Prevent the auto-termination of stranded instances in RighScale

When you launch an instance with RightScale Self Service, and the Chef cookbook execution fails, the instance goes into “stranded” mode. By default RightScale Self Service terminates the stranded instances, so there is no way to remote into them and read log files to find the cause of the problem.

To keep stranded instances running in RightScale

  1. Find the booting instance in Cloud Management and click the instance name,
  2. Click the lock icon on the top of the screen

RightScale Self Service cannot terminate locked instances. To terminate the instance after the troubleshooting process, unlock the instance and terminate the instance by hand.

Error waiting for instance (i-…) to become ready: unexpected state ‘terminated’, wanted target ‘running’

When you launch a server instance with Terraform, sometimes the error message does not contain the underlying cause. When the cloud provider cannot complete the request, many times Terraform displays a generic error message:

Error waiting for instance (i-...) to become ready: unexpected state 'terminated', wanted target 'running'

To find the root cause of the error in AWS

  1. Log into the AWS console and navigate to the EC2 section,
  2. Search for the instance by the instance Id,
  3. You can find the error message at the bottom of the Description tab

In our specific case, it was Client.VolumeLimitExceeded: Volume limit exceeded

We had to increase the volume limit to be able to launch more large EC2 instances.

Upgrade a server on an AWS EC2 instance with minimum risk and downtime

When you need to upgrade an application on an AWS EC2 instance with minimum downtime, there are many options.

Upgrade an EC2 instance

  1. Stop the application, so users don’t make more changes,
  2. Create a backup of the database (snapshot of the RDS instance),
  3. Create a backup of the server (backup image of the EC2 instance),
  4. Upgrade the application on the server,
  5. Start the application,
  6. Test the new version of the application.

In case the upgrade fails, or the post-upgrade test fails

  1. Stop the application,
  2. If you use RightScale to launch servers:
    1. stop the RightLink service on the failed server to prevent RightScale auto terminating the restored server
      (When RightScale finds a new identical server instance, it automatically shuts it down to avoid multiple instances with the same identifier.)
    2. Terminate the failed server
  3. Stop the failed server,
  4. Restore the database from the pre-upgrade backup with a new name,
  5. Restore the server instance from the pre-upgrade backup,
  6. Start the restored server,
  7. Change the database address in the application’s config file to point to the restored database,
  8. Start the application,
  9. Test the restored version of the application.

To make the backup image of the AWS EC2 instance

  1. Open the AWS console and navigate to EC2, Running instances
  2. Find the server instance you want to backup
  3. Right-click the row of the instance and select Image, Create Image

  4. Name the image and click the Create Image button
  5. Save the image Id from the popup

Find the AWS AMI that a RightScale server template is using

When you use RightScale to launch servers in the cloud, you want to use the same base image to test your Chef cookbooks in Test Kitchen.

Packer by Hashicorp is a utility to create custom server images based on cloud images. You supply the image ID and other configuration parameters to create a new custom image.

To find the AMI ID of the base image of the RightScale Server Template

  1. Open the RightScale user interface in your browser,
  2. Select the RightScale account where the server template was created,
  3. In RightScale Cloud Management select  Design / ServerTemplates,
  4. Select the server template,
  5. Select Images,
  6. Select the MultiCloud image,
  7. Select Clouds,
  8. Select the image in the region you are working in,
  9. The Resource UID is the AMI ID of the image.

Migrate databases to and from AWS RDS instances

Amazon Web Services do not provide tools to migrate data to, from and between AWS RDS instances.

There is a free utility that can do the job.

SQL Server Management Studio (SSMS)

Install Microsoft SQL Server Management Studio (SSMS), because the utility uses libraries from it.

