWS Things.key

Jenkins

DevOps Glue

Page 68: Automate All AWS Things.key

Jenkins

• Really Fancy cron

• Configure jobs to run on-demand or scheduled

• Control access to jobs by user

• Store secrets encrypted & pass into jobs as they're run

Page 69: Automate All AWS Things.key

Jenkins

• Lots of built-in functionality

• Check out a git repository

• Build a Java Project

• Run shell scripts

• Integrations with services such as Slack, email, SMS, etc

• Chain jobs together on success or failure

Page 70: Automate All AWS Things.key

[Pipeline diagram; labels as they appear on the slide: docker project (app source), docker repository, Nexus, chef cookbooks, cookbooks.tar.gz, template library, CloudFormation Template, CloudFormation Stack, OpsWorks Stack (Environment), Instance(s), Application Deployment, Jenkins (several job steps), Secrets]

Page 71: Automate All AWS Things.key


Page 72: Automate All AWS Things.key


Page 73: Automate All AWS Things.key


Page 74: Automate All AWS Things.key


Page 75: Automate All AWS Things.key

Define Multiple Jobs

Page 76: Automate All AWS Things.key

Configuring Jobs

Page 77: Automate All AWS Things.key

Checkout git Repo

Page 78: Automate All AWS Things.key

Reference Secrets

Page 79: Automate All AWS Things.key

Build shell Script

Page 80: Automate All AWS Things.key
Page 81: Automate All AWS Things.key

Jenkins

• Restrict access to Jobs

• Certain people can create jobs

• Certain people can run jobs

• Certain people manage secrets

• Allows you to abstract AWS deployment capabilities

• A single AWS IAM User Credential can be used for multiple Jenkins Jobs

• IAM Credentials never leave Jenkins, stay encrypted

Page 82: Automate All AWS Things.key

Jenkins

• Examples

• App developers can provision & de-provision new environments

• Business Analysts can perform database refreshes (Load new Prod data to Dev for example)

• DevOps staff can manage Jenkins jobs without needing to setup AWS IAM Credentials for Job runners

Page 83: Automate All AWS Things.key

Sticking Points

• Automation takes more time up front to get right

• IAM Permissions

• Persistent File Storage

  • Try to use RDS / S3 as much as possible

  • EFS makes this slightly easier (AWS managed NFS service)

Page 84: Automate All AWS Things.key

Thank You

https://arizona.box.com/v/automate-things

fin