path: root/pkgs/by-name/am/amazon-ssm-agent/package.nix
{ lib
, writeShellScriptBin
, buildGoModule
, makeWrapper
, darwin
, fetchFromGitHub
, coreutils
, nettools
, util-linux
, stdenv
, dmidecode
, bashInteractive
, nix-update-script
, nixosTests
, testers
, amazon-ssm-agent
}:

let
  # `lsb_release` stand-in. The upstream test suite invokes `lsb_release`, so
  # a mock is provided. On a running system that has /etc/os-release the agent
  # is not expected to need it (it used not to read that file, but now does);
  # if it is called anyway, only the two options the agent cares about are
  # answered: `-i` prints NAME and `-r` prints VERSION, each falling back to
  # "unknown".
  #
  # Security note: the script sources /etc/os-release with `.`, so the file is
  # executed as shell code with the privileges of the caller. postPatch below
  # compiles this script's store path into the agent, so the caller is the
  # agent itself; /etc/os-release must therefore stay writable only by trusted
  # users. `|| true` lets the script continue when the file cannot be sourced.
  fake-lsb-release = writeShellScriptBin "lsb_release" ''
    . /etc/os-release || true

    case "$1" in
      -i) echo "''${NAME:-unknown}";;
      -r) echo "''${VERSION:-unknown}";;
    esac
  '';

  # Install-name table consumed by installPhase: each attribute name is the
  # binary the Go build leaves in $GOPATH/bin (the last path element of a
  # subPackages entry), and each value is the file name it gets in $out/bin.
  binaries = {
    core = "amazon-ssm-agent";
    agent = "ssm-agent-worker";
    cli-main = "ssm-cli";
    worker = "ssm-document-worker";
    logging = "ssm-session-logger";
    sessionworker = "ssm-session-worker";
  };
in
buildGoModule rec {
  pname = "amazon-ssm-agent";
  version = "3.3.859.0";

  # The source is fetched by tag. A git tag can be moved upstream, but the
  # fixed-output `hash` below pins the exact tree: a changed tag makes the
  # fetch fail instead of silently building different code.
  src = fetchFromGitHub {
    owner = "aws";
    repo = "amazon-ssm-agent";
    rev = "refs/tags/${version}";
    hash = "sha256-Qxzq91GXOrssBO9VaQTkLZjVqdpUYoYq3N/rakwewJs=";
  };

  # `null` tells buildGoModule to use the vendor/ directory shipped in `src`
  # rather than fetching Go modules, so the dependency set is covered by the
  # `src` hash above and has no separate hash of its own.
  vendorHash = null;

  # Local patches applied to the upstream tree before the build. They are
  # files next to this expression; their contents are not shown here.
  patches = [
    # Some upstream tests use networking and fail in the Nix sandbox, so this
    # patch disables them.
    ./0001-Disable-NIC-tests-that-fail-in-the-Nix-sandbox.patch

    # Upstream's version generator used constants from another package that
    # could not be resolved in this build, so the patch hardcodes them.
    ./0002-version-gen-don-t-use-unnecessary-constants.patch
  ];

  # makeWrapper provides `wrapProgram`, which postFixup uses. DarwinTools is
  # added on Darwin hosts only.
  nativeBuildInputs = [
    makeWrapper
  ] ++ lib.optionals stdenv.hostPlatform.isDarwin [
    darwin.DarwinTools
  ];

  # See the list https://github.com/aws/amazon-ssm-agent/blob/3.2.2143.0/makefile#L121-L147
  # NOTE(review): that link is pinned to tag 3.2.2143.0 while `version` is
  # 3.3.859.0 — re-check the list against the packaged release when bumping.
  # The updater is not built because it cannot work on NixOS
  subPackages = [
    "core"
    "agent"
    "agent/cli-main"
    "agent/framework/processor/executer/outofproc/sessionworker"
    "agent/framework/processor/executer/outofproc/worker"
    "agent/session/logging"
  ];

  # Go linker flags: -s omits the symbol table, -w omits DWARF debug info.
  ldflags = [ "-s" "-w" ];

  # Source edits made before the build:
  #  - Tools/src/checkstyle.sh is overwritten with a script that only runs
  #    `true`, so upstream's style check is a no-op in this build.
  #  - Hardcoded FHS paths and bare command names in the agent are replaced
  #    with absolute Nix store paths (uname, hostname, script, and on Linux
  #    dmidecode), so those helpers are fixed at build time and are not
  #    looked up through PATH at run time. `lsb_release` is pointed at the
  #    fake-lsb-release script defined above.
  #  - Exception: /sbin/shutdown becomes the bare name `shutdown`.
  #    NOTE(review): presumably the agent then resolves it through PATH at
  #    run time — confirm in rebooter_unix.go. If so, whatever launches the
  #    agent must give it a PATH made only of trusted directories, since a
  #    reboot helper is normally run with elevated privileges.
  #  - VERSION is written from `version`.
  # `--replace-fail` makes the build fail if a pattern no longer matches, so
  # an upstream change to one of these paths is caught at build time instead
  # of leaving an unpatched path in the binary.
  postPatch = ''
    printf "#!/bin/sh\ntrue" > ./Tools/src/checkstyle.sh

