Add a new Ansible role to the configuration

This Ansible role writes an AWS CloudWatch Agent configuration file when run. It offers more configurability of the log group name than is available with cisagov/ansible-role-cloudwatch-agent. It is necessary to define it here instead of enhancing the aforementioned role due to how AMIs are built and deployed in this configuration. We need to ensure that the configuration file can be modified for a given Terraform workspace regardless of whether custom AMIs are used or not.
cisagov · Aug 14, 2023 · a5f6dad · a5f6dad
1 parent 13b5bfa
commit a5f6dad
Show file tree

Hide file tree

Showing 10 changed files with 582 additions and 1 deletion.
diff --git a/ansible/playbook.yml b/ansible/playbook.yml
@@ -24,10 +24,11 @@
       when: bastion_host is not defined
 
 - hosts: all
-  name: Configure groups now that cloud-init has run
+  name: Create CloudWatch Agent configuration file and configure groups now that cloud-init has run
   become: yes
   become_method: sudo
   roles:
+    - cloudwatch_agent
     - groups
 
 - hosts: mongo

diff --git a/ansible/roles/cloudwatch_agent/README.md b/ansible/roles/cloudwatch_agent/README.md
@@ -0,0 +1,36 @@
+# cloudwatch_agent #
+
+An Ansible role for creating (or replacing) the AWS CloudWatch Agent
+configuration file.
+
+## Requirements ##
+
+None
+
+## Role Variables ##
+
+None
+
+## Dependencies ##
+
+None
+
+## Example Playbook ##
+
+Here's how to use it in a playbook:
+
+```yaml
+- hosts: all
+  become: yes
+  become_method: sudo
+  roles:
+     - cloudwatch_agent
+```
+
+## License ##
+
+BSD
+
+## Author Information ##
+
+Shane Frasier <jeremy.frasier@beta.dhs.gov>
diff --git a/ansible/roles/cloudwatch_agent/defaults/main.yml b/ansible/roles/cloudwatch_agent/defaults/main.yml
@@ -0,0 +1,2 @@
+---
+cloudwatch_agent_log_group_base_name: /instance-logs
diff --git a/ansible/roles/cloudwatch_agent/handlers/main.yml b/ansible/roles/cloudwatch_agent/handlers/main.yml
@@ -0,0 +1,2 @@
+---
+# handlers file for cloudwatch_agent
diff --git a/ansible/roles/cloudwatch_agent/meta/main.yml b/ansible/roles/cloudwatch_agent/meta/main.yml
@@ -0,0 +1,19 @@
+---
+galaxy_info:
+  author: VM Fusion Dev
+  company: CISA Cyber Assessments
+  description: Create or replace the AWS CloudWatch Agent configuration file
+  galaxy_tags: []
+  license: CC0
+  # Our standalone Ansible roles require this Ansible version
+  min_ansible_version: "2.10"
+  namespace: cyhy
+  platforms:
+    - name: Debian
+      versions:
+        - stretch
+        - buster
+        - bullseye
+  role_name: cloudwatch_agent
+
+dependencies: []
diff --git a/ansible/roles/cloudwatch_agent/tasks/main.yml b/ansible/roles/cloudwatch_agent/tasks/main.yml
@@ -0,0 +1,6 @@
+---
+- name: Create the CloudWatch Agent configuration
+  ansible.builtin.template:
+    dest: /opt/aws/amazon-cloudwatch-agent/etc/amazon-cloudwatch-agent.json
+    mode: 0600
+    src: amazon-cloudwatch-agent.json.j2