1============================ 2Getting Started With AWS EC2 3============================ 4 5Amazon EC2 is a very widely used public cloud platform and one of the core 6platforms Salt Cloud has been built to support. 7 8Previously, the suggested driver for AWS EC2 was the ``aws`` driver. This 9has been deprecated in favor of the ``ec2`` driver. Configuration using the 10old ``aws`` driver will still function, but that driver is no longer in 11active development. 12 13 14Dependencies 15============ 16This driver requires the Python ``requests`` library to be installed. 17 18 19Configuration 20============= 21The following example illustrates some of the options that can be set. These 22parameters are discussed in more detail below. 23 24.. code-block:: yaml 25 26 # Note: This example is for /etc/salt/cloud.providers or any file in the 27 # /etc/salt/cloud.providers.d/ directory. 28 29 my-ec2-southeast-public-ips: 30 # Set up the location of the salt master 31 # 32 minion: 33 master: saltmaster.example.com 34 35 # Set up grains information, which will be common for all nodes 36 # using this provider 37 grains: 38 node_type: broker 39 release: 1.0.1 40 41 # Specify whether to use public or private IP for deploy script. 42 # 43 # Valid options are: 44 # private_ips - The salt-cloud command is run inside the EC2 45 # public_ips - The salt-cloud command is run outside of EC2 46 # 47 ssh_interface: public_ips 48 49 # Optionally configure the Windows credential validation number of 50 # retries and delay between retries. This defaults to 10 retries 51 # with a one second delay betwee retries 52 win_deploy_auth_retries: 10 53 win_deploy_auth_retry_delay: 1 54 55 # Set the EC2 access credentials (see below) 56 # 57 id: 'use-instance-role-credentials' 58 key: 'use-instance-role-credentials' 59 60 # If 'role_arn' is specified the above credentials are used to 61 # to assume to the role. By default, role_arn is set to None. 62 role_arn: arn:aws:iam::012345678910:role/SomeRoleName 63 64 # Make sure this key is owned by corresponding user (default 'salt') with permissions 0400. 65 # 66 private_key: /etc/salt/my_test_key.pem 67 keyname: my_test_key 68 securitygroup: default 69 70 # Optionally configure default region 71 # Use salt-cloud --list-locations <provider> to obtain valid regions 72 # 73 location: ap-southeast-1 74 availability_zone: ap-southeast-1b 75 76 # Configure which user to use to run the deploy script. This setting is 77 # dependent upon the AMI that is used to deploy. It is usually safer to 78 # configure this individually in a profile, than globally. Typical users 79 # are: 80 # 81 # Amazon Linux -> ec2-user 82 # RHEL -> ec2-user 83 # CentOS -> ec2-user 84 # Ubuntu -> ubuntu 85 # Debian -> admin 86 # 87 ssh_username: ec2-user 88 89 # Optionally add an IAM profile 90 iam_profile: 'arn:aws:iam::123456789012:instance-profile/ExampleInstanceProfile' 91 92 driver: ec2 93 94 95 my-ec2-southeast-private-ips: 96 # Set up the location of the salt master 97 # 98 minion: 99 master: saltmaster.example.com 100 101 # Specify whether to use public or private IP for deploy script. 102 # 103 # Valid options are: 104 # private_ips - The salt-master is also hosted with EC2 105 # public_ips - The salt-master is hosted outside of EC2 106 # 107 ssh_interface: private_ips 108 109 # Optionally configure the Windows credential validation number of 110 # retries and delay between retries. This defaults to 10 retries 111 # with a one second delay betwee retries 112 win_deploy_auth_retries: 10 113 win_deploy_auth_retry_delay: 1 114 115 # Set the EC2 access credentials (see below) 116 # 117 id: 'use-instance-role-credentials' 118 key: 'use-instance-role-credentials' 119 120 # Make sure this key is owned by root with permissions 0400. 121 # 122 private_key: /etc/salt/my_test_key.pem 123 keyname: my_test_key 124 125 # This one should NOT be specified if VPC was not configured in AWS to be 126 # the default. It might cause an error message which says that network 127 # interfaces and an instance-level security groups may not be specified 128 # on the same request. 129 # 130 securitygroup: default 131 132 # Optionally configure default region 133 # 134 location: ap-southeast-1 135 availability_zone: ap-southeast-1b 136 137 # Configure which user to use to run the deploy script. This setting is 138 # dependent upon the AMI that is used to deploy. It is usually safer to 139 # configure this individually in a profile, than globally. Typical users 140 # are: 141 # 142 # Amazon Linux -> ec2-user 143 # RHEL -> ec2-user 144 # CentOS -> ec2-user 145 # Ubuntu -> ubuntu 146 # 147 ssh_username: ec2-user 148 149 # Optionally add an IAM profile 150 iam_profile: 'my other profile name' 151 152 driver: ec2 153 154.. note:: 155 .. versionchanged:: 2015.8.0 156 157 The ``provider`` parameter in cloud provider definitions was renamed to ``driver``. This 158 change was made to avoid confusion with the ``provider`` parameter that is used in cloud profile 159 definitions. Cloud provider definitions now use ``driver`` to refer to the Salt cloud module that 160 provides the underlying functionality to connect to a cloud host, while cloud profiles continue 161 to use ``provider`` to refer to provider configurations that you define. 