    substituteInPlace agent/platform/platform_unix.go \
      --replace-fail "/usr/bin/uname" "${coreutils}/bin/uname" \
      --replace-fail '"/bin", "hostname"' '"${nettools}/bin/hostname"' \
      --replace-fail '"lsb_release"' '"${fake-lsb-release}/bin/lsb_release"'

    substituteInPlace agent/session/shell/shell_unix.go \
      --replace-fail '"script"' '"${util-linux}/bin/script"'

    substituteInPlace agent/rebooter/rebooter_unix.go \
      --replace-fail "/sbin/shutdown" "shutdown"

    echo "${version}" > VERSION
  '' + lib.optionalString stdenv.hostPlatform.isLinux ''
    substituteInPlace agent/managedInstances/fingerprint/hardwareInfo_unix.go \
      --replace-fail /usr/sbin/dmidecode ${dmidecode}/bin/dmidecode
  '';

  # Runs upstream make targets before the Go build: `quick-integtest` first,
  # then `pre-release` and `pre-build`. What each target does is defined in
  # upstream's makefile, not in this file. A failing target fails the build.
  preBuild = ''
    # Note: if this step fails, please patch the code to fix it! Please only skip
    # tests if it is not feasible for the test to pass in a sandbox.
    make quick-integtest

    make pre-release
    make pre-build
  '';

  # Custom install step. The `binaries` attrset is rendered into a bash
  # associative array; each key is a file in $GOPATH/bin and each value the
  # name it is installed under in $out/bin. Binaries are installed with mode
  # 0555 and the two configuration templates with mode 0444, so nothing is
  # installed writable.
  # NOTE(review): `${!map[@]}` is expanded unquoted in the loop; that is only
  # safe while the keys in `binaries` contain no whitespace or glob characters.
  installPhase = ''
    runHook preInstall

    declare -A map=(${builtins.concatStringsSep " " (lib.mapAttrsToList (name: value: "[\"${name}\"]=\"${value}\"") binaries)})

    for key in ''${!map[@]}; do
      install -D -m 0555 -T "$GOPATH/bin/''${key}" "$out/bin/''${map[''${key}]}"
    done

    # These templates retain their `.template` extensions on installation. The
    # amazon-ssm-agent.json.template is required as default configuration when an
    # amazon-ssm-agent.json isn't present. Here, we retain the template to show
    # we're using the default configuration.

    # seelog.xml isn't actually required to run, but it does ship as a template
    # with debian packages, so it's here for reference. Future work in the nixos
    # module could use this template and substitute a different log level.

    install -D -m 0444 -t $out/etc/amazon/ssm amazon-ssm-agent.json.template
    install -D -m 0444 -T seelog_unix.xml $out/etc/amazon/ssm/seelog.xml.template

    runHook postInstall
  '';

  # Extra arguments for the Go test run.
  checkFlags = [
    # Skip time dependent/flaky test
    "-skip=TestSendStreamDataMessageWithStreamDataSequenceNumberMutexLocked"
  ];

  # Only $out/bin/amazon-ssm-agent is wrapped; the other installed binaries
  # are left as built. The wrapper prepends bashInteractive's bin directory to
  # PATH and keeps whatever PATH the caller supplied after it, so any command
  # the agent still looks up by name is resolved through that inherited PATH.
  postFixup = ''
    wrapProgram $out/bin/amazon-ssm-agent \
      --prefix PATH : "${lib.makeBinPath [ bashInteractive ]}"
  '';

  # Attributes exposed on the package but not part of the build itself.
  passthru = {
    tests = {
      # The NixOS test of the same name, taken from nixosTests.
      inherit (nixosTests) amazon-ssm-agent;
      # Runs `amazon-ssm-agent --version` on the built package and checks the
      # output against the package version.
      version = testers.testVersion {
        package = amazon-ssm-agent;
        command = "amazon-ssm-agent --version";
      };
    };
    # Hook for automated version bumps.
    updateScript = nix-update-script { };
  };

  # Relaxes the Darwin build sandbox to permit local networking during the
  # build. NOTE(review): presumably needed by tests that bind to localhost —
  # confirm, and drop it if the tests no longer need it.
  __darwinAllowLocalNetworking = true;

  # Package metadata. `lib` is referenced explicitly rather than being brought
  # into scope for the whole attribute set.
  meta = {
    description = "Agent to enable remote management of your Amazon EC2 instance configuration";
    homepage = "https://github.com/aws/amazon-ssm-agent";
    changelog = "https://github.com/aws/amazon-ssm-agent/releases/tag/${version}";
    license = lib.licenses.asl20;
    maintainers = with lib.maintainers; [
      copumpkin
      manveru
      anthonyroussel
      arianvp
    ];
    platforms = lib.platforms.unix;
  };
}