Deploying Puppet Enterprise Agents with HashiCorp Terraform on Azure VMs
Martez Reed
Posted on August 18, 2020
HashiCorp Terraform is an open source Infrastructure as Code (IaC) tool that is widely used to deploy infrastructure in public clouds such as AWS and Azure as well as in on-premises VMware vSphere environments.
One of the challenges is developing a method for bootstrapping the instances with configuration management agents such as the Puppet Enterprise agent. In this blog post we cover a simple and easy way to install the Puppet Enterprise agent on Azure virtual machines provisioned with HashiCorp Terraform.
Azure Virtual Machine Extensions
Microsoft Azure supports what are known as virtual machine extensions, which are small applications that provide post-deployment configuration and automation on Azure VMs. There are a number of extensions available from companies such as DataDog, New Relic and others. These extensions have been created to wrap the installation and configuration of their respective agents.
Custom Script Extension
In addition to extensions created by vendors, Microsoft Azure provides a Custom Script Extension that allows arbitrary commands or scripts to be executed during the post-provisioning stage. The HashiCorp Terraform Azure provider includes a resource for virtual machine extensions that can be used to quickly install the Puppet Enterprise agent on a virtual machine during the provisioning process.
Puppet Enterprise Agent Installation
Puppet Enterprise provides a simple method for installing the Puppet Enterprise agent using the PE agent install script. Using this script enables us to easily provide additional agent configuration information such as trusted facts that are embedded in the CSR or a pre-shared key used for automatically signing the agent SSL certificate. This method assumes that a certificate autosigning process is in place to allow the certificate to be automatically signed during the bootstrap process.
If sensitive information such as the pre-shared key is passed as part of the provisioning code, it should be properly secured. There are several options for doing so:
- Create a custom wrapper script that dynamically fetches the sensitive information from Azure Key Vault
- Create a custom wrapper script that dynamically fetches the sensitive information from a HashiCorp Vault deployment
- Embed the sensitive information in a custom wrapper script that is securely stored in an Azure Blob
Linux
The Puppet Enterprise agent installation script for Linux uses Bash and an example is shown below:
The hostname should be replaced with the FQDN of your Puppet Enterprise master or compiler load balancer.
curl -k https://puppetmaster.grt.local:8140/packages/current/install.bash | sudo bash -s custom_attributes:challengePassword=PASSWORD123 extension_requests:pp_role=web
Once we’ve got our installation command we just need to add it to an azurerm_virtual_machine_extension Terraform resource.
resource "azurerm_virtual_machine_extension" "linux_pe_install" {
  name                 = "PEAgentInstallLinux"
  virtual_machine_id   = azurerm_linux_virtual_machine.example.id
  publisher            = "Microsoft.Azure.Extensions"
  type                 = "CustomScript"
  type_handler_version = "2.0"
  settings = <<SETTINGS
{
  "commandToExecute": "curl -k https://puppetmaster.grt.local:8140/packages/current/install.bash | sudo bash -s custom_attributes:challengePassword=PASSWORD123 extension_requests:pp_role=web"
}
SETTINGS
  tags = {
    environment = "Production"
  }
}
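As an added example (not code from the original post), the Linux resource above reworked so that the pre-shared key is read from Azure Key Vault by Terraform, as in the first option listed earlier, and the install command lands in protected_settings rather than plaintext settings. The Key Vault, resource group, secret and VM names are assumed placeholders.

```hcl
variable "pe_server_fqdn" {
  description = "FQDN of the Puppet Enterprise master or compiler load balancer"
  type        = string
  default     = "puppetmaster.grt.local"
}

# Existing Key Vault that holds the autosign pre-shared key (assumed names)
data "azurerm_key_vault" "pe" {
  name                = "example-pe-keyvault"
  resource_group_name = "example-rg"
}

data "azurerm_key_vault_secret" "pe_psk" {
  name         = "pe-challenge-password"
  key_vault_id = data.azurerm_key_vault.pe.id
}

locals {
  # The install command is built as a plain string; jsonencode() below handles
  # the JSON escaping, so no hand-written JSON is needed.
  # curl -k is kept from the post's command and skips verification of the PE
  # server certificate; trusting the PE CA explicitly is the stricter option.
  pe_install_cmd = join(" ", [
    "curl -k https://${var.pe_server_fqdn}:8140/packages/current/install.bash",
    "| sudo bash -s",
    "custom_attributes:challengePassword=${data.azurerm_key_vault_secret.pe_psk.value}",
    "extension_requests:pp_role=web",
  ])
}

resource "azurerm_virtual_machine_extension" "linux_pe_install" {
  name                 = "PEAgentInstallLinux"
  virtual_machine_id   = azurerm_linux_virtual_machine.example.id
  publisher            = "Microsoft.Azure.Extensions"
  type                 = "CustomScript"
  type_handler_version = "2.0"

  # protected_settings is encrypted by Azure and is not returned by the
  # Azure API or shown in the portal, unlike the plaintext settings block.
  protected_settings = jsonencode({
    commandToExecute = local.pe_install_cmd
  })

  tags = {
    environment = "Production"
  }
}
```

The secret value is still written to Terraform state, so the state backend must be protected accordingly; the wrapper-script options listed above fetch the key on the VM itself and keep it out of state entirely.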
Windows
The Puppet Enterprise agent installation script for Windows uses PowerShell and an example is shown below:
The hostname should be replaced with the FQDN of your Puppet Enterprise master or compiler load balancer.
[System.Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; [Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}; $webClient = New-Object System.Net.WebClient; $webClient.DownloadFile('https://puppetmaster.grt.local:8140/packages/current/install.ps1', 'install.ps1'); .\install.ps1 custom_attributes:challengePassword=PASSWORD123 extension_requests:pp_role=database
Once we’ve got our installation command we just need to add it to an azurerm_virtual_machine_extension Terraform resource.
resource "azurerm_virtual_machine_extension" "windows_pe_install" {
  name                 = "PEAgentInstallWindows"
  virtual_machine_id   = azurerm_windows_virtual_machine.example.id
  # The Windows Custom Script Extension has a different publisher, type and
  # handler version than the Linux one
  publisher            = "Microsoft.Compute"
  type                 = "CustomScriptExtension"
  type_handler_version = "1.10"
  # On Windows, commandToExecute runs under cmd.exe, so the PowerShell one-liner
  # is handed to powershell.exe; quotes and backslashes are JSON-escaped
  settings = <<SETTINGS
{
  "commandToExecute": "powershell -ExecutionPolicy Unrestricted -Command \"[System.Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; [Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}; $webClient = New-Object System.Net.WebClient; $webClient.DownloadFile('https://puppetmaster.grt.local:8140/packages/current/install.ps1', 'install.ps1'); .\\install.ps1 custom_attributes:challengePassword=PASSWORD123 extension_requests:pp_role=database\""
}
SETTINGS
  tags = {
    environment = "Production"
  }
}
There are certainly more complex or intricate configurations that can be developed to install the Puppet Enterprise agent. This post focused on providing a simple method to easily get started with deploying Puppet Enterprise agents with HashiCorp Terraform.