  1. Download the installer for free from

SQL Azure Migration Wizard


  1. Download the SQL Azure Migration Wizard from
  2. Unzip the downloaded ZIP file into a folder on your hard drive
  3. Create a shortcut in your Start Menu for SQLAzureMW.exe

Migrate a database

  1. Start the SQL Azure Migration Wizard by executing the SQLAzureMW.exe file
  2. Select Database in the Analyze / Migrate section and click Next

Connect to the source database

  1. On the Connect to Server page
    1. Enter the address of the database server
    2. Select SQL Server Authentication
    3. Enter the database owner login name and password
    4. If you keep Master DB selected, the next screen will show the list of databases to select from
    5. To save the username and password select Save Login Information
    6. Click Connect

  2. Select the database to connect to and click Next
  3. Leave Script all database objects selected and click Next
  4. On the Script Wizard Summary page click Next
  5. Click Yes to start the read process
  6. On the Results Summary page select Auto Scroll Display to see the scrolling results
  7. When the read is done click Next

Connect to the target database

  1. Enter the connection properties of the target database server
  2. Select the target database
    1. To migrate the data into a new database click the Create Database button
    2. On mirrored RDS instances we cannot drop and recreate databases. To migrate data into an existing database
      1. Use SQL Management Studio to drop the existing tables to avoid key conflicts
      2. Select the target database on this page
  3. Click Next
  4. Click Yes to start the write process
  5. When the write process is done click Exit


DevOps Engineering part 7. – Launching production instances in the cloud

In the previous parts of this tutorial we have launched instances (servers) in the cloud, but those were created by Test Kitchen, running on our workstation. Those instances are as good as they can be, but the cookbook did not reside on the Chef server.

To launch pre-production and production instances in the cloud, first we need to upload the cookbook to the Chef server. In Beginner’s Guide to DevOps Engineering part 4. Connect to the Chef server we have already connected our workstation to the Chef server.

Upload the cookbook to the Chef server

To make your cookbook available for all the servers of the organization we will upload the cookbook to the Chef server.

  • In the folder of the cookbook open a Bash window
  • Execute the command to upload the cookbook to the Chef server
    knife cookbook upload COOKBOOK_NAME --freeze

    Don’t forget to add the –freeze option to the end to protect the version of the cookbook from accidental changes.

Launch the server in the Cloud

There are many ways to launch servers in a scripted way, we are going to review a few options. One is to use RightScale, a Cloud Management Platform, that can manage servers in multiple cloud environments.


Create a new Deployment

  • Using your web browser log into the RightScale Cloud Management user interface,
  • In the Manage menu select Deployment and click the New button,
  • Enter the name of the new deployment,
  • To add the new deployment to your bookmarks,
    • On the left side in the Bookmarks section click the Add link,
    • If necessary shorten the name of the bookmark and click OK,
    • To reorder the bookmarks
      • Click the Edit link and drag the bookmark to the desired position,
      • Click the Done link to save your changes.

Create the CAT file

CAT files are Ruby like scripts that describe the configuration of the instance. It contain the name of the deployment the server should be placed it, the cloud attributes to assign security groups, regions, availability zones, set the drive size, specify security keys. The easiest way to configure a server is to copy an existing RightScale Self Service CAT file and update it with the new values.

If this is the first CAT file in your organization, get help from RightScale support and get a sample file from them.

If your organization already has a library of CAT files

  • Make a copy of an existing CAT file
  • Update the values to customize it for your server
    • Application name
    • Chef runlist
    • Security group
    • Deployment name
    • Load balancer name
    • Instance type


Upload the CAT file to RightScale

  • Open the RightScale Self Service user interface,
  • Select Designer on the left,
  • Click the Upload CAT button and select the CAT file,
  • Click the Upload button in the lower right corner,
  • In the green popup in the upper right corner click the Publish to catalog link,
  • In the lower right corner click the Yes, Publish button.

Launch the server in RightScale Self Service

  • In the RightScale Self Service interface select Catalog on the left side,
  • Select the catalog item you want to launch,
  • Enter a name for the instance to be able to identify it later and select the instance in the dropdown list,
  • Click the Launch CloudApp button.

