1
0

aws.rst 37 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790791792793794795796797798799800801802803804805806807808809810811812813814815816817818819820821822823824825826827828829830831832833834835836837838839840841842843844845846847848849850851852853854855856857858859860861862863864865866867868869870871872873874875876877878879880881882883884885886887888889890891892893894895896897898899900901902903904905906907908909910911912913914915916917918919920921922923924925926927928929930931932933934935936937938939940941942943944945946947948949950951952953954955956957958959960961962963964965966967968969970971972973974975976977978979980981982983984985986987988989990991992993994995996997998999100010011002100310041005100610071008100910101011101210131014101510161017101810191020102110221023102410251026102710281029103010311032103310341035103610371038103910401041104210431044104510461047104810491050105110521053105410551056105710581059106010611062106310641065106610671068106910701071107210731074107510761077107810791080108110821083108410851086108710881089109010911092109310941095109610971098109911001101110211031104110511061107110811091110111111121113111411151116111711181119112011211122112311241125112611271128112911301131113211331134113511361137113811391140114111421143114411451146114711481149115011511152115311541155115611571158115911601161116211631164116511661167116811691170117111721173117411751176
  1. ============================
  2. Getting Started With AWS EC2
  3. ============================
  4. Amazon EC2 is a very widely used public cloud platform and one of the core
  5. platforms Salt Cloud has been built to support.
  6. Previously, the suggested driver for AWS EC2 was the ``aws`` driver. This
  7. has been deprecated in favor of the ``ec2`` driver. Configuration using the
  8. old ``aws`` driver will still function, but that driver is no longer in
  9. active development.
  10. Dependencies
  11. ============
  12. This driver requires the Python ``requests`` library to be installed.
  13. Configuration
  14. =============
  15. The following example illustrates some of the options that can be set. These
  16. parameters are discussed in more detail below.
  17. .. code-block:: yaml
  18. # Note: This example is for /etc/salt/cloud.providers or any file in the
  19. # /etc/salt/cloud.providers.d/ directory.
  20. my-ec2-southeast-public-ips:
  21. # Set up the location of the salt master
  22. #
  23. minion:
  24. master: saltmaster.example.com
  25. # Set up grains information, which will be common for all nodes
  26. # using this provider
  27. grains:
  28. node_type: broker
  29. release: 1.0.1
  30. # Specify whether to use public or private IP for deploy script.
  31. #
  32. # Valid options are:
  33. # private_ips - The salt-cloud command is run inside the EC2
  34. # public_ips - The salt-cloud command is run outside of EC2
  35. #
  36. ssh_interface: public_ips
  37. # Optionally configure the Windows credential validation number of
  38. # retries and delay between retries. This defaults to 10 retries
  39. # with a one second delay betwee retries
  40. win_deploy_auth_retries: 10
  41. win_deploy_auth_retry_delay: 1
  42. # Set the EC2 access credentials (see below)
  43. #
  44. id: 'use-instance-role-credentials'
  45. key: 'use-instance-role-credentials'
  46. # If 'role_arn' is specified the above credentials are used to
  47. # to assume to the role. By default, role_arn is set to None.
  48. role_arn: arn:aws:iam::012345678910:role/SomeRoleName
  49. # Make sure this key is owned by corresponding user (default 'salt') with permissions 0400.
  50. #
  51. private_key: /etc/salt/my_test_key.pem
  52. keyname: my_test_key
  53. securitygroup: default
  54. # Optionally configure default region
  55. # Use salt-cloud --list-locations <provider> to obtain valid regions
  56. #
  57. location: ap-southeast-1
  58. availability_zone: ap-southeast-1b
  59. # Configure which user to use to run the deploy script. This setting is
  60. # dependent upon the AMI that is used to deploy. It is usually safer to
  61. # configure this individually in a profile, than globally. Typical users
  62. # are:
  63. #
  64. # Amazon Linux -> ec2-user
  65. # RHEL -> ec2-user
  66. # CentOS -> ec2-user
  67. # Ubuntu -> ubuntu
  68. # Debian -> admin
  69. #
  70. ssh_username: ec2-user
  71. # Optionally add an IAM profile
  72. iam_profile: 'arn:aws:iam::123456789012:instance-profile/ExampleInstanceProfile'
  73. driver: ec2
  74. my-ec2-southeast-private-ips:
  75. # Set up the location of the salt master
  76. #
  77. minion:
  78. master: saltmaster.example.com
  79. # Specify whether to use public or private IP for deploy script.
  80. #
  81. # Valid options are:
  82. # private_ips - The salt-master is also hosted with EC2
  83. # public_ips - The salt-master is hosted outside of EC2
  84. #
  85. ssh_interface: private_ips
  86. # Optionally configure the Windows credential validation number of
  87. # retries and delay between retries. This defaults to 10 retries
  88. # with a one second delay betwee retries
  89. win_deploy_auth_retries: 10
  90. win_deploy_auth_retry_delay: 1
  91. # Set the EC2 access credentials (see below)
  92. #
  93. id: 'use-instance-role-credentials'
  94. key: 'use-instance-role-credentials'
  95. # Make sure this key is owned by root with permissions 0400.
