homeblogpuppet integration

The Future of Hybrid Cloud Automation

Over the past year, we’ve talked to people building and operating the next generation of applications. Across the map, we saw cloud-native applications built upon an ever-increasing number of public cloud infrastructure APIs, tools, and managed services. Modern infrastructure lets anyone create automation, not just a few gatekeepers. This shift is powerful, but comes at the cost of complexity, which we built Relay to manage.

Puppet, the missing link

But does adopting public cloud mean you can forget all the stuff you ran on-premises? Have you suddenly shut down everything running in your datacenter? I don't think so. As public cloud adoption grows, there's greater urgency than ever to automate across a hybrid environment. If only there were a tool to help us do this 🤔.

Turns out there is. Puppet is the most powerful configuration management tool in the solar system. For thousands of organizations, it’s the engine that drives their compliance, baseline, drift remediation, and deployment needs across public cloud and on-premises infrastructure. Puppet’s massive ecosystem of open source modules provides out-of-the-box content for managing millions of resources in the desired state model.

Puppet and Relay

Today, we’re introducing a new Relay integration for Puppet and Puppet Enterprise. This integration helps open source Puppet users and Puppet Enterprise users automate their hybrid environments with Relay’s event-driven workflows.

Puppet users can now do things like:

  • If you typically run Puppet in noop mode, use Relay to trigger a run in enforcement mode in response to a Puppet resource change.
  • Automatically inform individuals on Slack or Teams when a custom fact’s value changes.
  • Shut down an EC2 instance in response to a security or compliance violation for forensics analysis later.

How It Works

This integration requires installation of the puppetlabs/relay module from the Forge into your puppetserver. This module does two things:

  1. Listens to Puppet runs and triggers Relay workflows
  2. Enables Relay to talk back to Puppet to trigger Puppet runs

Relay and Puppet diagram

It does both of these things without requiring you to punch a hole in your firewall. Instead, Relay installs an agent on your puppet server that provides connectivity back to the Relay service. For more details, check out the puppetlabs/relay module.

Example: Responding to a compliance violation

Say you’re running a Puppet agent on an EC2 instance and the latest report shows that your sudoers file changed. Yikes!

Maybe it was just a mistake (after all, Puppet did correct it), but let’s not take our chances. Let’s shut down that EC2 instance to do some forensic analysis later and figure out what happened.

First, click here to install this workflow in your Relay account. This will set up the Puppet trigger to listen for new Puppet reports.

In the workflow, click Settings and copy the JWT access token:

Relay push trigger configuration

Next, you’ll need to install the puppetlabs/relay module on your puppetserver. This will listen for Puppet runs and tell Relay about them.

To configure your puppetserver to start sending reports, add this to the node classification for your puppetserver nodes:

Replace the relay_trigger_token value here with the JWT access token you copied earlier.

Then configure your AWS connection by supplying a user credential that has permission to stop EC2 instances.

To test it out, kick off a Puppet run on one of your nodes (or on the puppetserver):

When a sudoers file resource change is detected during a Puppet run, Relay will prompt you to approve the action to shut down the EC2 instance.