OmniSSM - EC2 Systems Manager Automation
Automation for AWS Systems Manager using hybrid mode. Using hybrid mode for ec2 instances brings a few benefits.
- No instance credentials needed
- Centralized management of servers across numerous accounts.
- Facilitate cross cloud/datacenter usage of SSM
Switching from ec2 to hybrid mode, does mean we have to reproduce a bit of functionality
- Secure instance registration.
- Instance deactivation/garbage collection on delete.
- Instance metadata enrichment.
We provide a few bits of automation tooling to enable seamless hybrid mode.
A register api via api gw lambda for registering cloud instances. We handle secure introductions via cloud instance identity document signature verification.
a host registration/initialization cli for interacting with the register api and initializing ssm-agent on instance boot.
a custom inventory plugin for collecting process information.
a config subscriber for enriching a ssm instance with tags and cloud inventory, and deleting/gc instances from ssmo.
an sns topic subscriber for enriching instances that are registering after a config event has already fired (ie slow boot).
The OmniSSM agent is configured by environment variables as well as a YAML configuration file and command-line flags. OmniSSM checks for the file
omnissm.yaml in either
/etc/omnissm/ or the current directory at runtime.
|Flag||Environment Variable||YAML key||Description|
||Enable debug logging|
||Specify a single API endpoint to register with, overriding
||A map of regions to endpoints|
Either the register endpoints map, or the single register endpoint override must be set.
- Hybrid SSM Manual Install https://amzn.to/2Hlu9o2
- EC2 Instance Identity Documents https://amzn.to/2qLuGt9
- Google Instance Identity https://bit.ly/2HQexKc
- scale testing
- test with large cfg messages
- sns subscriber for slow boot instances
- systemd timer example for initialize & inventory
- custom inventory output directly to agent pickup location
- osquery inventory example
Package lambda provides helpers for interacting with AWS Lambda/API Gateway
|Package lambda provides helpers for interacting with AWS Lambda/API Gateway|