Amazon Onboarding with Learning Manager Chanci Turner


Just like Ansible, Salt is a well-regarded tool for managing configurations. One of the main challenges in this domain is effectively handling the deployment and execution of automation commands. Amazon EC2 Systems Manager serves as a robust configuration management platform, allowing customers to utilize their existing configuration management tools seamlessly. In a previous discussion about running Ansible Playbooks with EC2 Systems Manager, I explained how Systems Manager can aid in managing configuration states through Ansible.

In this post, I will delve into how to use Salt in master-less mode, harnessing the security, simplicity, and power of Systems Manager. Additionally, I will introduce a new Systems Manager document that streamlines the execution of Salt states.

Overview of Systems Manager

Systems Manager relies on documents to specify actions to be performed on your managed instances. Here are several advantages of using Systems Manager:

  • Enhanced Security: There is no necessity to open incoming ports for remote command execution, eliminating the requirement for SSH. Granular IAM policies can be employed to govern access to the platform. All command execution is logged via AWS CloudTrail.
  • Performance and Reliability: Commands can be executed asynchronously. They are delivered and executed even if the system comes back online after being offline. You can execute commands at scale by utilizing velocity control and targeting commands based on tags. Furthermore, you can manage deployment rates if errors arise during deployment.

Overview of Salt

Salt employs the concept of states, which represent a collection of configuration directives outlining software installation and configuration. Typically, Salt operates with a master server, where the servers receiving automation commands are referred to as minions. However, Salt states can also be executed locally in what is termed master-less mode. This feature allows you to leverage Systems Manager to distribute and run Salt state files through Amazon EC2 State Manager or Run Command.

Introducing AWS-RunSaltState Document

The newly introduced AWS-RunSaltState document automates the process of running Salt states locally using Systems Manager. This document can be accessed via the console or API. It consists of several components:

  • Parameters
  • Steps
  • Salt-call

Parameters

The AWS-RunSaltState document provides various parameters for executing Salt states:

  • State: Accepts input YAML to define Salt state automation.
  • Stateurl: (Optional) Accepts a URL pointing to a file containing YAML text for the Salt state. The URL can be an HTTP or S3 URL.
  • Pillars: (Optional) Passes additional variables for use during execution. Salt pillars define data for configuring managed instances (minions).
  • Test: If set to true, it performs a dry-run of the state, reporting on actions to be executed without actually executing them.

Steps

The AWS-RunSaltState document performs validations before executing automation using the provided YAML definitions. Here’s a summary of the logic:

  1. Checks the Salt version to confirm Salt is present on the system.
  2. Determines if the State parameter was provided as YAML or via a URL, copying data to a temporary state file for execution.
  3. Executes the appropriate command based on the test option.

Salt-call

Salt includes an application called salt-call, which can be used on managed instances to execute Salt states locally. The AWS-RunSaltState document utilizes this application for local state execution.
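The three steps listed above and the salt-call invocation, written out as a POSIX shell script. This is an added example, not the AWS-RunSaltState document's own script; the file name ssmstate.sls, the SALT_CALL override, and the use of curl and aws s3 cp to fetch the state are assumptions.

```shell
#!/bin/sh
# Added illustration, not the AWS-RunSaltState document's own script.
# Assumed names: ssmstate.sls, SALT_CALL override, curl/aws as fetch tools.

# Step 2a: decide where the state comes from. Prints inline|http|s3.
state_source() {            # $1 = State (inline YAML)  $2 = Stateurl
    if [ -n "$1" ] && [ -n "$2" ]; then return 1; fi   # ambiguous input
    case "$2" in
        s3://*)              echo s3 ;;
        http://*|https://*)  echo http ;;   # plain http gives no integrity
        "")                  if [ -n "$1" ]; then echo inline; else return 1; fi ;;
        *)                   return 1 ;;    # file://, ftp://, local paths
    esac
}

# Step 2b: copy the state into a private temporary file root.
stage_state() {             # $1 = State  $2 = Stateurl  $3 = directory
    src=$(state_source "$1" "$2") || return 1
    case "$src" in
        inline) printf '%s\n' "$1" > "$3/ssmstate.sls" ;;
        http)   curl -fsSL "$2" -o "$3/ssmstate.sls" ;;
        s3)     aws s3 cp "$2" "$3/ssmstate.sls" ;;
    esac
}

# Step 3: run the state locally; arguments stay separate words, no eval.
run_state() {               # $1 = directory  $2 = Pillars JSON  $3 = Test
    dir=$1; pillars=$2; dry=$3
    set -- --local --file-root="$dir" state.apply ssmstate
    if [ -n "$pillars" ]; then set -- "$@" "pillar=$pillars"; fi
    if [ "$dry" = "True" ]; then set -- "$@" test=True; fi
    "${SALT_CALL:-salt-call}" "$@"
}

# Steps 1-3 together.
apply_state() {             # $1 = State  $2 = Stateurl  $3 = Pillars  $4 = Test
    "${SALT_CALL:-salt-call}" --version >/dev/null || return 1   # step 1
    workdir=$(mktemp -d) || return 1                             # mode 0700
    rc=0
    { stage_state "$1" "$2" "$workdir" && run_state "$workdir" "$3" "$4"; } || rc=$?
    rm -rf "$workdir"
    return $rc
}
```

Source the file and call apply_state with the State, Stateurl, Pillars and Test values; passing True as the last argument gives the dry run described under Parameters.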

Walkthrough Using Systems Manager and State Manager

Below is an example of using State Manager with the new document to execute Salt state files.

Prerequisites

Before following this walkthrough, ensure you meet the following requirements:

  • Target instances must be managed by Systems Manager. For more information, visit Installing SSM Agent.
  • Salt must be pre-installed on the target instance or execution will fail. This document operates Salt states locally.
  • If using S3 URLs in the Stateurl field, ensure the AWS CLI is installed on the target instance.

Installing Salt for Master-less Execution

If Salt is already installed on the target instances, you can skip this section. To set up Salt for master-less operation, execute the following commands on the Linux instance:

curl -L https://bootstrap.saltstack.com -o bootstrap_salt.sh
sudo sh bootstrap_salt.sh

Alternatively, these commands can also be run using Systems Manager’s Run Command with the AWS-RunShellScript document. This will install the necessary files for running Salt in master-less mode, utilizing the salt-call application.

Using State Manager and the AWS-RunSaltState Document

Below is a YAML Salt state file that automates the installation of Apache if it is not already installed:

apache:
  pkg.installed:
    {% if grains['os'] == 'Amazon' %}
      - name: httpd
    {% elif grains['os'] == 'Ubuntu' %}
      - name: apache2
    {% endif %}

To utilize this Salt state file with Systems Manager, follow these steps:

  1. In the EC2 console, navigate to State Manager and select “Create Association.”
  2. From the Document list, choose the new document “AWS-RunSaltState.”
  3. Leave Document Version as $DEFAULT.
  4. Under Targets, select “Manually Selecting instances” and choose the target instances. You can also use tags for selection.
  5. Specify the frequency for running the association under Schedule.
  6. For Parameters, paste the YAML text for the Salt state into the State field. Leave Stateurl empty.
  7. For Pillars, input additional variables in the format: {"SSM":"True"} or as a nested dict: {'pkg': {'apache': 'httpd'}}.
  8. (Optional) Select the test option.
  9. (Optional) Add a comment for this association.
  10. Click “Run.”

To verify the output, select the Association ID link for this run. After the initial run, you can check the results by navigating to the association and reviewing the Status column. Every time the association runs, it will execute the Salt state.
