SCALING YOUR MIGRATION OPERATIONS
Can you scale your migration operations?
Your company is going all-in on AWS, and the sysops on the migration team just called in sick on a big migration day (probably too much work over the last few days, connecting to each instance to reconfigure them).
You are now the primary sysops on the migration, but can you migrate hundreds of servers a day and still make it home in time?
Is your nickname really OpsAutomator? Let's find out.
Task 1: Scripting is everything
Background
Congratulations on your new job! The migration lead is concerned about your ability to handle all these servers at once. Remember what happened to the previous engineer? While searching about AWS, you found out that AWS Systems Manager has a feature to automate common administrative tasks across groups of instances. This service looks like exactly what you need!
Your task
Your task is to find a way to execute the following script on every migrated instance, without having to connect to any of them. The document should be named ConfigureProxy and should run only on the Linux platform.
#!/bin/bash
set -e
PROXY="http://proxy.acme.aws:3128"
NOPROXY="169.254.169.254,ssm.eu-west-1.amazonaws.com,ec2.eu-west-1.amazonaws.com,ec2messages.eu-west-1.amazonaws.com"
mkdir -p /etc/systemd/system/snap.amazon-ssm-agent.amazon-ssm-agent.service.d
cat << EOF > /etc/systemd/system/snap.amazon-ssm-agent.amazon-ssm-agent.service.d/override.conf
[Service]
Environment="http_proxy=$PROXY"
Environment="https_proxy=$PROXY"
Environment="no_proxy=$NOPROXY"
EOF
systemctl daemon-reload
systemctl restart snap.amazon-ssm-agent.amazon-ssm-agent.service
cat << EOF > /etc/apt/apt.conf.d/02proxy
Acquire {
HTTP::proxy "$PROXY";
HTTPS::proxy "$PROXY";
}
EOF
echo "Proxy configuration complete."
Getting started
Jump to the AWS Console and start looking at how AWS Systems Manager handles remote script execution.
Inventory
Your AWS Account is provisioned with an Amazon EC2 instance named MigratedInstance that you can use for testing and troubleshooting.
Services you should use
AWS Systems Manager, Amazon EC2 for troubleshooting
Task validation
Your task is validated automatically. You can also click on the check my progress button to have some guidance.
Clue 2: Solution
In order to solve this task, you must complete the following steps:
Go to AWS Systems Manager console page.
Click on Documents
Click Create command or session
Enter “ConfigureProxy” for Name
Select YAML for content and paste the following
schemaVersion: "2.2"
description: "Command Document Example YAML Template"
mainSteps:
- action: "aws:runShellScript"
  name: "configureLinuxProxy"
  precondition:
    StringEquals:
    - platformType
    - Linux
  inputs:
    runCommand:
    - '#!/bin/bash'
    - 'set -e'
    - 'PROXY="http://proxy.acme.aws:3128"'
    - 'NOPROXY="169.254.169.254,ssm.eu-west-1.amazonaws.com,ec2.eu-west-1.amazonaws.com,ec2messages.eu-west-1.amazonaws.com"'
    - 'mkdir -p /etc/systemd/system/snap.amazon-ssm-agent.amazon-ssm-agent.service.d'
    - 'cat << EOF > /etc/systemd/system/snap.amazon-ssm-agent.amazon-ssm-agent.service.d/override.conf'
    - '[Service]'
    - 'Environment="http_proxy=$PROXY"'
    - 'Environment="https_proxy=$PROXY"'
    - 'Environment="no_proxy=$NOPROXY"'
    - 'EOF'
    - 'systemctl daemon-reload'
    - 'systemctl restart snap.amazon-ssm-agent.amazon-ssm-agent.service'
    - 'cat << EOF > /etc/apt/apt.conf.d/02proxy'
    - 'Acquire {'
    - 'HTTP::proxy "$PROXY";'
    - 'HTTPS::proxy "$PROXY";'
    - '}'
    - 'EOF'
    - 'echo "Proxy configuration complete."'
The document created will have one step named configureLinuxProxy. This step has a precondition so that it runs only on Linux hosts. It then takes as input a runCommand object containing the list of shell commands to execute.
Click Create document
Task 2: If you do it twice, it’s one time too many.
Background
You made it through the day, all servers were migrated in time thanks to you, and your manager is very pleased! As he hangs up the call, he sends you an email with a list of actions to be performed during migration. Those actions were dropped from the initial migration steps because the sysops didn't have time to complete them.
FROM : manager@acme.com
Thanks again for your help today. Your script and RunCommand document really helped reduce the migration duration. Now that you have some spare time, maybe you could take care of the following list?
- Tag the instance to track which ones are being reconfigured. We had some issues with instances being missed.
- Apply the proxy settings
- Apply the patch baseline
- Remove the discovery agent
- Tag the instance to track the completion so the next team knows when to reconfigure the application.
Regards,
Your manager.
Your task
In this second task, you are expected to create an automation document named PostMigrationAutomation (case sensitive) which will perform the tasks above:
Tag the instance with the key : migration_status and the value : postmigration_started
Run the ConfigureProxy document to set the proxy settings
Run AWS-RunPatchBaseline document to check the instance for updates
Run the RemoveDiscoveryAgent document to clean the server from the discovery agent
Tag the instance with the key : migration_status and the value : postmigration_completed
Getting started
Open AWS Systems Manager console and look for some samples.
Inventory
One IAM Role to use to delegate the automation in the Output properties
Services you should use
AWS Systems Manager, Amazon EC2 for troubleshooting
Task validation
Your task is validated automatically. You can also click on the check my progress button to have some guidance.
NB:
You are not expected to run the automation document for successful completion of the challenge.
Clue 2: Solution
To solve this task, you must perform the following actions.
Go to AWS Systems Manager console.
Go to Documents.
Click on Create automation.
Enter “PostMigrationAutomation” as Name.
Enter the ARN of SSMAutomationRole for Assume role.
For Input parameters, Parameter name enter “instanceId”.
For Step 1:
Enter “tag_start” for Step Name.
Select Create tags for AWS resources for Action type.
Enter - '{{instanceId}}' for Resource IDs under Inputs.
Enter [{"Key": "migration_status", "Value": "postmigration_started"}] for Tags.
Click on Add step.
For Step 2:
Enter “configure_proxy” for Step Name.
Select Run a command on a managed instance for Action type.
Enter “ConfigureProxy” for Document name under Inputs
Enter - '{{instanceId}}' for InstanceIds under Inputs.
Click on Add step.
For Step 3:
Enter “patch_instance” for Step Name.
Select Run a command on a managed instance for Action type.
Enter “AWS-RunPatchBaseline” for Document name under Inputs
Enter - '{{instanceId}}' for InstanceIds under Inputs.
Click on Add step.
For Step 4:
Enter “remove_discovery_agent” for Step Name.
Select Run a command on a managed instance for Action type.
Enter “RemoveDiscoveryAgent” for Document name under Inputs
Enter - '{{instanceId}}' for InstanceIds under Inputs.
Click on Add step.
For Step 5:
Enter “tag_complete” for Step Name.
Select Create tags for AWS resources for Action type.
Enter - '{{instanceId}}' for Resource IDs under Inputs.
Enter [{"Key": "migration_status", "Value": "postmigration_completed"}] for Tags.
Click on Create automation.
This document will perform the 5 steps of tagging, configuring the proxy, patching, removing the agent and tagging again. All these steps will be launched through the SSM Automation Role. The parameter instanceId determines which instance is targeted.
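The same five steps written as an Automation document in YAML, which can be pasted into the document editor instead of filling in the step form. This is an added example, not part of the original challenge material: the account ID in the role ARN is a placeholder, and Operation: Scan for AWS-RunPatchBaseline is an assumption drawn from the task's "check the instance for updates" wording.

```yaml
# Added example: YAML form of the PostMigrationAutomation steps described above.
description: Post-migration tagging, proxy setup, patch scan and agent removal
schemaVersion: '0.3'
# Placeholder ARN: substitute the SSMAutomationRole ARN from your Output properties.
assumeRole: arn:aws:iam::123456789012:role/SSMAutomationRole
parameters:
  instanceId:
    type: String
    description: ID of the migrated EC2 instance to process
mainSteps:
  - name: tag_start
    action: aws:createTags
    inputs:
      ResourceType: EC2
      ResourceIds:
        - '{{instanceId}}'
      Tags:
        - Key: migration_status
          Value: postmigration_started
  - name: configure_proxy
    action: aws:runCommand
    inputs:
      DocumentName: ConfigureProxy
      InstanceIds:
        - '{{instanceId}}'
  - name: patch_instance
    action: aws:runCommand
    inputs:
      DocumentName: AWS-RunPatchBaseline
      InstanceIds:
        - '{{instanceId}}'
      Parameters:
        Operation: Scan   # assumption: check for updates only, do not install
  - name: remove_discovery_agent
    action: aws:runCommand
    inputs:
      DocumentName: RemoveDiscoveryAgent
      InstanceIds:
        - '{{instanceId}}'
  - name: tag_complete
    action: aws:createTags
    inputs:
      ResourceType: EC2
      ResourceIds:
        - '{{instanceId}}'
      Tags:
        - Key: migration_status
          Value: postmigration_completed
```

No step sets onFailure, so the default applies and a failed step aborts the run: an instance still tagged postmigration_started after the automation ends is one that needs attention.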
Task 3: All hands off ! Time to relax
Keeping track of migrated servers
Background
You automated all the post-migration steps and servers are being migrated day in, day out. You made sure to never forget a server by tagging them when the post-migration starts and when it ends. As the migration project is a bit behind schedule, your manager is calling in to ask if you could postpone your holidays to keep the migration flowing. As you have no intention of doing so, you are looking for a way to trigger the automation automatically, even while on holiday.
Your task
In this third task, you should trigger the automation when the tag migration_status = ready_for_postmigration is set. You can do so by creating a rule for the associated event in CloudTrail. The rule should be named AutomationTrigger.
Sample event:
{
  "version": "0",
  "id": "67df5f3e-57ea-fac5-4c6e-fc83b9abcdef",
  "detail-type": "AWS API Call via CloudTrail",
  "source": "aws.ec2",
  "account": "123456789012",
  "time": "2020-10-19T06:22:21Z",
  "region": "eu-west-1",
  "resources": [],
  "detail": {
    "eventVersion": "1.05",
    "userIdentity": {
      "type": "AssumedRole",
      "principalId": "AROAI4UAWJ76D55TKEVY6:Example",
      "arn": "arn:aws:sts::123456789012:assumed-role/Admin/ExampleSession",
      "accountId": "123456789012",
      "accessKeyId": "ASIAUTDEHZRDLEXAMPLE",
      "sessionContext": {
        "sessionIssuer": {
          "type": "Role",
          "principalId": "AROAI4UAWJ76D5EXAMPLE",
          "arn": "arn:aws:iam::123456789012:role/Admin",
          "accountId": "123456789012",
          "userName": "Admin"
        },
        "webIdFederationData": {},
        "attributes": {
          "mfaAuthenticated": "false",
          "creationDate": "2020-10-19T06:13:22Z"
        }
      }
    },
    "eventTime": "2020-10-19T06:22:21Z",
    "eventSource": "ec2.amazonaws.com",
    "eventName": "CreateTags",
    "awsRegion": "eu-west-1",
    "sourceIPAddress": "10.0.0.1",
    "userAgent": "console.ec2.amazonaws.com",
    "requestParameters": {
      "resourcesSet": {
        "items": [
          {
            "resourceId": "i-00c9eab2d04abcdef"
          }
        ]
      },
      "tagSet": {
        "items": [
          {
            "key": "migration_status",
            "value": "ready_for_postmigration"
          }
        ]
      }
    },
    "responseElements": {
      "requestId": "a939f941-6a83-4048-9717-a9ba43485aad",
      "_return": true
    },
    "requestID": "a939f941-6a83-4048-9717-a9ba43485aad",
    "eventID": "80e3b894-d070-4ad5-b122-e0712da23d79",
    "eventType": "AwsApiCall"
  }
}
Getting started
Open Amazon EventBridge and create your own rule.
You will be dealing with JSON events, so I would recommend using a JSONPath evaluator to ease the troubleshooting.
Inventory
One IAM Role to start the automation in the Output properties.
Services you should use
Amazon EventBridge, AWS Systems Manager, Amazon EC2 for troubleshooting.
Task validation
Your task is validated automatically. You can also click on the check my progress button to have some guidance.
Clue 3: Solution
In order to solve this task:
Go to Amazon EventBridge console.
Click on Create rule.
Enter “AutomationTrigger” for Name.
Select Event pattern.
Select custom pattern.
Enter the following pattern in Event pattern.
{
  "source": [
    "aws.ec2"
  ],
  "detail-type": [
    "AWS API Call via CloudTrail"
  ],
  "detail": {
    "eventSource": [
      "ec2.amazonaws.com"
    ],
    "eventName": [
      "CreateTags"
    ],
    "requestParameters": {
      "tagSet": {
        "items": {
          "key": [
            "migration_status"
          ],
          "value": [
            "ready_for_postmigration"
          ]
        }
      }
    }
  }
}
This pattern matches aws.ec2 events delivered via CloudTrail where the event source is ec2.amazonaws.com, the event name is CreateTags, and the tag key and value are migration_status and ready_for_postmigration.
Click Save
For Select targets, choose SSM Automation.
Select PostMigrationAutomation for Document.
Choose Input Transformer for Configure automation parameter(s)
Paste the following JSON in the first cell (the input path, which stores the tagged resource IDs in a variable named instances)
{"instances": "$.detail.requestParameters.resourcesSet.items[*].resourceId"}
Paste the following JSON in the second cell (replace instanceId with the parameter name of your PostMigrationAutomation SSM document)
{"instanceId": [<instances>]}
Choose Use existing role
Select Amazon_EventBridge_Start_Automation
Click Create