  96. #
  97. private_key: /etc/salt/my_test_key.pem
  98. keyname: my_test_key
  99. # This one should NOT be specified if VPC was not configured in AWS to be
  100. # the default. It might cause an error message which says that network
  101. # interfaces and an instance-level security groups may not be specified
  102. # on the same request.
  103. #
  104. securitygroup: default
  105. # Optionally configure default region
  106. #
  107. location: ap-southeast-1
  108. availability_zone: ap-southeast-1b
  109. # Configure which user to use to run the deploy script. This setting is
  110. # dependent upon the AMI that is used to deploy. It is usually safer to
  111. # configure this individually in a profile, than globally. Typical users
  112. # are:
  113. #
  114. # Amazon Linux -> ec2-user
  115. # RHEL -> ec2-user
  116. # CentOS -> ec2-user
  117. # Ubuntu -> ubuntu
  118. #
  119. ssh_username: ec2-user
  120. # Optionally add an IAM profile
  121. iam_profile: 'my other profile name'
  122. driver: ec2
  123. .. note::
  124. .. versionchanged:: 2015.8.0
  125. The ``provider`` parameter in cloud provider definitions was renamed to ``driver``. This
  126. change was made to avoid confusion with the ``provider`` parameter that is used in cloud profile
  127. definitions. Cloud provider definitions now use ``driver`` to refer to the Salt cloud module that
  128. provides the underlying functionality to connect to a cloud host, while cloud profiles continue
  129. to use ``provider`` to refer to provider configurations that you define.
  130. Access Credentials
  131. ==================
  132. The ``id`` and ``key`` settings may be found in the Security Credentials area
  133. of the AWS Account page:
  134. https://portal.aws.amazon.com/gp/aws/securityCredentials
  135. Both are located in the Access Credentials area of the page, under the Access
  136. Keys tab. The ``id`` setting is labeled Access Key ID, and the ``key`` setting
  137. is labeled Secret Access Key.
  138. Note: if either ``id`` or ``key`` is set to 'use-instance-role-credentials' it is
  139. assumed that Salt is running on an AWS instance, and the instance role
  140. credentials will be retrieved and used. Since both the ``id`` and ``key`` are
  141. required parameters for the AWS ec2 provider, it is recommended to set both
  142. to 'use-instance-role-credentials' for this functionality.
  143. A "static" and "permanent" Access Key ID and Secret Key can be specified,
  144. but this is not recommended. Instance role keys are rotated on a regular
  145. basis, and are the recommended method of specifying AWS credentials.
  146. Windows Deploy Timeouts
  147. =======================
  148. For Windows instances, it may take longer than normal for the instance to be
  149. ready. In these circumstances, the provider configuration can be configured
  150. with a ``win_deploy_auth_retries`` and/or a ``win_deploy_auth_retry_delay``
  151. setting, which default to 10 retries and a one second delay between retries.
  152. These retries and timeouts relate to validating the Administrator password
  153. once AWS provides the credentials via the AWS API.
  154. Key Pairs
  155. =========
  156. In order to create an instance with Salt installed and configured, a key pair
  157. will need to be created. This can be done in the EC2 Management Console, in the
  158. Key Pairs area. These key pairs are unique to a specific region. Keys in the
  159. us-east-1 region can be configured at:
  160. https://console.aws.amazon.com/ec2/home?region=us-east-1#s=KeyPairs
  161. Keys in the us-west-1 region can be configured at
  162. https://console.aws.amazon.com/ec2/home?region=us-west-1#s=KeyPairs
  163. ...and so on. When creating a key pair, the browser will prompt to download a
  164. pem file. This file must be placed in a directory accessible by Salt Cloud,
  165. with permissions set to either 0400 or 0600.
  166. Security Groups
  167. ===============
  168. An instance on EC2 needs to belong to a security group. Like key pairs, these
  169. are unique to a specific region. These are also configured in the EC2
  170. Management Console. Security groups for the us-east-1 region can be configured
  171. at:
  172. https://console.aws.amazon.com/ec2/home?region=us-east-1#s=SecurityGroups
  173. ...and so on.
  174. A security group defines firewall rules which an instance will adhere to. If
  175. the salt-master is configured outside of EC2, the security group must open the
  176. SSH port (usually port 22) in order for Salt Cloud to install Salt.
  177. IAM Profile
  178. ===========
  179. Amazon EC2 instances support the concept of an `instance profile`_, which
  180. is a logical container for the IAM role. At the time that you launch an EC2
  181. instance, you can associate the instance with an instance profile, which in
  182. turn corresponds to the IAM role. Any software that runs on the EC2 instance
  183. is able to access AWS using the permissions associated with the IAM role.
  184. Scaffolding the profile is a 2-step configuration process:
  185. 1. Configure an IAM Role from the `IAM Management Console`_.
  186. 2. Attach this role to a new profile. It can be done with the `AWS CLI`_:
  187. .. code-block:: bash
  188. > aws iam create-instance-profile --instance-profile-name PROFILE_NAME
  189. > aws iam add-role-to-instance-profile --instance-profile-name PROFILE_NAME --role-name ROLE_NAME
  190. Once the profile is created, you can use the **PROFILE_NAME** to configure
  191. your cloud profiles.
