After struggling with this problem in my mind for a while, I finally had the opportunity to experiment with Cloud Init and come up with a working solution for securely (I think) deploying code and credentials to a stock Ubuntu Instance on EC2.
My primary goals are:
- Must use a stock AMI with no customization.
- Human-readable user-data that contains appName, environment, and role.
- user-data must be easily modified by a developer for their own app or environment (no forcing them to base64 encode, gzip, or use special tools).
- Must be portable between providers.
The example works with EC2, but the initial ‘include’ file can be customized for each provider or OS.
The diagram below shows how this is to be accomplished.
The key to making this work is posting the user-data to a configuration server that can validate that the Instance ID belongs to us, that the instance has not already attempted configuration, and that it was started in the past couple of minutes.
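As an added example (not code from the original post), the following sketches the checks a configuration server could apply before releasing anything to an instance that posts its user-data: ownership of the Instance ID, no prior configuration attempt, and a recent launch time. It assumes that user-data is plain `key: value` lines holding appName, environment and role, that a dict stands in for an EC2 DescribeInstances lookup of our own account, and that five minutes is the launch window; none of these details come from the post.

```python
"""Configuration-server validation for a cloud-init bootstrap request.

Added example, not the post's own code. Assumptions (ours): user-data is
human-readable "key: value" lines; OUR_INSTANCES stands in for an EC2
DescribeInstances lookup scoped to our account; MAX_LAUNCH_AGE is 5 minutes.
"""
from datetime import datetime, timedelta, timezone

MAX_LAUNCH_AGE = timedelta(minutes=5)  # assumed window; tune per environment
REQUIRED_KEYS = ("appName", "environment", "role")

# Constructed stand-in for DescribeInstances on our own account:
# instance ID -> launch time (UTC). A missing ID means "not ours".
OUR_INSTANCES = {
    "i-0123456789abcdef0": datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc),
    "i-0fedcba9876543210": datetime(2024, 1, 1, 11, 0, 0, tzinfo=timezone.utc),
}

# Constructed sample user-data in the human-readable form a developer edits.
SAMPLE_USER_DATA = """# bootstrap settings, edited per app/environment
appName: billing-api
environment: staging
role: web
"""


def parse_user_data(text):
    """Extract appName/environment/role from 'key: value' user-data.

    Comment lines and unknown keys are ignored. A missing required key
    raises ValueError so a malformed request is refused outright rather
    than producing a half-configured instance.
    """
    fields = {}
    for line in text.splitlines():
        if line.startswith("#") or ":" not in line:
            continue
        key, _, value = line.partition(":")
        key = key.strip()
        if key in REQUIRED_KEYS:
            fields[key] = value.strip()
    missing = [k for k in REQUIRED_KEYS if k not in fields]
    if missing:
        raise ValueError("user-data missing %s" % ", ".join(missing))
    return fields


def validate_instance(instance_id, configured, now, inventory=OUR_INSTANCES):
    """Apply the three checks from the post. Returns (ok, reason).

    configured: set of instance IDs that have already made a request.
    The ID is recorded on success so a replayed request is refused.
    """
    launch_time = inventory.get(instance_id)
    if launch_time is None:
        return False, "instance not in our account"
    if instance_id in configured:
        return False, "instance already attempted configuration"
    age = now - launch_time
    # Reject both stale instances and launch times in the future (clock skew).
    if age < timedelta(0) or age > MAX_LAUNCH_AGE:
        return False, "instance launched outside the allowed window"
    configured.add(instance_id)
    return True, "ok"


def authorize_bootstrap(instance_id, user_data, configured, now):
    """Combine both steps: returns the parsed fields if the request is
    acceptable, otherwise None. Parsing happens first so bad user-data
    does not consume the instance's single configuration attempt."""
    try:
        fields = parse_user_data(user_data)
    except ValueError:
        return None
    ok, _reason = validate_instance(instance_id, configured, now)
    return fields if ok else None


if __name__ == "__main__":
    seen = set()
    now = datetime(2024, 1, 1, 12, 3, 0, tzinfo=timezone.utc)
    print(authorize_bootstrap("i-0123456789abcdef0", SAMPLE_USER_DATA, seen, now))
    print(validate_instance("i-0123456789abcdef0", seen, now))  # replay refused
```

In production the inventory lookup would be a DescribeInstances call filtered to the account, and the `configured` set would live in durable storage shared by all configuration-server replicas, since the replay check is only as good as that store.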
I’ve successfully deployed several instances using this method and it seems to work well. Getting the cloud init include file, and the script