initial cloudwatch exporter role files

roles/debian/yace_exporter/README.md

@@ -0,0 +1,59 @@
+# YACE
+
+## Description
+
+Deploy [YACE - yet another cloudwatch exporter](https://github.com/prometheus-community/yet-another-cloudwatch-exporter) using ansible.
+
+### Requirements
+
+Role expects to be provided with the following information:
+* `yace_exporter_configuration` - the actual YACE configuration
+* `yace_exporter_iam_configuration` - a JSON formatted IAM policy
+
+### Example
+Minimum YACE config that will fetch EC2 CPU usage, with a minimum IAM policy required for that.
+
+```yaml
+yace_exporter_configuration:
+  apiVersion: v1alpha1
+  discovery:
+    jobs:
+      - type: AWS/EC2
+        regions:
+          - eu-west-1
+        metrics:
+          - name: CPUUtilization
+            statistics:
+              - Average
+            period: 300
+            length: 300
+```
+
+```yaml
+  yace_exporter_iam_configuration: |
+  {
+      "Version": "2012-10-17",
+      "Statement": [
+          {
+              "Action": [
+                  "tag:GetResources",
+                  "cloudwatch:GetMetricData",
+                  "cloudwatch:GetMetricStatistics",
+                  "cloudwatch:ListMetrics",
+                  "ec2:DescribeSpotFleetRequests"
+              ],
+              "Effect": "Allow",
+              "Resource": "*"
+          }
+      ]
+  }
+  ```
+
+For more details on setting up the YACE exporter config, refer to:
+https://github.com/prometheus-community/yet-another-cloudwatch-exporter
+
+<!--TOC-->
+<!--ENDTOC-->
+
+<!--ROLEVARS-->
+<!--ENDROLEVARS-->

roles/debian/yace_exporter/defaults/main.yml

@@ -0,0 +1,85 @@
+---
+# Default variables for YACE Exporter role
+yace_exporter_version: "0.62.1"  # Adjust as needed
+# Construct the download URL using the version variable.
+yace_exporter_download_url: "https://github.com/prometheus-community/yet-another-cloudwatch-exporter/releases/download/v{{ yace_exporter_version }}/yet-another-cloudwatch-exporter-{{ yace_exporter_version }}.linux-amd64.tar.gz"
+
+# Directories and file locations
+yace_exporter_install_dir: "/usr/local/bin"
+yace_exporter_system_user: "yace-exporter"
+yace_exporter_system_group: "yace-exporter"
+# Service runtime options
+yace_exporter_listen_address: "0.0.0.0:9105"
+yace_exporter_service_name: "yace_exporter"
+
+# YACE configuration
+yace_exporter_configuration: {}
+# Example config
+# yace_exporter_configuration:
+#  apiVersion: v1alpha1
+#  discovery:
+#    jobs:
+#      - type: AWS/EC2
+#        roles:
+#          - roleArn: "arn:aws:iam::$ACCOUNT_ID:role/YaceExporterRole"
+#        regions:
+#          - eu-west-1
+#        metrics:
+#          - name: CPUUtilization
+#            statistics:
+#              - Average
+#            period: 300
+#            length: 300
+#      - type: AWS/RDS
+#        roles:
+#          - roleArn: "arn:aws:iam::$ACCOUNT_ID:role/YaceExporterRole"
+#        regions:
+#          - eu-west-1
+#        searchTags:
+#          - key: Ansible
+#            value: managed
+#        metrics:
+#          - name: CPUUtilization
+#            statistics:
+#              - Average
+#            period: 300
+#            length: 300
+#          - name: DatabaseConnections
+#            statistics:
+#              - Average
+#              - Sum
+#            period: 300
+#            length: 300
+#        dimensionNameRequirements:
+#          - DBInstanceIdentifier
+
+ # Server IAM policy to allow YACE service to pull metrics
+yace_exporter_iam_configuration: {}
+# Example iam config that grants full permissions
+# yace_exporter_iam_configuration: |
+#  {
+#    "Version": "2012-10-17",
+#    "Statement": [
+#      {
+#        "Action": [
+#          "tag:GetResources",
+#          "cloudwatch:GetMetricData",
+#          "cloudwatch:GetMetricStatistics",
+#          "cloudwatch:ListMetrics",
+#          "apigateway:GET",
+#          "aps:ListWorkspaces",
+#          "autoscaling:DescribeAutoScalingGroups",
+#          "dms:DescribeReplicationInstances",
+#          "dms:DescribeReplicationTasks",
+#          "ec2:DescribeTransitGatewayAttachments",
+#          "ec2:DescribeSpotFleetRequests",
+#          "shield:ListProtections",
+#          "storagegateway:ListGateways",
+#          "storagegateway:ListTagsForResource",
+#          "iam:ListAccountAliases"
+#        ],
+#        "Effect": "Allow",
+#        "Resource": "*"
+#      }
+#    ]
+#  }

roles/debian/yace_exporter/tasks/main.yml

@@ -0,0 +1,109 @@
+---
+- name: Get current EC2 instance variables.
+  amazon.aws.ec2_metadata_facts:
+
+- name: Create IAM Managed Policy.
