8. SSM – Inventory
Now let’s look at inventory. And inventory is used to have a list of all the stuff running onto our instances that is tracked by ssm agents. So we’ll click on Setup inventory and we’ll name this inventory association and we’ll select all managed instances in this accounts and we’ll collect data every 30 minutes. We’ll collect all these things, applications, components, network, config and so on. All these things will be collected and we can sync the inventory execution log to an entry bucket if you wanted to. So we tap into bucket name and a bucket prefix, but I’m not going to do this. Now let’s click on set up Inventory. And now we have an inventory request that has succeeded.
So now the inventory has run. If you go to settings, we can see that success. Four. So four of my instances were being gathered for the inventory and we can get access to the dashboard. Some important graph is that three of our instances are running Amazon, the next two and one of it is running Red hats. We can look at the top five applications and so on. So I think this makes a lot of sense once you have a lot of data into inventory. But more importantly, we can go to any of these managed instances. For example, this one, I can click on it and in it I have an inventory tab and I’m able to see everything within aws application that is installed.
So all these things are aws applications. I could go and see for example, aws service and look at the services. So there’s none aws components, there’s a few. So there’s the ssm agent in the cfn bootstrap and so on. So through this inventory, I’m able to have a look at what is available on each of my instances. And that’s quite helpful. So that’s it for inventory. Remember, it’s just something we have to set up once and it will run every 30 minutes and will give us some information around what is running on our EC to our onpremise instances or anything we have registered with ssm. So that’s it for this very short lecture and I will see you in the next lecture.
9. SSM – Automations
So now we are going to look into aws Systems Manager automations and they allow you to simplify common maintenance and deployment tasks of EC Two instances and other aws resources. So we can build custom workflow, we can build automation. We have a tight integration with Cloud Watch events if you wanted to automate based on the automation results and you can monitor the execution details directly in EC Two or the Systems Manager console. So some common use cases for automations would be those for example, use the aws Stop easy to instance with approval to request that one or more aws iam users approve the instance stop action and after the approval is received then the automation stops the instance.
So this is quite nice. There’s another one, for example, to update confirmation stack with approval documents to only update resources that were deployed using confirmation templates after an approval. So we need to have an iam user approve this. This could be as well to safely perform disruptive tasks in bulk. For example, using the aws restart instances with approval documents to restart them with approval as well, you can also simplify complex tasks and we’ll use that for example to create golden Amazon Linux ami machines so amis and maybe recover unreachable easy to instances. So we’ll be doing the hands on and we’ll use the aws update to Linux ami to see how we can create a fully patched golden ami from a source ami.
But we could also execute the aws support execute EC Two risk queue to recover impaired instances by rebooting them. For example. So automations do allow you to create a lot of things and we’ll go through the hands on to get quite comfortable around what it can do. And we’ll also go through some diagrams to understand exactly how it can be used in a greater system as a DevOps. So let’s go ahead with this hands on. So in this hands on we are going to create a golden ami by basically having this aws Update Linux document that will do a couple of things. It will do nine things. If we scroll down it will launch an instance.
So it will launch an Amazon Easy to instance for us and it will install the ssm agent and so on.It will update the OS software so it will make sure to run all the updates we need. Then it will stop the instance, it will create an image, then it will terminate the instance and the output of it is going to be an ami ID and this ami D is going to be fully patched. Hence the word automation. So let’s go and do this. We’re going to go to automation and execute so automation is on the left hand side and execute an automation and this one is going to be called aws Update. And we are going to use update Linux. ami So I’m going to click on this one and we could open a new tab and see what the automation document looks like.
And so if you go to content this is going to be a giant json document with all the parameters we need and as well as what it will do one by one. So all of this is pretty long and it was created by aws. But this is a nice example of a full automation document. So let’s get back in here. So we selected this aws update Linux ami and we’ll scroll down and now we’ll click on Next. Okay, now we have to put a lot of input parameters. So we need to enter a source ami ID. And for this maybe I want to use the latest ami for easy to instances. So I’ll go to launch Instance and in here I will choose this ami ID which is Amazon Linux Two and copy this here. Then I need to choose an im instance profile name that will enable ssm to manage the instance.
And so in here I go back to EC Two and we’ll find the instance profile name. So let’s go to instances in here and here is the Im role that we can use. So this one will be great. Now the automation assume role. So we’ll just have it like this and the target ami name. So what we will name the ami as excellent. The instance type G two micro, the sender ID if we want to have one, but this is fine, I’ll leave it as is. All of these are optional so we could include some packages, exclude some packages and so on. But the one that were required are set right here so hopefully that will work. Let’s click on Execute and again we get the cli command if we want to have an automation for that command.
So we’ll do execute and this automation will run for us if the assume role is unable to be assumed. So we need to be able to create that assume role first. So to create this automation assume role, what I can do is to go to the method one to use cloud formation to configure the roles for automation and that will be quick and easy. So I’ll scroll down and there is a view and launch tags. We’ll launch this tag directly into cloud formation and this confirmation stack comes straight from aws and will set up the roles we need. So let’s click on Next and then Next. And at the very bottom I will check the fact that I want to create im resources and we’ll create the stack and we’ll wait for it to be done and look at the resources that were created.