162 163Access Credentials 164================== 165The ``id`` and ``key`` settings may be found in the Security Credentials area 166of the AWS Account page: 167 168https://portal.aws.amazon.com/gp/aws/securityCredentials 169 170Both are located in the Access Credentials area of the page, under the Access 171Keys tab. The ``id`` setting is labeled Access Key ID, and the ``key`` setting 172is labeled Secret Access Key. 173 174Note: if either ``id`` or ``key`` is set to 'use-instance-role-credentials' it is 175assumed that Salt is running on an AWS instance, and the instance role 176credentials will be retrieved and used. Since both the ``id`` and ``key`` are 177required parameters for the AWS ec2 provider, it is recommended to set both 178to 'use-instance-role-credentials' for this functionality. 179 180A "static" and "permanent" Access Key ID and Secret Key can be specified, 181but this is not recommended. Instance role keys are rotated on a regular 182basis, and are the recommended method of specifying AWS credentials. 183 184Windows Deploy Timeouts 185======================= 186For Windows instances, it may take longer than normal for the instance to be 187ready. In these circumstances, the provider configuration can be configured 188with a ``win_deploy_auth_retries`` and/or a ``win_deploy_auth_retry_delay`` 189setting, which default to 10 retries and a one second delay between retries. 190These retries and timeouts relate to validating the Administrator password 191once AWS provides the credentials via the AWS API. 192 193 194Key Pairs 195========= 196In order to create an instance with Salt installed and configured, a key pair 197will need to be created. This can be done in the EC2 Management Console, in the 198Key Pairs area. These key pairs are unique to a specific region. Keys in the 199us-east-1 region can be configured at: 200 201https://console.aws.amazon.com/ec2/home?region=us-east-1#s=KeyPairs 202 203Keys in the us-west-1 region can be configured at 204 205https://console.aws.amazon.com/ec2/home?region=us-west-1#s=KeyPairs 206 207...and so on. When creating a key pair, the browser will prompt to download a 208pem file. This file must be placed in a directory accessible by Salt Cloud, 209with permissions set to either 0400 or 0600. 210 211 212Security Groups 213=============== 214An instance on EC2 needs to belong to a security group. Like key pairs, these 215are unique to a specific region. These are also configured in the EC2 216Management Console. Security groups for the us-east-1 region can be configured 217at: 218 219https://console.aws.amazon.com/ec2/home?region=us-east-1#s=SecurityGroups 220 221...and so on. 222 223A security group defines firewall rules which an instance will adhere to. If 224the salt-master is configured outside of EC2, the security group must open the 225SSH port (usually port 22) in order for Salt Cloud to install Salt. 226 227 228IAM Profile 229=========== 230Amazon EC2 instances support the concept of an `instance profile`_, which 231is a logical container for the IAM role. At the time that you launch an EC2 232instance, you can associate the instance with an instance profile, which in 233turn corresponds to the IAM role. Any software that runs on the EC2 instance 234is able to access AWS using the permissions associated with the IAM role. 235 236Scaffolding the profile is a 2-step configuration process: 237 2381. Configure an IAM Role from the `IAM Management Console`_. 2392. Attach this role to a new profile. It can be done with the `AWS CLI`_: 240 241 .. code-block:: bash 242 243 > aws iam create-instance-profile --instance-profile-name PROFILE_NAME 244 > aws iam add-role-to-instance-profile --instance-profile-name PROFILE_NAME --role-name ROLE_NAME 245 246Once the profile is created, you can use the **PROFILE_NAME** to configure 247your cloud profiles. 248 249.. _`IAM Management Console`: https://console.aws.amazon.com/iam/home?