@akuzminsky
Member
Summary

This PR consolidates CloudWatch agent configuration across services by introducing a shared base class, eliminating code duplication and providing a standardized approach for monitoring.

Changes

CloudWatch Agent Refactoring

  • New shared base class (profile::cloudwatch_agent): Provides common CloudWatch agent setup including package, user, service, and systemd configuration
  • Refactored jumphost CloudWatch config: Now uses shared base class with jumphost-specific log collection (fail2ban)
  • Refactored OpenVPN CloudWatch config: Now uses shared base class with OpenVPN-specific logs and process monitoring
  • Consolidated template: Moved CloudWatch agent config template to shared location with support for service-specific customization via parameters

Audit Log Improvements

  • Added auditd to OpenVPN server: Enables SOC2/ISO27001 compliance logging
  • Fixed audit log permissions: Use adm group instead of ACL-based approach for simpler, more reliable access
  • Removed auditd logrotate config: Auditd handles rotation natively and preserves group ownership

OpenVPN Enhancements

  • Added logrotate config for OpenVPN logs with proper signal handling
  • Added ACL scripts for OpenVPN log access by CloudWatch agent

CloudWatch Metrics

  • Fixed append_dimensions: Use AWS metadata variables (InstanceId, AutoScalingGroupName) for global dimensions
  • Added environment dimension to individual metric types for proper custom dimension support
  • Updated jumphost custom metrics: Changed dimension names to lowercase convention (host, environment)
  • Removed DiskSpaceUsed metric from custom metrics (already collected by CloudWatch agent)

Testing

Synced with development environment - no differences between environments/sandbox/modules/profile and environments/development/modules/profile/

Impact

This refactoring makes it significantly easier to add CloudWatch monitoring to new services by simply including the shared base class with service-specific parameters.

- Create shared profile::cloudwatch_agent base class for common setup
- Refactor jumphost and openvpn_server to use shared CloudWatch agent class
- Add auditd profile to OpenVPN server for compliance logging
- Fix audit log permissions to use adm group instead of ACLs
- Remove auditd logrotate config (auditd handles rotation natively)
- Fix CloudWatch metrics dimensions to use AWS metadata variables
- Consolidate CloudWatch agent template to shared location
- Add ACL-based log access for OpenVPN logs
- Update jumphost custom metrics dimension names

This refactoring eliminates duplicate CloudWatch agent configuration
across services and provides a standardized approach for adding
CloudWatch monitoring to new services.
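An added check for the two dimension rules this PR describes (not code from the repository): it lints a parsed CloudWatch agent config to confirm that the global `metrics.append_dimensions` block uses only AWS metadata variables and that every `metrics_collected` plugin carries a lowercase `environment` dimension. Both sample configs below are constructed for illustration.

```python
"""Lint a CloudWatch agent config for the dimension conventions this PR describes."""

# Placeholders the agent resolves in the global metrics.append_dimensions block.
AWS_METADATA_VARS = {
    "${aws:InstanceId}", "${aws:AutoScalingGroupName}",
    "${aws:ImageId}", "${aws:InstanceType}",
}
REQUIRED_CUSTOM_DIMENSION = "environment"


def lint_metrics_dimensions(config: dict) -> list[str]:
    """Return findings for a parsed agent config; an empty list means it follows the convention."""
    findings = []
    metrics = config.get("metrics", {})
    global_dims = metrics.get("append_dimensions", {})
    # Global dimensions must be metadata variables, never literal values.
    for name, value in global_dims.items():
        if value not in AWS_METADATA_VARS:
            findings.append(f"append_dimensions.{name}={value!r} is not an AWS metadata variable")
    if "InstanceId" not in global_dims:
        findings.append("append_dimensions lacks InstanceId")
    # Custom dimensions (environment) belong on each metric type, in lowercase.
    for plugin, spec in metrics.get("metrics_collected", {}).items():
        dims = spec.get("append_dimensions", {})
        if REQUIRED_CUSTOM_DIMENSION not in dims:
            findings.append(f"metrics_collected.{plugin} lacks the {REQUIRED_CUSTOM_DIMENSION!r} dimension")
        for key in dims:
            if key != key.lower():
                findings.append(f"metrics_collected.{plugin} dimension {key!r} is not lowercase")
    return findings


# Constructed sample: the pre-fix shape, with a literal global dimension and no per-plugin environment.
BEFORE = {"metrics": {
    "append_dimensions": {"environment": "sandbox"},
    "metrics_collected": {"mem": {"measurement": ["mem_used_percent"]}},
}}

# Constructed sample: the shape this PR moves to.
AFTER = {"metrics": {
    "append_dimensions": {"InstanceId": "${aws:InstanceId}",
                          "AutoScalingGroupName": "${aws:AutoScalingGroupName}"},
    "metrics_collected": {
        "mem": {"measurement": ["mem_used_percent"],
                "append_dimensions": {"environment": "sandbox"}},
        "disk": {"measurement": ["used_percent"], "resources": ["/"],
                 "append_dimensions": {"environment": "sandbox"}},
    },
}}

if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("after", AFTER)):
        print(label, lint_metrics_dimensions(cfg) or "ok")
```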
@akuzminsky akuzminsky merged commit 623eaf8 into main Dec 27, 2025
2 checks passed
@akuzminsky akuzminsky deleted the sandbox-jumphost branch December 27, 2025 15:57
akuzminsky added a commit that referenced this pull request Jan 2, 2026
Move puppet-cloudwatch-agent-task.md to archive since it's been
completed and superseded by the CloudWatch logging standardization
effort (cloudwatch-logging-standardization.md).

The original task (adding CloudWatch to OpenVPN) was completed as
part of the larger refactoring work in PR #217 (development) and
PR #223 (sandbox).