Posted by

Posted on

November 12, 2015

Posted under

AWS

Comments

How to wing the AWS certification exam

Solutions-Architect-Associate A couple of months ago I undertook the AWS Solutions Architect – Associate exam, which I happily passed with a score of 85%.

Whilst I went into the exam with almost no preparation at all, I’ve put together some tips to best prepare yourself for the exam.

Please note that when you undertake the exam, you are required to sign a NDA, which forbids from sharing the contents of the exam questions.

The certification

AWS certifications are valid for 2 years and are useful to test your knowledge, boost your credentials plus you get access to the Amazon Partner Network.

The next level after the associate exam is the professional exam. The main differences between the two are:

Associate level

Technical
Troubleshooting
Common scenarios

Professional level

Much more in depth
Complex scenarios

The associate exam duration is 80 minutes whilst the professional exam duration is 170 minutes. You are taken into the exam room (you cannot bring anything at all with you), the questions are multiple choice answers. At the end of the exam you are immediately presented with the results on the screen.

If you fail the exam, you’ll have to wait 30 days before you can try again.

Preparation

The exam questions are well written, it’s not an exam you can just study for and hope you’ll pass, you need to have plenty of hands-on experience. And the best experience you can get is in your profession.

Some tips to best prepare yourself:

Practice, practice, practice !
Read the AWS whitepapers aws.amazon.com/whitepapers
Sign up to Cloud Academy cloudacademy.com
Sign up to Linux Academy linuxacademy.com
Read the AWS sample questions and discuss them with your colleagues
Undertake the AWS practice exam (US$20: 20 questions / 30 mins)

The Cloud and Linux Academy have online courses and lots of quizzes. The official AWS practice exam is useful to undertake last, as you get to practice against the timer which can be distracting.

AWS Solutions Architect – Associate exam

The scoring breakdown for the exam I undertook is:

Designing highly available, cost efficient, fault tolerant, scalable systems
Implementation / Deployment
Security
Troubleshooting

My impressions are:

It’s not easy, the questions are well composed for architects with plenty of experience
Some of the questions are long
AWS states one year minimum experience, it depends on how many services you got exposed to. Despite having used AWS extensively since 2008, I found some of the questions challenging
The questions are high level but also hands-on
The exam covers most main AWS services

For the AWS services covered, whilst each exam is different, they cover roughly:

75% EC2 (ELB, EBS, AMI…), VPC & IAM roles
25% other services (Storage Gateway, Route53, Cloudfront, SQS, RDS, SES, DynamoDB etc…)

Exam gotchas

For the Solutions Architect exam:

There are architecture for totally different scenarios
Be mindful of cost effective vs best design vs default architecture
Security is very important to know (e.g. Security groups, /ACL statefull/stateless etc…)
Good practice with troubleshooting is essential
Some questions can be easily answered by elimination

Exam tips

Some tips for when you sit the exam:

Prepare yourself
Take your time
Don’t pay too much attention to the timer
Read the questions carefully
Mark questions for review later
Leave at least 10/15 mins to review

The AWS certification exam can be stressful but also fun, good luck if you intend to undertake it !

Posted by

Tom Murphy

Posted on

September 3, 2014

Posted under

AWS

Comments

1 Comment

Infrastructure automation with Terraform

Hashicorp, the cool guys behind Vagrant, Packer etc… have done it again and come up with a simple way build, modify and destroy cloud infrastructure. It is pure infrastructure as code which can be version controlled. But the best part is that it can work with many cloud platforms: AWS, Google Cloud, Digital Ocean, Heroku etc…

Getting Started

The official documentation can be found here.

Download the zip package from http://www.terraform.io/downloads.html for your O.S., extract and move the executables into your /usr/local/bin (or add the folder to your $PATH).

Verify the installation by executing:

$ terraform
  usage: terraform [--version] [--help] <command></command> []

1 2	$ terraform usage: terraform [--version] [--help] <command></command> []

We‘ll be using AWS as the provider so you will need an access and secret key for your user account.

Create a folder where you will keep all your .tf files. You can later add this folder to Git version control.

