Adding AWS Integration with a Backend on Another Cloud Provider

If your groundcover backend is installed on a cloud provider other than AWS, you can still add AWS integration by allocating an AWS cluster and configuring the sensor to run the AWS integration.

Prerequisite

The below steps assume you have an AWS Kubernetes cluster with groundcover sensor installed on it.

Step 1: Create an IAM role and policy

Go to Amazon IAM
Click on Roles in the side bar

Click on Create Role

Select Custom trust policy

Paste the following policy:

{   
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Federated": "<EKS cluster OIDC ARN>"
            },
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
                "StringLike": {
                    "<EKS cluster OIDC>:sub": "system:serviceaccount:<groundcover sensor namespace>:integrations-agent"
                }
            }
        }
    ]
}

Click on Next twice (we'll attach permissions later)
Provide a name for the role
Click on Create Role

Go to your newly created role

In the Permissions section, click on Add permissions and then Create inline policy

Click on JSON and paste the following:

{
    "Version": "2012-10-17",
    "Id": "groundcover-integrations-agent",
    "Statement": [
        {
            "Action": [
                "tag:GetResources",
                "storagegateway:ListTagsForResource",
                "storagegateway:ListGateways",
                "shield:ListProtections",
                "iam:ListAccountAliases",
                "ec2:DescribeTransitGatewayAttachments",
                "ec2:DescribeSpotFleetRequests",
                "dms:DescribeReplicationTasks",
                "dms:DescribeReplicationInstances",
                "cloudwatch:ListMetrics",
                "cloudwatch:GetMetricStatistics",
                "cloudwatch:GetMetricData",
                "autoscaling:DescribeAutoScalingGroups",
                "aps:ListWorkspaces",
                "apigateway:GET",
                "s3:ListAllMyBuckets",
                "s3:GetBucketLocation",
                "s3:GetBucketTagging",
                "sqs:ListQueues",
                "sqs:GetQueueAttributes",
                "rds:DescribeDBInstances",
                "rds:DescribeDBClusters",
                "lambda:ListFunctions",
                "elasticache:DescribeCacheClusters",
                "elasticache:DescribeServerlessCaches",
                "elasticloadbalancing:DescribeLoadBalancers",
                "dynamodb:ListTables",
                "dynamodb:ListTagsOfResource",
                "dynamodb:DescribeTable",
                "airflow:GetEnvironment",
                "airflow:ListEnvironments",
                "ecs:ListClusters",
                "ecs:DescribeClusters",
                "ecs:ListServices",
                "ecs:DescribeServices",
                "ecs:ListTasks",
                "ecs:DescribeTasks",
                "es:ListDomainNames",
                "cloudfront:ListDistributions"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}

Click on Next
Give the policy a name
Click on Create Policy

Step 2: Configure AWS Integration

Add the following values to sensor helm values:

global:
  integrations:
    agent:
      enabled: true
integrationsAgent:
  serviceAccount:
    annotations:
      "eks.amazonaws.com/role-arn": <role ARN created in step 1>
  targets:
    cloudwatch:
      - name: <give a meaningful name for your integration>
        stsRegion: <AWS STS region>
        interval: 5m
        regions:
          - <list of AWS regions>
        namespaces:
          - <list of AWS namespaces from https://docs.groundcover.com/integrations/data-sources/aws/ingest-cloudwatch-metrics#supported-aws-services>
        roleArn: <role created in step 1>
        extraLabels:
          environment: "prod" # optional
    awsInventory: # add this to add auto discovery of AWS resources 
      - name: "aws-inventory"
        enabled: true
        stsRegion: <AWS STS region>
        roleArns:
          - <list ofrole ARNs>
        regions:
          - <list of AWS regions>
        interval: 5m
        namespaces:
          - <list of AWS namespaces from https://docs.groundcover.com/integrations/data-sources/aws/ingest-cloudwatch-metrics#supported-aws-services:~:text=List%2Dbased%20discovery>

Verification

After 5 minutes, data collection should happen at least once and you could monitor your integration:

Navigate to the Data Explorer page, search for the following metric groundcover_data_sources_collected_entries_total. The number of returned results should match the expected number of results.
Navigate to the Traces page and apply the following filter source:groundcover-platform integration.name:<your integration name>. The page will show the latest results of running the integration. In case of errors, open the trace to see more details.

Last updated 1 day ago

hashtagPrerequisite

hashtagStep 1: Create an IAM role and policy

hashtagStep 2: Configure AWS Integration

hashtagVerification

Prerequisite

Step 1: Create an IAM role and policy

Step 2: Configure AWS Integration

Verification