Article

Using HashiCorp Terraform with AWS and Chef

In the course of assisting AHEAD clients with streamlining and standardizing their infrastructure, we like to demonstrate the products we represent, and HashiCorp Terraform lets us stand up our demonstrations on demand in either a data center- or cloud-centric fashion.

One of the solutions that we demonstrate to our clients is configuration management and compliance automation using Chef Automate. Chef Automate can be installed in an on-premises data center or in a cloud environment. It is available in the marketplaces of both AWS and Azure, as well as in the OpsWorks offering in AWS. These installations are all managed by the respective vendor (AWS or Microsoft) and updated on the vendor's cadence. This is perfectly acceptable for some cloud users; however, many prefer to have more control over the update cycle of their configuration management tools. That leaves enterprise users with the task of installing and configuring their own Chef Automate infrastructure.

Chef Automate does a great job of managing the configuration of the workloads that an enterprise runs in the data center or the cloud; however, the underlying infrastructure of the Chef servers themselves must also be managed. One way to do that is with Terraform by HashiCorp.

Terraform is one component of the suite of tools that HashiCorp has been providing to individual users and large enterprise organizations for several years now. HashiCorp also offers several other tools: Vault for secrets management, Consul for service discovery, Nomad for scheduling and launching VMs or containers, as well as its lesser-known tools, Vagrant for local virtualization and Packer for VM image management.

Terraform gives us the ability to manage the code for our demo infrastructure in such a way that we can easily create a Chef Automate demo in AWS, Azure, or in vSphere on-premises. All of these environments have native tools for orchestrating workloads, but each has its own configuration language. Terraform gives us a single configuration language to use across multiple providers, cloud and data center alike.

The following code shows how we create the Chef and Automate servers in AWS. Note the use of user_data to configure the Chef and Automate servers once they are instantiated; see the AWS documentation for more information on how to configure and use user_data:

data "template_file" "cuserdata" {
  template = "${file("${path.module}/chef_userdata.tpl")}"

  vars = {
    TERRAFORM_chost = "<FQDN_of_Chef_Server>"
  }
}

resource "aws_instance" "chef_server" {
  ami           = "${var.aws_ami}"
  instance_type = "${var.chef_instance_type}"
  key_name      = "${var.aws_key_name}"
  subnet_id     = "${data.terraform_remote_state.network.chef_vpc_subnet}"

  vpc_security_group_ids = [
    "${data.terraform_remote_state.network.chef_linux_security_group}",
    "${data.terraform_remote_state.network.chef_server_security_group}",
  ]

  # The rendered template runs as the bootstrap script on first boot.
  user_data = "${data.template_file.cuserdata.rendered}"

  root_block_device {
    volume_type           = "gp2"
    volume_size           = "120"
    delete_on_termination = "true"
  }

  tags = {
    Name        = "Chef Server"
    Owner       = "<Owner_of_the_Node>"
    Purpose     = "Chef Server for Demos."
    AutoOff     = "true"
    DoNotDelete = "true"
  }
}

data "template_file" "auserdata" {
  template = "${file("${path.module}/automate_userdata.tpl")}"

  vars = {
    TERRAFORM_ahost = "<FQDN_of_Automate_Server>"
  }
}

resource "aws_instance" "automate_server" {
  ami           = "${var.aws_ami}"
  instance_type = "${var.automate_instance_type}"
  key_name      = "${var.aws_key_name}"
  subnet_id     = "${data.terraform_remote_state.network.chef_vpc_subnet}"

  vpc_security_group_ids = [
    "${data.terraform_remote_state.network.chef_linux_security_group}",
    "${data.terraform_remote_state.network.chef_server_security_group}",
  ]

  user_data = "${data.template_file.auserdata.rendered}"

  root_block_device {
    volume_type           = "gp2"
    volume_size           = "120"
    delete_on_termination = "true"
  }

  tags = {
    Name        = "Automate Server"
    Owner       = "<Owner_of_the_Node>"
    Purpose     = "Chef Automate Server for Demos."
    AutoOff     = "true"
    DoNotDelete = "true"
  }
}
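The chef_userdata.tpl file that cuserdata renders is referenced above but not shown. As an added example that is not the article's own code, here is a constructed stand-in for that template together with a small pre-apply check: it renders the template roughly the way template_file does (an approximation, not Terraform's code) and flags the things that go wrong in practice, namely an unescaped shell ${VAR} (template_file rejects it as an undefined variable), exceeding the 16 KB EC2 user_data limit, and key material in user_data, which any process on the instance can read back from the metadata service.

```python
import re

EC2_USER_DATA_LIMIT = 16 * 1024  # EC2 rejects raw user_data larger than 16 KB

# Constructed stand-in for the chef_userdata.tpl the article references but does
# not show. ${TERRAFORM_chost} is filled in by Terraform; a literal shell expansion
# must be written $${...} or template_file fails on an undefined variable.
CHEF_USERDATA_TPL = """#!/bin/bash
CHEF_FQDN="${TERRAFORM_chost}"
hostnamectl set-hostname "$${CHEF_FQDN}"
mkdir -p /etc/opscode
echo "api_fqdn '$${CHEF_FQDN}'" >> /etc/opscode/chef-server.rb
chef-server-ctl reconfigure
"""

_INTERP = re.compile(r"\$\$?\{([^}]*)\}")


def render(template: str, variables: dict) -> str:
    """Approximate template_file: substitute ${name} from variables, turn $${...}
    into a literal ${...}, and raise on an undefined variable as Terraform does."""
    def substitute(match):
        if match.group(0).startswith("$$"):
            return "${" + match.group(1) + "}"  # escaped: passed through to the shell
        name = match.group(1).strip()
        if name not in variables:
            raise ValueError(f"undefined template variable: {name}")
        return variables[name]
    return _INTERP.sub(substitute, template)


def check_user_data(rendered: str) -> list:
    """Pre-apply checks on the rendered script; returns a list of findings."""
    findings = []
    if len(rendered.encode()) > EC2_USER_DATA_LIMIT:
        findings.append("user_data exceeds the EC2 16 KB limit")
    if "TERRAFORM_" in rendered:
        findings.append("unrendered TERRAFORM_ placeholder left in user_data")
    # user_data is readable by any process on the instance via the metadata
    # service, so key material must never travel in it.
    if "PRIVATE KEY" in rendered:
        findings.append("private key material embedded in user_data")
    return findings


if __name__ == "__main__":
    script = render(CHEF_USERDATA_TPL, {"TERRAFORM_chost": "chef.demo.internal"})
    print(script)
    print("findings:", check_user_data(script))
```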

Terraform uses what it refers to as providers to extend and abstract the specifics of each platform, and as of this article there are 93 providers covering all of the major cloud vendors as well as a number of third-party applications, including Chef. The providers are separate from Terraform core so that they can be updated outside of the core code stream. For users this means that when AWS or Azure add new features, for example, those features can be added to the respective provider and made available much sooner than under the original method of shipping the providers inside the core Terraform code stream.

Using the Chef provisioner, we can create a node for a demo and hand it off to Chef for configuration management simply by adding the following to the resource block in our Terraform code. For more information on the Chef provisioner, see the Terraform documentation.

provisioner "chef" {
  environment = "develop"
  run_list    = ["role[base_linux]"]
  node_name   = "LinTest01"
  server_url  = "https://<url_of_the_chef_server>/organizations/<org_name>"
  user_name   = "<chef user>"
  user_key    = "${file("<location of the users key file>")}"

  # Delete and re-register the client if a node of this name already exists.
  recreate_client = true

  # Pulls the Chef server's TLS certificates into trusted_certs on first contact
  # (the equivalent of knife ssl fetch); they are trusted as presented, not verified.
  fetch_chef_certificates = true
  os_type                 = "Linux"

  connection {
    user        = "ec2-user"
    private_key = "${file("<key_to_use>")}"
  }
}

In the above example, we create a node named LinTest01, assign it to the develop environment, and add it to the base_linux Chef role. The provisioner takes care of installing the Chef client and making all of the required connections. This allows us to create the demo instances in Chef and have them ready for demonstrating items such as compliance automation and remediation.

HashiCorp and Chef both provide great tools for managing your infrastructure, and while there is some overlap, each tool helps you manage and secure your infrastructure, whether in the data center or the public cloud. Terraform provides the ability to build infrastructure on multiple public and private cloud platforms, either interactively or programmatically via its API, and Chef provides state and compliance management for that infrastructure.


Curious to learn about more HashiCorp tools? Check out all of our HashiCorp content in The LAB.

Ready to get started? Visit the AHEAD Lab and Briefing Center to see how we can help you in your digital transformation journey.