Provisioning a single EC2 instance

Create a file called web-instance.tf with the following:

provider "aws" {
  access_key = "xxxx"
  secret_key = "xxxx"
  region = "ap-southeast-2"
}

resource "aws_instance" "web" {
  ami = "ami-972444ad"
  instance_type = "t2.micro"
}

provider "aws" {

access_key = "xxxx"

secret_key = "xxxx"

region = "ap-southeast-2"

}

resource "aws_instance" "web" {

ami = "ami-972444ad"

instance_type = "t2.micro"

}

The provider line tells Terraform to use the aws provider using the keys and region provided.
The aws_instance instructs Terraform to create a instance with a tag “web” using the Ubuntu 14.04 LTS AMI.

Before building infrastructure Terraform can give you a preview of the changes it will apply to the infrastructure:

$ terraform plan
...
+ aws_instance.web
  ami:               "" => "ami-972444ad"
  availability_zone: "" => "computed"
  instance_type:     "" => "t2.small"
  key_name:          "" => "computed"
  private_dns:       "" => "computed"
  private_ip:        "" => "computed"
  public_dns:        "" => "computed"
  public_ip:         "" => "computed"
  security_groups.#: "" => "computed"
  subnet_id:         "" => "computed"

$ terraform plan

...

+ aws_instance.web

ami: "" => "ami-972444ad"

availability_zone: "" => "computed"

instance_type: "" => "t2.small"

key_name: "" => "computed"

private_dns: "" => "computed"

private_ip: "" => "computed"

public_dns: "" => "computed"

public_ip: "" => "computed"

security_groups.#: "" => "computed"

subnet_id: "" => "computed"

It uses Git diff syntaxing to show the differences with the current state of the infrastructure. Currently there’s no aws_instance tagged “web”, hence the line has a +
The “computed” values means that they will be known after the resource has been created.

To apply the .tf run:

$ terraform apply
aws_instance.web: Creating...
  ami:               "" => "ami-972444ad"
  availability_zone: "" => "computed"
  instance_type:     "" => "t2.small"
  key_name:          "" => "computed"
  private_dns:       "" => "computed"
  private_ip:        "" => "computed"
  public_dns:        "" => "computed"
  public_ip:         "" => "computed"
  security_groups.#: "" => "computed"
  subnet_id:         "" => "computed"
aws_instance.web: Creation complete

Apply complete! Resources: 1 added, 0 changed, 0 destroyed.
…
State path: terraform.tfstate

$ terraform apply

aws_instance.web: Creating...

ami: "" => "ami-972444ad"

availability_zone: "" => "computed"

instance_type: "" => "t2.small"

key_name: "" => "computed"

private_dns: "" => "computed"

private_ip: "" => "computed"

public_dns: "" => "computed"

public_ip: "" => "computed"

security_groups.#: "" => "computed"

subnet_id: "" => "computed"

aws_instance.web: Creation complete

Apply complete! Resources: 1 added, 0 changed, 0 destroyed.

…

State path: terraform.tfstate

Now check the AWS console, the instance has successfully been created !

The terraform.tfstate file which gets generated is very important as it contains the current state of the infrastructure in AWS. For this reason it’s important to version control it in Git if others are working on the infrastructure (not at the same time).

Modifying the infrastructure

Edit your web-instance.tf file and changed the instance type from t2.micro to t2.small then check what will change:

$ terraform plan
Refreshing Terraform state prior to plan...

aws_instance.web: Refreshing state... (ID: i-976a32a9)
...
-/+ aws_instance.web
  ami:               "ami-972444ad" => "ami-972444ad"
  availability_zone: "ap-southeast-2b" => "computed"
  instance_type:     "t2.micro" => "t2.small" (forces new resource)
  key_name:          "" => "computed"
  private_dns:       "ip-172-31-3-63.ap-southeast-2.compute.internal" => "computed"
  private_ip:        "172.31.3.63" => "computed"
  public_dns:        "ec2-54-206-108-0.ap-southeast-2.compute.amazonaws.com" => "computed"
  public_ip:         "54.206.108.0" => "computed"
  security_groups.#: "1" => "computed"
  subnet_id:         "subnet-c4bf8bad" => "computed"

$ terraform plan

Refreshing Terraform state prior to plan...

aws_instance.web: Refreshing state... (ID: i-976a32a9)

...