  192. .. _`IAM Management Console`: https://console.aws.amazon.com/iam/home?#roles
  193. .. _`AWS CLI`: https://docs.aws.amazon.com/cli/latest/index.html
  194. .. _`instance profile`: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-ec2_instance-profiles.html
  195. Cloud Profiles
  196. ==============
  197. Set up an initial profile at ``/etc/salt/cloud.profiles``:
  198. .. code-block:: yaml
  199. base_ec2_private:
  200. provider: my-ec2-southeast-private-ips
  201. image: ami-e565ba8c
  202. size: t2.micro
  203. ssh_username: ec2-user
  204. base_ec2_public:
  205. provider: my-ec2-southeast-public-ips
  206. image: ami-e565ba8c
  207. size: t2.micro
  208. ssh_username: ec2-user
  209. base_ec2_db:
  210. provider: my-ec2-southeast-public-ips
  211. image: ami-e565ba8c
  212. size: m1.xlarge
  213. ssh_username: ec2-user
  214. volumes:
  215. - { size: 10, device: /dev/sdf }
  216. - { size: 10, device: /dev/sdg, type: io1, iops: 1000 }
  217. - { size: 10, device: /dev/sdh, type: io1, iops: 1000 }
  218. - { size: 10, device: /dev/sdi, tags: {"Environment": "production"} }
  219. # optionally add tags to profile:
  220. tag: {'Environment': 'production', 'Role': 'database'}
  221. # force grains to sync after install
  222. sync_after_install: grains
  223. base_ec2_vpc:
  224. provider: my-ec2-southeast-public-ips
  225. image: ami-a73264ce
  226. size: m1.xlarge
  227. ssh_username: ec2-user
  228. script: /etc/salt/cloud.deploy.d/user_data.sh
  229. network_interfaces:
  230. - DeviceIndex: 0
  231. PrivateIpAddresses:
  232. - Primary: True
  233. #auto assign public ip (not EIP)
  234. AssociatePublicIpAddress: True
  235. SubnetId: subnet-813d4bbf
  236. SecurityGroupId:
  237. - sg-750af413
  238. del_root_vol_on_destroy: True
  239. del_all_vols_on_destroy: True
  240. volumes:
  241. - { size: 10, device: /dev/sdf }
  242. - { size: 10, device: /dev/sdg, type: io1, iops: 1000 }
  243. - { size: 10, device: /dev/sdh, type: io1, iops: 1000 }
  244. tag: {'Environment': 'production', 'Role': 'database'}
  245. sync_after_install: grains
  246. The profile can now be realized with a salt command:
  247. .. code-block:: bash
  248. # salt-cloud -p base_ec2 ami.example.com
  249. # salt-cloud -p base_ec2_public ami.example.com
  250. # salt-cloud -p base_ec2_private ami.example.com
  251. This will create an instance named ``ami.example.com`` in EC2. The minion that
  252. is installed on this instance will have an ``id`` of ``ami.example.com``. If
  253. the command was executed on the salt-master, its Salt key will automatically be
  254. signed on the master.
  255. Once the instance has been created with salt-minion installed, connectivity to
  256. it can be verified with Salt:
  257. .. code-block:: bash
  258. # salt 'ami.example.com' test.version
  259. Required Settings
  260. =================
  261. The following settings are always required for EC2:
  262. .. code-block:: yaml
  263. # Set the EC2 login data
  264. my-ec2-config:
  265. id: HJGRYCILJLKJYG
  266. key: 'kdjgfsgm;woormgl/aserigjksjdhasdfgn'
  267. keyname: test
  268. securitygroup: quick-start
  269. private_key: /root/test.pem
  270. driver: ec2
  271. Optional Settings
  272. =================
  273. EC2 allows a userdata file to be passed to the instance to be created. This
  274. functionality was added to Salt in the 2015.5.0 release.
  275. .. code-block:: yaml
  276. my-ec2-config:
  277. # Pass userdata to the instance to be created
  278. userdata_file: /etc/salt/my-userdata-file
  279. .. note::
  280. From versions 2016.11.0 and 2016.11.3, this file was passed through the
  281. master's :conf_master:`renderer` to template it. However, this caused
  282. issues with non-YAML data, so templating is no longer performed by default.
  283. To template the userdata_file, add a ``userdata_template`` option to the
  284. cloud profile:
  285. .. code-block:: yaml
  286. my-ec2-config:
  287. # Pass userdata to the instance to be created
  288. userdata_file: /etc/salt/my-userdata-file
  289. userdata_template: jinja
  290. If no ``userdata_template`` is set in the cloud profile, then the master
  291. configuration will be checked for a :conf_master:`userdata_template` value.
  292. If this is not set, then no templating will be performed on the
  293. userdata_file.
  294. To disable templating in a cloud profile when a
  295. :conf_master:`userdata_template` has been set in the master configuration
  296. file, simply set ``userdata_template`` to ``False`` in the cloud profile:
  297. .. code-block:: yaml
  298. my-ec2-config:
  299. # Pass userdata to the instance to be created
  300. userdata_file: /etc/salt/my-userdata-file
  301. userdata_template: False
  302. EC2 allows a location to be set for servers to be deployed in. Availability
  303. zones exist inside regions, and may be added to increase specificity.
