Conversation

@akuzminsky

Summary

  • Refactor CloudWatch agent configuration to eliminate code duplication between Jumphost and OpenVPN
  • Create shared base class profile::cloudwatch_agent with common logs, metrics, and resources
  • Standardize dimensions and metrics across all services

Changes

New shared base class (profile::cloudwatch_agent)

  • Common logs: audit.log, auth.log, syslog, kern.log, dpkg.log, cloudwatch agent
  • Common metrics: CPU, memory, disk, swap, netstat, processes, diskio
  • Common procstat: auditd
  • Shared resources: package, user, service, ACL scripts, systemd drop-in
  • Parameterized with extra_logs and extra_procstat for service-specific additions

Service classes simplified

  • Jumphost: passes extra_logs=[fail2ban]
  • OpenVPN: passes extra_logs=[openvpn], extra_procstat=[openvpn]

Metrics cleanup

  • Standardized dimensions to lowercase: host (built-in), environment (Puppet built-in)
  • Removed redundant DiskSpaceUsed from custom metrics (covered by DISK_USED_PERCENT)

OpenVPN improvements

  • Added ACL scripts for OpenVPN log access
  • Added logrotate config with copytruncate (OpenVPN doesn't reopen logs on SIGHUP)
  • Added auditd profile

Test plan

  • Deploy to development Jumphost, verify CloudWatch agent logs and metrics
  • Deploy to development OpenVPN, verify CloudWatch agent logs and metrics
  • Verify log streams appear in CloudWatch Logs
  • Verify metrics appear with correct dimensions (host, environment)
  • Test log rotation preserves CloudWatch agent access
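The shared-baseline-plus-extras pattern the pull request describes (a common set of logs, metrics and procstat entries, with `extra_logs` and `extra_procstat` supplied per service) can be shown in a small config generator. The block below is an added example and is not the repository's Puppet class or JSON template; the file paths, log group naming scheme, namespace and measurement lists are constructed assumptions, and the target format is the Amazon CloudWatch agent's JSON configuration (`logs.logs_collected.files.collect_list`, `metrics.metrics_collected`, per-plugin `append_dimensions`). It also covers the two caveats in the description: `DiskSpaceUsed` is left out because `disk.used_percent` already covers it, and the logrotate stanza uses `copytruncate` for a daemon that does not reopen its log on SIGHUP.

```python
"""Build a CloudWatch agent configuration from a shared baseline plus
per-service extras. Added example, not the project's own code; every
path, log group name and namespace below is a constructed placeholder."""
import json

# Constructed baseline: logs every host ships, keyed by a short name.
COMMON_LOGS = {
    "audit": "/var/log/audit/audit.log",
    "auth": "/var/log/auth.log",
    "syslog": "/var/log/syslog",
    "kern": "/var/log/kern.log",
    "dpkg": "/var/log/dpkg.log",
    "cloudwatch-agent": "/opt/aws/amazon-cloudwatch-agent/logs/amazon-cloudwatch-agent.log",
}

# Constructed catalogue of service-specific logs a class may opt into.
EXTRA_LOG_CATALOGUE = {
    "fail2ban": "/var/log/fail2ban.log",
    "openvpn": "/var/log/openvpn/openvpn.log",
}

COMMON_PROCSTAT = ["auditd"]

# Host metrics every service collects. There is deliberately no custom
# DiskSpaceUsed metric: the disk plugin's used_percent already covers it.
COMMON_METRICS = {
    "cpu": {"measurement": ["cpu_usage_idle", "cpu_usage_iowait"], "totalcpu": True},
    "mem": {"measurement": ["mem_used_percent"]},
    "disk": {"measurement": ["used_percent"], "resources": ["/"]},
    "swap": {"measurement": ["swap_used_percent"]},
    "netstat": {"measurement": ["tcp_established", "tcp_time_wait"]},
    "processes": {"measurement": ["running", "blocked", "zombies"]},
    "diskio": {"measurement": ["io_time"], "resources": ["*"]},
}


def build_agent_config(environment, extra_logs=(), extra_procstat=()):
    """Return the agent config dict for one service role.

    The 'host' dimension is added by the agent itself (hostname unless
    omit_hostname is set), so only 'environment' is appended per plugin;
    the agent's top-level append_dimensions accepts AWS-provided keys only.
    """
    unknown = sorted(set(extra_logs) - set(EXTRA_LOG_CATALOGUE))
    if unknown:
        raise ValueError(f"unknown extra logs: {unknown}")

    logs = dict(COMMON_LOGS)
    for name in extra_logs:
        logs[name] = EXTRA_LOG_CATALOGUE[name]  # extras extend, never replace

    collect_list = [
        {
            "file_path": path,
            "log_group_name": f"/{environment}/{name}",  # assumed scheme
            "log_stream_name": "{hostname}",
        }
        for name, path in logs.items()
    ]

    # Deduplicate while keeping the baseline first, then the extras.
    patterns = list(dict.fromkeys([*COMMON_PROCSTAT, *extra_procstat]))
    procstat = [
        {"pattern": p, "measurement": ["cpu_usage", "memory_rss", "pid_count"]}
        for p in patterns
    ]

    metrics_collected = {
        plugin: {**spec, "append_dimensions": {"environment": environment}}
        for plugin, spec in COMMON_METRICS.items()
    }
    metrics_collected["procstat"] = procstat

    return {
        "agent": {"metrics_collection_interval": 60, "run_as_user": "cwagent"},
        "logs": {"logs_collected": {"files": {"collect_list": collect_list}}},
        "metrics": {"namespace": "Custom/Hosts", "metrics_collected": metrics_collected},
    }


def collected_paths(config):
    """List the file paths a generated config tails (handy for checks)."""
    return [e["file_path"] for e in config["logs"]["logs_collected"]["files"]["collect_list"]]


def procstat_patterns(config):
    return [p["pattern"] for p in config["metrics"]["metrics_collected"]["procstat"]]


def logrotate_stanza(path, reopens_on_sighup):
    """Render a logrotate stanza; copytruncate keeps the agent's open file
    descriptor valid when the daemon does not reopen its log on SIGHUP."""
    rotate_mode = "create 0640 root adm" if reopens_on_sighup else "copytruncate"
    return f"{path} {{\n    daily\n    rotate 14\n    compress\n    missingok\n    {rotate_mode}\n}}\n"


if __name__ == "__main__":
    vpn = build_agent_config("development", extra_logs=["openvpn"], extra_procstat=["openvpn"])
    print(json.dumps(vpn, indent=2))
    print(logrotate_stanza(EXTRA_LOG_CATALOGUE["openvpn"], reopens_on_sighup=False))
```

Running the module prints the OpenVPN role's configuration followed by its `copytruncate` logrotate stanza; the Jumphost role is `build_agent_config("development", extra_logs=["fail2ban"])`, which yields the same baseline with one extra tailed file and no extra procstat entry.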

- Mark Phase 1 (logrotate ACL) and Phase 2 (btmp/wtmp removal) as DONE
- Restructure phases 3-9 to implement in development environment first
- Add gradual rollout: development -> sandbox -> production
- Update file paths to target environments/development/modules/profile/
- Add explicit testing and promotion phases between environments

Create profile::cloudwatch_agent base class with:
- Common logs: audit, auth, syslog, kern, dpkg, cloudwatch agent
- Common metrics: CPU, memory, disk, swap, netstat, processes
- Common procstat: auditd
- Shared resources: package, user, service, ACL scripts, systemd drop-in

Service classes now pass only their extras:
- Jumphost: extra_logs=[fail2ban]
- OpenVPN: extra_logs=[openvpn], extra_procstat=[openvpn]

Additional changes:
- Standardize dimensions to lowercase (host, environment)
- Use Puppet built-in $environment instead of passing parameter
- Remove DiskSpaceUsed from custom metrics (redundant with DISK_USED_PERCENT)
- Add OpenVPN log ACL scripts and logrotate config
- Add OpenVPN auditd profile
- Move ACL script templates to shared cloudwatch_agent/
- Delete duplicate CloudWatch agent JSON templates

This reduces ~400 lines of duplicated config to a single shared template.
@akuzminsky akuzminsky merged commit 75dc70b into main Dec 23, 2025
2 checks passed
@akuzminsky akuzminsky deleted the feat/common-pattern branch December 23, 2025 22:56
akuzminsky added a commit that referenced this pull request Jan 2, 2026
Move puppet-cloudwatch-agent-task.md to archive since it's been
completed and superseded by the CloudWatch logging standardization
effort (cloudwatch-logging-standardization.md).

The original task (adding CloudWatch to OpenVPN) was completed as
part of the larger refactoring work in PR #217 (development) and
PR #223 (sandbox).