#roles 250.. _`AWS CLI`: https://docs.aws.amazon.com/cli/latest/index.html 251.. _`instance profile`: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-ec2_instance-profiles.html 252 253 254Cloud Profiles 255============== 256Set up an initial profile at ``/etc/salt/cloud.profiles``: 257 258.. code-block:: yaml 259 260 base_ec2_private: 261 provider: my-ec2-southeast-private-ips 262 image: ami-e565ba8c 263 size: t2.micro 264 ssh_username: ec2-user 265 266 base_ec2_public: 267 provider: my-ec2-southeast-public-ips 268 image: ami-e565ba8c 269 size: t2.micro 270 ssh_username: ec2-user 271 272 base_ec2_db: 273 provider: my-ec2-southeast-public-ips 274 image: ami-e565ba8c 275 size: m1.xlarge 276 ssh_username: ec2-user 277 volumes: 278 - { size: 10, device: /dev/sdf } 279 - { size: 10, device: /dev/sdg, type: io1, iops: 1000 } 280 - { size: 10, device: /dev/sdh, type: io1, iops: 1000 } 281 - { size: 10, device: /dev/sdi, tags: {"Environment": "production"} } 282 # optionally add tags to profile: 283 tag: {'Environment': 'production', 'Role': 'database'} 284 # force grains to sync after install 285 sync_after_install: grains 286 287 base_ec2_vpc: 288 provider: my-ec2-southeast-public-ips 289 image: ami-a73264ce 290 size: m1.xlarge 291 ssh_username: ec2-user 292 script: /etc/salt/cloud.deploy.d/user_data.sh 293 network_interfaces: 294 - DeviceIndex: 0 295 PrivateIpAddresses: 296 - Primary: True 297 #auto assign public ip (not EIP) 298 AssociatePublicIpAddress: True 299 SubnetId: subnet-813d4bbf 300 SecurityGroupId: 301 - sg-750af413 302 del_root_vol_on_destroy: True 303 del_all_vols_on_destroy: True 304 volumes: 305 - { size: 10, device: /dev/sdf } 306 - { size: 10, device: /dev/sdg, type: io1, iops: 1000 } 307 - { size: 10, device: /dev/sdh, type: io1, iops: 1000 } 308 tag: {'Environment': 'production', 'Role': 'database'} 309 sync_after_install: grains 310 311 312The profile can now be realized with a salt command: 313 314.. code-block:: bash 315 316 # salt-cloud -p base_ec2 ami.example.com 317 # salt-cloud -p base_ec2_public ami.example.com 318 # salt-cloud -p base_ec2_private ami.example.com 319 320 321This will create an instance named ``ami.example.com`` in EC2. The minion that 322is installed on this instance will have an ``id`` of ``ami.example.com``. If 323the command was executed on the salt-master, its Salt key will automatically be 324signed on the master. 325 326Once the instance has been created with salt-minion installed, connectivity to 327it can be verified with Salt: 328 329.. code-block:: bash 330 331 # salt 'ami.example.com' test.version 332 333 334Required Settings 335================= 336The following settings are always required for EC2: 337 338.. code-block:: yaml 339 340 # Set the EC2 login data 341 my-ec2-config: 342 id: HJGRYCILJLKJYG 343 key: 'kdjgfsgm;woormgl/aserigjksjdhasdfgn' 344 keyname: test 345 securitygroup: quick-start 346 private_key: /root/test.pem 347 driver: ec2 348 349 350Optional Settings 351================= 352 353EC2 allows a userdata file to be passed to the instance to be created. This 354functionality was added to Salt in the 2015.5.0 release. 355 356.. code-block:: yaml 357 358 my-ec2-config: 359 # Pass userdata to the instance to be created 360 userdata_file: /etc/salt/my-userdata-file 361 362.. note:: 363 From versions 2016.11.0 and 2016.11.3, this file was passed through the 364 master's :conf_master:`renderer` to template it. However, this caused 365 issues with non-YAML data, so templating is no longer performed by default. 366 To template the userdata_file, add a ``userdata_template`` option to the 367 cloud profile: 368 369 .. code-block:: yaml 370 371 my-ec2-config: 372 # Pass userdata to the instance to be created 373 userdata_file: /etc/salt/my-userdata-file 374 userdata_template: jinja 375 376 If no ``userdata_template`` is set in the cloud profile, then the master 377 configuration will be checked for a :conf_master:`userdata_template` value. 378 If this is not set, then no templating will be performed on the 379 userdata_file. 380 381 To disable templating in a cloud profile when a 382 :conf_master:`userdata_template` has been set in the master configuration 383 file, simply set ``userdata_template`` to ``False`` in the cloud profile: 384 385 .. code-block:: yaml 386 387 my-ec2-config: 388 # Pass userdata to the instance to be created 389 userdata_file: /etc/salt/my-userdata-file 390 userdata_template: False 391 392EC2 allows a location to be set for servers to be deployed in. Availability 393zones exist inside regions, and may be added to increase specificity. 394 395.. code-block:: yaml 396 397 my-ec2-config: 398 # Optionally configure default region 399 location: ap-southeast-1 400 availability_zone: ap-southeast-1b 401 402 403EC2 instances can have a public or private IP, or both. When an instance is 404deployed, Salt Cloud needs to log into it via SSH to run the deploy script. 405By default, the public IP will be used for this. If the salt-cloud command is 406run from another EC2 instance, the private IP should be used. 407 408.. code-block:: yaml 409 410 my-ec2-config: 411 # Specify whether to use public or private IP for deploy script 412 # private_ips or public_ips 413 ssh_interface: public_ips 414 415 416Many EC2 instances do not allow remote access to the root user by default. 417Instead, another user must be used to run the deploy script using sudo. Some 418common usernames include ec2-user (for Amazon Linux), ubuntu (for Ubuntu 419instances), admin (official Debian) and bitnami (for images provided by 420Bitnami). 