+  amazon.aws.iam_managed_policy:
+    policy_name: YaceManagedPolicy
+    policy: "{{ yace_exporter_iam_configuration | from_json }}"
+    state: present
+  delegate_to: localhost
+  become: false
+  when: yace_exporter_iam_configuration | length > 0
+
+- name: Create a role and attach policy.
+  amazon.aws.iam_role:
+    name: YaceExporterRole
+    assume_role_policy_document: "{{ lookup('template', 'yace_exporter_policy.json.j2') }}"
+    managed_policies:
+      - "arn:aws:iam::{{  ansible_ec2_instance_identity_document_accountid }}:policy/YaceManagedPolicy"
+  delegate_to: localhost
+  become: false
+  when: yace_exporter_iam_configuration | length > 0
+
+- name: Gather system user and group facts.
+  ansible.builtin.getent:
+    database: "{{ item }}"
+  loop:
+    - passwd
+    - group
+
+- name: Make sure system group exists.
+  ansible.builtin.group:
+    name: "{{ yace_exporter_system_group }}"
+    state: present
+    system: true
+  when: yace_exporter_system_group not in ansible_facts.getent_group
+
+- name: Make sure system user exists.
+  ansible.builtin.user:
+    name: "{{ yace_exporter_system_user }}"
+    group: "{{ yace_exporter_system_group }}"
+    shell: /usr/sbin/nologin
+    system: true
+    create_home: false
+  when: yace_exporter_system_user not in ansible_facts.getent_passwd
+
+- name: Ensure configuration directory exists.
+  ansible.builtin.file:
+    path: "/etc/yace_exporter"
+    state: directory
+    owner: "{{ yace_exporter_system_user }}"
+    group: "{{ yace_exporter_system_group }}"
+    mode: '0755'
+
+- name: Download exporter archive.
+  ansible.builtin.get_url:
+    url: "{{ yace_exporter_download_url }}"
+    dest: "/tmp/yet-another-cloudwatch-exporter-{{ yace_exporter_version }}.tar.gz"
+    mode: '0644'
+  retries: 5
+  delay: 2
+
+- name: Unarchive exporter binary.
+  ansible.builtin.unarchive:
+    src: "/tmp/yet-another-cloudwatch-exporter-{{ yace_exporter_version }}.tar.gz"
+    dest: "/tmp/"
+    remote_src: true
+
+- name: Copy binary to install directory.
+  ansible.builtin.copy:
+    src: "/tmp/yet-another-cloudwatch-exporter-{{ yace_exporter_version }}.linux-amd64/yace"
+    dest: "{{ yace_exporter_install_dir }}"
+    owner: "{{ yace_exporter_system_user }}"
+    group: "{{ yace_exporter_system_group }}"
+    mode: '0755'
+    remote_src: true
+
+- name: Write or update configuration file.
+  ansible.builtin.copy:
+    dest: "/etc/yace_exporter/config.yml"
+    content: "{{ yace_exporter_configuration | to_nice_yaml(indent=2, sort_keys=False) }}"
+    owner: "{{ yace_exporter_system_user }}"
+    group: "{{ yace_exporter_system_group }}"
+    mode: '0644'
+  register: config
+
+- name: Create systemd service file.
+  ansible.builtin.template:
+    src: yace_exporter.service.j2
+    dest: "/etc/systemd/system/{{ yace_exporter_service_name }}.service"
+    mode: '0644'
+  register: config_service
+
+- name: Reload systemd daemon.
+  ansible.builtin.systemd:
+    daemon_reload: true
+  when: config_service.changed
+
+- name: Restart YACE service to apply config updates.
+  ansible.builtin.service:
+    name: "{{ yace_exporter_service_name }}"
+    state: restarted
+  when: config.changed
+
+- name: Ensure YACE exporter is enabled and started.
+  ansible.builtin.systemd:
+    name: "{{ yace_exporter_service_name }}"
+    enabled: true
+    state: started

roles/debian/yace_exporter/templates/yace_exporter.service.j2

@@ -0,0 +1,19 @@
+[Unit]
+Description=YACE Exporter Service
+After=network.target
+
+[Service]
+Type=simple
+User={{ yace_exporter_system_user }}
+Group={{ yace_exporter_system_group }}
+ExecStart={{ yace_exporter_install_dir }}/yace --config.file=/etc/yace_exporter/config.yml --listen-address={{ yace_exporter_listen_address }}
+Restart=on-failure
+
+
+SyslogIdentifier=pushgateway
+Restart=always
+RestartSec=1
+StartLimitInterval=0
+
+[Install]
+WantedBy=multi-user.target

roles/debian/yace_exporter/templates/yace_exporter_policy.json.j2

@@ -0,0 +1,12 @@
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Effect": "Allow",
+            "Principal": {
+                "AWS": "arn:aws:sts::{{ ansible_ec2_instance_identity_document_accountid }}:assumed-role/{{ ansible_ec2_iam_instance_profile_role }}/{{ ansible_ec2_instance_id }}"
+            },
+            "Action": "sts:AssumeRole"
+        }
+    ]
+}