And now the create is completed.So we have three resources being created with us. So we have two im roles and one instance profile role that has been created by this cloud formation template. So if we go back to Systems Manager, actually I’m just going to fully update this. Refresh this page to redo it. So we’ll do an aws update linux ami. Here we go. And I’m going to click on next. And finally the source ami idea is this one. And it will leave the manage instance profile as is here, and it will leave this as his as well. So everything looks good. Let’s click on execute. And now the execution has been initiated. So the execution will run six steps.
It will launch an instance, verify that ssm is installed on that instance, update the Us software that will patch it, effectively stop the instance and create an ami from it, and finally terminate the instance. And this is the whole power of automation. We are able to see these steps one by one into the ui and see how they happen. So let’s wait a little bit for this to be done. Okay, so my execution has completed and the six steps will run in about five minutes total. So this is a start time and this is the end time of the last step. So this is really cool. For each step we could go ahead and drill down and see exactly what happened were the input parameters and so on.
But the important thing is that out of it, the output is that we have an image ID that was created and that’s an ami that’s going to be fully patched according to these steps. So this is really, really nice. And the other cool things is that if we went into Cloud Watch so let me go into Cloud Watch events. So I’ll go into Cloud Watch on the left hand side and click on Rules and create a rule. I can look for ssm, so Systems Manager at the very bottom of it. So systems Manager here we go. And in here I can say, okay, I want my automation and I want to know when my execution change status works. And I’m looking for the status, for example, success.
And whenever there’s success happening for my ami building, then maybe I want to run a lambda function, or maybe I want to run an inspector assessment template and look at the security of this ami that was being created. Who knows? There are so many things you could do, right? So the important thing here is that the automation is fully integrated with cloudwide events. And this will allow us to automate our DevOps task and perform some really complex workflows all within ssm. Okay? So that’s it for automation. Now let’s go into a few more examples of it.
So here’s this pdf that I have in the link of the resources, which is building a secure approved ami factory using ssm marketplace and service catalog. So this is something that was out of November 2017. Honestly, I don’t know why it’s not something that’s recommended to read for the DevOps exam, but you should definitely go through it. And the one thing I want to drag your attention onto is this little diagram which represents the solution architecture. So here we have a trigger. It could be a user, a cloud watch time event or a custom trigger. And what this will trigger is a build phase of the ami.
So from the base ami to the EC Two instance, to the updated easy to instance and to the golden ami, this is something we’ve done at automation. Then we have a validation phase where we take this golden ami, then we create an easy to instance out of it. We run some script tools, services or inspector to ensure that it is fully secure and then it is being verified. And then as soon as this is finished, the golden ami should be placed the ami ID output into the EC two systems manager parameter store. And then when this is done, all of this is one big ssm automation. When this is done, then we have a cloudwatch event that will be triggered, just the one that we have created from before.
And what this cloudwatch event will do will maybe send something into an sns topic or an email notification or a lambda function that will send something to slack saying hey, the latest Golden ami has been fully created. And the cool thing about this is that this is an entirely automated process in here. So as we can see, there is some cloud watch, there is some automation script, there is inspector, there’s cloud watch events, sns topics and so on. So this is the kind of things again that the DevOps exam could ask you to think about and create and reason about.
Okay, finally there is this last link and again it shows you, I think, the same kind of things in here, just different implementation. And here the cool thing is that you can have an article on YouTube and you can play with this tutorial if you wanted to implement the solution that was described right here. So that’s it for this lecture. I hope that automations now do make sense. As we can see, they’re very different from run commands. Run commands is just for oneoff and automation is for a list of steps that you want to execute in order. OK, so that’s it for this lecture. I will see you in the next lecture.
10. SSM – Session Manager & Cleanup
Okay, so one last thing for ssm. This is not something that I think is in the exam, but I think it is quite cool to know about. This is session manager. So we have seen how we can use EC Two Instance Connect to directly connect to our EC Two instance from within the browser. And this works really really well. But we can also do the same from Systems Manager. So let’s have a look at it. In here, I can start a session and I can choose the kind of instance I want to have. So it could be either my EC Two instances or also my on premise managed instance. So I can choose this one, for example and click on Start Session. And this starts a new terminal in this terminal window. As you can see. If I do, who am I? It shows I am ssm user.
So right now and the cool thing about it is that it looks the same as this easy to Instance Connect. But if I say echo, hello, world, and then exit So I’ll say exits and we’ll just terminate the session. The entire session right here has been recorded and there is a session history and we can see who has done sessions and when. So this can be really helpful. And all the logs and all the things coming out of these sessions could be sent into an S Three bucket or a client Cloud Watch logs stream as well if you wanted to audit this later on. So if you went to the settings we could definitely say okay, you need to write all the session output to an Amazon S Three buckets and you can also stream this to Cloud Watch Logs. And this will allow us to understand exactly what the users are doing when they launch a Session Manager on our EC Two instances.
And this is something we don’t get when we do EC Two Instance Connect. So choose the one you want accordingly. But that was it just for me, just to show you this really cool little neat trick in Systems Manager. And also the advantage is that it can also do it on on premise instances, something that EC Two Instance Connect cannot. So that’s the end of all the lectures on ssm. So what you can do in here is take the ssm and the on premise instances and you could go ahead and terminate those if you wanted to. So right click Instance Date and then terminate and then we’ll be done with those. So that’s message for this lecture, I hope you liked it and I will see you in the next lecture.