cisagov · jsf9k · Sep 14, 2024 · Jul 10, 2024 · Sep 11, 2024 · Sep 13, 2024
@@ -166,7 +166,10 @@ repos:
           # necessary to add the ansible package itself as an
           # additional dependency, with the same pinning as is done in
           # requirements-test.txt of cisagov/skeleton-ansible-role.
-          # - ansible>=9,<10
+          #
+          # This role uses community.general.snap, which lives in
+          # ansible instead of ansible-core.
+          - ansible>=9,<10
           # ansible-core 2.16.3 through 2.16.6 suffer from the bug
           # discussed in ansible/ansible#82702, which breaks any
           # symlinked files in vars, tasks, etc. for any Ansible role

@@ -4,7 +4,10 @@
 [![CodeQL](https://github.com/cisagov/ansible-role-amazon-ssm-agent/workflows/CodeQL/badge.svg)](https://github.com/cisagov/ansible-role-amazon-ssm-agent/actions/workflows/codeql-analysis.yml)
 
 This is an Ansible role for installing
-[amazon-ssm-agent](https://github.com/aws/amazon-ssm-agent).
+[amazon-ssm-agent](https://github.com/aws/amazon-ssm-agent).  Note
+that the agent is installed via a [Snap](https://snapcraft.io/about)
+on Ubuntu, in accordance with [the AWS
+documentation](https://docs.aws.amazon.com/systems-manager/latest/userguide/agent-install-ubuntu-64-snap.html).
 
 ## Requirements ##
 

@@ -12,13 +12,42 @@
 ).get_hosts("all")
 
 
-@pytest.mark.parametrize("pkg", ["amazon-ssm-agent"])
-def test_packages(host, pkg):
+def test_packages(host):
     """Test that the appropriate packages were installed."""
-    assert host.package(pkg).is_installed
+    distribution = host.system_info.distribution
+
+    packages = None
+    snaps = None
+    if distribution in ["amzn", "debian", "fedora", "kali"]:
+        packages = ["amazon-ssm-agent"]
+    elif distribution in ["ubuntu"]:
+        packages = ["snapd"]
+        snaps = ["amazon-ssm-agent"]
+    else:
+        assert False, f"Unknown distribution {distribution}"
+
+    assert all([host.package(pkg).is_installed for pkg in packages])
+
+    if distribution in ["ubuntu"]:
+        assert all([host.run(f"snap list {snap}").rc == 0 for snap in snaps])
 
 
 @pytest.mark.parametrize("service", ["amazon-ssm-agent"])
 def test_services(host, service):
     """Test that the expected services were enabled."""
-    assert host.service(service).is_enabled
+    distribution = host.system_info.distribution
+
+    services = None
+    snap_services = None
+    if distribution in ["amzn", "debian", "fedora", "kali"]:
+        services = ["amazon-ssm-agent"]
+    elif distribution in ["ubuntu"]:
+        services = ["snapd.service", "snap.amazon-ssm-agent.amazon-ssm-agent.service"]
+        snap_services = ["amazon-ssm-agent"]
+    else:
+        assert False, f"Unknown distribution {distribution}"
+
+    assert all([host.service(svc).is_enabled for svc in services])
+
+    if distribution in ["ubuntu"]:
+        assert all([host.run(f"snap services {svc}").rc == 0 for svc in snap_services])
@@ -0,0 +1,36 @@
+---
+# According to the documentation from AWS, the SSM Agent should be
+# installed via snap on all Ubuntu versions that we support:
+# https://docs.aws.amazon.com/systems-manager/latest/userguide/agent-install-ubuntu-64-snap.html
+
+- name: Install and configure community.general.snap prerequisites
+  block:
+    - name: Install the snapd package
+      ansible.builtin.package:
+        name:
+          - snapd
+    - name: Start the snapd service so it can initialize itself
+      ansible.builtin.systemd_service:
+        name: snapd.service
+        state: started
+    - name: Start and enable the snapd socket
+      ansible.builtin.systemd_service:
+        enabled: true
+        name: snapd.socket
+        state: started
+
+# When testing in Molecule using Docker, this command usually fails
+# the first time we run it; therefore we add some Ansible foo to rerun
+# the task until it succeeds.
+- name: Install amazon-ssm-agent via snap
+  community.general.snap:
+    # The version of amazon-ssm-agent currently available in the
+    # stable channel requires this.
+    classic: true
+    name:
+      - amazon-ssm-agent
+  delay: 5
+  ignore_errors: true
+  register: snap_install
+  retries: 5
+  until: not snap_install.failed
@@ -24,4 +24,4 @@
 - name: Enable Amazon SSM Agent service
   ansible.builtin.service:
     enabled: true
-    name: amazon-ssm-agent
+    name: "{{ service_name }}"
@@ -9,3 +9,6 @@ architectures:
 
 # The URL to the deb package to install for amazon-ssm-agent
 package_url: https://s3.amazonaws.com/ec2-downloads-windows/SSMAgent/latest/debian_{{ architectures[ansible_architecture] }}/amazon-ssm-agent.deb
+
+# The name of the systemd service for amazon-ssm-agent.
+service_name: amazon-ssm-agent
@@ -9,3 +9,6 @@ architectures:
 
 # The URL to the rpm package to install for amazon-ssm-agent
 package_url: https://s3.amazonaws.com/ec2-downloads-windows/SSMAgent/latest/linux_{{ architectures[ansible_architecture] }}/amazon-ssm-agent.rpm
+
+# The name of the systemd service for amazon-ssm-agent.
+service_name: amazon-ssm-agent
@@ -0,0 +1,3 @@
+---
+# The name of the systemd service for amazon-ssm-agent.
+service_name: snap.amazon-ssm-agent.amazon-ssm-agent.service