421 422.. code-block:: yaml 423 424 my-ec2-config: 425 # Configure which user to use to run the deploy script 426 ssh_username: ec2-user 427 428 429Multiple usernames can be provided, in which case Salt Cloud will attempt to 430guess the correct username. This is mostly useful in the main configuration 431file: 432 433.. code-block:: yaml 434 435 my-ec2-config: 436 ssh_username: 437 - ec2-user 438 - ubuntu 439 - admin 440 - bitnami 441 442 443Multiple security groups can also be specified in the same fashion: 444 445.. code-block:: yaml 446 447 my-ec2-config: 448 securitygroup: 449 - default 450 - extra 451 452EC2 instances can be added to an `AWS Placement Group`_ by specifying the 453``placementgroup`` option: 454 455.. code-block:: yaml 456 457 my-ec2-config: 458 placementgroup: my-aws-placement-group 459 460.. _`AWS Placement Group`: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/placement-groups.html 461 462Your instances may optionally make use of EC2 Spot Instances. The 463following example will request that spot instances be used and your 464maximum bid will be $0.10. Keep in mind that different spot prices 465may be needed based on the current value of the various EC2 instance 466sizes. You can check current and past spot instance pricing via the 467EC2 API or AWS Console. 468 469.. code-block:: yaml 470 471 my-ec2-config: 472 spot_config: 473 spot_price: 0.10 474 475You can optionally specify tags to apply to the EC2 spot instance request. 476A spot instance request itself is an object in AWS. The following example 477will set two tags on the spot instance request. 478 479.. code-block:: yaml 480 481 my-ec2-config: 482 spot_config: 483 spot_price: 0.10 484 tag: 485 tag0: value 486 tag1: value 487 488By default, the spot instance type is set to 'one-time', meaning it will 489be launched and, if it's ever terminated for whatever reason, it will not 490be recreated. If you would like your spot instances to be relaunched after 491a termination (by you or AWS), set the ``type`` to 'persistent'. 492 493NOTE: Spot instances are a great way to save a bit of money, but you do 494run the risk of losing your spot instances if the current price for the 495instance size goes above your maximum bid. 496 497The following parameters may be set in the cloud configuration file to 498control various aspects of the spot instance launching: 499 500* ``wait_for_spot_timeout``: seconds to wait before giving up on spot instance 501 launch (default=600) 502* ``wait_for_spot_interval``: seconds to wait in between polling requests to 503 determine if a spot instance is available (default=30) 504* ``wait_for_spot_interval_multiplier``: a multiplier to add to the interval in 505 between requests, which is useful if AWS is throttling your requests 506 (default=1) 507* ``wait_for_spot_max_failures``: maximum number of failures before giving up 508 on launching your spot instance (default=10) 509 510If you find that you're being throttled by AWS while polling for spot 511instances, you can set the following in your core cloud configuration 512file that will double the polling interval after each request to AWS. 513 514.. code-block:: yaml 515 516 wait_for_spot_interval: 1 517 wait_for_spot_interval_multiplier: 2 518 519See the `AWS Spot Instances`_ documentation for more information. 520 521 522Block device mappings enable you to specify additional EBS volumes or instance 523store volumes when the instance is launched. This setting is also available on 524each cloud profile. Note that the number of instance stores varies by instance 525type. If more mappings are provided than are supported by the instance type, 526mappings will be created in the order provided and additional mappings will be 527ignored. Consult the `AWS documentation`_ for a listing of the available 528instance stores, and device names. 529 530.. code-block:: yaml 531 532 my-ec2-config: 533 block_device_mappings: 534 - DeviceName: /dev/sdb 535 VirtualName: ephemeral0 536 - DeviceName: /dev/sdc 537 VirtualName: ephemeral1 538 539You can also use block device mappings to change the size of the root device at the 540provisioning time. For example, assuming the root device is '/dev/sda', you can set 541its size to 100G by using the following configuration. 542 543.. code-block:: yaml 544 545 my-ec2-config: 546 block_device_mappings: 547 - DeviceName: /dev/sda 548 Ebs.VolumeSize: 100 549 Ebs.VolumeType: gp2 550 Ebs.SnapshotId: dummy0 551 - DeviceName: /dev/sdb 552 # required for devices > 2TB 553 Ebs.VolumeType: gp2 554 Ebs.VolumeSize: 3001 555 556Tagging of block devices can be set on a per device basis. For example, you may 557have multiple devices defined in your block_device_mappings structure. You have the 558option to set tags on any of one device or all of them as shown in the following 559configuration. 