amazon-cloudwatch-agent: let users specify configuration file paths (#358559)

Author: philiptaron

ci/OWNERS

@@ -134,14 +134,16 @@ nixos/modules/installer/tools/nix-fallback-paths.nix  @NixOS/nix-team @raitobeza
 /nixos/modules/installer/sd-card/
 
 # Amazon
-/nixos/modules/virtualisation/amazon-init.nix     @arianvp
-/nixos/modules/virtualisation/ec2-data.nix        @arianvp
-/nixos/modules/virtualisation/amazon-options.nix  @arianvp
-/nixos/modules/virtualisation/amazon-image.nix    @arianvp
-/nixos/maintainers/scripts/ec2/                   @arianvp
-/nixos/modules/services/misc/amazon-ssm-agent.nix @arianvp
-/nixos/tests/amazon-ssm-agent.nix                 @arianvp
-/nixos/modules/system/boot/grow-partition.nix     @arianvp
+/nixos/modules/virtualisation/amazon-init.nix                  @arianvp
+/nixos/modules/virtualisation/ec2-data.nix                     @arianvp
+/nixos/modules/virtualisation/amazon-options.nix               @arianvp
+/nixos/modules/virtualisation/amazon-image.nix                 @arianvp
+/nixos/maintainers/scripts/ec2/                                @arianvp
+/nixos/modules/services/misc/amazon-ssm-agent.nix              @arianvp
+/nixos/tests/amazon-ssm-agent.nix                              @arianvp
+/nixos/modules/system/boot/grow-partition.nix                  @arianvp
+/nixos/modules/services/monitoring/amazon-cloudwatch-agent.nix @philipmw
+/nixos/tests/amazon-cloudwatch-agent.nix                       @philipmw
 
 # nixos-rebuild-ng
 /pkgs/by-name/ni/nixos-rebuild-ng                 @thiagokokada

nixos/modules/services/monitoring/amazon-cloudwatch-agent.nix

@@ -10,8 +10,16 @@ let
   tomlFormat = pkgs.formats.toml { };
   jsonFormat = pkgs.formats.json { };
 
