AWS DevOps Blog

Using OpsWorks to Perform Operational Tasks

Today Jeff Barr blogged about a new feature that gives users the ability to deploy and operate applications on existing Amazon EC2 instances and on-premises servers with AWS OpsWorks. You may know OpsWorks as a service that lets users deploy and manage applications. However OpsWorks can also perform operational tasks that simplify server management. This blog includes three examples of how to use OpsWorks to manage instances. This blog will create EC2 instances using OpsWorks, but you can also use the newly launched features to register on-premises servers or existing EC2 instances.

Example 1: Use OpsWorks to perform tasks on instances  

Server administrators must often perform routine tasks on multiple instances, such as installing software updates. In the past you might have logged in with SSH to each instance and run the commands manually. With OpsWorks you can now perform these tasks on every instance with a single command as often as you like by using predefined scripts and Chef recipes. You can even have OpsWorks run your recipes automatically at key points in the instance’s life cycle, such as after the instance boots or when you deploy an app. This example will show how you can run a simple shell command and get the response back on the console.

Step 1: Create a stack

To get started, open the AWS Management Console. Your first task is to create a stack:
  1. Select Add a Stack to create an OpsWorks stack.
  2. Give it a name and select Advanced.
  3. Set Use custom Chef Cookbooks to Yes.
  4. Set Repository type to Git.
  5. Set the Repository URL to
  6. Accept the defaults for the other settings and click the Add Stack button at the bottom of the page to create the stack.

Step 2: Add a Layer

An OpsWorks layer is a template that specifies how to configure a related set of EC2 instances. For this example:
  1. Select Add a Layer
  2. Choose a Custom layer; give it a Name and Short Name. The short name should be all lower case with no spaces or punctuation.

Step 3: Add an Instance

You now need to add some instances to the layer: 
  1. Click Instances in the navigation pane and under the layer you just created click + Instance to create a new EC2 instance. You can also Register an on-premises instance in this step.
  2. For this walkthrough, just accept the default settings and click Add Instance to add the instance to the layer.
  3. Click start in the row’s Actions column and OpsWorks will then launch a new EC2 instance. The instance’s status will change to online when it’s ready.

Step 4: Run a command

This step shows how to run a command that executes one of the custom recipes that you installed earlier. It detects whether the instance is vulnerable to Shellshock.

  1. Click Stack
  2. Click Run Command
  3. Select “Execute Recipes” from the drop down
  4. Set Recipes to execute to shellout 
  5. Select Advanced
  6. Copy the following to the Custom Chef JSON box:

    { "shellout" : { "code" : "env x='() { :;}; echo vulnerable' bash -c 'echo this is a test'" } }
  7. Click Execute Recipes
Step 5: View the results
Once the recipe run has completed, you can view the results by selecting the View link under Logs. About half way down the log file you should see the output:

[2014-12-03T23:49:03+00:00] INFO: @@@
this is a test

Next steps

It’s usually a better practice to put each script you plan to run into a Chef recipe. It improves consistency and avoids incorrect results. You can easily include Bash, Python and Ruby scripts in a recipes. For example, the following recipe is basically a wrapper for a one-line Bash script:

bash "change system greeting" do
  user "root"
  code <<-EOH
     echo "Hello OpsWorks World" > /etc/motd

Example 2: Manage operating system users and ssh/sudo access

It is often useful to be able to grant multiple users SSH access to an EC2 instance. However Amazon EC2 installs only one SSH key when it launches an instance. With OpsWorks, each user can have their own SSH key and you can use OpsWorks to grant SSH and sudo permissions to selected users. OpsWorks then automatically adds the users’ keys to the instance’s authorized_keys file. If a user no longer needs SSH access, you remove those permissions and OpsWorks automatically removes the key.

Step 1: Import users into AWS OpsWorks

  1. Sign in to AWS OpsWorks as an administrative user or as the account owner.
  2. Click Users on the upper right to open the Users page.
  3. Click Import IAM Users to display the users that have not yet been imported.
  4. Select the users you want, then click Import to OpsWorks.
GitHub Fork

Step 2: Edit user settings

  1. On the Users page, click edit in the user’s Actions column.
  2. Enter a public SSH key for the user and give the user the corresponding private key. The public key will appear on the user’s My Settings page. For more information, see Setting an IAM User’s Public SSH Key. If you enable self-management, the user can specify his or her own key.
  3. Set the user’s permissions levels for the stack you created in Example 1 to include "SSH" access. You can also set permissions separately by using each stack’s Permissions page. 
GitHub Fork

Step 3: SSH to the instance

  1. Click Dashboard on the upper right to open the Dashboard page.
  2. Select the stack you created in Example 1 and navigate to Instances.
  3. Select the instance you created in Example 1.
  4. In the Logs section you will see the execute_recipes command that added the user and the user’s public key to the instance. When this command has completed, as indicated by the green check, select the SSH button at the top of the screen to launch an SSH client. You can then sign into the instance with your username and private key.

Example 3: Archive a file to Amazon S3

There are times when you may want to archive a file, for example to investigate a problem later. This script will send a file from an instance to S3.

Step 1: Create or select an existing S3 bucket

Open the S3 console and create a new bucket or select an existing bucket to use for this example.

Step 2: Run a command to push a file to S3

  1. Using the stack you created in Example 1, navigate to Stack
  2. Select Run Command
  3. Select “Execute Recipes” from the drop down menu
  4. Set Recipes to execute to sample::push-s3
  5. Select Advanced
  6. Set Custom Chef JSON to

    {   "s3": {
    	        "filename": "opsworks-agent.log",
    	        "bucketname": "your-s3-bucket-name",
    	        "filepath": "/var/log/aws/opsworks/opsworks-agent.log"
    	  }	}

    The sample::push-s3 recipe was included in the cookbook that you installed earlier. It gets the required information from the JSON and uses the AWS Ruby SDK to upload the file to S3.

  7. Click Execute Recipes

Step 3: View the file in S3

The file you selected in step 2 should now be in your bucket.

These examples demonstrate three ways that OpsWorks can be used for more than software configuration. See the documentation for more information on how to manage on-premises and EC2 instances with OpsWorks.