  304. .. code-block:: yaml
  305. my-ec2-config:
  306. # Optionally configure default region
  307. location: ap-southeast-1
  308. availability_zone: ap-southeast-1b
  309. EC2 instances can have a public or private IP, or both. When an instance is
  310. deployed, Salt Cloud needs to log into it via SSH to run the deploy script.
  311. By default, the public IP will be used for this. If the salt-cloud command is
  312. run from another EC2 instance, the private IP should be used.
  313. .. code-block:: yaml
  314. my-ec2-config:
  315. # Specify whether to use public or private IP for deploy script
  316. # private_ips or public_ips
  317. ssh_interface: public_ips
  318. Many EC2 instances do not allow remote access to the root user by default.
  319. Instead, another user must be used to run the deploy script using sudo. Some
  320. common usernames include ec2-user (for Amazon Linux), ubuntu (for Ubuntu
  321. instances), admin (official Debian) and bitnami (for images provided by
  322. Bitnami).
  323. .. code-block:: yaml
  324. my-ec2-config:
  325. # Configure which user to use to run the deploy script
  326. ssh_username: ec2-user
  327. Multiple usernames can be provided, in which case Salt Cloud will attempt to
  328. guess the correct username. This is mostly useful in the main configuration
  329. file:
  330. .. code-block:: yaml
  331. my-ec2-config:
  332. ssh_username:
  333. - ec2-user
  334. - ubuntu
  335. - admin
  336. - bitnami
  337. Multiple security groups can also be specified in the same fashion:
  338. .. code-block:: yaml
  339. my-ec2-config:
  340. securitygroup:
  341. - default
  342. - extra
  343. EC2 instances can be added to an `AWS Placement Group`_ by specifying the
  344. ``placementgroup`` option:
  345. .. code-block:: yaml
  346. my-ec2-config:
  347. placementgroup: my-aws-placement-group
  348. .. _`AWS Placement Group`: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/placement-groups.html
  349. Your instances may optionally make use of EC2 Spot Instances. The
  350. following example will request that spot instances be used and your
  351. maximum bid will be $0.10. Keep in mind that different spot prices
  352. may be needed based on the current value of the various EC2 instance
  353. sizes. You can check current and past spot instance pricing via the
  354. EC2 API or AWS Console.
  355. .. code-block:: yaml
  356. my-ec2-config:
  357. spot_config:
  358. spot_price: 0.10
  359. You can optionally specify tags to apply to the EC2 spot instance request.
  360. A spot instance request itself is an object in AWS. The following example
  361. will set two tags on the spot instance request.
  362. .. code-block:: yaml
  363. my-ec2-config:
  364. spot_config:
  365. spot_price: 0.10
  366. tag:
  367. tag0: value
  368. tag1: value
  369. By default, the spot instance type is set to 'one-time', meaning it will
  370. be launched and, if it's ever terminated for whatever reason, it will not
  371. be recreated. If you would like your spot instances to be relaunched after
  372. a termination (by you or AWS), set the ``type`` to 'persistent'.
  373. NOTE: Spot instances are a great way to save a bit of money, but you do
  374. run the risk of losing your spot instances if the current price for the
  375. instance size goes above your maximum bid.
  376. The following parameters may be set in the cloud configuration file to
  377. control various aspects of the spot instance launching:
  378. * ``wait_for_spot_timeout``: seconds to wait before giving up on spot instance
  379. launch (default=600)
  380. * ``wait_for_spot_interval``: seconds to wait in between polling requests to
  381. determine if a spot instance is available (default=30)
  382. * ``wait_for_spot_interval_multiplier``: a multiplier to add to the interval in
  383. between requests, which is useful if AWS is throttling your requests
  384. (default=1)
  385. * ``wait_for_spot_max_failures``: maximum number of failures before giving up
  386. on launching your spot instance (default=10)
  387. If you find that you're being throttled by AWS while polling for spot
  388. instances, you can set the following in your core cloud configuration
  389. file that will double the polling interval after each request to AWS.
  390. .. code-block:: yaml
  391. wait_for_spot_interval: 1
  392. wait_for_spot_interval_multiplier: 2
  393. See the `AWS Spot Instances`_ documentation for more information.
  394. Block device mappings enable you to specify additional EBS volumes or instance
  395. store volumes when the instance is launched. This setting is also available on
  396. each cloud profile. Note that the number of instance stores varies by instance
  397. type. If more mappings are provided than are supported by the instance type,
  398. mappings will be created in the order provided and additional mappings will be
  399. ignored. Consult the `AWS documentation`_ for a listing of the available
  400. instance stores, and device names.
  401. .. code-block:: yaml
  402. my-ec2-config:
  403. block_device_mappings:
  404. - DeviceName: /dev/sdb
  405. VirtualName: ephemeral0
  406. - DeviceName: /dev/sdc
  407. VirtualName: ephemeral1
  408. You can also use block device mappings to change the size of the root device at the
  409. provisioning time. For example, assuming the root device is '/dev/sda', you can set
  410. its size to 100G by using the following configuration.