-  commonConfigurationFile = tomlFormat.generate "common-config.toml" cfg.commonConfiguration;
-  configurationFile = jsonFormat.generate "amazon-cloudwatch-agent.json" cfg.configuration;
+  commonConfigurationFile =
+    if (cfg.commonConfigurationFile == null) then
+      (tomlFormat.generate "common-config.toml" cfg.commonConfiguration)
+    else
+      cfg.commonConfigurationFile;
+  configurationFile =
+    if (cfg.configurationFile == null) then
+      (jsonFormat.generate "amazon-cloudwatch-agent.json" cfg.configuration)
+    else
+      cfg.configurationFile;
   # See https://docs.aws.amazon.com/prescriptive-guidance/latest/implementing-logging-monitoring-cloudwatch/create-store-cloudwatch-configurations.html#store-cloudwatch-configuration-s3.
   #
   # We don't use the multiple JSON configuration files feature,
@@ -24,13 +32,30 @@ in
   options.services.amazon-cloudwatch-agent = {
     enable = lib.mkEnableOption "Amazon CloudWatch Agent";
     package = lib.mkPackageOption pkgs "amazon-cloudwatch-agent" { };
-    commonConfiguration = lib.mkOption {
-      type = tomlFormat.type;
-      default = { };
+    commonConfigurationFile = lib.mkOption {
+      type = lib.types.nullOr lib.types.path;
+      default = null;
       description = ''
         Amazon CloudWatch Agent common configuration. See
         <https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/install-CloudWatch-Agent-commandline-fleet.html#CloudWatch-Agent-profile-instance-first>
         for supported values.
+
+        {option}`commonConfigurationFile` takes precedence over {option}`commonConfiguration`.
+
+        Note: Restricted evaluation blocks access to paths outside the Nix store.
+        This means detecting content changes for mutable paths (i.e. not input or content-addressed) can't be done.
+        As a result, `nixos-rebuild` won't reload/restart the systemd unit when mutable path contents change.
+        `systemctl restart amazon-cloudwatch-agent.service` must be used instead.
+      '';
+      example = "/etc/amazon-cloudwatch-agent/amazon-cloudwatch-agent.json";
+    };
+    commonConfiguration = lib.mkOption {
+      type = tomlFormat.type;
+      default = { };
+      description = ''
+        See {option}`commonConfigurationFile`.
+
+        {option}`commonConfigurationFile` takes precedence over {option}`commonConfiguration`.
       '';
       example = {
         credentials = {
@@ -44,13 +69,34 @@ in
         };
       };
     };
+    configurationFile = lib.mkOption {
+      type = lib.types.nullOr lib.types.path;
+      default = null;
+      description = ''
+        Amazon CloudWatch Agent configuration file. See
+        <https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch-Agent-Configuration-File-Details.html>
+        for supported values.
+
+        The following options aren't supported:
+        * `agent.run_as_user`
+          * Use {option}`user` instead.
+
+        {option}`configurationFile` takes precedence over {option}`configuration`.
+
+        Note: Restricted evaluation blocks access to paths outside the Nix store.
+        This means detecting content changes for mutable paths (i.e. not input or content-addressed) can't be done.
+        As a result, `nixos-rebuild` won't reload/restart the systemd unit when mutable path contents change.
+        `systemctl restart amazon-cloudwatch-agent.service` must be used instead.
+      '';
+      example = "/etc/amazon-cloudwatch-agent/amazon-cloudwatch-agent.json";
+    };
     configuration = lib.mkOption {
       type = jsonFormat.type;
       default = { };
       description = ''
-        Amazon CloudWatch Agent configuration. See
-        <https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch-Agent-Configuration-File-Details.html>
-        for supported values.
+        See {option}`configurationFile`.
+
+        {option}`configurationFile` takes precedence over {option}`configuration`.
       '';
       # Subset of "CloudWatch agent configuration file: Complete examples" and "CloudWatch agent configuration file: Traces section" in the description link.
       #
@@ -110,6 +156,15 @@ in
         };
       };
     };
+    # Replaces "agent.run_as_user" from the configuration file.
+    user = lib.mkOption {
+      type = lib.types.str;
+      default = "root";
+      description = ''
+        The user that runs the Amazon CloudWatch Agent.
+      '';
+      example = "amazon-cloudwatch-agent";
+    };
     mode = lib.mkOption {
       type = lib.types.str;
       default = "auto";
@@ -122,7 +177,7 @@ in
   };
 
