Deploying Puppet Enterprise Agents with HashiCorp Terraform on Azure VMs

martezr

Martez Reed

Posted on August 18, 2020


HashiCorp Terraform is an open source Infrastructure as Code (IaC) tool that is widely used to deploy infrastructure in public clouds such as AWS and Azure, as well as in on-premises VMware vSphere environments.

One of the challenges is developing a method for bootstrapping the instances with configuration management agents such as the Puppet Enterprise agent. In this blog post we cover a simple and easy way to install the Puppet Enterprise agent on Azure virtual machines provisioned with HashiCorp Terraform.

Azure Virtual Machine Extensions

Microsoft Azure supports what are known as virtual machine extensions, which are small applications that provide post-deployment configuration and automation on Azure VMs. There are a number of extensions available from companies such as Datadog, New Relic and others. These extensions have been created to wrap the installation and configuration of their respective agents.

Custom Script Extension

In addition to extensions created by vendors, Microsoft Azure provides a custom script extension that allows arbitrary commands or scripts to be executed during the post-provisioning stage. The HashiCorp Terraform Azure provider includes a resource for custom script extensions that can be used to install the Puppet Enterprise agent on a virtual machine during the provisioning process.

Puppet Enterprise Agent Installation

Puppet Enterprise provides a simple method for installing the Puppet Enterprise agent using the PE agent install script. Using this script lets us pass additional agent configuration, such as trusted facts that are embedded in the CSR or a pre-shared key used for automatically signing the agent SSL certificate. This method assumes that a certificate autosigning process is in place so the certificate is signed automatically during the bootstrap process.

If sensitive information such as the pre-shared key is passed as part of the provisioning code it should be properly secured. There are several options to properly secure that information.

  • Create a custom wrapper script that dynamically fetches the sensitive information from Azure Key Vault
  • Create a custom wrapper script that dynamically fetches the sensitive information from a HashiCorp Vault deployment
  • Embed the sensitive information in a custom wrapper script that is securely stored in an Azure Blob
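As an added example that is not part of the original post, the wrapper script below implements the first option: it fetches the autosign pre-shared key from Azure Key Vault through the VM's system-assigned managed identity at run time, so neither the Terraform code nor the extension settings carry the secret. It assumes the vault name, secret name, master FQDN and role are passed as arguments and that the managed identity has get permission on the secret.

```shell
#!/usr/bin/env bash
# Example wrapper (not from the post): pull the PE autosign pre-shared key from
# Azure Key Vault via the instance's managed identity, then run the PE agent
# installer with it, so the PSK never sits in Terraform code or VM settings.
# Assumptions: a managed identity with "get" on the secret; arguments are
# <vault> <secret> <master-fqdn> <role>.
set -eu

IMDS="http://169.254.169.254/metadata/identity/oauth2/token"

# Extract one string field from a flat JSON object without jq
# (assumes the value contains no quotes or backslashes).
json_field() {
  printf '%s' "$1" | sed -n "s/.*\"$2\":\"\([^\"]*\)\".*/\1/p"
}

# Bearer token for the Key Vault data plane from the instance metadata service.
imds_token() {
  json_field "$(curl -sf -H 'Metadata: true' \
    "$IMDS?api-version=2018-02-01&resource=https%3A%2F%2Fvault.azure.net")" access_token
}

# Read secret $2 from vault $1 with bearer token $3.
keyvault_secret() {
  json_field "$(curl -sf -H "Authorization: Bearer $3" \
    "https://$1.vault.azure.net/secrets/$2?api-version=7.0")" value
}

# Arguments for install.bash: CSR challenge password plus the pp_role trusted fact.
install_args() {
  printf 'custom_attributes:challengePassword=%s extension_requests:pp_role=%s' "$1" "$2"
}

main() {
  vault=$1; secret=$2; master=$3; role=$4
  psk=$(keyvault_secret "$vault" "$secret" "$(imds_token)")
  # -k mirrors the post; prefer --cacert with the PE CA bundle where it is distributed.
  curl -k -sf "https://$master:8140/packages/current/install.bash" \
    | bash -s $(install_args "$psk" "$role")
}

# Run only when invoked with all four arguments.
if [ $# -eq 4 ]; then
  main "$@"
fi
```

Store the script in a Blob the VM can read and point the extension's commandToExecute at it, so the PSK is resolved on the instance rather than written into the plan.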

Linux

The Puppet Enterprise agent installation script for Linux uses Bash and an example is shown below.

Replace the hostname with the FQDN of your Puppet Enterprise master or compiler load balancer.

curl -k https://puppetmaster.grt.local:8140/packages/current/install.bash | sudo bash -s custom_attributes:challengePassword=PASSWORD123 extension_requests:pp_role=web

Once we’ve got our installation command we just need to add it to an azurerm_virtual_machine_extension Terraform resource.

resource "azurerm_virtual_machine_extension" "linux_pe_install" {
  name                 = "PEAgentInstallLinux"
  virtual_machine_id   = azurerm_linux_virtual_machine.example.id
  publisher            = "Microsoft.Azure.Extensions"
  type                 = "CustomScript"
  type_handler_version = "2.0"

  # HCL heredoc: no whitespace between << and the delimiter
  settings = <<SETTINGS
    {
        "commandToExecute": "curl -k https://puppetmaster.grt.local:8140/packages/current/install.bash | sudo bash -s custom_attributes:challengePassword=PASSWORD123 extension_requests:pp_role=web"
    }
SETTINGS

  tags = {
    environment = "Production"
  }
}

Windows

The Puppet Enterprise agent installation script for Windows uses PowerShell and an example is shown below.

Replace the hostname with the FQDN of your Puppet Enterprise master or compiler load balancer.

[System.Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; [Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}; $webClient = New-Object System.Net.WebClient; $webClient.DownloadFile('https://puppetmaster.grt.local:8140/packages/current/install.ps1', 'install.ps1'); .\install.ps1 custom_attributes:challengePassword=PASSWORD123 extension_requests:pp_role=database

Once we’ve got our installation command we just need to add it to an azurerm_virtual_machine_extension Terraform resource.

resource "azurerm_virtual_machine_extension" "windows_pe_install" {
  name                 = "PEAgentInstallWindows"
  virtual_machine_id   = azurerm_windows_virtual_machine.example.id
  # The Windows Custom Script Extension is published by Microsoft.Compute;
  # Microsoft.Azure.Extensions/CustomScript 2.0 is the Linux-only handler.
  publisher            = "Microsoft.Compute"
  type                 = "CustomScriptExtension"
  type_handler_version = "1.10"

  # commandToExecute runs under cmd.exe, so the PowerShell one-liner is handed
  # to powershell.exe explicitly; backslashes must be escaped inside the JSON.
  settings = <<SETTINGS
    {
        "commandToExecute": "powershell -ExecutionPolicy Unrestricted -Command \"[System.Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; [Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}; $webClient = New-Object System.Net.WebClient; $webClient.DownloadFile('https://puppetmaster.grt.local:8140/packages/current/install.ps1', 'install.ps1'); .\\install.ps1 custom_attributes:challengePassword=PASSWORD123 extension_requests:pp_role=database\""
    }
SETTINGS

  tags = {
    environment = "Production"
  }
}

There are certainly more complex configurations that can be developed to install the Puppet Enterprise agent. This post focused on a simple method for getting started with deploying Puppet Enterprise agents using HashiCorp Terraform.