  411. .. code-block:: yaml
  412. my-ec2-config:
  413. block_device_mappings:
  414. - DeviceName: /dev/sda
  415. Ebs.VolumeSize: 100
  416. Ebs.VolumeType: gp2
  417. Ebs.SnapshotId: dummy0
  418. - DeviceName: /dev/sdb
  419. # required for devices > 2TB
  420. Ebs.VolumeType: gp2
  421. Ebs.VolumeSize: 3001
  422. Tagging of block devices can be set on a per device basis. For example, you may
  423. have multiple devices defined in your block_device_mappings structure. You have the
  424. option to set tags on any of one device or all of them as shown in the following
  425. configuration.
  426. .. code-block:: yaml
  427. my-ec2-config:
  428. block_device_mappings:
  429. - DeviceName: /dev/sda
  430. Ebs.VolumeSize: 100
  431. Ebs.VolumeType: gp2
  432. tag:
  433. tag0: myserver
  434. tag1: value
  435. - DeviceName: /dev/sdb
  436. Ebs.VolumeType: gp2
  437. Ebs.VolumeSize: 3001
  438. tag:
  439. tagX: value
  440. tagY: value
  441. You can configure any AWS valid tag name as shown in the above example, including
  442. 'Name'. If you do not configure the tag 'Name', it will be automatically created
  443. with a value set to the virtual machine name. If you configure the tag 'Name', the
  444. value you configure will be used rather than defaulting to the virtual machine
  445. name as shown in the following configuration.
  446. .. code-block:: yaml
  447. my-ec2-config:
  448. block_device_mappings:
  449. - DeviceName: /dev/sda
  450. Ebs.VolumeSize: 100
  451. Ebs.VolumeType: gp2
  452. tag:
  453. Name: myserver
  454. tag0: value
  455. tag1: value
  456. - DeviceName: /dev/sdb
  457. Ebs.VolumeType: gp2
  458. Ebs.VolumeSize: 3001
  459. tag:
  460. Name: customvalue
  461. tagX: value
  462. tagY: value
  463. Existing EBS volumes may also be attached (not created) to your instances or
  464. you can create new EBS volumes based on EBS snapshots. To simply attach an
  465. existing volume use the ``volume_id`` parameter.
  466. .. code-block:: yaml
  467. device: /dev/xvdj
  468. volume_id: vol-12345abcd
  469. Or, to create a volume from an EBS snapshot, use the ``snapshot`` parameter.
  470. .. code-block:: yaml
  471. device: /dev/xvdj
  472. snapshot: snap-abcd12345
  473. Note that ``volume_id`` will take precedence over the ``snapshot`` parameter.
  474. Tags can be set once an instance has been launched.
  475. .. code-block:: yaml
  476. my-ec2-config:
  477. tag:
  478. tag0: value
  479. tag1: value
  480. .. _`AWS documentation`: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/InstanceStorage.html
  481. .. _`AWS Spot Instances`: https://aws.amazon.com/ec2/spot/
  482. Setting up a Master inside EC2
  483. ------------------------------
  484. Salt Cloud can configure Salt Masters as well as Minions. Use the ``make_master`` setting to use
  485. this functionality.
  486. .. code-block:: yaml
  487. my-ec2-config:
  488. # Optionally install a Salt Master in addition to the Salt Minion
  489. make_master: True
  490. When creating a Salt Master inside EC2 with ``make_master: True``, or when the Salt Master is already
  491. located and configured inside EC2, by default, minions connect to the master's public IP address during
  492. Salt Cloud's provisioning process. Depending on how your security groups are defined, the minions
  493. may or may not be able to communicate with the master. In order to use the master's private IP in EC2
  494. instead of the public IP, set the ``salt_interface`` to ``private_ips``.
  495. .. code-block:: yaml
  496. my-ec2-config:
  497. # Optionally set the IP configuration to private_ips
  498. salt_interface: private_ips
  499. Modify EC2 Tags
  500. ===============
  501. One of the features of EC2 is the ability to tag resources. In fact, under the
  502. hood, the names given to EC2 instances by salt-cloud are actually just stored
  503. as a tag called Name. Salt Cloud has the ability to manage these tags:
  504. .. code-block:: bash
  505. salt-cloud -a get_tags mymachine
  506. salt-cloud -a set_tags mymachine tag1=somestuff tag2='Other stuff'
  507. salt-cloud -a del_tags mymachine tag1,tag2,tag3
  508. It is possible to manage tags on any resource in EC2 with a Resource ID, not
  509. just instances:
  510. .. code-block:: bash
  511. salt-cloud -f get_tags my_ec2 resource_id=af5467ba
  512. salt-cloud -f set_tags my_ec2 resource_id=af5467ba tag1=somestuff
  513. salt-cloud -f del_tags my_ec2 resource_id=af5467ba tags=tag1,tag2,tag3
  514. Rename EC2 Instances
  515. ====================
  516. As mentioned above, EC2 instances are named via a tag. However, renaming an
  517. instance by renaming its tag will cause the salt keys to mismatch. A rename
  518. function exists which renames both the instance, and the salt keys.