560 561.. code-block:: yaml 562 563 my-ec2-config: 564 block_device_mappings: 565 - DeviceName: /dev/sda 566 Ebs.VolumeSize: 100 567 Ebs.VolumeType: gp2 568 tag: 569 tag0: myserver 570 tag1: value 571 - DeviceName: /dev/sdb 572 Ebs.VolumeType: gp2 573 Ebs.VolumeSize: 3001 574 tag: 575 tagX: value 576 tagY: value 577 578You can configure any AWS valid tag name as shown in the above example, including 579'Name'. If you do not configure the tag 'Name', it will be automatically created 580with a value set to the virtual machine name. If you configure the tag 'Name', the 581value you configure will be used rather than defaulting to the virtual machine 582name as shown in the following configuration. 583 584.. code-block:: yaml 585 586 my-ec2-config: 587 block_device_mappings: 588 - DeviceName: /dev/sda 589 Ebs.VolumeSize: 100 590 Ebs.VolumeType: gp2 591 tag: 592 Name: myserver 593 tag0: value 594 tag1: value 595 - DeviceName: /dev/sdb 596 Ebs.VolumeType: gp2 597 Ebs.VolumeSize: 3001 598 tag: 599 Name: customvalue 600 tagX: value 601 tagY: value 602 603Existing EBS volumes may also be attached (not created) to your instances or 604you can create new EBS volumes based on EBS snapshots. To simply attach an 605existing volume use the ``volume_id`` parameter. 606 607.. code-block:: yaml 608 609 device: /dev/xvdj 610 volume_id: vol-12345abcd 611 612Or, to create a volume from an EBS snapshot, use the ``snapshot`` parameter. 613 614.. code-block:: yaml 615 616 device: /dev/xvdj 617 snapshot: snap-abcd12345 618 619Note that ``volume_id`` will take precedence over the ``snapshot`` parameter. 620 621Tags can be set once an instance has been launched. 622 623.. code-block:: yaml 624 625 my-ec2-config: 626 tag: 627 tag0: value 628 tag1: value 629 630.. _`AWS documentation`: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/InstanceStorage.html 631.. _`AWS Spot Instances`: https://aws.amazon.com/ec2/spot/ 632 633Setting up a Master inside EC2 634------------------------------ 635 636Salt Cloud can configure Salt Masters as well as Minions. Use the ``make_master`` setting to use 637this functionality. 638 639.. code-block:: yaml 640 641 my-ec2-config: 642 # Optionally install a Salt Master in addition to the Salt Minion 643 make_master: True 644 645When creating a Salt Master inside EC2 with ``make_master: True``, or when the Salt Master is already 646located and configured inside EC2, by default, minions connect to the master's public IP address during 647Salt Cloud's provisioning process. Depending on how your security groups are defined, the minions 648may or may not be able to communicate with the master. In order to use the master's private IP in EC2 649instead of the public IP, set the ``salt_interface`` to ``private_ips``. 650 651.. code-block:: yaml 652 653 my-ec2-config: 654 # Optionally set the IP configuration to private_ips 655 salt_interface: private_ips 656 657 658Modify EC2 Tags 659=============== 660One of the features of EC2 is the ability to tag resources. In fact, under the 661hood, the names given to EC2 instances by salt-cloud are actually just stored 662as a tag called Name. Salt Cloud has the ability to manage these tags: 663 664.. code-block:: bash 665 666 salt-cloud -a get_tags mymachine 667 salt-cloud -a set_tags mymachine tag1=somestuff tag2='Other stuff' 668 salt-cloud -a del_tags mymachine tag1,tag2,tag3 669 670It is possible to manage tags on any resource in EC2 with a Resource ID, not 671just instances: 672 673.. code-block:: bash 674 675 salt-cloud -f get_tags my_ec2 resource_id=af5467ba 676 salt-cloud -f set_tags my_ec2 resource_id=af5467ba tag1=somestuff 677 salt-cloud -f del_tags my_ec2 resource_id=af5467ba tags=tag1,tag2,tag3 678 679 680Rename EC2 Instances 681==================== 682As mentioned above, EC2 instances are named via a tag. However, renaming an 683instance by renaming its tag will cause the salt keys to mismatch. A rename 684function exists which renames both the instance, and the salt keys. 685 686.. code-block:: bash 687 688 salt-cloud -a rename mymachine newname=yourmachine 689 690 691Rename on Destroy 692================= 693When instances on EC2 are destroyed, there will be a lag between the time that 694the action is sent, and the time that Amazon cleans up the instance. During 695this time, the instance still retains a Name tag, which will cause a collision 696if the creation of an instance with the same name is attempted before the 697cleanup occurs. In order to avoid such collisions, Salt Cloud can be configured 698to rename instances when they are destroyed. The new name will look something 699like: 700 701.. code-block:: bash 702 703 myinstance-DEL20f5b8ad4eb64ed88f2c428df80a1a0c 704 705 706In order to enable this, add rename_on_destroy line to the main 707configuration file: 708 709.. code-block:: yaml 710 711 