After finishing this part of our tutorial, our AWS resources will be connected with Chef server and will be able to self-configure.
If you haven’t read previous parts, please check Part 1, Part 2 and Part 3 before reading this part.
Hooking the Chef Client
<powershell>
# $ChefMsiUrl, $validatorPemUrl and $jsonFileUrl are set earlier in the user data (not shown here)
(New-Object System.Net.WebClient).DownloadFile($ChefMsiUrl, 'C:\Windows\Temp\chef.msi')
Start-Process msiexec.exe -Wait -ArgumentList '/I C:\Windows\Temp\chef.msi /quiet ADDLOCAL="ChefClientFeature,ChefSchTaskFeature,ChefPSModuleFeature"'
# the URLs must be in double quotes (or unquoted); inside single quotes PowerShell would pass the literal text $validatorPemUrl
(New-Object System.Net.WebClient).DownloadFile("$validatorPemUrl", 'C:\chef\validation.pem')
# pick up the PATH entries the MSI just added without opening a new session
$env:Path = [System.Environment]::GetEnvironmentVariable("Path","Machine")
(New-Object System.Net.WebClient).DownloadFile("$jsonFileUrl", 'C:\chef\first_run.json')
Set-Content C:\chef\client.rb "log_level :debug"
# :verify_none disables TLS certificate checking against the Chef server
Add-Content C:\chef\client.rb "`nssl_verify_mode :verify_none"
Add-Content C:\chef\client.rb "`nlog_location STDOUT"
Add-Content C:\chef\client.rb "`nchef_server_url '<ChefServerUrl>/organizations/<ORG>'"
Add-Content C:\chef\client.rb "`nvalidation_client_name '<ORG>-validator'"
chef-service-manager -a install
# trusts whatever certificate the server presents on this first contact
knife ssl fetch '<ChefServerUrl>:8443'
Set-Content C:\chef\knife.rb "chef_server_url '<ChefServerUrl>/organizations/<ORG>'"
Add-Content C:\chef\knife.rb "`nssl_verify_mode :verify_none"
Add-Content C:\chef\knife.rb "`nvalidation_client_name '<ORG>-validator'"
Add-Content C:\chef\knife.rb "`nconfig_log_level :debug"
cd C:\chef
# first run registers the node and applies the run_list from first_run.json
chef-client --json-attributes first_run.json
chef-service-manager -a start
</powershell>
In general we are downloading the Chef MSI from the web and installing it quietly with the parameters
ADDLOCAL="ChefClientFeature,ChefSchTaskFeature,ChefPSModuleFeature"
This gives us the additional features (the scheduled task and the PowerShell module) without going through the GUI, since we are doing a quiet install. We also download the validation.pem for the <ORG> we created (you can upload it to S3 and get it from there. I did the same with the Chef MSI and the JSON file so they are the same versions every time, and I can just change them if I want to apply something to all the nodes that are using them).
The Chef MSI installation adds locations to our $PATH variable, so normally we would need to launch a new PowerShell session to use them, but I found that
$env:Path = [System.Environment]::GetEnvironmentVariable("Path","Machine")
saves us the trouble and “refreshes” $PATH in the current session.
We get the JSON file that will add a ROLE (read more in the Chef documentation) to our instances. When we don't use the aws_instance resource we cannot set a ROLE on the instance, and once launched the Chef server won't know what to execute on it, since it only gets the default role, and the default role doesn't have any run_list (list of tasks to execute/install). Also, even in the Chef server there is no way to edit the default role, so we must assign a custom role that we have already set up in the Chef server with some run_list to do.
The JSON contains (note there must be no trailing comma after the last run_list entry, or it is not valid JSON):
{
  "run_list": [
    "role[webserver]"
  ]
}
After this launch, every instance will have the “webserver” role instead of “base” which is the default one. The webserver role is what you set it to be and has its own runlist that we can edit. This is the final step with Terraform. Now we need only to create the actual role[webserver] and add some tasks for it.
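A hardened version of the same bootstrap, as an added example that is not the tutorial's own user data: it refuses to install an MSI whose SHA-256 does not match, pins the Chef server certificate instead of using :verify_none, locks down the validator key and deletes it after the first run. It assumes $ChefMsiUrl, $ValidatorPemUrl, $JsonFileUrl, $CaCertUrl (the server's certificate, e.g. also served from S3) and $ExpectedMsiSha256 are set earlier in the script, and PowerShell 4 or later for Get-FileHash.

```powershell
<powershell>
# Added example, not the tutorial's user data. Assumes $ChefMsiUrl, $ValidatorPemUrl,
# $JsonFileUrl and $CaCertUrl (the Chef server's certificate) are set earlier in the
# script, and $ExpectedMsiSha256 is the SHA-256 hash published for that exact MSI.
$ErrorActionPreference = 'Stop'
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

# 1. Download the MSI and refuse to install it unless its hash matches.
$msi = 'C:\Windows\Temp\chef.msi'
Invoke-WebRequest -Uri $ChefMsiUrl -OutFile $msi -UseBasicParsing
$actual = (Get-FileHash -Path $msi -Algorithm SHA256).Hash
if ($actual -ne $ExpectedMsiSha256.ToUpper()) {
    Remove-Item $msi -Force
    throw "chef.msi SHA-256 mismatch: expected $ExpectedMsiSha256, got $actual"
}
Start-Process msiexec.exe -Wait -ArgumentList "/I $msi /quiet ADDLOCAL=`"ChefClientFeature,ChefSchTaskFeature,ChefPSModuleFeature`""

# 2. Pin the server certificate instead of turning verification off.
New-Item -ItemType Directory -Force -Path 'C:\chef\trusted_certs' | Out-Null
Invoke-WebRequest -Uri $CaCertUrl -OutFile 'C:\chef\trusted_certs\chef-server.crt' -UseBasicParsing
Invoke-WebRequest -Uri $ValidatorPemUrl -OutFile 'C:\chef\validation.pem' -UseBasicParsing
Invoke-WebRequest -Uri $JsonFileUrl -OutFile 'C:\chef\first_run.json' -UseBasicParsing

# 3. Only SYSTEM and Administrators may read the validator key (it can register any node).
$acl = Get-Acl 'C:\chef\validation.pem'
$acl.SetAccessRuleProtection($true, $false)
foreach ($id in 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators') {
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule($id, 'FullControl', 'Allow')))
}
Set-Acl -Path 'C:\chef\validation.pem' -AclObject $acl

@"
log_level              :info
log_location           STDOUT
chef_server_url        '<ChefServerUrl>/organizations/<ORG>'
validation_client_name '<ORG>-validator'
ssl_verify_mode        :verify_peer
trusted_certs_dir      'C:/chef/trusted_certs'
"@ | Set-Content -Path 'C:\chef\client.rb' -Encoding ASCII

# 4. Register with the first-run role, then remove the validator key: after the first run
#    the node authenticates with its own client.pem and no longer needs it.
$env:Path = [System.Environment]::GetEnvironmentVariable('Path', 'Machine')
chef-service-manager -a install
Set-Location C:\chef
chef-client --json-attributes first_run.json
Remove-Item 'C:\chef\validation.pem' -Force
chef-service-manager -a start
</powershell>
```

The node-side knife.rb from the original script is left out because chef-client does not need it; knife is run from the workstation.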
Creating a Role
For that we need to connect to the server via the Workstation. Basically, go to your already set up workstation and cd to the chef-repo folder in the command line. Then type:
knife role create webserver
This will open the role itself as a JSON file.
Now we need to assign a recipe to the role’s run_list. For that we need to have a cookbook.
Let's install the iis cookbook.
knife cookbook site install iis
then
knife role edit webserver
and add
"recipe[iis]"
(including the quotes) in the "run_list".
Afterwards it must look like this:
{
  "name": "webserver",
  "description": "",
  "json_class": "Chef::Role",
  "default_attributes": { },
  "override_attributes": { },
  "chef_type": "role",
  "run_list": [
    "recipe[iis]"
  ],
  "env_run_lists": { }
}
After that, save the file in chef-repo/roles as webserver.json.
Then we have to upload the role to the server, since until now it only exists locally. We also need to upload the iis cookbook and its dependencies (ohai and windows).
knife cookbook upload ohai
knife cookbook upload windows
knife cookbook upload iis
After this is done we can upload the role:
knife role from file ./roles/webserver.json
And we are done.
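A pre-upload check for the role file, as an added example that is not part of the tutorial: it catches the two mistakes that survive copy-pasting a role from a web page (typographic quotes and a trailing comma), verifies the fields knife and chef-client expect, and only then runs knife role from file. The path .\roles\webserver.json is the one from the steps above; the regex for run_list entries is this example's own.

```powershell
# Added example, not part of the tutorial: lint roles/webserver.json before "knife role from file".
function Test-ChefRoleFile {
    param([Parameter(Mandatory)][string]$Path)
    $problems = @()
    $raw = Get-Content -Raw -Path $Path
    # Typographic quotes and trailing commas are the two mistakes that survive a copy-paste from a web page.
    if ($raw -match '[\u201C\u201D\u2018\u2019]') { $problems += 'contains typographic quotes instead of "' }
    if ($raw -match ',\s*[\]\}]')                { $problems += 'trailing comma before ] or } (not valid JSON)' }
    try { $role = $raw | ConvertFrom-Json }
    catch { return $problems + "does not parse as JSON: $($_.Exception.Message)" }
    if ($role.json_class -ne 'Chef::Role') { $problems += "json_class is '$($role.json_class)', expected 'Chef::Role'" }
    if ($role.chef_type -ne 'role')        { $problems += "chef_type is '$($role.chef_type)', expected 'role'" }
    $fileName = [IO.Path]::GetFileNameWithoutExtension($Path)
    if ($role.name -ne $fileName)          { $problems += "name '$($role.name)' does not match file name '$fileName'" }
    if (-not $role.run_list)               { $problems += 'run_list is empty; the role will do nothing on the node' }
    # run_list entries must be recipe[cookbook], recipe[cookbook::recipe] or role[name], optionally @version
    $entry = '^(recipe|role)\[[A-Za-z0-9_\-]+(::[A-Za-z0-9_\-]+)?(@\d+(\.\d+){0,2})?\]$'
    foreach ($item in $role.run_list) {
        if ($item -notmatch $entry) { $problems += "bad run_list entry: $item" }
    }
    return $problems
}

$issues = Test-ChefRoleFile -Path '.\roles\webserver.json'
if ($issues) { $issues | ForEach-Object { Write-Warning $_ }; exit 1 }
knife role from file .\roles\webserver.json
```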
All roles/cookbooks are now uploaded to the server, and the role we set on the nodes (webserver) is updated with recipe[iis]. Now we can run terraform apply from our Terraform folder and, if we have done everything right, all new instances must get role[webserver] and install IIS when launching. We can confirm that from the chef-repo folder by typing:
knife node show <nodeName>
You can get the node name from the Chef Server UI after the nodes connect to the server.
This is the end of the AWS, Terraform and Chef tutorial.
All files from this tutorial are available for download HERE as an archive.