  519. .. code-block:: bash
  520. salt-cloud -a rename mymachine newname=yourmachine
  521. Rename on Destroy
  522. =================
  523. When instances on EC2 are destroyed, there will be a lag between the time that
  524. the action is sent, and the time that Amazon cleans up the instance. During
  525. this time, the instance still retains a Name tag, which will cause a collision
  526. if the creation of an instance with the same name is attempted before the
  527. cleanup occurs. In order to avoid such collisions, Salt Cloud can be configured
  528. to rename instances when they are destroyed. The new name will look something
  529. like:
  530. .. code-block:: bash
  531. myinstance-DEL20f5b8ad4eb64ed88f2c428df80a1a0c
  532. In order to enable this, add rename_on_destroy line to the main
  533. configuration file:
  534. .. code-block:: yaml
  535. my-ec2-config:
  536. rename_on_destroy: True
  537. Listing Images
  538. ==============
  539. Normally, images can be queried on a cloud provider by passing the
  540. ``--list-images`` argument to Salt Cloud. This still holds true for EC2:
  541. .. code-block:: bash
  542. salt-cloud --list-images my-ec2-config
  543. However, the full list of images on EC2 is extremely large, and querying all of
  544. the available images may cause Salt Cloud to behave as if frozen. Therefore,
  545. the default behavior of this option may be modified, by adding an ``owner``
  546. argument to the provider configuration:
  547. .. code-block:: yaml
  548. owner: aws-marketplace
  549. The possible values for this setting are ``amazon``, ``aws-marketplace``,
  550. ``self``, ``<AWS account ID>`` or ``all``. The default setting is ``amazon``.
  551. Take note that ``all`` and ``aws-marketplace`` may cause Salt Cloud to appear
  552. as if it is freezing, as it tries to handle the large amount of data.
  553. It is also possible to perform this query using different settings without
  554. modifying the configuration files. To do this, call the ``avail_images``
  555. function directly:
  556. .. code-block:: bash
  557. salt-cloud -f avail_images my-ec2-config owner=aws-marketplace
  558. EC2 Images
  559. ==========
  560. The following are lists of available AMI images, generally sorted by OS. These
  561. lists are on 3rd-party websites, are not managed by Salt Stack in any way. They
  562. are provided here as a reference for those who are interested, and contain no
  563. warranty (express or implied) from anyone affiliated with Salt Stack. Most of
  564. them have never been used, much less tested, by the Salt Stack team.
  565. * `Arch Linux`__
  566. .. __: https://wiki.archlinux.org/index.php/Arch_Linux_AMIs_for_Amazon_Web_Services
  567. * `FreeBSD`__
  568. .. __: http://www.daemonology.net/freebsd-on-ec2/
  569. * `Fedora`__
  570. .. __: https://fedoraproject.org/wiki/Cloud_images
  571. * `CentOS`__
  572. .. __: https://wiki.centos.org/Cloud/AWS
  573. * `Ubuntu`__
  574. .. __: http://cloud-images.ubuntu.com/locator/ec2/
  575. * `Debian`__
  576. .. __: https://wiki.debian.org/Cloud/AmazonEC2Image
  577. * `OmniOS`__
  578. .. __: https://omniosce.org/setup/aws.html
  579. * `All Images on Amazon`__
  580. .. __: https://aws.amazon.com/marketplace
  581. NOTE: If ``image`` of a profile does not start with ``ami-``, latest
  582. image with that name will be used. For example, to create a CentOS 7
  583. profile, instead of using the AMI like ``image: ami-1caef165``, we
  584. can use its name like ``image: 'CentOS Linux 7 x86_64 HVM EBS ENA 1803_01'``.
  585. We can also use a pattern like below to get the latest CentOS 7:
  586. .. code-block:: yaml
  587. profile-id:
  588. provider: provider-name
  589. subnetid: subnet-XXXXXXXX
  590. image: 'CentOS Linux 7 x86_64 HVM EBS *'
  591. size: m1.medium
  592. ssh_username: centos
  593. securitygroupid:
  594. - sg-XXXXXXXX
  595. securitygroupname:
  596. - AnotherSecurityGroup
  597. - AndThirdSecurityGroup
  598. show_image
  599. ==========
  600. This is a function that describes an AMI on EC2. This will give insight as to
  601. the defaults that will be applied to an instance using a particular AMI.
  602. .. code-block:: bash
  603. $ salt-cloud -f show_image ec2 image=ami-fd20ad94
  604. show_instance
  605. =============
  606. This action is a thin wrapper around ``--full-query``, which displays details on a
  607. single instance only. In an environment with several machines, this will save a
  608. user from having to sort through all instance data, just to examine a single
  609. instance.
  610. .. code-block:: bash
  611. $ salt-cloud -a show_instance myinstance
  612. ebs_optimized
  613. =============
  614. This argument enables switching of the EbsOptimized setting which default
  615. to 'false'. Indicates whether the instance is optimized for EBS I/O. This
  616. optimization provides dedicated throughput to Amazon EBS and an optimized
  617. configuration stack to provide optimal Amazon EBS I/O performance. This
  618. optimization isn't available with all instance types. Additional usage
  619. charges apply when using an EBS-optimized instance.