my-ec2-config: 712 rename_on_destroy: True 713 714 715Listing Images 716============== 717Normally, images can be queried on a cloud provider by passing the 718``--list-images`` argument to Salt Cloud. This still holds true for EC2: 719 720.. code-block:: bash 721 722 salt-cloud --list-images my-ec2-config 723 724However, the full list of images on EC2 is extremely large, and querying all of 725the available images may cause Salt Cloud to behave as if frozen. Therefore, 726the default behavior of this option may be modified, by adding an ``owner`` 727argument to the provider configuration: 728 729.. code-block:: yaml 730 731 owner: aws-marketplace 732 733The possible values for this setting are ``amazon``, ``aws-marketplace``, 734``self``, ``<AWS account ID>`` or ``all``. The default setting is ``amazon``. 735Take note that ``all`` and ``aws-marketplace`` may cause Salt Cloud to appear 736as if it is freezing, as it tries to handle the large amount of data. 737 738It is also possible to perform this query using different settings without 739modifying the configuration files. To do this, call the ``avail_images`` 740function directly: 741 742.. code-block:: bash 743 744 salt-cloud -f avail_images my-ec2-config owner=aws-marketplace 745 746 747EC2 Images 748========== 749The following are lists of available AMI images, generally sorted by OS. These 750lists are on 3rd-party websites, are not managed by Salt Stack in any way. They 751are provided here as a reference for those who are interested, and contain no 752warranty (express or implied) from anyone affiliated with Salt Stack. Most of 753them have never been used, much less tested, by the Salt Stack team. 754 755* `Arch Linux`__ 756 757.. __: https://wiki.archlinux.org/index.php/Arch_Linux_AMIs_for_Amazon_Web_Services 758 759* `FreeBSD`__ 760 761.. __: http://www.daemonology.net/freebsd-on-ec2/ 762 763* `Fedora`__ 764 765.. __: https://fedoraproject.org/wiki/Cloud_images 766 767* `CentOS`__ 768 769.. __: https://wiki.centos.org/Cloud/AWS 770 771* `Ubuntu`__ 772 773.. __: http://cloud-images.ubuntu.com/locator/ec2/ 774 775* `Debian`__ 776 777.. __: https://wiki.debian.org/Cloud/AmazonEC2Image 778 779* `OmniOS`__ 780 781.. __: https://omniosce.org/setup/aws.html 782 783* `All Images on Amazon`__ 784 785.. __: https://aws.amazon.com/marketplace 786 787 788NOTE: If ``image`` of a profile does not start with ``ami-``, latest 789image with that name will be used. For example, to create a CentOS 7 790profile, instead of using the AMI like ``image: ami-1caef165``, we 791can use its name like ``image: 'CentOS Linux 7 x86_64 HVM EBS ENA 1803_01'``. 792We can also use a pattern like below to get the latest CentOS 7: 793 794 795.. code-block:: yaml 796 797 profile-id: 798 provider: provider-name 799 subnetid: subnet-XXXXXXXX 800 image: 'CentOS Linux 7 x86_64 HVM EBS *' 801 size: m1.medium 802 ssh_username: centos 803 securitygroupid: 804 - sg-XXXXXXXX 805 securitygroupname: 806 - AnotherSecurityGroup 807 - AndThirdSecurityGroup 808 809 810show_image 811========== 812This is a function that describes an AMI on EC2. This will give insight as to 813the defaults that will be applied to an instance using a particular AMI. 814 815.. code-block:: bash 816 817 $ salt-cloud -f show_image ec2 image=ami-fd20ad94 818 819 820show_instance 821============= 822This action is a thin wrapper around ``--full-query``, which displays details on a 823single instance only. In an environment with several machines, this will save a 824user from having to sort through all instance data, just to examine a single 825instance. 826 827.. code-block:: bash 828 829 $ salt-cloud -a show_instance myinstance 830 831 832ebs_optimized 833============= 834This argument enables switching of the EbsOptimized setting which default 835to 'false'. Indicates whether the instance is optimized for EBS I/O. This 836optimization provides dedicated throughput to Amazon EBS and an optimized 837configuration stack to provide optimal Amazon EBS I/O performance. This 838optimization isn't available with all instance types. Additional usage 839charges apply when using an EBS-optimized instance. 840 841This setting can be added to the profile or map file for an instance. 842 843If set to True, this setting will enable an instance to be EbsOptimized 844 845.. code-block:: yaml 846 847 ebs_optimized: True 848 849This can also be set as a cloud provider setting in the EC2 cloud 850configuration: 851 852.. code-block:: yaml 853 854 my-ec2-config: 855 ebs_optimized: True 856 857 858del_root_vol_on_destroy 859======================= 860This argument overrides the default DeleteOnTermination setting in the AMI for 861the EBS root volumes for an instance. Many AMIs contain 'false' as a default, 862resulting in orphaned volumes in the EC2 account, which may unknowingly be 863charged to the account. This setting can be added to the profile or map file 864for an instance. 