To monitor the server launch

  • In your web browser open the RightScale user interface,
  • In the design menu select Deployments,
  • Select the deployment of the instance,
  • Click the instance to see in formation on it.


to the Tutorials page


DevOps Engineering part 6. – Infrastructure as code


If you use Terraform in the corporate environment your company most likely has multiple AWS accounts. One for pre-production, one for production.

To be able to work in multiple AWS accounts, add those keys to the credentials file at C:\Users\YOUR_USERNAME\.aws

aws_access_key_id = MY_ACCESS_KEY_FOR_AWS01
aws_secret_access_key = MY_SECRET_KEY_FOR_AWS01

aws_access_key_id = MY_ACCESS_KEY_FOR_AWS02
aws_secret_access_key = MY_SECRET_KEY_FOR_AWS02

aws_access_key_id = MY_ACCESS_KEY_FOR_AWS01
aws_secret_access_key = MY_SECRET_KEY_FOR_AWS01

We will use Terraform to create security groups and load balancers in AWS.

  • Create a folder on your workstation for the Git repositories C:\Git
  • In the Git folder create a folder for the Terraform Configurations Terraform Configs
  • In the Terraform Configs folder create a sub-folder for the

When you are reusing existing Terraform configurations

  • Make a copy of the existing Terraform Config folder
  • Rename the folder
  • Rename the .tf files to match the name of the folder name
  • Delete the .tfstate and .tfstate.backup files
  • Update the .tf files with the new values
  • Open a Bash window in the new folder
  • Get the Terraform modules with
    terraform get -update
  • Test the script with
    terraform plan
  • Execute the script with
    terraform apply

More info on Terraform at


Launching production instances in the cloud in Beginner’s Guide to DevOps Engineering part 7.


to the Tutorials page

DevOps Engineering part 5. – Create an enterprise cookbook

In this exercise we will create a Chef cookbook for a corporation. It will be robust and include all the necessary elements to be used in a large enterprise. If your company already has established standards, as you progress with this tutorial, copy the appropriate file from an existing cookbook. If this is the first cookbook in your organization, or you don’t want to follow the current standards, copy the sample files from this page.

Create the cookbook

  • Navigate to the C:\Chef\…\cookbooks folder and open a Bash window
  • Create an empty cookbook
    chef generate cookbook COOKBOOK_NAME

    Chef creates a new sub-folder with the name of the cookbook.

  • Rename the new folder to cookbook-COOKBOOK_NAME to distinguish it in version control from other repository types.

Update the .gitignore file

The last line is the most important! We want to exclude sensitive information from source control.


# Bundler


# Ignore the unencrypted Data Bags

Update the metadata.rb file

Add your name, email address, and the version of the cookbook to the top of the metadata.rb file

maintainer 'YOUR_NAME'
maintainer_email 'YOUR_EMAIL_ADDRESS'
license 'All rights reserved'
description 'Installs/Configures THE_NAME_OF_THE_COOKBOOK'
long_description, ''))
version '1.0.0'

The expression in the long_description line refers to the file that GitHub can create when you set up a new repository. Place the cookbook related information into that file, so others who want to use your cookbook can easily find it.

Update the .kitchen.yml file to be able to test your cookbook.

If you want to test your cookbook in the Cloud, copy the following sections from an existing .kitchen.yml file of your organization. To learn Chef and launch instances with Vagrant on your workstation, the automatically created .kitchen.yml file is perfect.

  • driver
  • provisioner
  • platforms
  • a suite as an example

If your organization use tags to track instances in the Cloud,  update the tags section to reflect the values of the cookbook.

