For an extra piece of work with HTB I was called in to do a research, scoping, and initial implimentation piece for them. They wanted their servers to ultimately use a server configuration tool, and this tool had already been decided upon (Puppet) as they were using it elsewhere. The issue was it had been done by a third party, and also for a single use case (to build a server 5 years ago), and so we wanted to restructure it to bring several types of PHP application onto a single server to save cost, and also have the dynamic capabilities that Hiera allows us to have.
One handy trick I was able to take from the old setup though was to pull in the AWS security groups, and use them. The Lead Dev has been using these security groups to differentiate between the types of environment (eg. php_dev, php_prod) and so we were able to use this to alter a variable, and also add the ability for vagrant (and similar systems) to override this if needed.
A lot of time was spent on research and learning on this project. There were several things that needed to happen, and the biggest gotchas were loops of death. In future DevOps projects, I will put more time into planning the project out, possibly with some pseudo code so we can ensure the dependencies are in sensible places. Ultimately thought, the tasks we had Puppet doing were:
- Set env variable using AWS sec groups
- Install some base libraries/packages with yum
- Create some ssh users with access keys (using data setup in a Hiera yaml file)
- Setup some files/templates we will need (eg httpd conf files, and some custom ruby scripts)
- Setup a mount drive for S3
- Setup some caching (varnish and memcache)
- Final site config with httpd
This was a great project for me, and I have not used puppet and ansible on a proper piece of work. Whilst I have touched on chef, I need something to get my teeth into there before making a proper decision. I must say though, Puppet wasn't as bad as I thought it was going to be, but I think I prefer Ansible out of the 2.