  620. This setting can be added to the profile or map file for an instance.
  621. If set to True, this setting will enable an instance to be EbsOptimized
  622. .. code-block:: yaml
  623. ebs_optimized: True
  624. This can also be set as a cloud provider setting in the EC2 cloud
  625. configuration:
  626. .. code-block:: yaml
  627. my-ec2-config:
  628. ebs_optimized: True
  629. del_root_vol_on_destroy
  630. =======================
  631. This argument overrides the default DeleteOnTermination setting in the AMI for
  632. the EBS root volumes for an instance. Many AMIs contain 'false' as a default,
  633. resulting in orphaned volumes in the EC2 account, which may unknowingly be
  634. charged to the account. This setting can be added to the profile or map file
  635. for an instance.
  636. If set, this setting will apply to the root EBS volume
  637. .. code-block:: yaml
  638. del_root_vol_on_destroy: True
  639. This can also be set as a cloud provider setting in the EC2 cloud
  640. configuration:
  641. .. code-block:: yaml
  642. my-ec2-config:
  643. del_root_vol_on_destroy: True
  644. del_all_vols_on_destroy
  645. =======================
  646. This argument overrides the default DeleteOnTermination setting in the AMI for
  647. the not-root EBS volumes for an instance. Many AMIs contain 'false' as a
  648. default, resulting in orphaned volumes in the EC2 account, which may
  649. unknowingly be charged to the account. This setting can be added to the profile
  650. or map file for an instance.
  651. If set, this setting will apply to any (non-root) volumes that were created
  652. by salt-cloud using the 'volumes' setting.
  653. The volumes will not be deleted under the following conditions
  654. * If a volume is detached before terminating the instance
  655. * If a volume is created without this setting and attached to the instance
  656. .. code-block:: yaml
  657. del_all_vols_on_destroy: True
  658. This can also be set as a cloud provider setting in the EC2 cloud
  659. configuration:
  660. .. code-block:: yaml
  661. my-ec2-config:
  662. del_all_vols_on_destroy: True
  663. The setting for this may be changed on all volumes of an existing instance
  664. using one of the following commands:
  665. .. code-block:: bash
  666. salt-cloud -a delvol_on_destroy myinstance
  667. salt-cloud -a keepvol_on_destroy myinstance
  668. salt-cloud -a show_delvol_on_destroy myinstance
  669. The setting for this may be changed on a volume on an existing instance
  670. using one of the following commands:
  671. .. code-block:: bash
  672. salt-cloud -a delvol_on_destroy myinstance device=/dev/sda1
  673. salt-cloud -a delvol_on_destroy myinstance volume_id=vol-1a2b3c4d
  674. salt-cloud -a keepvol_on_destroy myinstance device=/dev/sda1
  675. salt-cloud -a keepvol_on_destroy myinstance volume_id=vol-1a2b3c4d
  676. salt-cloud -a show_delvol_on_destroy myinstance device=/dev/sda1
  677. salt-cloud -a show_delvol_on_destroy myinstance volume_id=vol-1a2b3c4d
  678. EC2 Termination Protection
  679. ==========================
  680. EC2 allows the user to enable and disable termination protection on a specific
  681. instance. An instance with this protection enabled cannot be destroyed. The EC2
  682. driver adds a show_term_protect action to the regular EC2 functionality.
  683. .. code-block:: bash
  684. salt-cloud -a show_term_protect mymachine
  685. salt-cloud -a enable_term_protect mymachine
  686. salt-cloud -a disable_term_protect mymachine
  687. Alternate Endpoint
  688. ==================
  689. Normally, EC2 endpoints are build using the region and the service_url. The
  690. resulting endpoint would follow this pattern:
  691. .. code-block:: text
  692. ec2.<region>.<service_url>
  693. This results in an endpoint that looks like:
  694. .. code-block:: bash
  695. ec2.us-east-1.amazonaws.com
  696. There are other projects that support an EC2 compatibility layer, which this
  697. scheme does not account for. This can be overridden by specifying the endpoint
  698. directly in the main cloud configuration file:
  699. .. code-block:: yaml
  700. my-ec2-config:
  701. endpoint: myendpoint.example.com:1138/services/Cloud
  702. Volume Management
  703. =================
  704. The EC2 driver has several functions and actions for management of EBS volumes.
  705. Creating Volumes
  706. ----------------
  707. A volume may be created, independent of an instance. A zone must be specified.
  708. A size or a snapshot may be specified (in GiB). If neither is given, a default
  709. size of 10 GiB will be used. If a snapshot is given, the size of the snapshot
  710. will be used.
  711. The following parameters may also be set (when providing a snapshot OR size):
  712. * ``type``: choose between standard (magnetic disk), gp2 (SSD), or io1 (provisioned IOPS).
  713. (default=standard)
  714. * ``iops``: the number of IOPS (only applicable to io1 volumes) (default varies on volume size)
  715. * ``encrypted``: enable encryption on the volume (default=false)
  716. .. code-block:: bash
  717. salt-cloud -f create_volume ec2 zone=us-east-1b
  718. salt-cloud -f create_volume ec2 zone=us-east-1b size=10
  719. salt-cloud -f create_volume ec2 zone=us-east-1b snapshot=snap12345678
  720. salt-cloud -f create_volume ec2 size=10 type=standard
  721. salt-cloud -f create_volume ec2 size=10 type=gp2
  722. salt-cloud -f create_volume ec2 size=10 type=io1 iops=1000
  723. Attaching Volumes
  724. -----------------
  725. Unattached volumes may be attached to an instance. The following values are
  726. required; name or instance_id, volume_id, and device.
