Ansible role for installing AWS tools, like awscli, cloudwatch logs agent, codedeploy agent, etc...

aittam/ansible-role-aws-tools

 
 

Ansible Role for AWS tools

Select tools to install

The vars file main.yaml contains the variables that select which components are installed. Override a variable with the value false to skip that component. By default all variables are true and all components are installed.

  • install_awscli: for the awscli
  • install_cloudwatch_agent: for cloudwatch agent
  • install_custom_metrics: for custom metrics in cloudwatch agent
  • install_codedeploy: for codedeploy agent
  • install_cfn_bootstrap: for cfn-bootstrap components
  • ec2_assign_elastic_ip: for aws-ec2-assign-elastic-ip tool
  • autoscaling: set this if the EC2 instance is in an autoscaling group. This needs the DescribeTags permission

How to use it manually

Add this repository to the roles folder of your playbook and use it as a normal role.

For example for an ubuntu instance:

---

- hosts: all
  remote_user: ubuntu
  become: yes
  become_method: sudo

  roles:
    - ansible-role-aws-tools

Cloudwatch logs

Define a logs variable in your task to include and format logs. For example:

  vars:
    - logs:
      - file: /var/log/tomcat8/spring.log
        format: "%Y-%m-%d %H:%M:%S.%f"
        group_name: spring
      - file: /var/log/auth.log
        group_name: auth.log
        format: "%H: %M: %S%y%b%-d"

Roles

To ensure that the metrics, logs, and codedeploy agents work correctly, assign the EC2 instance a role with the following permissions:

Role for custom metrics

CloudFormation YAML format:

- PolicyName: metrics
  PolicyDocument:
      Version: '2012-10-17'
      Statement:
      - Effect: Allow
        Action:
        - cloudwatch:PutMetricData
        - cloudwatch:GetMetricStatistics
        - cloudwatch:ListMetrics
        - ec2:DescribeTags
        Resource:
        - '*'

JSON Format:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "cloudwatch:PutMetricData",
        "cloudwatch:GetMetricStatistics",
        "cloudwatch:ListMetrics"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}

Role for logs

CloudFormation YAML format:

- PolicyName: logs
  PolicyDocument:
      Version: '2012-10-17'
      Statement:
      - Effect: Allow
        Action:
        - logs:CreateLogGroup
        - logs:CreateLogStream
        - logs:PutLogEvents
        - logs:DescribeLogStreams
        Resource:
        - arn:aws:logs:*:*:*

JSON format:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "logs:CreateLogGroup",
        "logs:CreateLogStream",
        "logs:PutLogEvents",
        "logs:DescribeLogStreams"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:logs:*:*:*"
    }
  ]
}

Role for codedeploy

- PolicyName: s3-codedeploy
  PolicyDocument:
      Version: '2012-10-17'
      Statement:
      - Effect: Allow
        Action:
        - s3:Get*
        - s3:List*
        Resource:
        - arn:aws:s3:::bucket-name-for-codedeploy-archive/*

JSON Format:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "s3:Get*",
        "s3:List*"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::bucket-name-for-codedeploy-archive/*"
    }
  ]
}

Role for aws-ec2-assign-elastic-ip

- PolicyName: associateEIP
  PolicyDocument:
    Version: '2012-10-17'
    Statement:
    - Effect: Allow
      Action:
      - ec2:AssociateAddress
      - ec2:Describe*
      Resource: "*"
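
Several of the policies above use wildcard actions or unscoped resources. The following Python check is an added example, not part of this role: it flags those grants so they can be reviewed before the instance role is created. The names `audit`, `audit_all`, `make_policy` and `as_list` are hypothetical, and the policy documents are transcribed from this README.

```python
def as_list(value):
    """IAM lets Statement, Action and Resource be a single item or a list."""
    return value if isinstance(value, list) else [value]

def audit(policy):
    """Return sorted (finding, detail) pairs for the Allow statements of a policy."""
    findings = set()
    for stmt in as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        actions = as_list(stmt.get("Action", []))
        resources = as_list(stmt.get("Resource", []))
        for action in actions:
            if "*" in action:
                findings.add(("wildcard-action", action))
        for res in resources:
            # ARN layout: arn:partition:service:region:account:resource
            if res.split(":", 5)[-1] == "*":
                findings.add(("unscoped-resource", res))
        # s3:ListBucket is authorized against the bucket ARN (arn:aws:s3:::bucket);
        # an object ARN (bucket/*) does not match it, so listing is not granted.
        lists_bucket = any(a.lower() in ("s3:*", "s3:list*", "s3:listbucket")
                           for a in actions)
        only_objects = bool(resources) and all(
            r.startswith("arn:aws:s3:::") and "/" in r for r in resources)
        if lists_bucket and only_objects:
            findings.add(("list-without-bucket-arn", resources[0]))
    return sorted(findings)

def make_policy(actions, resources):
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": actions, "Resource": resources}]}

# Policies transcribed from this README (CloudFormation YAML variants).
README_POLICIES = {
    "metrics": make_policy(["cloudwatch:PutMetricData", "cloudwatch:GetMetricStatistics",
                            "cloudwatch:ListMetrics", "ec2:DescribeTags"], ["*"]),
    "logs": make_policy(["logs:CreateLogGroup", "logs:CreateLogStream",
                         "logs:PutLogEvents", "logs:DescribeLogStreams"],
                        ["arn:aws:logs:*:*:*"]),
    "s3-codedeploy": make_policy(["s3:Get*", "s3:List*"],
                                 ["arn:aws:s3:::bucket-name-for-codedeploy-archive/*"]),
    "associateEIP": make_policy(["ec2:AssociateAddress", "ec2:Describe*"], "*"),
}

def audit_all(policies=README_POLICIES):
    return {name: audit(doc) for name, doc in policies.items()}

if __name__ == "__main__":
    for name, found in audit_all().items():
        for kind, detail in found:
            print(f"{name}: {kind}: {detail}")
```

A finding is a prompt for review, not an error: `cloudwatch:PutMetricData` does not support resource-level permissions, so `*` is expected in the metrics policy, while the logs resource can usually be narrowed to the log groups named in the `logs` variable.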
