This document discusses automating the centralized deployment of software agents on AWS using Systems Manager. It describes using Systems Manager features like Run Command, Automation, State Manager and Distributor to package agent software and deploy it across accounts and regions. A demo architecture is shown where agents are packaged and stored in a shared services account, then deployed to member accounts through a State Manager association triggered by an automation workflow. Key benefits noted are decoupling agent updates from golden AMIs and the ability to deploy exceptions not included in AMIs.
2. Automating the Deployment of Software Agents Centrally Using AWS Systems Manager
Chathra Serasinghe | 28th of January 2023
3. About me
• Senior Engineer - Versent
• AWS Ambassador
• AWS Community Builder
• AWS User group Singapore – Volunteer
• Over 10 Cloud/DevOps certifications (AWS, Kubernetes, ...)
• Musician
• Film Playback Singer – Sri Lanka
• Music Director – Sri Lanka
4. Agenda
• What is a Software Agent?
• Agent Deployment Use cases
• Foundational AWS Services
• Demo Architecture
• Demo Video
5. What is a Software Agent?
• A self-contained software program
• Typically packaged as .msi, .rpm, .deb, ...
• Acting as representative of something
• Goal-oriented
• Carries out a task and embodies knowledge for a purpose
• Can communicate with other entities for its tasks
8. Systems Manager
• Helps you manage your EC2 instances and on-premises systems at scale
• Apply OS patches
• Configure Windows and Linux operating systems
• Free service* (most of the important features are free)
• But it's underrated
9. Systems Manager
• Prerequisites:
• SSM Agent installed
• Access control
• Instance profile role with the appropriate permissions (the AWS managed AmazonSSMManagedInstanceCore policy covers the core agent functionality)
• Privileges for the people or pipelines that manage the Systems Manager service
• Connectivity to Systems Manager endpoints
• Managed instances must allow HTTPS (port 443) outbound traffic to the Systems Manager endpoints (ssm, ssmmessages and ec2messages)
• Create VPC endpoints (only needed for private instances with no internet access)
10. Systems Manager features
• Run Command
• Automation
• Patch Manager
• State Manager
• Maintenance Windows
• Parameter Store
• Distributor
• and many more….
11. Systems Manager - Automation
• Helps orchestrate operational playbooks (runbooks) at scale
• Able to run automations centrally across multiple AWS Regions and AWS accounts, or across AWS Organizations organizational units (OUs)
• Enhanced integrations
• Ability to call and run AWS API actions
e.g. creating a CloudFormation stack
• Ability to run scripts (PowerShell, Python)
• AWS Service Catalog self-service actions
12. Systems Manager - State Manager
• Associates an SSM document (AWS-provided or your own) with instances
• You can run State Manager associations
• Automatically once when provisioned
• At a particular cron schedule
• At a given interval (hourly, daily)
• On demand
13. Systems Manager - State Manager
• Target types
• Node ID
• Tag
• Resource group
• All managed nodes within a given account
• When State Manager detects configuration drift,
• it automatically re-applies the association to the nodes originally targeted
14. Systems Manager - Distributor
• Allows you to securely store and distribute packages
• Software agents
• Drivers
• Able to share packages with other AWS accounts
• Distributor lets you package your own software or use AWS-provided agent packages (e.g. the Amazon CloudWatch agent)
• Version control
• Control access to packages using IAM
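Worked example, added here and not part of the original talk: building a Distributor package set offline. Distributor wants one zip per platform/architecture with the install and uninstall scripts at the archive root, and a manifest.json that maps platform, platform version and architecture to a zip and records a SHA-256 checksum for each zip; the checksum is what lets a node refuse a tampered download. The package name "ExampleAgent", the publisher, the zip names and the scripts are constructed for illustration; only the Python standard library is used.

```python
"""Build an AWS Systems Manager Distributor package set offline (added example)."""
import hashlib
import io
import json
import zipfile

SCHEMA_VERSION = "2.0"
# Fixed timestamp so identical inputs give identical zip bytes and checksums.
BUILD_TIME = (2023, 1, 28, 0, 0, 0)


def build_zip(files: dict) -> bytes:
    """Zip {name: text} entries at the archive root, scripts marked executable."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, text in sorted(files.items()):
            info = zipfile.ZipInfo(name, date_time=BUILD_TIME)
            info.compress_type = zipfile.ZIP_DEFLATED
            info.external_attr = 0o755 << 16
            zf.writestr(info, text)
    return buf.getvalue()


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def required_scripts(platform: str) -> set:
    """Distributor runs install.ps1/uninstall.ps1 on Windows, install.sh/uninstall.sh elsewhere."""
    return {"install.ps1", "uninstall.ps1"} if platform == "windows" else {"install.sh", "uninstall.sh"}


def build_manifest(version: str, publisher: str, artifacts: list) -> dict:
    """artifacts: [(platform, platform_version, arch, zip_name, zip_bytes), ...].

    Platform names are the lowercase Distributor ones (amazon, ubuntu, redhat,
    windows, ...); "_any" acts as a wildcard for version and architecture.
    """
    manifest = {"schemaVersion": SCHEMA_VERSION, "version": version,
                "publisher": publisher, "packages": {}, "files": {}}
    for platform, pver, arch, zip_name, blob in artifacts:
        manifest["packages"].setdefault(platform, {}).setdefault(pver, {})[arch] = {"file": zip_name}
        manifest["files"][zip_name] = {"checksums": {"sha256": sha256_hex(blob)}}
    return manifest


def validate(manifest: dict, blobs: dict) -> list:
    """Pre-upload checks; returns a list of problems (empty means OK)."""
    problems = []
    for platform, versions in manifest["packages"].items():
        for pver, arches in versions.items():
            for arch, entry in arches.items():
                zip_name = entry["file"]
                where = f"{platform}/{pver}/{arch}"
                if zip_name not in manifest["files"]:
                    problems.append(f"{where}: {zip_name} has no files entry")
                    continue
                blob = blobs.get(zip_name)
                if blob is None:
                    problems.append(f"{where}: {zip_name} artifact missing")
                    continue
                if sha256_hex(blob) != manifest["files"][zip_name]["checksums"]["sha256"]:
                    problems.append(f"{where}: {zip_name} sha256 mismatch")
                with zipfile.ZipFile(io.BytesIO(blob)) as zf:
                    missing = required_scripts(platform) - set(zf.namelist())
                if missing:
                    problems.append(f"{where}: {zip_name} lacks {sorted(missing)}")
    return problems


def verify_download(manifest: dict, zip_name: str, blob: bytes) -> bool:
    """The node-side integrity check: downloaded bytes must match the manifest hash."""
    return sha256_hex(blob) == manifest["files"][zip_name]["checksums"]["sha256"]


def build_example_package():
    """Constructed sample: a fictional ExampleAgent for three platforms.

    A real package would also carry the installer (rpm/deb/msi) inside each zip.
    """
    rpm = {"install.sh": "#!/bin/bash\nset -e\nrpm -Uvh example-agent.rpm\n",
           "uninstall.sh": "#!/bin/bash\nset -e\nrpm -e example-agent\n"}
    deb = {"install.sh": "#!/bin/bash\nset -e\ndpkg -i example-agent.deb\n",
           "uninstall.sh": "#!/bin/bash\nset -e\ndpkg -r example-agent\n"}
    win = {"install.ps1": "Start-Process msiexec.exe -ArgumentList '/i example-agent.msi /qn' -Wait\n",
           "uninstall.ps1": "Start-Process msiexec.exe -ArgumentList '/x example-agent.msi /qn' -Wait\n"}
    blobs = {"example-agent-amazon-x86_64.zip": build_zip(rpm),
             "example-agent-ubuntu-arm64.zip": build_zip(deb),
             "example-agent-windows.zip": build_zip(win)}
    artifacts = [("amazon", "_any", "x86_64", "example-agent-amazon-x86_64.zip", blobs["example-agent-amazon-x86_64.zip"]),
                 ("ubuntu", "_any", "arm64", "example-agent-ubuntu-arm64.zip", blobs["example-agent-ubuntu-arm64.zip"]),
                 ("windows", "_any", "_any", "example-agent-windows.zip", blobs["example-agent-windows.zip"])]
    return build_manifest("1.0.0", "Example Publisher", artifacts), blobs


if __name__ == "__main__":
    manifest, blobs = build_example_package()
    assert validate(manifest, blobs) == []
    print(json.dumps(manifest, indent=2))  # upload with the zips, then create the Package document from it
```

The zips and manifest.json are what you upload to the S3 bucket in the shared services account before creating the SSM document of type Package; the fixed timestamp makes a rebuild from the same sources produce the same checksums, so a changed hash in the manifest always means changed content.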
17. Systems Manager - Distributor
• Methods of installing a package
• Run Command
• State Manager association (recommended)
• Automatically installs on new instances that match the association's targets
18. Control Tower
• Landing zone
• Preconfigured multi-account environment based on best practice blueprints
• Secure
• Scalable
• Control Tower helps automate the landing zone setup
• Well-Architected
21. Demo Architecture
(Architecture diagram; labels recovered from the slide.)
• Management account: AWS Control Tower with the Customizations for Control Tower pipeline. An update commit to manifest.yaml (the custom Control Tower configuration) triggers the pipeline, which deploys StackSets to the member accounts.
• Shared Services account: agent distribution. The agent package artifacts (zip files and manifest.json) are created and stored here, together with the SSM document (agent package).
• Member account: a daily event rule triggers an Automation, which creates the State Manager association; the association deploys the agent to the instances.
22. Key Takeaways
• This method is useful when you don't want to include the agent in golden AMIs
• Decoupling: agent updates no longer depend on the golden AMI
• When you have exceptions (e.g. virtual appliances), you must implement a suitable tagging strategy so the association does not target them
• You cannot use this approach if you cannot install the SSM Agent
• Incompatible/older OS versions (e.g. Red Hat 5)
• Due to company security policies
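Worked example, added here and not from the talk, tying together the State Manager target types (slide 13), installation through a State Manager association (slide 17) and the tagging strategy for exceptions above: given a Distributor manifest's "packages" map and an inventory of managed nodes, it computes which nodes a tag-targeted association would reach, which zip each would receive, and which targeted nodes have no matching package and would fail at install time. It also builds the keyword arguments for boto3's ssm.create_association call using the AWS-ConfigureAWSPackage document (the call itself is not made). The manifest, the node inventory, the tag AgentManaged=true and the package name ExampleAgent are constructed; the exact-then-_any lookup order is this example's approximation of Distributor's selection, not the service's own code.

```python
"""Plan a tag-targeted agent rollout before creating the State Manager association (added example)."""

# Constructed manifest: only the "packages" map matters for selection.
MANIFEST = {
    "packages": {
        "amazon": {"_any": {"x86_64": {"file": "agent-amazon-x86_64.zip"}}},
        "ubuntu": {
            "22.04": {"x86_64": {"file": "agent-ubuntu-22.04-x86_64.zip"}},
            "_any": {"arm64": {"file": "agent-ubuntu-arm64.zip"}},
        },
        "windows": {"_any": {"_any": {"file": "agent-windows.zip"}}},
    }
}

# Constructed inventory: the platform fields you would read from
# ssm DescribeInstanceInformation plus the EC2 tags. The opt-in tag
# AgentManaged=true is the tagging strategy; a virtual appliance simply
# never gets it, so the association never touches it.
NODES = [
    {"id": "i-0001", "platform": "amazon", "version": "2", "arch": "x86_64", "tags": {"AgentManaged": "true"}},
    {"id": "i-0002", "platform": "ubuntu", "version": "22.04", "arch": "x86_64", "tags": {"AgentManaged": "true"}},
    {"id": "i-0003", "platform": "ubuntu", "version": "20.04", "arch": "arm64", "tags": {"AgentManaged": "true"}},
    {"id": "i-0004", "platform": "windows", "version": "2019", "arch": "x86_64", "tags": {"AgentManaged": "true"}},
    {"id": "i-0005", "platform": "redhat", "version": "8", "arch": "x86_64", "tags": {"AgentManaged": "true"}},
    {"id": "i-0006", "platform": "ubuntu", "version": "22.04", "arch": "x86_64", "tags": {"Role": "virtual-appliance"}},
]


def _candidates(key, mapping):
    """Exact key first, then the _any wildcard, skipping whatever is absent."""
    return [k for k in (key, "_any") if k in mapping]


def resolve_package(manifest, platform, version, arch):
    """Zip file name the manifest offers for this node, or None if nothing fits.

    Backtracks: if the exact platform version has no entry for the architecture,
    the _any version is tried next (approximation of Distributor's matching).
    """
    packages = manifest["packages"]
    for p in _candidates(platform, packages):
        for v in _candidates(version, packages[p]):
            for a in _candidates(arch, packages[p][v]):
                return packages[p][v][a]["file"]
    return None


def association_targets(nodes, tag_key, tag_value):
    """State Manager tag targets: only nodes carrying tag_key=tag_value are in scope."""
    return [n for n in nodes if n["tags"].get(tag_key) == tag_value]


def plan_rollout(manifest, nodes, tag_key="AgentManaged", tag_value="true"):
    """Return {'install': {node_id: zip}, 'no_package': [...], 'skipped': [...]}."""
    plan = {"install": {}, "no_package": [], "skipped": []}
    targeted = {n["id"] for n in association_targets(nodes, tag_key, tag_value)}
    for n in nodes:
        if n["id"] not in targeted:
            plan["skipped"].append(n["id"])
            continue
        zip_name = resolve_package(manifest, n["platform"], n["version"], n["arch"])
        if zip_name is None:
            plan["no_package"].append(n["id"])  # would fail at install time: fix tag or manifest first
        else:
            plan["install"][n["id"]] = zip_name
    return plan


def association_request(package_name, tag_key="AgentManaged", tag_value="true"):
    """Keyword arguments for boto3 ssm.create_association(**request): install the
    Distributor package through the AWS-ConfigureAWSPackage document on every
    node with the opt-in tag, re-evaluated daily so new instances are covered."""
    return {
        "AssociationName": f"install-{package_name}",
        "Name": "AWS-ConfigureAWSPackage",
        "Targets": [{"Key": f"tag:{tag_key}", "Values": [tag_value]}],
        "Parameters": {"action": ["Install"], "name": [package_name]},
        "ScheduleExpression": "rate(1 day)",
        "ComplianceSeverity": "HIGH",
    }


if __name__ == "__main__":
    plan = plan_rollout(MANIFEST, NODES)
    for node_id in plan["no_package"]:
        print(f"{node_id}: targeted by tag but no package for its platform/arch")
    print(association_request("ExampleAgent"))
```

Run the plan against the real inventory before creating the association: every id in no_package is a node that carries the opt-in tag but has no package for its platform or architecture, which is exactly the kind of exception (Red Hat 5, appliances) the takeaways warn about, and the fix is either an extra artifact in the manifest or removing the tag.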
Good afternoon everyone!
Not sleepy or tired after having a series of sessions and a great lunch.
Unfortunately, no questions due to time constraints, as advised by the organizers.
My topic is automating the deployment of software agents centrally using AWS Systems Manager.
In other words, what I am trying to do here is to deploy software agents to a multi-account AWS environment.
Before I dive in deep, let me introduce myself. I am Chathra Serasinghe and I work as a Senior Engineer at Versent.
In today's session, I'll be discussing…
By the end of this session, you'll have a better understanding of how to deploy an agent in a multi-account AWS environment and how it can benefit you and your organization. So, let's get started.
Run Command:
Allows you to run shell commands or PowerShell scripts on your instances.
It integrates with Amazon CloudWatch.
Automation:
Allows you to automate common IT tasks across your AWS resources. Later I will explain this further.
Patch Manager:
Patch Manager is for patching your instances.
A virtual appliance is a preconfigured software solution installed on a virtual machine.