Install CW agent on web instance.

7Factor · Mar 1, 2024 · 8553846 · 8553846
1 parent 7a7cd1d
commit 8553846
Show file tree

Hide file tree

Showing 5 changed files with 92 additions and 16 deletions.
diff --git a/asg.tf b/asg.tf
@@ -1,20 +1,21 @@
 locals {
   web_interpolation_vars = {
-    "authorized_worker_keys"       = tls_private_key.worker_key.public_key_openssh
-    "session_signing_key"          = tls_private_key.session_signing_key.private_key_pem
-    "tsa_host_key"                 = tls_private_key.tsa_host_key.private_key_pem
-    "conc_version"                 = var.conc_version
-    "concdb_host"                  = var.concdb_host
-    "concdb_port"                  = var.concdb_port
-    "concdb_user"                  = var.concdb_user
-    "concdb_password"              = var.concdb_password
-    "concdb_database"              = var.concdb_database
-    "conc_fqdn"                    = var.conc_fqdn
-    "container_placement_strategy" = var.container_placement_strategy
-    "authentication_config"        = var.authentication_config
-    "cred_store_config"            = var.cred_store_config
-    "feature_flags"                = var.web_feature_flags
-    "concourse_base_resource_type_defaults"  = yamlencode(var.concourse_base_resource_type_defaults)
+    "authorized_worker_keys"                = tls_private_key.worker_key.public_key_openssh
+    "session_signing_key"                   = tls_private_key.session_signing_key.private_key_pem
+    "tsa_host_key"                          = tls_private_key.tsa_host_key.private_key_pem
+    "conc_version"                          = var.conc_version
+    "concdb_host"                           = var.concdb_host
+    "concdb_port"                           = var.concdb_port
+    "concdb_user"                           = var.concdb_user
+    "concdb_password"                       = var.concdb_password
+    "concdb_database"                       = var.concdb_database
+    "conc_fqdn"                             = var.conc_fqdn
+    "container_placement_strategy"          = var.container_placement_strategy
+    "authentication_config"                 = var.authentication_config
+    "cred_store_config"                     = var.cred_store_config
+    "feature_flags"                         = var.web_feature_flags
+    "concourse_base_resource_type_defaults" = yamlencode(var.concourse_base_resource_type_defaults)
+    "ssm_cloudwatch_config"                 = aws_ssm_parameter.cw_agent.name
   }
 
   worker_interpolation_vars = {

diff --git a/config/cw_agent_config.json b/config/cw_agent_config.json
@@ -0,0 +1,18 @@
+{
+  "agent": {
+    "metrics_collection_interval": 10
+  },
+  "metrics": {
+    "metrics_collected": {
+      "disk": {
+        "resources": ["/", "/tmp"],
+        "measurement": ["disk_used_percent"],
+        "ignore_file_system_types": ["sysfs", "devtmpfs"]
+      },
+      "mem": {
+        "measurement": ["mem_available_percent"]
+      }
+    },
+    "aggregation_dimensions": [["InstanceId", "InstanceType"], ["InstanceId"]]
+  }
+}
diff --git a/iam.tf b/iam.tf
@@ -37,4 +37,30 @@ data "aws_iam_policy" "aws_ssm_default" {
 resource "aws_iam_role_policy_attachment" "add_ssm_for_patching" {
   role       = aws_iam_role.concourse_role.name
   policy_arn = data.aws_iam_policy.aws_ssm_default.arn
-}
+}
+
+data "aws_iam_policy" "cloudwatch_agent_policy" {
+  name = "CloudWatchAgentServerPolicy"
+}
+
+resource "aws_iam_role_policy_attachment" "cloudwatch_policies" {
+  role       = aws_iam_role.concourse_role.name
+  policy_arn = data.aws_iam_policy.cloudwatch_agent_policy.arn
+}
+
+resource "aws_iam_role_policy" "ssm_get_parameters" {
+  name = "ConcourseCI-SSM-GetParameters"
+  role = aws_iam_role.concourse_role.id
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Action = [
+          "ssm:GetParameter"
+        ]
+        Effect   = "Allow"
+        Resource = "*"
+      }
+    ]
+  })
+}
diff --git a/ssm.tf b/ssm.tf
@@ -137,3 +137,10 @@ resource "aws_ssm_maintenance_window_task" "patch_worker_boxes" {
   }
 
 }
+
+resource "aws_ssm_parameter" "cw_agent" {
+  description = "CloudWatch agent config"
+  name        = "/cloudwatch-agent/config"
+  type        = "String"
+  value       = file("${path.module}/config/cw_agent_config.json")
+}
diff --git a/templates/web_user_data.sh b/templates/web_user_data.sh
@@ -1,4 +1,26 @@
 #!/bin/bash
+set -e
+
+# Output all logs
+exec > >(tee /var/log/user-data.log|logger -t user-data-extra -s 2>/dev/console) 2>&1
+
+# Make sure we have the latest packages
+sudo yum update -y
+sudo yum upgrade -y
+
+echo 'Configuring CloudWatch agent'
+
+# Install CloudWatch agent
+sudo yum install -y amazon-cloudwatch-agent
+
+# Use CloudWatch config from SSM
+/opt/aws/amazon-cloudwatch-agent/bin/amazon-cloudwatch-agent-ctl \
+  -a fetch-config \
+  -m ec2 \
+  -c ssm:${ssm_cloudwatch_config} -s
+
+echo 'Configuring Concourse'
+
 sudo mkdir -p /etc/concourse/ /etc/concourse/keys/web
 sudo curl -o /etc/concourse.tgz -L https://github.com/concourse/concourse/releases/download/v${conc_version}/concourse-${conc_version}-linux-amd64.tgz
 sudo tar -xzf /etc/concourse.tgz --directory=/etc/
@@ -55,3 +77,5 @@ WantedBy=multi-user.target
 
 systemctl enable concourse-web
 systemctl start concourse-web
+
+echo 'Initialization complete'