Netgate Discussion Forum
    AWS ssm agent for pfsense

      f30

      Since pfsense is a very handy AMI available on AWS, adding the AWS ssm agent so the node can be MANAGED using standard AWS ssm management conventions.

      The ssm agent has been ported to BSD:
      https://www.freshports.org/sysutils/amazon-ssm-agent
      https://freebsd.pkgs.org/12/freebsd-i386/amazon-ssm-agent-2.3.612.0_1.txz.html

      Perhaps it is a package that only appears in the AMI.

        bauerfyr

        It's not in the AMI either, unfortunately. I'd really like to use it.

        I managed to install it via pkg add https://pkg.freebsd.org/FreeBSD:11:amd64/quarterly/All/amazon-ssm-agent-2.3.1205.0.txz

        Last thing to figure out is how to enable the service to persist after a reboot. Any help would be appreciated! The command sudo service amazon-ssm-agent enabled didn't do anything, no output at all.

        I had to create the ssm-user and start the service manually with sudo service amazon-ssm-agent onestart. I can connect through SSM Session Manager and forward the web interface port to my local machine without opening any SSH ports on the instance or through the NACL.

          f30 @bauerfyr

          @bauerfyr

          To automate starting the service, create a wrapper file and place it in /usr/local/etc/rc.d, and you MUST have an extension of .sh, and it'll run. My file is "amazon-ssm-agent-wrapper.sh" and the contents are:

          #!/bin/sh
          # directory this wrapper lives in (same as the package rc script)
          DIR="$( cd "$( dirname "$0" )" && pwd )"
          # start the agent via the package rc script without needing rc.conf
          sh "$DIR/amazon-ssm-agent" onestart

          For the LOGGING of ssm agent to cloudwatch (if you are interested) you have to take the wayback machine b/c the ssm agent 2.3.x is so ancient.

          Go to /usr/local/etc/amazon/ssm, create a new file (start fresh) called seelog.xml (you'll see templates there), sample below. I wanted to split into two separate log files, but it doesn't look possible.

          <!--amazon-ssm-agent uses seelog logging -->
          <!--Seelog has github wiki pages, which contain detailed how-tos references: https://github.com/cihub/seelog/wiki -->
          <!--Seelog examples can be found here: https://github.com/cihub/seelog-examples -->
          <!--References to mods: -->
          <!--How to add cloudwatch: https://docs.aws.amazon.com/systems-manager/latest/userguide/monitoring-ssm-agent.html -->
          <!--For "deep" examples: https://github.com/cihub/seelog/wiki/Example-config -->
          <seelog type="adaptive" mininterval="2000000" maxinterval="100000000" critmsgcount="500" minlevel="info">
            <outputs formatid="fmtinfo">
              <console/>
              <!-- <file path="/var/log/amazon/ssm/amazon-ssm-agent.log"/> -->
              <rollingfile type="size" filename="/var/log/amazon/ssm/amazon-ssm-agent.log" maxsize="10000000" maxrolls="5"/>
              <filter levels="error,critical" formatid="fmterror">
                <rollingfile type="size" filename="/var/log/amazon/ssm/errors.log" maxsize="10000000" maxrolls="5"/>
                <!-- LINE BELOW DOESN'T WORK YET - it gets overwritten by next "cloudwatch_receiver stmt."-->
                <!-- <custom name="cloudwatch_receiver" data-log-group="ssm-agent-errors"/> -->
              </filter>
              <!-- ENTER THE CLOUDWATCH LOG GROUP NAME AFTER 'data-log-group' -->
              <custom name="cloudwatch_receiver" formatid="fmtinfo" data-log-group="ssm-agent-log"/>
            </outputs>
            <formats>
              <format id="fmterror" format="%Date %Time %LEVEL [%FuncShort @ %File.%Line] %Msg%n"/>
              <format id="fmtdebug" format="%Date %Time %LEVEL [%FuncShort @ %File.%Line] %Msg%n"/>
              <format id="fmtinfo" format="%Date %Time %LEVEL %Msg%n"/>
            </formats>
          </seelog>

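A more defensive take on the wrapper from the reply above, added here as an example; it is neither f30's file nor the package's own rc script. It assumes the package installs its FreeBSD rc script as /usr/local/etc/rc.d/amazon-ssm-agent (accepting onestatus/onestart/onestop) and that pfSense runs *.sh files in that directory with "start" at boot and "stop" at shutdown, so a second run does not spawn a duplicate agent and a failed start is reported instead of silently ignored.

```shell
#!/bin/sh
# Example wrapper for /usr/local/etc/rc.d/amazon-ssm-agent-wrapper.sh on pfSense.
# Assumption: the package rc script sits next to this file and understands
# onestatus / onestart / onestop (the FreeBSD rc.subr "one*" verbs).

RC_DIR="$( cd "$( dirname "$0" )" && pwd )"
AGENT_RC="${AGENT_RC:-$RC_DIR/amazon-ssm-agent}"

# Returns 0 when the rc script reports the agent as running.
agent_running() {
    sh "$1" onestatus >/dev/null 2>&1
}

# Idempotent start: 0 if running afterwards, 1 if the start failed,
# 2 if the package rc script is not installed where we expect it.
agent_start() {
    rc="$1"
    if [ ! -f "$rc" ]; then
        echo "missing rc script: $rc" >&2
        return 2
    fi
    if agent_running "$rc"; then
        echo "amazon-ssm-agent already running"
        return 0
    fi
    sh "$rc" onestart || return 1
    agent_running "$rc"   # confirm the agent actually came up
}

agent_stop() {
    rc="$1"
    [ -f "$rc" ] || return 2
    sh "$rc" onestop
}

# pfSense passes "start" at boot and "stop" at shutdown; default to start.
main() {
    case "${1:-start}" in
        start) agent_start "$AGENT_RC" ;;
        stop)  agent_stop "$AGENT_RC" ;;
        *)     echo "usage: $0 {start|stop}" >&2; return 64 ;;
    esac
}

# Only act when the package rc script is really installed next to us.
[ -f "$AGENT_RC" ] && main "$@"
```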
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.