CloudWatch

Integrate CloudWatch Grafana Datasource

To set up the CloudWatch datasource in Grafana, you need to configure the necessary credentials and permissions. This involves creating an IAM role in AWS with appropriate permissions to access CloudWatch metrics and data.

To set up an IAM role that groundcover can assume across accounts to read CloudWatch data for Grafana, follow these steps:

  1. Create an IAM Role in the target account: In the target account, navigate to the IAM service and create a new IAM role.

  2. Define the trust relationship: When creating the IAM role, define the trust relationship policy document to include the groundcover account as the trusted entity, along with the external ID.

    Here's an example trust policy document:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "",
          "Effect": "Allow",
          "Action": "sts:AssumeRole",
          "Principal": {
            "AWS": "271490644974"
          },
          "Condition": {
            "StringEquals": {
              "sts:ExternalId": "YOUR_EXTERNAL_ID"
            }
          }
        }
      ]
    }

    Replace YOUR_EXTERNAL_ID with a unique, secret external ID. Because the trust policy names another AWS account as the principal, the sts:ExternalId condition is what prevents that account from being made to assume this role on someone else's behalf (the confused deputy problem), so treat the value as a secret and do not reuse it across roles.

  3. Attach an inline policy: While creating the IAM role, add an inline policy with the read-only permissions the datasource needs for CloudWatch metrics, CloudWatch Logs, and EC2 resources. Here's an example policy document:

    {
      "Version": "2012-10-17",
      "Id": "groundcover-cloudwatch-integration",
      "Statement": [
        {
          "Sid": "AllowReadingMetricsFromCloudWatch",
          "Effect": "Allow",
          "Action": [
            "cloudwatch:ListMetrics",
            "cloudwatch:GetMetricData",
            "cloudwatch:GetInsightRuleReport",
            "cloudwatch:DescribeAlarmsForMetric",
            "cloudwatch:DescribeAlarms",
            "cloudwatch:DescribeAlarmHistory"
          ],
          "Resource": "*"
        },
        {
          "Sid": "AllowReadingLogsFromCloudWatch",
          "Effect": "Allow",
          "Action": [
            "logs:StopQuery",
            "logs:StartQuery",
            "logs:GetQueryResults",
            "logs:GetLogGroupFields",
            "logs:GetLogEvents",
            "logs:DescribeLogGroups"
          ],
          "Resource": "*"
        },
        {
          "Sid": "AllowReadingTagsInstancesRegionsFromEC2",
          "Effect": "Allow",
          "Action": [
            "ec2:DescribeTags",
            "ec2:DescribeRegions",
            "ec2:DescribeInstances"
          ],
          "Resource": "*"
        },
        {
          "Sid": "AllowReadingResourcesForTags",
          "Effect": "Allow",
          "Action": "tag:GetResources",
          "Resource": "*"
        }
      ]
    }

  4. Share the IAM role ARN and external ID: Once the IAM role is created, share the IAM role ARN, along with the external ID, with the relevant groundcover contact. This ARN will be used during the configuration of the CloudWatch datasource in Grafana.
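Before sharing the role ARN (step 4), it is worth checking offline that the two documents from steps 2 and 3 say what you intend. The script below is an added example, not groundcover's code or tooling: it audits the trust policy and the permissions policy from this page (embedded here as constructed sample input, with the placeholder external ID still in place so the check has something to catch). The account ID comes from the trust policy above; the allow-list of read-only verbs, the 16-character minimum for the external ID, and the "YOUR_" placeholder prefix are this example's own assumptions, not AWS requirements.

```python
"""Offline sanity check for the two IAM documents on this page.

Added example, not groundcover's code. It audits the trust policy and the
permissions policy before the role ARN is shared: a cross-account
sts:AssumeRole grant without an sts:ExternalId condition, a placeholder
external ID, an unexpected trusted principal, or any non-read-only action.
"""
import re

# Account ID taken from the trust policy shown on this page.
EXPECTED_PRINCIPAL = "271490644974"

# Constructed sample input: the page's trust policy, placeholder still in place.
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "", "Effect": "Allow", "Action": "sts:AssumeRole",
        "Principal": {"AWS": "271490644974"},
        "Condition": {"StringEquals": {"sts:ExternalId": "YOUR_EXTERNAL_ID"}},
    }],
}

# Constructed sample input: the page's inline permissions policy.
PERMISSIONS_POLICY = {
    "Version": "2012-10-17",
    "Id": "groundcover-cloudwatch-integration",
    "Statement": [
        {"Sid": "AllowReadingMetricsFromCloudWatch", "Effect": "Allow", "Resource": "*",
         "Action": ["cloudwatch:ListMetrics", "cloudwatch:GetMetricData",
                    "cloudwatch:GetInsightRuleReport", "cloudwatch:DescribeAlarmsForMetric",
                    "cloudwatch:DescribeAlarms", "cloudwatch:DescribeAlarmHistory"]},
        {"Sid": "AllowReadingLogsFromCloudWatch", "Effect": "Allow", "Resource": "*",
         "Action": ["logs:StopQuery", "logs:StartQuery", "logs:GetQueryResults",
                    "logs:GetLogGroupFields", "logs:GetLogEvents", "logs:DescribeLogGroups"]},
        {"Sid": "AllowReadingTagsInstancesRegionsFromEC2", "Effect": "Allow", "Resource": "*",
         "Action": ["ec2:DescribeTags", "ec2:DescribeRegions", "ec2:DescribeInstances"]},
        {"Sid": "AllowReadingResourcesForTags", "Effect": "Allow", "Resource": "*",
         "Action": "tag:GetResources"},
    ],
}

# Read-only verbs: the Describe/Get/List prefixes plus the two Logs Insights query
# verbs the page grants. This allow-list is this example's own assumption.
READ_ONLY_VERB = re.compile(r"^(?:Describe|Get|List|StartQuery|StopQuery)\w*$")
# Bare 12-digit account ID, or an IAM ARN such as arn:aws:iam::123456789012:root.
ACCOUNT_RE = re.compile(r"^(?:arn:aws:iam::)?(\d{12})(?::.*)?$")
MIN_EXTERNAL_ID_LEN = 16  # this example's own floor, not an AWS requirement


def _as_list(value):
    """IAM accepts a lone string wherever it accepts a list; normalise to a list."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def audit_trust_policy(doc, expected_principal):
    """Return findings for the trust policy; an empty list means it passes."""
    findings = []
    for stmt in doc.get("Statement", []):
        actions = [a.lower() for a in _as_list(stmt.get("Action"))]
        if stmt.get("Effect") != "Allow" or not any(
                a in ("sts:assumerole", "sts:*", "*") for a in actions):
            continue
        principal = stmt.get("Principal", {})
        aws_principals = principal.get("AWS") if isinstance(principal, dict) else principal
        for p in _as_list(aws_principals):
            m = ACCOUNT_RE.match(p)
            if not m or m.group(1) != expected_principal:
                findings.append(f"unexpected principal {p!r}")
        ext_ids = _as_list(stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId"))
        if not ext_ids:
            findings.append("AssumeRole allowed without an sts:ExternalId condition")
        for ext in ext_ids:
            if ext.startswith("YOUR_") or len(ext) < MIN_EXTERNAL_ID_LEN:
                findings.append(f"external ID {ext!r} looks like a placeholder or is too short")
    return findings


def audit_permissions_policy(doc):
    """Return one finding per granted action that is not read-only."""
    findings = []
    for stmt in doc.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action")):
            service, _, verb = action.partition(":")
            if service == "*" or not READ_ONLY_VERB.match(verb):
                findings.append(f"{stmt.get('Sid') or '<no Sid>'}: {action} is not read-only")
    return findings


if __name__ == "__main__":
    print("trust policy:", audit_trust_policy(TRUST_POLICY, EXPECTED_PRINCIPAL) or "OK")
    print("permissions policy:", audit_permissions_policy(PERMISSIONS_POLICY) or "OK")
```

Run as-is, the permissions policy passes and the trust policy produces exactly one finding, the unreplaced placeholder. Once the external ID is filled in, the trust audit comes back empty, which is the state the documents should be in before the ARN and external ID are handed over.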
