(Based on GARLC https://github.com/awslabs/lambda-runcommand-configuration-management)
THIS SCRIPT IS PROVIDED TO YOU "AS IS." TO THE EXTENT PERMITTED BY LAW, QUALYS HEREBY DISCLAIMS ALL WARRANTIES AND LIABILITY FOR THE PROVISION OR USE OF THIS SCRIPT. IN NO EVENT SHALL THESE SCRIPTS BE DEEMED TO BE CLOUD SERVICES AS PROVIDED BY QUALYS
Infrastructure as code has helped customers move into a continuous deployment phase, and the same concept can be leveraged to introduce continuous configuration management into their environment. In this mode, configuration management of instances happens automatically, using these technologies, as configurations are committed to version control. Consider a scenario where infrastructure as code is stored in a git repository as an Ansible playbook: when any change or addition is made, such as introducing a playbook that installs QCA, and committed to the master branch, it gets deployed to all SSM-managed instances. SSM-managed instances are targeted because SSH cannot be enabled on every instance for management by Ansible.
This tutorial makes use of the following services:
- AWS CodePipeline
- AWS Lambda
- Amazon EC2 Run Command
- CloudWatch Events
- S3 Bucket
- Ansible
- Git
We start by creating a pipeline that is triggered by any change to the master branch of your selected repository, “Configuration Management” (create a new one to start with). That trigger invokes an AWS Lambda function, which executes Run Command on the instances to run the Ansible playbook locally and install QCA.
- Instances are SSM managed.
- Instances have Ansible installed. [Note: installation of Ansible could be added to the module as a command.]
- Create a pipeline named “Configuration_management” with all default parameters. Select GitHub as the source and select the master branch of this forked repo.
- If you make changes via the console, you will have to create two stages to complete the pipeline. Create a dummy build stage, which can later be replaced by the invoke stage.
- Create IAM roles for the Lambdas with the permissions listed in the file "Conf_role" from this repo.
- Create two Lambda functions running on Python 2.7, named conf_main and conf_helper, and replace their contents with "Conf_main.py" and "Conf_helper.py" from the repo.
- View the pipeline, edit it, and add one stage after Source named “Invoke-stage”. Click Add Action Group, set the Action name to “Lambda” and the Action Provider to “AWS Lambda”. Select your Lambda function and “SourceArtifacts” as the Input Artifacts.
- Delete the build stage created earlier.
- Add your own Ansible playbook to the repo “Configuration Management” under the folder ansible. The demo playbook here is named "InstallQCA.yml".
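The Lambda side of the flow above, as an added illustration that is not the repo's Conf_main.py: it reads the SourceArtifacts location from the CodePipeline job event, builds an AWS-RunShellScript invocation that fetches the artifact and runs the playbook locally, and reports the dispatch result back to the pipeline. It assumes instances are tagged Managed=true, have the AWS CLI, unzip and Ansible installed, and have an instance role with read access to the artifact bucket; the Managed tag and the 600-second timeout are assumed conventions.

```python
"""Added example (not the repo's Conf_main.py): a CodePipeline-invoked Lambda
that fans the committed playbook out to SSM-managed instances via Run Command."""
import re

PLAYBOOK_DIR = "ansible"                              # repo folder from the README
TARGETS = [{"Key": "tag:Managed", "Values": ["true"]}]  # assumed tag convention
_SAFE_BUCKET = re.compile(r"^[a-z0-9.-]{3,63}$")
_SAFE_KEY = re.compile(r"^[A-Za-z0-9._/-]+$")         # CodePipeline artifact keys fit this

def codepipeline_job(event):
    """Job id plus the S3 location of the SourceArtifacts input artifact."""
    job = event["CodePipeline.job"]
    loc = job["data"]["inputArtifacts"][0]["location"]["s3Location"]
    return job["id"], loc["bucketName"], loc["objectKey"]

def run_command_params(bucket, key, playbook):
    """Build the ssm.send_command arguments. Everything interpolated into the
    shell script is allow-listed first, because the script runs as root on
    every targeted instance."""
    if not _SAFE_BUCKET.match(bucket) or not _SAFE_KEY.match(key):
        raise ValueError("artifact location contains unexpected characters")
    if "/" in playbook or not playbook.endswith((".yml", ".yaml")):
        raise ValueError("playbook must be a bare .yml file name")
    commands = [
        "set -e",
        "WORKDIR=$(mktemp -d)",
        "aws s3 cp s3://%s/%s $WORKDIR/source.zip" % (bucket, key),
        "unzip -q $WORKDIR/source.zip -d $WORKDIR",
        "ansible-playbook -i localhost, -c local $WORKDIR/%s/%s" % (PLAYBOOK_DIR, playbook),
    ]
    return {"DocumentName": "AWS-RunShellScript", "Targets": TARGETS,
            "Parameters": {"commands": commands}, "TimeoutSeconds": 600}

def handler(event, context):
    import boto3  # imported here so the helpers above stay testable offline
    job_id, bucket, key = codepipeline_job(event)
    pipeline = boto3.client("codepipeline")
    try:
        params = run_command_params(bucket, key, "InstallQCA.yml")
        cmd = boto3.client("ssm").send_command(**params)["Command"]["CommandId"]
    except Exception as exc:  # any failure must be reported or the stage hangs
        pipeline.put_job_failure_result(
            jobId=job_id, failureDetails={"type": "JobFailed", "message": str(exc)[:500]})
        raise
    pipeline.put_job_success_result(jobId=job_id)  # dispatch succeeded; per-instance
    return cmd                                      # command status is checked separately

SAMPLE_EVENT = {"CodePipeline.job": {"id": "job-1", "data": {"inputArtifacts": [  # constructed
    {"location": {"s3Location": {"bucketName": "pipeline-artifacts",
                                 "objectKey": "Configuration_management/SourceArti/x.zip"}}}]}}}
```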