Use the new cloudwatch_agent Ansible role

This includes adding an Ansible provisioner configuration for the BOD bastion. Each instance's Ansible provisioner will provide an appropriate argument such that instance logs will go to: /instance-logs/<Terraform workspace>/<cyhy|bod>/<instance name>
cisagov · Aug 14, 2023 · c62fb24 · c62fb24
1 parent a5f6dad
commit c62fb24
Show file tree

Hide file tree

Showing 9 changed files with 32 additions and 0 deletions.
diff --git a/terraform/bod_bastion_ec2.tf b/terraform/bod_bastion_ec2.tf
@@ -44,3 +44,20 @@ resource "aws_instance" "bod_bastion" {
     },
   )
 }
+
+# Provision the bastion EC2 instance via Ansible
+module "bod_bastion_ansible_provisioner" {
+  source = "github.com/cloudposse/terraform-null-ansible"
+
+  arguments = [
+    "--user=${var.remote_ssh_user}",
+    "--ssh-common-args='-o StrictHostKeyChecking=no'",
+  ]
+  envs = [
+    "cloudwatch_agent_log_group_base_name=${local.bod_cloudwatch_agent_log_group_base}",
+    "host=${aws_instance.bod_bastion.public_ip}",
+    "host_groups=bod_bastion",
+  ]
+  playbook = "../ansible/playbook.yml"
+  dry_run  = false
+}
diff --git a/terraform/bod_docker_ec2.tf b/terraform/bod_docker_ec2.tf
@@ -162,6 +162,7 @@ module "bod_docker_ansible_provisioner" {
     "--ssh-common-args='-o StrictHostKeyChecking=no -o ProxyCommand=\"ssh -W %h:%p -o StrictHostKeyChecking=no -q ${var.remote_ssh_user}@${aws_instance.bod_bastion.public_ip}\"'",
   ]
   envs = [
+    "cloudwatch_agent_log_group_base_name=${local.bod_cloudwatch_agent_log_group_base}",
     "host=${aws_instance.bod_docker.private_ip}",
     "bastion_host=${aws_instance.bod_bastion.public_ip}",
     "host_groups=docker,bod_docker",

diff --git a/terraform/cyhy_bastion_ec2.tf b/terraform/cyhy_bastion_ec2.tf
@@ -54,6 +54,7 @@ module "cyhy_bastion_ansible_provisioner" {
     "--ssh-common-args='-o StrictHostKeyChecking=no'",
   ]
   envs = [
+    "cloudwatch_agent_log_group_base_name=${local.cyhy_cloudwatch_agent_log_group_base}",
     "host=${aws_instance.cyhy_bastion.public_ip}",
     "host_groups=cyhy_bastion",
   ]

diff --git a/terraform/cyhy_dashboard_ec2.tf b/terraform/cyhy_dashboard_ec2.tf
@@ -81,6 +81,7 @@ module "cyhy_dashboard_ansible_provisioner" {
     "--ssh-common-args='-o StrictHostKeyChecking=no -o ProxyCommand=\"ssh -W %h:%p -o StrictHostKeyChecking=no -q ${var.remote_ssh_user}@${aws_instance.cyhy_bastion.public_ip}\"'",
   ]
   envs = [
+    "cloudwatch_agent_log_group_base_name=${local.cyhy_cloudwatch_agent_log_group_base}",
     "host=${aws_instance.cyhy_dashboard.private_ip}",
     "bastion_host=${aws_instance.cyhy_bastion.public_ip}",
     "host_groups=cyhy_dashboard",

diff --git a/terraform/cyhy_mongo_ec2.tf b/terraform/cyhy_mongo_ec2.tf
@@ -182,6 +182,7 @@ module "cyhy_mongo_ansible_provisioner" {
   ]
   envs = [
     "ANSIBLE_SSH_RETRIES=5",
+    "cloudwatch_agent_log_group_base_name=${local.cyhy_cloudwatch_agent_log_group_base}",
     "host=${aws_instance.cyhy_mongo[count.index].private_ip}",
     "bastion_host=${aws_instance.cyhy_bastion.public_ip}",
     "cyhy_archive_s3_bucket_name=${aws_s3_bucket.cyhy_archive.bucket}",

diff --git a/terraform/cyhy_nessus_ec2.tf b/terraform/cyhy_nessus_ec2.tf
@@ -158,6 +158,7 @@ module "cyhy_nessus_ansible_provisioner" {
     "--ssh-common-args='-o StrictHostKeyChecking=no -o ProxyCommand=\"ssh -W %h:%p -o StrictHostKeyChecking=no -q ${var.remote_ssh_user}@${aws_instance.cyhy_bastion.public_ip}\"'"
   ]
   envs = [
+    "cloudwatch_agent_log_group_base_name=${local.cyhy_cloudwatch_agent_log_group_base}",
     # If you terminate all the existing Nessus instances and then run apply,
     # the list aws_instance.cyhy_nessus[*].private_ip is empty at that time.
     # Then there is an error condition when Terraform evaluates what must be

diff --git a/terraform/cyhy_nmap_ec2.tf b/terraform/cyhy_nmap_ec2.tf
@@ -180,6 +180,7 @@ module "cyhy_nmap_ansible_provisioner" {
     "--ssh-common-args='-o StrictHostKeyChecking=no -o ProxyCommand=\"ssh -W %h:%p -o StrictHostKeyChecking=no -q ${var.remote_ssh_user}@${aws_instance.cyhy_bastion.public_ip}\"'"
   ]
   envs = [
+    "cloudwatch_agent_log_group_base_name=${local.cyhy_cloudwatch_agent_log_group_base}",
     # If you terminate all the existing nmap instances and then run apply, the
     # list aws_instance.cyhy_nmap[*].private_ip is empty at that time.  Then
     # there is an error condition when Terraform evaluates what must be done

diff --git a/terraform/cyhy_reporter_ec2.tf b/terraform/cyhy_reporter_ec2.tf
@@ -123,6 +123,7 @@ module "cyhy_reporter_ansible_provisioner" {
     "--ssh-common-args='-o StrictHostKeyChecking=no -o ProxyCommand=\"ssh -W %h:%p -o StrictHostKeyChecking=no -q ${var.remote_ssh_user}@${aws_instance.cyhy_bastion.public_ip}\"'",
   ]
   envs = [
+    "cloudwatch_agent_log_group_base_name=${local.cyhy_cloudwatch_agent_log_group_base}",
     "host=${aws_instance.cyhy_reporter.private_ip}",
     "bastion_host=${aws_instance.cyhy_bastion.public_ip}",
     "host_groups=docker,cyhy_reporter",

diff --git a/terraform/locals.tf b/terraform/locals.tf
@@ -116,6 +116,14 @@ locals {
   bod_public_subdomain  = "bod.ncats."
   mgmt_public_subdomain = "mgmt.ncats."
 
+  # This base will be used by all instances for their CloudWatch Agent
+  # configuration
+  cloudwatch_agent_log_group_base = "/instance-logs/${terraform.workspace}"
+  # CloudWatch Agent log group name base for cyhy instances
+  cyhy_cloudwatch_agent_log_group_base = "${local.cloudwatch_agent_log_group_base}/${local.cyhy_private_domain}"
+  # CloudWatch Agent log group name base for bod instances
+  bod_cloudwatch_agent_log_group_base = "${local.cloudwatch_agent_log_group_base}/${local.bod_private_domain}"
+
   # DNS zone calculations based on requested instances.  The numbers
   # represent the count of IP addresses in a subnet.
   #