865 866If set, this setting will apply to the root EBS volume 867 868.. code-block:: yaml 869 870 del_root_vol_on_destroy: True 871 872 873This can also be set as a cloud provider setting in the EC2 cloud 874configuration: 875 876.. code-block:: yaml 877 878 my-ec2-config: 879 del_root_vol_on_destroy: True 880 881 882del_all_vols_on_destroy 883======================= 884This argument overrides the default DeleteOnTermination setting in the AMI for 885the not-root EBS volumes for an instance. Many AMIs contain 'false' as a 886default, resulting in orphaned volumes in the EC2 account, which may 887unknowingly be charged to the account. This setting can be added to the profile 888or map file for an instance. 889 890If set, this setting will apply to any (non-root) volumes that were created 891by salt-cloud using the 'volumes' setting. 892 893The volumes will not be deleted under the following conditions 894* If a volume is detached before terminating the instance 895* If a volume is created without this setting and attached to the instance 896 897.. code-block:: yaml 898 899 del_all_vols_on_destroy: True 900 901 902This can also be set as a cloud provider setting in the EC2 cloud 903configuration: 904 905.. code-block:: yaml 906 907 my-ec2-config: 908 del_all_vols_on_destroy: True 909 910 911The setting for this may be changed on all volumes of an existing instance 912using one of the following commands: 913 914.. code-block:: bash 915 916 salt-cloud -a delvol_on_destroy myinstance 917 salt-cloud -a keepvol_on_destroy myinstance 918 salt-cloud -a show_delvol_on_destroy myinstance 919 920The setting for this may be changed on a volume on an existing instance 921using one of the following commands: 922 923.. code-block:: bash 924 925 salt-cloud -a delvol_on_destroy myinstance device=/dev/sda1 926 salt-cloud -a delvol_on_destroy myinstance volume_id=vol-1a2b3c4d 927 salt-cloud -a keepvol_on_destroy myinstance device=/dev/sda1 928 salt-cloud -a keepvol_on_destroy myinstance volume_id=vol-1a2b3c4d 929 salt-cloud -a show_delvol_on_destroy myinstance device=/dev/sda1 930 salt-cloud -a show_delvol_on_destroy myinstance volume_id=vol-1a2b3c4d 931 932 933EC2 Termination Protection 934========================== 935 936EC2 allows the user to enable and disable termination protection on a specific 937instance. An instance with this protection enabled cannot be destroyed. The EC2 938driver adds a show_term_protect action to the regular EC2 functionality. 939 940.. code-block:: bash 941 942 salt-cloud -a show_term_protect mymachine 943 salt-cloud -a enable_term_protect mymachine 944 salt-cloud -a disable_term_protect mymachine 945 946 947Alternate Endpoint 948================== 949Normally, EC2 endpoints are build using the region and the service_url. The 950resulting endpoint would follow this pattern: 951 952.. code-block:: text 953 954 ec2.<region>.<service_url> 955 956 957This results in an endpoint that looks like: 958 959.. code-block:: bash 960 961 ec2.us-east-1.amazonaws.com 962 963 964There are other projects that support an EC2 compatibility layer, which this 965scheme does not account for. This can be overridden by specifying the endpoint 966directly in the main cloud configuration file: 967 968.. code-block:: yaml 969 970 my-ec2-config: 971 endpoint: myendpoint.example.com:1138/services/Cloud 972 973 974Volume Management 975================= 976The EC2 driver has several functions and actions for management of EBS volumes. 977 978 979Creating Volumes 980---------------- 981A volume may be created, independent of an instance. A zone must be specified. 982A size or a snapshot may be specified (in GiB). If neither is given, a default 983size of 10 GiB will be used. If a snapshot is given, the size of the snapshot 984will be used. 985 986The following parameters may also be set (when providing a snapshot OR size): 987 988* ``type``: choose between standard (magnetic disk), gp2 (SSD), or io1 (provisioned IOPS). 989 (default=standard) 990* ``iops``: the number of IOPS (only applicable to io1 volumes) (default varies on volume size) 991* ``encrypted``: enable encryption on the volume (default=false) 992 993.. code-block:: bash 994 995 salt-cloud -f create_volume ec2 zone=us-east-1b 996 salt-cloud -f create_volume ec2 zone=us-east-1b size=10 997 salt-cloud -f create_volume ec2 zone=us-east-1b snapshot=snap12345678 998 salt-cloud -f create_volume ec2 size=10 type=standard 999 salt-cloud -f create_volume ec2 size=10 type=gp2 1000 salt-cloud -f create_volume ec2 size=10 type=io1 iops=1000 1001 1002 1003Attaching Volumes 1004----------------- 1005Unattached volumes may be attached to an instance. The following values are 1006required; name or instance_id, volume_id, and device. 1007 1008.. code-block:: bash 1009 1010 salt-cloud -a attach_volume myinstance volume_id=vol-12345 device=/dev/sdb1 1011 1012 1013Show a Volume 1014------------- 1015The details about an existing volume may be retrieved. 