The following is a sample .kitchen.yml file with Windows and Linux platforms

name: ec2
aws_ssh_key_id: YOUR_AWS_SSH_KEY_NAME
region: THE_AWS_REGION # us-east-1
availability_zone: THE_AWS_AVAILIBILITY_ZONE # e
subnet_id: THE_SUBNET_ID
require_chef_omnibus: true
Name: TK_test
Environment: DEV
created-by: test-kitchen
associate_public_ip: false #This can be false if test instance is accessible by VPN or LAN
retryable_tries: 120
retryable_sleep: 5
# interface: dns #uncomment if test instance should be registered with DNS

name: chef_zero

- name: windows-2012r2
image_id: "A_WINDOWS_AMI_ID"
instance_type: INSTANCE_TYPE # t2.large #Can be changed to any AWS instance size
security_group_ids: [ "SECURITY_GROUP_ID_1", "SECURITY_GROUP_ID_2" ]
name: winrm
elevated: true # Required for the installation of some Windows features
connection_timeout: 10
connection_retries: 5

- name: rhel7
image_id: "A_LINUX_AMI_ID"
instance_type: INSTANCE_TYPE # t2.medium #Can be changed to any AWS instance size
- device_name: /dev/sda1
volume_type: standard
volume_size: 100
delete_on_termination: true
security_group_ids: [ "SECURITY_GROUP_ID_1", "SECURITY_GROUP_ID_2" ]
ssh_key: C:\Users\YOUR_USERNAME\.aws\YOUR_KEY_FILE_NAME.pem
connection_timeout: 10
connection_retries: 5
sudo: true

- name: windows_server
data_bags_path: "data_bags"
encrypted_data_bag_secret_key_path: "../../data_bags/DATABAG_SECRET_FILE_NAME"
- rhel7

Encrypted Data Bags

If you want to use encrypted data bags, ask your Chef administrator to send you the key file to encrypt and decrypt data bags. In the sample .kitchen.yml file above the DATABAG_SECRET_FILE is the placeholder for the key file name. Create a folder for the key at


on the same level where the cookbook and environment folders are.


This is a chicken and egg paradox. We don’t want to commit secrets into version control, so we need to encrypt them. But how can we place the secret encryption key on the server to decrypt the secrets? We will use Packer to create our own server images that will contain the secret key, so when Chef starts to run on the server, the key is going to be there.

Default recipe

We will place code in the default.rb file that is common to all recipes in the cookbook. All custom recipes will call the default recipe as the first step.

Update the header comments of the default.rb recipe with your name and company information

# Cookbook Name:: COOKBOOK_NAME
# Recipe:: default
# Copyright (c) 2015-2016 COMPANY_NAME, All Rights Reserved.

Custom recipe

Make a copy of the default.rb file and name it to describe the purpose of the instance (server.rb)

  • Update the name of the recipe in the header
  • Add the following line under the header to call the default recipe, even if it is currently empty
    include_recipe 'COOKBOOK_NAME::default'

Add the cookbook to GitHub

Create the local repository

  • In the Bash window execute the following commands
git init
git add .
git commit -m "Initial commit"

Add the repository to GitHub

In your web browser log into your GitHub account and create a new repository

  • Click the New Repository button
  • Name the repository the same as the name of the folder of the cookbook (cookbook-…)
  • Execute the lines in the section …or push an existing repository….  If you work on a Windows workstation make sure HTTPS is selected
    git remote add origin
    git push -u origin master
  • In the Collaborators & teams section of Settings select the group who will have access to the new repository

Test the cookbook

In the Bash window launch the instance with Test Kitchen

List the available instances

kitchen list

Launch the instance


If there are multiple suites or platforms in the .kitchen.yml file you need to type the unique part of the name of the instance to identify it.

