Deploying a Munki repo in five minutes with Terraform
31 Oct 2018
- An s3 bucket to store your Munki repo
- An s3 bucket to store your logs
- A CloudFront Distribution so your clients will pull from an AWS endpoint near them
- A Lambda@Edge function that will set up basic authentication
A Munki repo is a basic web server, but you still need to worry about setting up one or more servers, patching those servers, and scaling them around the world if you have clients in more than one country.
Amazon Web Services has crazy high levels of uptime - more than we could ever manage ourselves. CloudFront powers some of the world’s busiest websites without breaking a sweat, so it can handle your Munki repo without any trouble.
So it makes sense to offload the running of these services so we can get on with our day.
How do I use it?!
Initial Terraform / AWS Setup
- Register for an AWS account if you haven’t already got one.
- Once you’ve logged in and set up billing, head over to IAM and create a user with the
- Generate an access key and secret for the user. Download the CSV.
- Install homebrew
- brew install awscli
- brew install terraform
- aws configure and follow the prompts to log in and to set a default region (I like us-east-1 but choose one where you are happy having your data stored)
Using the thing
Create a file called main.tf wherever you want to store these things. Put the following content in it - adjust the variables to match what you want the bucket to be called (the name must be globally unique across all of Amazon), and the username and password your Munki clients will use to access the repo.
And now it’s time to put Terraform to work. Commands you need to type are prefaced with a
You will see a terraform.tfstate file appear. This is how Terraform keeps track of what it has created and what the present state is. Do not delete this file. Whilst you can make changes in the AWS GUI, there is definitely the potential for your state file to get messed up, so I would suggest editing the resources we are creating only with Terraform. And if you are thinking that a local state file sounds difficult to work with in a team, you would be right - you should definitely look at moving to a backend such as the s3 backend.
If everything goes well and Terraform says it will create everything you expect, you can apply (type in yes when you are asked):
Then you can get your distribution’s URL (you want the CloudFront one, not the s3 one):
Head to your new Munki repo’s address and all being well you should be able to log in with your chosen username and password. Note: it can take a few minutes for CloudFront distributions to work everywhere - if you can’t connect, check in the AWS console that it has finished deploying before panicking.
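The kind of check a Lambda@Edge viewer-request function performs for basic authentication, as an added sketch (not the code this Terraform configuration deploys). The function names, the realm and the credentials are assumptions constructed for illustration.

```javascript
'use strict';
const nodeCrypto = require('crypto');

// Constructed placeholder credentials (assumption), not values from the post.
const USERNAME = 'munki';
const PASSWORD = 'example-password';

// Constant-time string comparison. Hashing first yields equal-length
// buffers, which timingSafeEqual requires.
function safeEqual(a, b) {
  const ha = nodeCrypto.createHash('sha256').update(a).digest();
  const hb = nodeCrypto.createHash('sha256').update(b).digest();
  return nodeCrypto.timingSafeEqual(ha, hb);
}

// True only for a well-formed "Basic <base64(user:pass)>" header value
// carrying the expected credentials.
function isAuthorized(headerValue) {
  const match = /^Basic ([A-Za-z0-9+/]+={0,2})$/i.exec(headerValue || '');
  if (!match) return false;
  const decoded = Buffer.from(match[1], 'base64').toString('utf8');
  const sep = decoded.indexOf(':'); // the password may itself contain ':'
  if (sep < 0) return false;
  const userOk = safeEqual(decoded.slice(0, sep), USERNAME);
  const passOk = safeEqual(decoded.slice(sep + 1), PASSWORD);
  return userOk && passOk; // both halves are always compared
}

// Returns the request unchanged (CloudFront forwards it to the origin)
// or a generated 401 response that prompts the client for credentials.
function checkRequest(request) {
  const auth = request.headers.authorization; // header keys arrive lowercased
  if (auth && auth.length > 0 && isAuthorized(auth[0].value)) {
    return request;
  }
  return {
    status: '401',
    statusDescription: 'Unauthorized',
    headers: {
      'www-authenticate': [{ key: 'WWW-Authenticate', value: 'Basic realm="Munki"' }],
    },
    body: 'Unauthorized',
  };
}

// Lambda@Edge entry point for the viewer-request event.
exports.handler = async (event) => checkRequest(event.Records[0].cf.request);
```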
Getting your Munki repo into s3
Assuming your repo is in /Users/Shared/munki_repo - adjust this path for your environment.
Now it’s just a matter of configuring your Munki clients to connect to your new repo. The Munki wiki has you covered there.
In just a few minutes you have deployed a Munki repo that will handle tens of thousands of clients (or just 10 - it’s just as good for small deployments), describing your infrastructure in code. This means the deployment is repeatable and reliable. If you need to change the password or username for basic auth, simply edit the variable and run terraform plan and terraform apply again. No messing with the AWS GUI, no potential for clicking on the wrong thing.