-/+ aws_instance.web

ami: "ami-972444ad" => "ami-972444ad"

availability_zone: "ap-southeast-2b" => "computed"

instance_type: "t2.micro" => "t2.small" (forces new resource)

key_name: "" => "computed"

private_dns: "ip-172-31-3-63.ap-southeast-2.compute.internal" => "computed"

private_ip: "172.31.3.63" => "computed"

public_dns: "ec2-54-206-108-0.ap-southeast-2.compute.amazonaws.com" => "computed"

public_ip: "54.206.108.0" => "computed"

security_groups.#: "1" => "computed"

subnet_id: "subnet-c4bf8bad" => "computed"

The value for instance_type has changed, apply the new changes:

$ terraform apply
aws_instance.web: Refreshing state... (ID: i-976a32a9)
aws_instance.web: Destroying...
aws_instance.web: Destruction complete
aws_instance.web: Modifying...
  ami:               "ami-972444ad" => "ami-972444ad"
  availability_zone: "ap-southeast-2b" => "computed"
  instance_type:     "t2.micro" => "t2.small"
  key_name:          "" => "computed"
  private_dns:       "ip-172-31-3-63.ap-southeast-2.compute.internal" => "computed"
  private_ip:        "172.31.3.63" => "computed"
  public_dns:        "ec2-54-206-108-0.ap-southeast-2.compute.amazonaws.com" => "computed"
  public_ip:         "54.206.108.0" => "computed"
  security_groups.#: "1" => "computed"
  subnet_id:         "subnet-c4bf8bad" => "computed"
aws_instance.web: Modifications complete

Apply complete! Resources: 0 added, 1 changed, 1 destroyed.

$ terraform apply

aws_instance.web: Refreshing state... (ID: i-976a32a9)

aws_instance.web: Destroying...

aws_instance.web: Destruction complete

aws_instance.web: Modifying...

ami: "ami-972444ad" => "ami-972444ad"

availability_zone: "ap-southeast-2b" => "computed"

instance_type: "t2.micro" => "t2.small"

key_name: "" => "computed"

private_dns: "ip-172-31-3-63.ap-southeast-2.compute.internal" => "computed"

private_ip: "172.31.3.63" => "computed"

public_dns: "ec2-54-206-108-0.ap-southeast-2.compute.amazonaws.com" => "computed"

public_ip: "54.206.108.0" => "computed"

security_groups.#: "1" => "computed"

subnet_id: "subnet-c4bf8bad" => "computed"

aws_instance.web: Modifications complete

Apply complete! Resources: 0 added, 1 changed, 1 destroyed.

Instead of stopping the existing instance and upscaling it, it destroys and creates a new aws_instance resource.

Destroying the infrastructure

Before destroying infrastructure, Terraform needs to generate a destroy plan which lists the resources to destroy, to a file here named destroy.tplan

$ terraform plan -destroy -out=destroy.tfplan
Refreshing Terraform state prior to plan...

aws_instance.web: Refreshing state... (ID: i-3a6f3704)
...
Path: destroy.tfplan

- aws_instance.web

$ terraform plan -destroy -out=destroy.tfplan

Refreshing Terraform state prior to plan...

aws_instance.web: Refreshing state... (ID: i-3a6f3704)

...

Path: destroy.tfplan

- aws_instance.web

The line with – confirms that the aws_instance resource tagged web will be destroyed, lets apply the destruction plan:

$ terraform apply destroy.tfplan
aws_instance.web: Destroying...
aws_instance.web: Destruction complete

Apply complete! Resources: 0 added, 0 changed, 1 destroyed.

$ terraform apply destroy.tfplan

aws_instance.web: Destroying...

aws_instance.web: Destruction complete

Apply complete! Resources: 0 added, 0 changed, 1 destroyed.

Provisioning a multi-tiered VPC

Terraform can provision a VPC using most of the available VPC resources, except a few which are missing.

Here we provision 2 web instances, 2 application instances and a nat instance within 2 tier VPC, complete with appropriate security groups, load balancers, route tables, internet gateway, elastic IP etc…

The gist can be viewed here.

Conclusion

Terraform is an use out of the box ready and easy to use tool to build infrastructure using only a couple of lines. It’s very practical to quickly build a proof of concept infrastructure.