Start a Remote Desktop connection to a Windows instance


If you work on a Macintosh workstation and testing a Windows server, the best way to remote into the server is

  1. Install Microsoft Remote Desktop for free from the Apple App Store (See the Remote Desktop Client section in Install the DevOps development tools on Macintosh,
  2. Execute the kitchen login STRING_UNIQUE_TO_THE_INSTANCE command in the terminal window,
  3. The Microsoft Remote Desktop window will pop up with the User account name and the IP address. If you click “Connect”, the remote connection opens with the default settings, that are may not optimal for your display. The “login” command already created a new entry in the Microsoft Remote Desktop app with the IP address of the instance. To use custom settings, click Cancel,
  4. Open the Microsoft Remote Desktop app, right click the last entry that contains the IP address, select Edit, and copy the IP address to the clipboard,
  5. Create a new connection with custom display settings and paste the IP address there. You can keep this generic connection to access the Test Kitchen instances, just update the IP address.
  6. Delete the automatically created connection

SSH into a Linux instance



  • USER_NAME is the value of username: in the .kitchen.yml file.
  • IP_ADDRESS is the IP of the instance. Get it from the “Waiting for SSH service on…” line of the Test Kitchen bash or command window, or from the .yml file in the .kitchen/logs folder of the cookbook.
  • PATH_TO_THE_SSH_KEY_FILE is the value of ssh_key: in the .kitchen.yml file.

Terminate the instance


Upload the cookbook to the Chef server

See Connect to the Chef server in Beginner’s Guide to DevOps Engineering part 4.


Infrastructure as code in Beginner’s Guide to DevOps Engineering part 6.


to the Tutorials page

DevOps Engineering part 4. – Connect to the Chef server

Find a Chef Server

To work in a corporate environment, your organization needs access to a Chef server.

To learn Chef and test your cookbooks for free, you can create an account on the “hosted” Chef server, maintained by the Chef company. The plan allows five nodes at a time, so you can even launch a small server farm for yourself. Another option is to launch your own Chef server (on-premises) and manage up to 25 nodes on it for free. That could be enough for a small organization to get started with automation. Please see the Chef web portal for more information at

To use the “hosted” Chef server

To launch your own Chef server

Accessing the Chef Server

To access the Chef server you need a user account to log into the web interface and a key to access the server with command line tools, like knife.

Until you set up your workstation to access the Chef server, you will  get the following error message:

WARNING: No knife configuration file found
WARN: Failed to read the private key C:\chef\client.pem: #<Errno::ENOENT: No such file or directory @ rb_sysopen - C:\chef\client.pem>
ERROR: Your private key could not be loaded from C:\chef\client.pem
Check your configuration file and ensure that your private key is readable

To create a user account on the Chef server

  • Open the Chef server page in your web browser,
  • Click the Click here to get started! link to create a new account,
  • Enter your name, email address and username you want to use and click the Get Started button,
  • Open the email Chef Notifications sent you and click the long link to verify your email address,
  • On the Email Verification page enter the password you want to use on the Chef server and click the Create User button,

Ask your Chef server administrator to invite you to an organization on the Chef server

The administrator

  • Using a web browser log into the Chef server user interface,
  • In the upper right corner select the organization to invite the user to,
  • On the Administration tab select Users on the left side,
  • Under Users click Invite,
  • Enter the username of the new registered user and click the Invite button

Accept the invite

  • Using a web browser log into the Chef server user interface,
  • On the Welcome to Chef page click the Accept Invite button. If you are already logged into the Chef server user interface, the upper right corner will show you the number of invitations you have received. Click on the number to accept the invitation.
  • Select the check box next to the organization you want to be part of and click the Accept button.

Download your key to access the Chef server

  • Using a web browser log into the Chef server user interface,
  • In the upper right corner click your name and select My Profile,
  • In the lower right click the Reset Key link,
  • Click the Download button to download your private .pem key file.

Configure knife

The knife command is used to interact with the Chef server. Before you can connect to the Chef server we need to configure knife

