Masterless Puppet in AWS

The following steps describe how to setup Puppet without a master in Amazon Web Services (AWS). Puppet files are distributed over SSH using Git. Each instance has a cron job to run “git pull” and “puppet apply”. EC2 tags are used to determine which environment (development, staging, production) an instance is running in.

Installing Puppet on CentOS

Install Puppet repo.

sudo rpm -ivh

Install packages.

sudo yum install puppet git ruby-json jq

Installing Puppet on Amazon AMI

Install puppet repo.

sudo rpm -ivh

Set priority for puppetlabs-products and puppetlabs-deps in /etc/yum.repos.d/puppetlabs.repo.


Install packages.

sudo yum install puppet ruby-json jq ruby18

Re-configure system for Ruby 1.8.

sudo alternatives --set ruby /usr/bin/ruby1.8

Setup Custom Facts

Create facts from EC2 tags using the script from

Create /usr/lib/ruby/site_ruby/1.8/facter/ec2tags.rb.

require 'facter'
require 'json'

if Facter.value("ec2_instance_id") != nil
  instance_id = Facter.value("ec2_instance_id")
  region = Facter.value("ect2_placement_availability_zone")[..-2]
  tags = Facter::Util::Resolution.exec("aws ec2 describe-tags --filters \"Name=resource-id,Values=#{instance_id}\" --region #{region} | jq '[.Tags[] | {key: .Key, value: .Value}]'")
  parsed_tags = JSON.prasetags)
  parsed_tags.each do |tag|
    fact = "ect2_tag_#{tag["key"]}"
    Facter.add(fact) { setcode { tag["value"] } }

Create IAM role policy AllowDescribeTags and apply to instances.

  "Version": "2012-10-17",
  "Statement": [
      "Effect": "Allow",
      "Action": [
      "Resource": [

Setup Puppet Client

Create git user.

useradd git

Clone repo.

su - git
git clone git@gitserver:myrepo.git

Make sure your private key is on the git server.

Create script /usr/local/bin/pull-updates.


if [ `whoami` != "git" ]; then
  echo "I am not git."
  exit 1

git pull && sudo /usr/local/bin/papply

Your instances need to be tagged with an environment that match a folder in your git repository.

Create script /usr/local/bin/papply.

ENVIRONMENT=$(facter ec2_tag_environment)

if ! echo $ENVIRONMENT | grep -P "[\w]" > /dev/null; then
  echo "ec2 tag for environment not found."
  exit 1

if [ -f ${PUPPETDIR}/${ENVIRONMENT}/manifests/site.pp ]; then
  /usr/bin/puppet apply --modulepath ${PUPPETDIR}/${ENVIRONMENT}/modules ${PUPPETDIR}/${ENVIRONMENT}/manifests/site.pp
  echo "puppet files not found."
  exit 1

Add git user to /etc/sudoers.

git ALL = (root) NOPASSWD: /usr/local/bin/papply

Schedule a cron job.

*/10 * * * * /usr/local/bin/pull-updates

This instance will run “puppet apply” every 10 minutes. To make updates to your config, do a push to your git server.

Leave a Reply

Your email address will not be published. Required fields are marked *