Using the AWS provider, it’s missing a couple of resources such as Elastic Network Interfaces, Access Control Lists, Security Groups egress rules, VPC DHCP options plus it does not support User Data (it can only execute remote ssh commands). However at version 0.2.1 it is still very early days and no doubt we will be seeing lots of improvements to Terraform in the future !

Posted by

Tom Murphy

Posted on

February 20, 2014

Posted under

Puppet

Comments

15 Comments

Automated Nagios monitoring with Puppet exported resources

One of the coolest things Puppet can do is create exported resources. In plain words it means that you can include a manifest on all your nodes which then gets customised and applied for each node thanks to the node facts.
A popular usage of exported resources is automating Nagios monitoring. Instead of manually creating a Nagios configuration with the basic checks such as load, disk usage etc… then duplicating it for each server and changing the hostname, an exported resource can do it all for you by including a single manifest.

PuppetDB configuration

Exported resources requires storing facts for the Puppet nodes so we need PuppetDB installed on the PuppetMaster.

sudo puppet resource package puppetdb ensure=latest
sudo puppet resource package puppetdb-terminus ensure=latest

1 2	sudo puppet resource package puppetdb ensure=latest sudo puppet resource package puppetdb-terminus ensure=latest

Create /etc/puppet/puppetdb.conf

[main]
server = puppet.bluemalkin.net
port = 8081
soft_write_failure = false

[main]

server = puppet.bluemalkin.net

port = 8081

soft_write_failure = false

Add to /etc/puppet/puppet.conf under [main]

[main]
storeconfigs = true
storeconfigs_backend = puppetdb

[main]

storeconfigs = true

storeconfigs_backend = puppetdb

Create /etc/puppet/routes.yaml

---
master:
  facts:
    terminus: puppetdb
    cache: yaml

---

master:

facts:

terminus: puppetdb

cache: yaml

Start PuppetDB and restart the PuppetMaster:

sudo service puppetdb start
sudo service puppetmaster restart

1 2	sudo service puppetdb start sudo service puppetmaster restart

Nagios Server Configuration

Create a Nagios module with the following manifests:

nagios/manifests/init.pp

class nagios {
    include nagios::install
    include nagios::service
    include nagios::import
}

class nagios {

include nagios::install

include nagios::service

include nagios::import

}

nagios/manifests/install.pp

class nagios::install {
    package { [ 'nagios4', 'nagios-plugins', 'nagios-nrpe-plugin' ]:
        ensure  => present,
    }
}

class nagios::install {

package { [ 'nagios4', 'nagios-plugins', 'nagios-nrpe-plugin' ]:

ensure => present,

}

Note that at the time of writing, Nagios 4 isn’t available as a package for Ubuntu 12.04 LTS so we’re assuming you built your own one which installs it under /etc/nagios4

nagios/manifests/service.pp

class nagios::service {

    exec { 'fix-permissions':
        command     => "find /etc/nagios4/conf.d -type f -name '*cfg' | xargs chmod +r",
        refreshonly => true,
    } ->

    service { 'nagios':
        ensure      => running,
        enable      => true,
        require     => Class[ 'nagios::install' ], 
    }
}

class nagios::service {

exec { 'fix-permissions':

command => "find /etc/nagios4/conf.d -type f -name '*cfg' | xargs chmod +r",

refreshonly => true,

} ->

service { 'nagios':

ensure => running,

enable => true,

require => Class[ 'nagios::install' ],

}

There is a bug in Puppet when the exported resources are created, they do not have the correct permissions to allow the nagios user on the server to read them so declare a fix-permissions exec resource.

nagios/manifests/import.pp

class nagios::import {

    Nagios_host <<||>> {
        require => Class[ 'nagios::install' ],
        notify  => Class[ 'nagios::service' ]
    }

    Nagios_service <<||>> {
        require => Class[ 'nagios::install' ],
        notify  => Class[ 'nagios::service' ]
    }
}

class nagios::import {

Nagios_host <<||>> {

require => Class[ 'nagios::install' ],

notify => Class[ 'nagios::service' ]

}

Nagios_service <<||>> {

require => Class[ 'nagios::install' ],

notify => Class[ 'nagios::service' ]

}

The exported resource operator <<||>> (not to be confused with the spaceship <||> operator) is the resource which will realize all @@ virtual exported resources. How it works is described further down.

