Chef recipe to change the pem file of running EC2 instances and add a new user with sudo privileges to all the instances
This blog post is meant to help AWS/Chef professionals change the pem key of running servers, or add a new user with sudo privileges to an EC2 server farm, using Chef. The post is based on a production use case: a large number of instances running on one or more pem files had to be switched immediately to a single pem file for all servers, without any downtime. This is typically done to address a security concern, for example when the pem file has been handed around to several people, or when the person who managed these servers and their keys has left the organization.
A quick and easy resolution for the above concern is listed below.
1) This blog post assumes a pre-existing Chef test environment of three Ubuntu servers: a Chef server, a Chef client and a Chef workstation. For more information on setting up this test environment, please refer to the link below:
https://www.digitalocean.com/community/tutorials/how-to-install-a-chef-server-workstation-and-client-on-ubuntu-vps-instances
2) Create a new key pair using the AWS console and download the new pem file.
3) Obtain the public key for the recently downloaded pem key using the command below. The command will ask for the location of the private key and will print the matching public key on stdout. Copy and save that output into a file named "authorized_keys" and put this file inside the '$HOME/chef-repo/cookbooks/changekeypair/files/default/' directory.
4) Now we push this public key file into the .ssh folder of all the instances using the Chef recipe below. The recipe will push the "authorized_keys" file to all the Chef clients and set its permissions to 600, so the public key previously held by the clients is replaced with the new one. Users holding the old private key can no longer log into the system.
To add a new user with sudo privileges to the server farm, follow the steps below.
1) Create a password shadow hash, because the original password should not be written in plain text in our recipe.
2) Create a new cookbook and copy the recipe listed below. The recipe will create a new user with username "intelligrape" and password "theplaintextpassword", and add this user to sudoers.
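As an added example (not the recipes or commands from the original post), the following workstation-side script covers both procedures above: it derives the public key from the new pem file, refuses to stage anything that is not a public-key line (so a private key pasted by mistake never reaches the whole fleet), generates the shadow hash without putting the plaintext in the cookbook, and writes the two recipes. The cookbook path, the login user ("ubuntu"), and membership of the Ubuntu "sudo" group as the way to grant sudo are assumptions.

```shell
#!/bin/sh
# Added example, not the original post's code. Assumes ssh-keygen and openssl
# on the workstation and a cookbook under $HOME/chef-repo/cookbooks/changekeypair.
set -eu

# 1. Derive the public key from the new .pem (ssh-keygen prints it on stdout).
pubkey_from_pem() { ssh-keygen -y -f "$1"; }

# Guard: exactly one authorized_keys line of a supported key type.
is_pubkey_line() {
  case "$1" in
    ssh-rsa\ AAAA*|ssh-ed25519\ AAAA*|ecdsa-sha2-nistp256\ AAAA*) return 0 ;;
    *) return 1 ;;
  esac
}

# 2. Stage the key as files/default/authorized_keys inside the cookbook.
stage_authorized_keys() {  # $1 = cookbook dir, $2 = public key line
  is_pubkey_line "$2" || { echo "refusing: not a public key line" >&2; return 1; }
  mkdir -p "$1/files/default"
  printf '%s\n' "$2" > "$1/files/default/authorized_keys"
}

# 3. SHA-512 crypt hash for the user resource; the plaintext stays off disk.
shadow_hash() { printf '%s' "$1" | openssl passwd -6 -stdin; }

# 4. Write the two recipes. $1 = cookbook dir, $2 = existing login user,
#    $3 = new user name, $4 = shadow hash from shadow_hash (all assumptions).
write_recipes() {
  mkdir -p "$1/recipes"
  cat > "$1/recipes/default.rb" <<EOF
# Replace the fleet's authorized_keys with the staged public key, mode 0600.
cookbook_file "/home/$2/.ssh/authorized_keys" do
  source "authorized_keys"
  owner "$2"
  group "$2"
  mode "0600"
end
EOF
  cat > "$1/recipes/adduser.rb" <<EOF
# Create the new account with the pre-computed hash and add it to the sudo group.
user "$3" do
  password '$4'
  shell "/bin/bash"
  manage_home true
end
group "sudo" do
  action :modify
  members ["$3"]
  append true
end
EOF
}
```

Typical use is `stage_authorized_keys "$HOME/chef-repo/cookbooks/changekeypair" "$(pubkey_from_pem new.pem)"` followed by `write_recipes` with the hash from `shadow_hash`, then uploading the cookbook and running chef-client on the fleet.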
Thanks and regards
Sharad Aggarwal