   config = lib.mkIf cfg.enable {
-    # See https://github.com/aws/amazon-cloudwatch-agent/blob/v1.300048.1/packaging/dependencies/amazon-cloudwatch-agent.service.
+    # See https://github.com/aws/amazon-cloudwatch-agent/blob/v1.300049.1/packaging/dependencies/amazon-cloudwatch-agent.service.
     systemd.services.amazon-cloudwatch-agent = {
       description = "Amazon CloudWatch Agent";
       after = [ "network.target" ];
@@ -140,40 +195,28 @@ in
         # 3. Runs "amazon-cloudwatch-agent" with the paths to these generated files.
         #
         # Re-implementing with systemd options.
-        User = lib.attrByPath [
-          "agent"
-          "run_as_user"
-        ] "root" cfg.configuration;
+        User = cfg.user;
         RuntimeDirectory = "amazon-cloudwatch-agent";
         LogsDirectory = "amazon-cloudwatch-agent";
-        ExecStartPre = ''
-          ${cfg.package}/bin/config-translator \
-            -config ${commonConfigurationFile} \
-            -input ${configurationFile} \
-            -input-dir ${configurationDirectory} \
-            -mode ${cfg.mode} \
-            -output ''${RUNTIME_DIRECTORY}/amazon-cloudwatch-agent.toml
-        '';
-        ExecStart = ''
-          ${cfg.package}/bin/amazon-cloudwatch-agent \
-            -config ''${RUNTIME_DIRECTORY}/amazon-cloudwatch-agent.toml \
-            -envconfig ''${RUNTIME_DIRECTORY}/env-config.json \
-            -otelconfig ''${RUNTIME_DIRECTORY}/amazon-cloudwatch-agent.yaml \
-            -pidfile ''${RUNTIME_DIRECTORY}/amazon-cloudwatch-agent.pid
-        '';
+        ExecStartPre = builtins.concatStringsSep " " [
+          "${cfg.package}/bin/config-translator"
+          "-config ${commonConfigurationFile}"
+          "-input ${configurationFile}"
+          "-input-dir ${configurationDirectory}"
+          "-mode ${cfg.mode}"
+          "-output \${RUNTIME_DIRECTORY}/amazon-cloudwatch-agent.toml"
+        ];
+        ExecStart = builtins.concatStringsSep " " [
+          "${cfg.package}/bin/amazon-cloudwatch-agent"
+          "-config \${RUNTIME_DIRECTORY}/amazon-cloudwatch-agent.toml"
+          "-envconfig \${RUNTIME_DIRECTORY}/env-config.json"
+          "-otelconfig \${RUNTIME_DIRECTORY}/amazon-cloudwatch-agent.yaml"
+          "-pidfile \${RUNTIME_DIRECTORY}/amazon-cloudwatch-agent.pid"
+        ];
         KillMode = "process";
         Restart = "on-failure";
         RestartSec = 60;
       };
-      restartTriggers = [
-        cfg.package
-        commonConfigurationFile
-        configurationFile
-        configurationDirectory
-        cfg.mode
-      ];
     };
   };
-
-  meta.maintainers = pkgs.amazon-cloudwatch-agent.meta.maintainers;
 }

nixos/tests/amazon-cloudwatch-agent.nix

@@ -27,7 +27,6 @@ import ./make-test-python.nix (
   in
   {
     name = "amazon-cloudwatch-agent";
-    meta.maintainers = pkgs.amazon-cloudwatch-agent.meta.maintainers;
 
     nodes.machine =
       { config, pkgs, ... }:

pkgs/by-name/am/amazon-cloudwatch-agent/package.nix

@@ -16,13 +16,13 @@ buildGoModule rec {
   src = fetchFromGitHub {
     owner = "aws";
     repo = "amazon-cloudwatch-agent";
-    rev = "refs/tags/v${version}";
+    tag = "v${version}";
     hash = "sha256-gJrK+ai+EEKvBErjOyvu677WykUPuxYy9NrR+qV2yyo=";
   };
 
   vendorHash = "sha256-OQSl7nFvnDjJbs756QN5ZE/Dx/AZqxsijG0Ks7FYCB8=";
 
-  # See the list in https://github.com/aws/amazon-cloudwatch-agent/blob/v1.300048.1/Makefile#L68-L77.
+  # See the list in https://github.com/aws/amazon-cloudwatch-agent/blob/v1.300049.1/Makefile#L68-L77.
   subPackages = [
     "cmd/config-downloader"
     "cmd/config-translator"
@@ -32,7 +32,7 @@ buildGoModule rec {
     "cmd/amazon-cloudwatch-agent-config-wizard"
   ];
 
-  # See https://github.com/aws/amazon-cloudwatch-agent/blob/v1.300048.1/Makefile#L57-L64.
+  # See https://github.com/aws/amazon-cloudwatch-agent/blob/v1.300049.1/Makefile#L57-L64.
   #
   # Needed for "amazon-cloudwatch-agent -version" to not show "Unknown".
   postInstall = ''
@@ -43,6 +43,8 @@ buildGoModule rec {
 
   nativeInstallCheckInputs = [ versionCheckHook ];
 
+  versionCheckProgram = "${builtins.placeholder "out"}/bin/amazon-cloudwatch-agent";
+
   versionCheckProgramArg = "-version";
 
   passthru = {