Deploying Puppet Enterprise agents with HashiCorp Terraform on Azure VMs


HashiCorp Terraform is an open source Infrastructure as Code (IaC) tool that is widely used to deploy infrastructure in public clouds such as AWS and Azure, as well as in on-premises VMware vSphere environments.

One of the recurring challenges is bootstrapping freshly provisioned instances with a configuration management agent such as the Puppet Enterprise agent. In this blog post we cover a simple way to install the Puppet Enterprise agent on Azure virtual machines provisioned with HashiCorp Terraform, and what to watch for when the bootstrap command carries a secret.

Azure virtual machine extensions

Microsoft Azure supports what are known as virtual machine extensions which are small applications that provide post-deployment configuration and automation on Azure VMs. There are a number of extensions available from companies such as DataDog, New Relic, and others. These extensions have been created to wrap the installation and configuration of their respective agents.

Custom script extension

In addition to the vendor-supplied extensions, Microsoft Azure provides a custom script extension that runs arbitrary commands or scripts on the VM once provisioning has finished. The HashiCorp Terraform Azure provider exposes this through the azurerm_virtual_machine_extension resource, which can be used to install the Puppet Enterprise agent as part of the same Terraform apply that creates the virtual machine.

Puppet Enterprise agent installation

Puppet Enterprise provides a simple method for installing the agent: an install script served by the PE master itself (install.bash for Linux and install.ps1 for Windows, under /packages/current/). Running this script lets us pass additional agent configuration on the command line, such as trusted facts to embed in the agent's certificate signing request (extension_requests:pp_role=...) or a pre-shared key (custom_attributes:challengePassword=...) that a policy-based autosigner on the master checks before signing the agent's SSL certificate. This method therefore assumes that a certificate autosigning process is already in place on the master; without one the CSR simply waits to be signed by hand. If sensitive information such as the pre-shared key is passed as part of the provisioning code, it ends up in version control, in the Terraform state file and in the extension definition stored by Azure, so it must be protected. There are several options to properly secure that information:

  • Create a custom wrapper script that dynamically fetches the sensitive information from Azure Key Vault
  • Create a custom wrapper script that dynamically fetches the sensitive information from a HashiCorp Vault deployment
  • Embed the sensitive information in a custom wrapper script that is securely stored in an Azure Blob
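The following wrapper script is an added example of the first option for Linux; it is not code from the original post or from Puppet. It fetches the challenge password from Azure Key Vault at run time using the VM's managed identity, so the secret never appears in Terraform code, Terraform state or the extension settings, and it verifies the PE server's certificate against a pinned CA bundle when one has been shipped to the VM instead of unconditionally using curl -k. The Azure IMDS token endpoint, the Metadata: true header and the Key Vault REST call are as documented by Azure; the environment variable names (PE_SERVER, KV_NAME, KV_SECRET, PE_ROLE, PE_CA_BUNDLE) and the "run" sub-command are placeholders chosen for this example. The VM is assumed to have a managed identity with get permission on the secret.

```shell
#!/bin/sh
# pe-bootstrap.sh: install the Puppet Enterprise agent on an Azure Linux VM,
# fetching the CSR challenge password from Azure Key Vault at run time.
# Added example, not from the original post. Variable names marked
# "placeholder" are assumptions made for this example.
set -euf

IMDS="http://169.254.169.254/metadata/identity/oauth2/token"  # Azure IMDS
KV_API="7.4"                                                  # Key Vault REST API version

# Extract a top-level string field from a JSON document on stdin.
# Deliberately minimal: it assumes the value contains no escaped quotes.
# Prefer jq on images where it is available.
json_field() {
  sed -n 's/.*"'"$1"'"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' | head -n 1
}

# Obtain an access token for the given (URL-encoded) resource via the
# VM's managed identity. IMDS only answers requests that carry Metadata: true.
imds_token() {                 # $1 URL-encoded resource, e.g. https%3A%2F%2Fvault.azure.net
  curl -sSf -H 'Metadata: true' \
    "$IMDS?api-version=2018-02-01&resource=$1" | json_field access_token
}

# Read the current value of a Key Vault secret with a bearer token.
keyvault_secret() {            # $1 vault name, $2 secret name, $3 access token
  curl -sSf -H "Authorization: Bearer $3" \
    "https://$1.vault.azure.net/secrets/$2?api-version=$KV_API" | json_field value
}

# Build the installer arguments: the challenge password as a CSR custom
# attribute, plus any trusted facts (pp_role=..., etc.) as extension requests.
# One argument per line so the caller can split safely on newlines.
install_args() {               # $1 challenge password, $2.. key=value trusted facts
  printf 'custom_attributes:challengePassword=%s\n' "$1"
  shift
  for fact in "$@"; do
    printf 'extension_requests:%s\n' "$fact"
  done
}

# curl TLS options for the PE server: verify against a pinned CA bundle when
# one was shipped to the VM, otherwise fall back to the post's -k.
curl_tls_opts() {              # $1 path to the PE CA bundle (may be empty or missing)
  if [ -n "$1" ] && [ -r "$1" ]; then
    printf -- '--cacert %s\n' "$1"
  else
    printf -- '-k\n'
  fi
}

main() {
  : "${PE_SERVER:?FQDN of the PE master or compiler load balancer}"  # placeholder
  : "${KV_NAME:?Key Vault name}"                                      # placeholder
  : "${KV_SECRET:?name of the secret holding the challenge password}" # placeholder
  pe_ca="${PE_CA_BUNDLE:-}"                                           # placeholder

  token=$(imds_token "https%3A%2F%2Fvault.azure.net")
  psk=$(keyvault_secret "$KV_NAME" "$KV_SECRET" "$token")

  # Split the generated arguments on newlines only, so a password
  # containing spaces survives (globbing is already off via set -f).
  old_ifs=$IFS; IFS='
'
  set -- $(install_args "$psk" "pp_role=${PE_ROLE:-web}")
  IFS=$old_ifs

  tls=$(curl_tls_opts "$pe_ca")
  # The custom script extension runs commandToExecute as root, so no sudo.
  curl -sSf $tls "https://$PE_SERVER:8140/packages/current/install.bash" | bash -s "$@"
}

# Only bootstrap when explicitly asked, e.g. from commandToExecute:
#   PE_SERVER=... KV_NAME=... KV_SECRET=... sh pe-bootstrap.sh run
if [ "${1:-}" = "run" ]; then
  main
fi
```

Ship the script to the VM through the extension's fileUris (from a private blob, using the extension's managed-identity download support) and set commandToExecute to the `sh pe-bootstrap.sh run` line shown in the trailing comment, with the environment variables exported in front of it. The only sensitive material that then appears in Terraform is the vault and secret name.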

Linux

The Puppet Enterprise agent installation script for Linux uses Bash and an example is shown below:

Replace puppetmaster.grt.local with the FQDN of your Puppet Enterprise master or compiler load balancer. Note what -k does here: it tells curl to skip certificate verification, which is needed because the PE server's certificate is issued by the PE CA that a freshly provisioned VM does not yet trust. It also means that anyone able to intercept the request on the network can feed arbitrary commands into sudo bash. Where you can, ship the PE CA certificate to the VM out of band and use --cacert instead.

curl -k https://puppetmaster.grt.local:8140/packages/current/install.bash | sudo bash -s custom_attributes:challengePassword=PASSWORD123 extension_requests:pp_role=web

Once we've got our installation command, we just need to add it to an azurerm_virtual_machine_extension Terraform resource. Because the command carries the pre-shared key, put it in protected_settings rather than settings: protected settings are encrypted by Azure and are not returned when the extension is read back through the API or the portal, whereas settings are stored and returned in clear text. The value still lands in the Terraform state file, so the state needs to be protected as well, or the key fetched at run time as described above.

resource "azurerm_virtual_machine_extension" "linux_pe_install" {
  name                 = "PEAgentInstallLinux"
  virtual_machine_id   = azurerm_linux_virtual_machine.example.id
  publisher            = "Microsoft.Azure.Extensions"
  type                 = "CustomScript"
  type_handler_version = "2.0"

  # The command contains the challenge password, so it goes in
  # protected_settings (encrypted, not readable back from the API).
  protected_settings = <<SETTINGS
    {
      "commandToExecute": "curl -k https://puppetmaster.grt.local:8140/packages/current/install.bash | sudo bash -s custom_attributes:challengePassword=PASSWORD123 extension_requests:pp_role=web"
    }
SETTINGS

  tags = {
    environment = "Production"
  }
}

Windows

The Puppet Enterprise agent installation script for Windows uses PowerShell and an example is shown below:

Replace puppetmaster.grt.local with the FQDN of your Puppet Enterprise master or compiler load balancer. The ServerCertificateValidationCallback = {$true} assignment is the PowerShell equivalent of curl -k: it accepts any server certificate for the download, for the same reason and with the same risk. Where you can, install the PE CA certificate into the machine's trust store first and drop that line.

[System.Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; [Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}; $webClient = New-Object System.Net.WebClient; $webClient.DownloadFile('https://puppetmaster.grt.local:8140/packages/current/install.ps1', 'install.ps1'); .\install.ps1 custom_attributes:challengePassword=PASSWORD123 extension_requests:pp_role=database

The Windows command goes into its own azurerm_virtual_machine_extension resource. Two things differ from the Linux case: the Windows custom script extension is a separate extension (publisher Microsoft.Compute, type CustomScriptExtension; the Microsoft.Azure.Extensions/CustomScript extension is Linux-only and fails on a Windows VM), and commandToExecute is run as a plain Windows command line, so PowerShell has to be invoked explicitly. The backslash in .\install.ps1 also has to be escaped inside the JSON string. As on Linux, the command carries the pre-shared key, so it belongs in protected_settings.

resource "azurerm_virtual_machine_extension" "windows_pe_install" {
  name                 = "PEAgentInstallWindows"
  virtual_machine_id   = azurerm_windows_virtual_machine.example.id
  publisher            = "Microsoft.Compute"
  type                 = "CustomScriptExtension"
  type_handler_version = "1.10"

  # Invoke PowerShell explicitly; the command string is JSON, so the
  # inner double quotes and the backslash are escaped.
  protected_settings = <<SETTINGS
    {
      "commandToExecute": "powershell.exe -ExecutionPolicy Bypass -Command \"[System.Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; [Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}; $webClient = New-Object System.Net.WebClient; $webClient.DownloadFile('https://puppetmaster.grt.local:8140/packages/current/install.ps1', 'install.ps1'); .\\install.ps1 custom_attributes:challengePassword=PASSWORD123 extension_requests:pp_role=database\""
    }
SETTINGS

  tags = {
    environment = "Production"
  }
}

There are certainly more elaborate configurations that can be built on top of this, such as the Key Vault or HashiCorp Vault wrappers mentioned above. This post focused on a simple method to get started with deploying Puppet Enterprise agents with HashiCorp Terraform, and on keeping the pre-shared key out of the clear-text parts of the deployment while doing so.