1016 1017.. code-block:: bash 1018 1019 salt-cloud -a show_volume myinstance volume_id=vol-12345 1020 salt-cloud -f show_volume ec2 volume_id=vol-12345 1021 1022 1023Detaching Volumes 1024----------------- 1025An existing volume may be detached from an instance. 1026 1027.. code-block:: bash 1028 1029 salt-cloud -a detach_volume myinstance volume_id=vol-12345 1030 1031 1032Deleting Volumes 1033---------------- 1034A volume that is not attached to an instance may be deleted. 1035 1036.. code-block:: bash 1037 1038 salt-cloud -f delete_volume ec2 volume_id=vol-12345 1039 1040 1041Managing Key Pairs 1042================== 1043The EC2 driver has the ability to manage key pairs. 1044 1045 1046Creating a Key Pair 1047------------------- 1048A key pair is required in order to create an instance. When creating a key pair 1049with this function, the return data will contain a copy of the private key. 1050This private key is not stored by Amazon, will not be obtainable past this 1051point, and should be stored immediately. 1052 1053.. code-block:: bash 1054 1055 salt-cloud -f create_keypair ec2 keyname=mykeypair 1056 1057Importing a Key Pair 1058-------------------- 1059 1060.. code-block:: bash 1061 1062 salt-cloud -f import_keypair ec2 keyname=mykeypair file=/path/to/id_rsa.pub 1063 1064 1065Show a Key Pair 1066--------------- 1067This function will show the details related to a key pair, not including the 1068private key itself (which is not stored by Amazon). 1069 1070.. code-block:: bash 1071 1072 salt-cloud -f show_keypair ec2 keyname=mykeypair 1073 1074 1075Delete a Key Pair 1076----------------- 1077This function removes the key pair from Amazon. 1078 1079.. code-block:: bash 1080 1081 salt-cloud -f delete_keypair ec2 keyname=mykeypair 1082 1083Launching instances into a VPC 1084============================== 1085 1086Simple launching into a VPC 1087--------------------------- 1088 1089In the amazon web interface, identify the id or the name of the subnet into 1090which your image should be created. Then, edit your cloud.profiles file like 1091so:- 1092 1093.. code-block:: yaml 1094 1095 profile-id: 1096 provider: provider-name 1097 subnetid: subnet-XXXXXXXX 1098 image: ami-XXXXXXXX 1099 size: m1.medium 1100 ssh_username: ubuntu 1101 securitygroupid: 1102 - sg-XXXXXXXX 1103 securitygroupname: 1104 - AnotherSecurityGroup 1105 - AndThirdSecurityGroup 1106 1107Note that 'subnetid' takes precedence over 'subnetname', but 'securitygroupid' 1108and 'securitygroupname' are merged together to generate a single list for 1109SecurityGroups of instances. 1110 1111Specifying interface properties 1112------------------------------- 1113 1114.. versionadded:: 2014.7.0 1115 1116Launching into a VPC allows you to specify more complex configurations for 1117the network interfaces of your virtual machines, for example:- 1118 1119.. code-block:: yaml 1120 1121 profile-id: 1122 provider: provider-name 1123 image: ami-XXXXXXXX 1124 size: m1.medium 1125 ssh_username: ubuntu 1126 1127 # Do not include either 'subnetid', 'subnetname', 'securitygroupid' or 1128 # 'securitygroupname' here if you are going to manually specify 1129 # interface configuration 1130 # 1131 network_interfaces: 1132 - DeviceIndex: 0 1133 SubnetId: subnet-XXXXXXXX 1134 SecurityGroupId: 1135 - sg-XXXXXXXX 1136 1137 # Uncomment this line if you would like to set an explicit private 1138 # IP address for the ec2 instance 1139 # 1140 # PrivateIpAddress: 192.168.1.66 1141 1142 # Uncomment this to associate an existing Elastic IP Address with 1143 # this network interface: 1144 # 1145 # associate_eip: eipalloc-XXXXXXXX 1146 1147 # You can allocate more than one IP address to an interface. Use the 1148 # 'ip addr list' command to see them. 1149 # 1150 # SecondaryPrivateIpAddressCount: 2 1151 1152 # Uncomment this to allocate a new Elastic IP Address to this 1153 # interface (will be associated with the primary private ip address 1154 # of the interface 1155 # 1156 # allocate_new_eip: True 1157 1158 # Uncomment this instead to allocate a new Elastic IP Address to 1159 # both the primary private ip address and each of the secondary ones 1160 # 1161 allocate_new_eips: True 1162 1163 # Uncomment this if you're creating NAT instances. Allows an instance 1164 # to accept IP packets with destinations other than itself. 1165 # SourceDestCheck: False 1166 1167 - DeviceIndex: 1 1168 subnetname: XXXXXXXX-Subnet 1169 securitygroupname: 1170 - XXXXXXXX-SecurityGroup 1171 - YYYYYYYY-SecurityGroup 1172 1173Note that it is an error to assign a 'subnetid', 'subnetname', 'securitygroupid' 1174or 'securitygroupname' to a profile where the interfaces are manually configured 1175like this. These are both really properties of each network interface, not of 1176the machine itself. 1177