Nagios NRPE nodes

For all nodes which you want to monitor with nagios, we need the Nagios NRPE server installed

nagios/manifests/nrpe.pp

class nagios::nrpe {

    package { [ 'nagios-nrpe-server', 'nagios-plugins' ]:
        ensure      => present,
    }

    service { 'nagios-nrpe-server':
        ensure      => running,
        enable      => true,
        require     => Package[ 'nagios-nrpe-server', 'nagios-plugins' ] ],
    }
}

class nagios::nrpe {

package { [ 'nagios-nrpe-server', 'nagios-plugins' ]:

ensure => present,

}

service { 'nagios-nrpe-server':

ensure => running,

enable => true,

require => Package[ 'nagios-nrpe-server', 'nagios-plugins' ] ],

}

Then the export manifest where the @@nagios virtual resources are declared

nagios/manifests/export.pp

class nagios::export {

    @@nagios_host { $::hostname :
        ensure              => present,
        address             => $::ipaddress,
        use                 => 'generic-host',
        check_command       => 'check-host-alive',
        hostgroups          => 'all-servers',
        target              => "/etc/nagios4/conf.d/${::hostname}.cfg",
    }

    @@nagios_service { "${::hostname}_check-load":
        ensure              => present,
        use                 => 'generic-service', 
        host_name           => $::hostname,
        service_description => 'Current Load',
        check_command       => 'check_nrpe!check_load',
        target              => "/etc/nagios4/conf.d/${::hostname}.cfg",
    }

    @@nagios_service { "${::hostname}_check-disk":
        ensure              => present,
        use                 => 'generic-service', 
        host_name           => $::hostname,
        service_description => 'hda1 disk usage',
        check_command       => 'check_nrpe!check_hda1',
        target              => "/etc/nagios4/conf.d/${::hostname}.cfg",
    }
}

class nagios::export {

@@nagios_host { $::hostname :

ensure => present,

address => $::ipaddress,

use => 'generic-host',

check_command => 'check-host-alive',

hostgroups => 'all-servers',

target => "/etc/nagios4/conf.d/${::hostname}.cfg",

}

@@nagios_service { "${::hostname}_check-load":

ensure => present,

use => 'generic-service',

host_name => $::hostname,

service_description => 'Current Load',

check_command => 'check_nrpe!check_load',

target => "/etc/nagios4/conf.d/${::hostname}.cfg",

}

@@nagios_service { "${::hostname}_check-disk":

ensure => present,

use => 'generic-service',

host_name => $::hostname,

service_description => 'hda1 disk usage',

check_command => 'check_nrpe!check_hda1',

target => "/etc/nagios4/conf.d/${::hostname}.cfg",

}

To include Nagios on all nodes to monitor, just add to the default node on manifests/nodes.pp

node default {
    include nagios::nrpe
    include nagios::export
}

node default {

include nagios::nrpe

include nagios::export

}

How it works

When you declare an exported virtual resource on the node, after the puppet agent run, the exported configurations are stored into PuppetDB. Then when you run the puppet agent on the Nagios server, it collects all the nodes exported resources from PuppetDB and subsequently creates the Nagios .cfg files. Beware that if you have a lot of nodes that use exported resources, it can create a long catalogue compilation time, so consider extending the run interval of the puppet agent.

Therefore all nodes must trigger a puppet run before the server can import the configurations.

Note that if you remove nagios::export class from a node, it will not remove the exported configurations in PuppetDB, the resources will still be created on export. You need to keep the virtual exported resources and set ensure to absent. Or if you’re completely removing the node, on the PuppetMaster you can deactivate it with

puppet node deactivate <node-fqdn>

1	puppet node deactivate <node-fqdn>

Exported resources can have many other uses such as managing sshkey know_hosts resources or for dynamically adding/removing load balancer members to Apache for example.

Bluemalkin Blog

A blog about DevOps technologies, tips and tricks.

How to wing the AWS certification exam

The certification

Preparation

AWS Solutions Architect – Associate exam

Exam gotchas

Exam tips

Infrastructure automation with Terraform

Getting Started

Provisioning a single EC2 instance

Modifying the infrastructure

Destroying the infrastructure

Provisioning a multi-tiered VPC

Conclusion

Automated Nagios monitoring with Puppet exported resources

PuppetDB configuration

Nagios Server Configuration

Nagios NRPE nodes

How it works