  727. .. code-block:: bash
  728. salt-cloud -a attach_volume myinstance volume_id=vol-12345 device=/dev/sdb1
  729. Show a Volume
  730. -------------
  731. The details about an existing volume may be retrieved.
  732. .. code-block:: bash
  733. salt-cloud -a show_volume myinstance volume_id=vol-12345
  734. salt-cloud -f show_volume ec2 volume_id=vol-12345
  735. Detaching Volumes
  736. -----------------
  737. An existing volume may be detached from an instance.
  738. .. code-block:: bash
  739. salt-cloud -a detach_volume myinstance volume_id=vol-12345
  740. Deleting Volumes
  741. ----------------
  742. A volume that is not attached to an instance may be deleted.
  743. .. code-block:: bash
  744. salt-cloud -f delete_volume ec2 volume_id=vol-12345
  745. Managing Key Pairs
  746. ==================
  747. The EC2 driver has the ability to manage key pairs.
  748. Creating a Key Pair
  749. -------------------
  750. A key pair is required in order to create an instance. When creating a key pair
  751. with this function, the return data will contain a copy of the private key.
  752. This private key is not stored by Amazon, will not be obtainable past this
  753. point, and should be stored immediately.
  754. .. code-block:: bash
  755. salt-cloud -f create_keypair ec2 keyname=mykeypair
  756. Importing a Key Pair
  757. --------------------
  758. .. code-block:: bash
  759. salt-cloud -f import_keypair ec2 keyname=mykeypair file=/path/to/id_rsa.pub
  760. Show a Key Pair
  761. ---------------
  762. This function will show the details related to a key pair, not including the
  763. private key itself (which is not stored by Amazon).
  764. .. code-block:: bash
  765. salt-cloud -f show_keypair ec2 keyname=mykeypair
  766. Delete a Key Pair
  767. -----------------
  768. This function removes the key pair from Amazon.
  769. .. code-block:: bash
  770. salt-cloud -f delete_keypair ec2 keyname=mykeypair
  771. Launching instances into a VPC
  772. ==============================
  773. Simple launching into a VPC
  774. ---------------------------
  775. In the amazon web interface, identify the id or the name of the subnet into
  776. which your image should be created. Then, edit your cloud.profiles file like
  777. so:-
  778. .. code-block:: yaml
  779. profile-id:
  780. provider: provider-name
  781. subnetid: subnet-XXXXXXXX
  782. image: ami-XXXXXXXX
  783. size: m1.medium
  784. ssh_username: ubuntu
  785. securitygroupid:
  786. - sg-XXXXXXXX
  787. securitygroupname:
  788. - AnotherSecurityGroup
  789. - AndThirdSecurityGroup
  790. Note that 'subnetid' takes precedence over 'subnetname', but 'securitygroupid'
  791. and 'securitygroupname' are merged together to generate a single list for
  792. SecurityGroups of instances.
  793. Specifying interface properties
  794. -------------------------------
  795. .. versionadded:: 2014.7.0
  796. Launching into a VPC allows you to specify more complex configurations for
  797. the network interfaces of your virtual machines, for example:-
  798. .. code-block:: yaml
  799. profile-id:
  800. provider: provider-name
  801. image: ami-XXXXXXXX
  802. size: m1.medium
  803. ssh_username: ubuntu
  804. # Do not include either 'subnetid', 'subnetname', 'securitygroupid' or
  805. # 'securitygroupname' here if you are going to manually specify
  806. # interface configuration
  807. #
  808. network_interfaces:
  809. - DeviceIndex: 0
  810. SubnetId: subnet-XXXXXXXX
  811. SecurityGroupId:
  812. - sg-XXXXXXXX
  813. # Uncomment this line if you would like to set an explicit private
  814. # IP address for the ec2 instance
  815. #
  816. # PrivateIpAddress: 192.168.1.66
  817. # Uncomment this to associate an existing Elastic IP Address with
  818. # this network interface:
  819. #
  820. # associate_eip: eipalloc-XXXXXXXX
  821. # You can allocate more than one IP address to an interface. Use the
  822. # 'ip addr list' command to see them.
  823. #
  824. # SecondaryPrivateIpAddressCount: 2
  825. # Uncomment this to allocate a new Elastic IP Address to this
  826. # interface (will be associated with the primary private ip address
  827. # of the interface
  828. #
  829. # allocate_new_eip: True
  830. # Uncomment this instead to allocate a new Elastic IP Address to
  831. # both the primary private ip address and each of the secondary ones
  832. #
  833. allocate_new_eips: True
  834. # Uncomment this if you're creating NAT instances. Allows an instance
  835. # to accept IP packets with destinations other than itself.
  836. # SourceDestCheck: False
  837. - DeviceIndex: 1
  838. subnetname: XXXXXXXX-Subnet
  839. securitygroupname:
  840. - XXXXXXXX-SecurityGroup
  841. - YYYYYYYY-SecurityGroup
  842. Note that it is an error to assign a 'subnetid', 'subnetname', 'securitygroupid'
  843. or 'securitygroupname' to a profile where the interfaces are manually configured
  844. like this. These are both really properties of each network interface, not of
  845. the machine itself.