  • Open a Bash window in the c:\Chef folder
  • Execute
    knife configure
  • Answer the questions. To get the company specific values ask someone who already has a knife.rb file set up at C:\Chef\.chef
    Where should I put the config file? C:/Chef/.chef/knife.rb
    Please enter the chef server URL: YOUR_CHEF_SERVER_URL (the URL should end with the name of the organization)
    Please enter an existing username or clientname for the API: YOUR_CHEF_USERNAME
    Please enter the validation clientname: VALIDATOR_KEY_NAME (Ask your Chef server administrator)
    Please enter the location of the validation key: VALIDATOR_FILE_NAME.pem (Get the file from your Chef server administrator)
    Please enter the path to a chef repository (or leave blank): #{current_dir}/..
  • Open the C:/Chef/.chef/knife.rb file and make the following changes
    • Insert to the top of the file
       # See for more information on knife configuration options
      current_dir = File.dirname(__FILE__)
    • In the validation_key line replace C:/Chef with
    • Append to the end of the file to be able to edit cookbook files and data bags from the command line
    • The file should look like this
      # See for more information on knife configuration options
      current_dir = File.dirname(__FILE__)
      log_level               :info
      log_location            STDOUT
      node_name               'YOUR_CHEF_USERNAME'
      client_key              'C:/Chef/.chef/YOUR_CHEF_USERNAME.pem'
      validation_client_name  'VALIDATOR_KEY_NAME'
      validation_key          'C:/Chef/.chef/VALIDATOR_FILE_NAME.pem'
      chef_server_url         'https://YOUR_CHEF_SERVER_URL/organizations/YOUR_ORGANIZATION'
      syntax_check_cache_path 'C:/Chef/.chef/syntax_check_cache'
      cookbook_path           [ '#{current_dir}/../cookbooks' ]

Save the key files on your workstation

  • Move the .pem Chef server private key file, you have downloaded during the Chef user registration, to the C:/Chef/.chef directory.
  • Get the VALIDATOR_FILE_NAME.pem file from your Chef server administrator and save it in the C:/Chef/.chef directory.

Test the Chef server connectivity

  • Open a Bash window in the folder of the cookbook at C:\Chef\cookbooks\test
  • Execute
knife cookbook list

to see the list of the available cookbooks on the Chef server.

Upload the cookbook to the Chef server

knife cookbook upload COOKBOOK_NAME --freeze

The –freeze option is the most important. It locks the cookbook on the Chef server so we are forced to increment the version before we upload a new version of the cookbook.


Create an enterprise cookbook in Beginner’s Guide to DevOps Engineering part 5.


to the Tutorials page

DevOps Engineering part 3. – Working with AWS

Install the AWS EC2 drivers

Open a Bash or CMD window in the Chef cookbook folder

  • Install the kitchen-ec2 driver
    More info on the ec2 driver at

    chef gem install kitchen-ec2
  • Add the gem folder to the path
    • On Macintosh
      • Add the path to the ~/.zshrc or ~/.bash_profile file
      • Open a new terminal window for the change to take effect
  • Install the  chef-zero-scheduled-task plugin
    chef gem install chef-zero-scheduled-task
  • Install the latest vagrant plugin
    chef gem install kitchen-vagrant

Personalize your workstation

Set up your account in the AWS console

If you are not an AWS account administrator, ask your AWS account administrator to do the following for you

  • Create an account in AWS
  • Add the account to the appropriate user group
  • Generate a password with a request to change it at the first login
  • Generate an AWS Access Key ID and Secret Key
    • Using your browser log into the AWS console
    • In the upper right corner click your user id
    • In the drop down list select Security Credentials
    • On the left select Users
    • In the user list select you account
    • Select the Security Credentials tab
    • Click the Create Access Key button

AWS Command Line Interface

Install AWS CLI

On Macintosh

  • Instructions are at
    The steps are:

    • Install pip, the Python Package Manager
      • Download the pip installation script
        curl -O
      • Check the version of Python on your computer
        python --version
      • Run the pip install script. Set the Python version according to the installed version on your workstation
        sudo python2.7
      • Install the AWS CLI using pip
        sudo pip install awscli --ignore-installed six

On Windows



If you do not configure the AWS CLI you will get the following error message: ‘NoneType’ object has no attribute ‘get_frozen_credentials’

  • Open a Bash window and execute the following command to save your AWS credentials and default region in the ( C:\Users\YOUR_USER_NAME\.aws in Windows ) folder.
    aws configure
    • Answer the questions
      AWS Access Key ID [None]: YOUR AWS KEY
      AWS Secret Access Key [None]: YOUR AWS SECRET KEY
      Default region name [None]: us-east-1
      Default output format [None]: HIT ENTER FOR NONE

Close and reopen all open Bash and Command windows to reload the changed Path environment variable.

