This repo contains the bits necessary for a successful Chef Essentials + InSpec workshop.
NOTE: Carpenter currently supports the chef-aws
, chef-engineering
, and chef-sa-group
accounts. If you would like Carpenter to support additional AWS accounts, see the "Adding Additional Account Support" section below.
- Ensure Terraform 0.10 or later is installed. Run
terraform version
to validate. - If your AWS key is different than your default key (
~/.ssh/id_rsa
, for example), add it to your ssh-agent (ssh-add ~/.ssh/my-aws-key
).- SSH agent is the preferred auth method in order to accommodate password-protected SSH keys which are not supported by Terraform.
- Put a valid
delivery.license
file in theterraform
directory in this repository. - Ensure your
~/.aws/credentials
file has a section for the account you choose when you runcarpenter build
below. The account names must match.- If you are using an account tied to Okta, such as
chef-engineering
, ensure that theokta_aws
tool is running so yourcredentials
file has a fresh set of keys.
- If you are using an account tied to Okta, such as
- Run:
bundle install
- Run:
bundle exec carpenter build NAME
- The
NAME
will be used in the FQDN of the Automate Hostname, and it also provides the ability to run multiple workshop environments simultaneously.
- The
- Answer carpenter's questions, say
yes
, and then Terraform will do its thing!
For Markdown output of all the workstation IP addresses, run: bundle exec carpenter markdown NAME
For the IP address of the Automate server, run: bundle exec carpenter automate_ip NAME
For the URL of the Automate server, run: bundle exec carpenter automate_url NAME
Should there be a problem during the Terraform run, a re-run will usually fix the infrastructure that didn't get set up properly.
To re-run Terraform, run: bundle exec carpenter rerun NAME
When the environment is no longer necessary, run: bundle exec carpenter destroy NAME
The CentOS workstation is built with packer, a single recipe, and a bunch of resources from other open-source cookbooks. To build a new workstation image:
- Ensure you have valid AWS credentials in the normal place (i.e.
~/.aws/credentials
) cd packer
- Edit the
workshop-workstation-centos.json
and update theami_name
(i.e. increment the version) - Vendor the dependent cookbooks:
berks vendor --berksfile=cookbooks/workstations/Berksfile vendored_cookbooks
- Run Packer:
packer build ./workshop-workstation-centos.json
- Submit a PR back to this repo with the new version number in the JSON.
Adding support for an additional account requires some EC2, Route 53, and Carpenter changes. But it's not that hard, I promise!
- Get the AWS account number of the new account.
- Modify the latest EC2 Workstation AMI permissions, and share it with the new account.
- Create a new security group in the new account. It will need to allow SSH, HTTP, and HTTPS traffic inbound from everyone.
- Create a new hosted zone in the new account. Follow the
<DEPARTMENT>.chefdemo.net
naming convention. For example, for the Solutions Architect account, a good zone name may besa.chefdemo.net
- Grab the
NS
records from the new account. - In the
chef-aws
account, create a newNS
record set. The name should be the name of the zone you created in step 1, and the contents should be theNS
records from the zone created in step 1.
Modify packer/workshop-workstation-centos.json
in this repo, and add the new account number to the ami_users
value.
Create a new section in the carpenter.toml
file at the root of this repository. Include the following information:
- name: the name of the account. This should match the section header in
~/.aws/credentials
which may be created automatically by theokta_aws
tool. - workstation AMI ID: this will likely be the same ID as the other existing sections if it was shared as instructed in this README.
- automate AMI ID: copy from an existing section - this is just a base CentOS image with no customizations.
- security group ID: the
sg-xxxxxxxxx
ID of the security group created above. - DNS zone: the name of the DNS zone created above. Be sure to include the trailing
.
Don't forget to open a PR back to this repo that contains all your awesome changes to support a new AWS account!