
Integrating On-Prem Infrastructure With Amazon EC2 Systems Manager


As more organizations move to hybrid cloud setups, integrating what you've got on-premises can be a challenge. AWS' EC2 Systems Manager can help with automation.


At AWS re:Invent 2016, Amazon announced the availability of Amazon EC2 Systems Manager. AWS SSM is a collection of capabilities that helps automate management tasks in a hybrid cloud environment. This provides the ability to manage your existing on-premises infrastructure seamlessly with AWS.


Some of the features available in AWS SSM include:

  • Run Command: Remotely and securely manage the configuration of your managed instances at scale.
  • State Manager: Automate the process of keeping your managed instances in a defined state.
  • Inventory Manager: Automate the process of collecting software inventory from managed instances.
  • Automation: Automate common maintenance and deployment tasks.

Additional capabilities shared across the four services include:

  • Maintenance Window: Set up recurring schedules for managed instances to execute administrative tasks like installing patches and updates without interrupting business-critical operations.
  • Parameter Store: Centralize the management of configuration data.

The SSM User Guide provides all the details of the features offered by the service. The following outlines how to get SSM set up on your SUSE Linux Enterprise Server instances.

SSM Setup

For this tutorial, we will focus on EC2 instances and the Run Command. For more information on setting up SSM for on-premises systems, see the Amazon user guide's “Setting Up Systems Manager in Hybrid Environments” section.

The following steps are required to get started with AWS SSM:

  • Launch an instance with the proper role
  • Install the amazon-ssm-agent on the new instance
  • (Optional) Add permissions to your user

To enable system management on an instance, the instance must be launched with the proper role. See the “Configuring Security Roles for Systems Manager” section of the user guide.

Once the EC2 instance is running, it’s time to install the agent. For SUSE Linux Enterprise Server, the agent is available in the Public Cloud Module. Use the following commands to install, enable, and start the SSM agent (as root).

zypper refresh

zypper in amazon-ssm-agent

systemctl enable amazon-ssm-agent

systemctl start amazon-ssm-agent


The agent is now running on the instance and ready to accept commands.

Remote Management With aws-cli

With the setup complete, we can now manage the instance remotely and set up automated tasks. Systems with a running SSM agent can be managed with the aws-cli or through the web console. SUSE Linux Enterprise Server 12 and later images have the aws-cli package pre-installed and you can configure the CLI with:

aws configure


If you want to run the aws-cli on your local system, the package is part of the Public Cloud Module repository and can be installed by running (as root):

zypper in aws-cli


At this point, we should have a SUSE Linux Enterprise Server instance running with the proper role and the amazon-ssm-agent active. Additionally, we have set up a user with access to SSM and installed aws-cli to manage the instance remotely. To confirm the instance is accessible, run the following command:

aws ssm describe-instance-information --instance-information-filter-list key=InstanceIds,valueSet={instanceid}


This command should return information regarding the instance.

{
    "InstanceInformationList": [
        {
            "IsLatestVersion": false, 
            "ComputerName": "ip-10.10.10.10.us-west-1.compute.internal", 
            "PingStatus": "Online", 
            "InstanceId": "{instanceid}", 
            "ResourceType": "EC2Instance", 
            "AgentVersion": "2.0.558.0", 
            "IPAddress": "10.10.10.10", 
            "PlatformType": "Linux", 
            "LastPingDateTime": 1482355841.974
        }
    ]
}


Now that we have confirmed the agent is running properly on the instance, it’s time to send remote commands.

Run Command

Run Command, one of the features provided by AWS SSM, offers a way to remotely manage Amazon Elastic Compute Cloud (EC2) instances. To initiate a command on the instance, send it as follows:

command_id=$(aws ssm send-command --instance-ids "{instanceid}" --document-name "AWS-RunShellScript" --comment "Zypper Update" --parameters commands="sudo zypper -n up" --output text --query "Command.CommandId")


This will send the command “sudo zypper -n up” to all instances listed. It will trigger an update on the instance and return the output. The query option returns the CommandId. This is the ID we will use to retrieve the command status and output.

aws ssm list-command-invocations --command-id $command_id --details


You should see information about the command that was run. As a note, the output of the command is truncated after the first 2500 characters. To view the entire output you can configure the command to log output to an S3 bucket.

{
    "CommandInvocations": [
        {
            "Comment": "Zypper Update", 
            "Status": "Success", 
            "CommandPlugins": [
                {
                    "Status": "Success", 
                    "ResponseStartDateTime": 1482355637.705, 
                    "StandardErrorUrl": "", 
                    "OutputS3BucketName": "", 
                    "OutputS3Region": "us-west-1", 
                    "OutputS3KeyPrefix": "", 
                    "ResponseCode": 0, 
                    "Output": "---Output truncated---", 
                    "ResponseFinishDateTime": 1482355726.472, 
                    "StatusDetails": "Success", 
                    "StandardOutputUrl": "", 
                    "Name": "aws:runShellScript"
                }
            ], 
            "ServiceRole": "", 
            "InstanceId": "{instanceid}", 
            "DocumentName": "AWS-RunShellScript", 
            "NotificationConfig": {
                "NotificationArn": "", 
                "NotificationEvents": [], 
                "NotificationType": ""
            }, 
            "StatusDetails": "Success", 
            "StandardOutputUrl": "", 
            "StandardErrorUrl": "", 
            "InstanceName": "", 
            "CommandId": "{commandid}", 
            "RequestedDateTime": 1482355636.877
        }
    ]
}
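The check below is an added example, not part of the original article: it reads `list-command-invocations --details` output and reports invocations that did not succeed, plugins with a non-zero exit code, and output that was truncated with no S3 bucket configured to hold the full log. The sample JSON, instance IDs and bucket name are constructed for illustration.

```python
import json

TRUNCATION_MARKER = "---Output truncated---"  # marker shown in the article's sample output

# Constructed sample in the shape of `aws ssm list-command-invocations --details`;
# instance IDs, bucket name and command output are made up for this example.
SAMPLE = json.dumps({
    "CommandInvocations": [
        {"InstanceId": "i-0aaa", "Status": "Success", "CommandPlugins": [
            {"Name": "aws:runShellScript", "Status": "Success", "ResponseCode": 0,
             "Output": "Loading repository data\n---Output truncated---",
             "OutputS3BucketName": ""}]},
        {"InstanceId": "i-0bbb", "Status": "Failed", "CommandPlugins": [
            {"Name": "aws:runShellScript", "Status": "Failed", "ResponseCode": 4,
             "Output": "zypper exited with an error",
             "OutputS3BucketName": "example-ssm-logs"}]},
        {"InstanceId": "i-0ccc", "Status": "Success", "CommandPlugins": [
            {"Name": "aws:runShellScript", "Status": "Success", "ResponseCode": 0,
             "Output": "Nothing to do.", "OutputS3BucketName": ""}]},
    ]
})


def audit_invocations(raw):
    """Return (instance_id, finding, detail) tuples for every problem found."""
    findings = []
    for inv in json.loads(raw).get("CommandInvocations", []):
        instance = inv.get("InstanceId", "<unknown>")
        # Anything other than Success (Failed, TimedOut, Pending, ...) is reported.
        if inv.get("Status") != "Success":
            findings.append((instance, "invocation-status", inv.get("Status")))
        for plugin in inv.get("CommandPlugins", []):
            if plugin.get("ResponseCode", 0) != 0:
                findings.append((instance, "nonzero-exit", plugin.get("ResponseCode")))
            # Truncated output with no bucket means the full log was not kept anywhere.
            truncated = TRUNCATION_MARKER in plugin.get("Output", "")
            if truncated and not plugin.get("OutputS3BucketName"):
                findings.append((instance, "output-lost", "truncated, no S3 bucket"))
    return findings


if __name__ == "__main__":
    for finding in audit_invocations(SAMPLE):
        print(*finding, sep="\t")
```

To run it against real output, pipe the JSON from the `list-command-invocations` call above into a file and pass its contents to `audit_invocations`.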


As you can see, the Run Command is useful for initiating tasks remotely on your instances. The send command function allows for a maximum of 50 instance IDs per invocation. It can also be used in conjunction with the other services such as Automation (auto create up-to-date images) and State Manager (periodically update instances).
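An added example, not from the original article: one way to respect the 50-instance limit and keep full output is to split the instance list into batches and build one `send-command` call per batch with S3 logging enabled. The function name, bucket name, key prefix and instance IDs are assumptions made for this sketch.

```python
import json

MAX_IDS_PER_CALL = 50  # per-invocation limit stated in the article


def build_send_command_batches(instance_ids, shell_commands, s3_bucket, s3_prefix, comment):
    """Return one aws-cli argv list per batch of at most 50 instance IDs."""
    if not instance_ids:
        raise ValueError("no instance IDs given")
    # Passing parameters as JSON keeps each shell command a single list element,
    # so spaces and quotes are not re-split by the CLI shorthand parser.
    parameters = json.dumps({"commands": list(shell_commands)})
    unique_ids = list(dict.fromkeys(instance_ids))  # drop duplicates, keep order
    batches = []
    for start in range(0, len(unique_ids), MAX_IDS_PER_CALL):
        chunk = unique_ids[start:start + MAX_IDS_PER_CALL]
        batches.append([
            "aws", "ssm", "send-command",
            "--document-name", "AWS-RunShellScript",
            "--comment", comment,
            "--instance-ids", *chunk,
            "--parameters", parameters,
            # Full stdout/stderr goes to S3 instead of being cut at 2500 characters.
            "--output-s3-bucket-name", s3_bucket,
            "--output-s3-key-prefix", s3_prefix,
            "--output", "text", "--query", "Command.CommandId",
        ])
    return batches


if __name__ == "__main__":
    import shlex
    ids = [f"i-{n:017x}" for n in range(120)]  # constructed instance IDs
    for argv in build_send_command_batches(
            ids, ["sudo zypper -n up"], "example-ssm-logs", "zypper-update", "Zypper Update"):
        # Each argv can be passed to subprocess.run() as a list, with no shell involved.
        print(shlex.join(argv)[:100], "...")
```

The instance's role needs write access to the bucket for the logs to appear there.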


Published at DZone with permission of Sean Marlow, DZone MVB. See the original article here.
