What to bake into an AWS AMI and what to provision using cloud-init?

amazon-web-services amazon-cloudformation amazon-ami packer cloud-init
Saqib Ali picture Saqib Ali · Mar 3, 2015 · Viewed 7.2k times · Source

I'm using AWS Cloudformation to setup numerous elements of network infrastructure (VPCs, SecurityGroups, Subnets, Autoscaling groups, etc) for my web application. I want the whole process to be automated. I want click a button and be able to fire up the whole thing.

I have successfully created a Cloudformation template that sets up all this network infrastructure. However the EC2 instances are currently launched without any needed software on them. Now I'm trying to figure out how best to get that software on them.

To do this, I'm creating AMIs using Packer.io. But some people have instead urged me to use Cloud-Init. What heuristic should I use to decide what to bake into the AMIs and/or what to configure via Cloud-Init?

For example, I want to preconfigure an EC2 instance to allow me (saqib) to login without a password from my own laptop. Thus the EC2 must have a user. That user must have a home directory. And in that home directory must live a file .ssh/known_hosts containing encrypted codes. Should I bake these directories into the AMI? Or should I use cloud-init to set them up? And how should I decide in this and other similar cases?

Answer

Matthew Fellows picture Matthew Fellows · Mar 30, 2015

I like to separate out machine provisioning from environment provisioning.

In general, I use the following as a guide:

Build Phase

  • Build a Base Machine Image with something like Packer, including all software required to run your application. Create an AMI out of this.
  • Install the application(s) onto the Base Machine Image creating an Application Image. Tag and version this artifact. Do not embed environment specific stuff here like database connections etc. as this precludes you from easily reusing this AMI across different environment runtimes.
  • Ensure all services are stopped

Release Phase

  • Spin up an environment consisting of the images and infra required, using something like CFN.
  • Use Cloud-Init user-data to configure the application environment (database connections, log forwarders etc.) and then start the applications/services

This approach gives the greatest flexibility and cleanly separates out the various concerns of a continuous delivery pipeline.

Related questions

AWS AMI deprecation (API: ec2:RunInstances Not authorized for images)

So I've been using AWS AMI in my cloud formation template. It seems they create new images every month and deprecate the old ones 2 weeks or so after the new one's released. This creates many problems: Old template stacks becomes …

Read More
What is the difference between Elastic Beanstalk and CloudFormation for a .NET project?

I have developed a .NET MVC application and have started playing around with AWS and deploying it via the Visual Studio Toolkit. I have successfully deployed the application using the Elastic Beanstalk option in the toolkit. As I was going …

Read More
User is not authorized to perform: cloudformation:CreateStack

I'm trying out Serverless to create AWS Lambdas and while creating a project using the command serverless project create I'm getting the following error. AccessDenied: User: arn:aws:iam::XXXXXXXXX:user/XXXXXXXXX is not authorized to perform: cloudformation:CreateStack on …

Read More