Modify behavior of CloudWatchAgent agent installation

[ddneilson]

Many RFDK constructs use the CloudWatchAgent construct ( https://docs.aws.amazon.com/rfdk/api/latest/docs/aws-rfdk.CloudWatchAgent.html ) by default. This construct always ensures that the CloudWatchAgent is installed (either pre-installed, or by installing it itself), and will fail the UserData script if it cannot be installed.

I suggest a modification to the scripting to not always install the agent if it is not present.

Note: The instance initialization (ex: cloud-init) can be viewed in the EC2 console, or API, by querying the instance's syslog; on Linux, at least.

Use Case

The S3 method of installing the CloudWatchAgent requires that the host be able to reach the us-east-1 endpoints of S3, as that is where the bucket containing the agent is located. If deploying to any region other than us-east-1, this necessitates public internet access (tcp port 443) for any construct that uses the RFDK's CloudWatchAgent.

Using yum install on an Amazon Linux 2 instance only requires port 80 access to the regional S3 endpoints, which can be obtained, securely, through the use of a VPC Gateway Endpoint for S3 in the VPC.

For Windows, the current CloudWatchAgent construct also requires public internet access to fetch the gpg program. This makes it impossible to deploy an RFDK worker to an isolated subnet, as required by some security standards in the industry.

The current construct also make it impossible for a customer to use Linux distributions that do not support RPM.

Proposed Solution

I suggest a change of behavior to:

1. Only try to install the agent on Amazon Linux 2 ( this will preserve functionality for the Repository ), but only do the install via yum (check for whether we're running on AL2 before trying to install); do not install the agent using the S3
2. Do not fail the script if CloudWatchAgent is not present, or cannot be installed.
3. Document, clearly, in the CloudWatchAgent construct and all RFDK constructs that use it, that customers should pre-install the CloudWatchAgent on their AMI, or use AL2 with access to regional S3 on port 80, if they want to enable log streaming functionality on their host(s).

Other

• 👋 I may be able to implement this feature request
• ⚠️ This feature might incur a breaking change

---

This is a 🚀 Feature Request

[horsmand]

How come we can't use the regional S3 endpoints to download the CloudWatch agent installer? I could be confused, but it looks like they list them in their installation guide: https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/download-cloudwatch-agent-commandline.html

[horsmand]

Another idea we had discussed was making the CloudWatch agent optional with the default being to still attempt the installation, but emit a warning from the command line that it's turned on.

[ddneilson]

How come we can't use the regional S3 endpoints to download the CloudWatch agent installer? I could be confused, but it looks like they list them in their installation guide: https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/download-cloudwatch-agent-commandline.html

Interesting. Yes, ensuring we use the regional endpoint would be great.