The configure command created the .aws folder with two files.

On Macintosh

Your AWS configuration folder is located at ~/.aws

Set the permissions on the folder

  • Open a terminal window and execute
    chmod -R 700 ~/.aws
  • The result should be

If you copy key files to the folder you may get the following error message:

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ @         WARNING: UNPROTECTED PRIVATE KEY FILE!          @ @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ Permissions 0755 for ‘/Users/YOUR_USERNAME/.aws/KEY_FILE_NAME.pem’ are too open. It is required that your private key files are NOT accessible by others. This private key will be ignored. Load key “/Users/YOUR_USERNAME/.aws/KEY_FILE_NAME.pem”: bad permissions USERNAME@SERVER_IP’s password: Permission denied, please try again.

To satisfy the security requirements set the permission on the key files to 700

chmod -R 700 ~/.aws/KEY_FILE_NAME.pem

On Windows

Your AWS configuration folder is located at C:\Users\YOUR_USER_NAME\.aws

Your  credentials file will look like this

 aws_access_key_id = MY_ACCESS_KEY
 aws_secret_access_key = MY_SECRET_KEY

Test Kitchen will use the keys from the [default] section to connect to AWS when we launch instances.

When you work with multiple AWS accounts you can add all of your keys to the credentials file. To use a specific key, add the profile option to your command line instructions. If you don’t specify the profile in your AWS commands, the AWS Command Line Interface will use the key from the default section.

 aws_access_key_id = MY_ACCESS_KEY_FOR_AWS01
 aws_secret_access_key = MY_SECRET_KEY_FOR_AWS01

 aws_access_key_id = MY_ACCESS_KEY_FOR_AWS02
 aws_secret_access_key = MY_SECRET_KEY_FOR_AWS02

 aws_access_key_id = MY_ACCESS_KEY_FOR_AWS01
 aws_secret_access_key = MY_SECRET_KEY_FOR_AWS01

The config file will look like this. If you don’t specify the region in the AWS command, the AWS Command Line utility will use the region from this file.

region = us-east-1

Collect the following information to be able to launch an instance in AWS


  • Your IAM user name
  • AWS Access Key and Secret Key
  • Region (us-east-1)
  • Availability zone (b)
  • VPC subnet ID
  • Security group ID
  • AWS key pair file
  • AMI ID


Generate an AWS key pair

  • Log into the AWS console
  • Select EC2
  • Under Network & Security select Key Pairs
  • In the upper right corner select the region
  • Click the Create Key Pair button
    Create your key pair with the following naming scheme:
    For example: USERID_aws01_us_east_1
  • Download the .pem private key file and save it in the (C:\Users\YOUR_USER_NAME\.aws on Windows) directory you created above during the AWS CLI configuration.

For more info visit Amazon EC2 Key Pairs

Set up your .kitchen.yml file

When you have created your cookbook, Chef already added a .kitchen.yml file that tells Test Kitchen how to launch a server instance on your workstation.

The default .kitchen.yml file only contains driver and provisioner information for Vargrant. To launch a server instance in AWS we need to add AWS specific instructions to the file. First modify the .kitchen.yml file to be ready for other drivers:

  name: chef_zero

  name: inspec

  - name: ubuntu-16.04
      name: vagrant

  - name: centos-7.2
      name: vagrant

  - name: default
      - recipe[test::default]
        - test/recipes

Make sure the empty lines are really empty. The .kitchen.yml file cannot have white space in a seemingly empty line.



Connect to the Chef server in Beginner’s Guide to DevOps Engineering part 4.


to the Tutorials page