Integrate CloudWatch Grafana Datasource

To set up the CloudWatch datasource in Grafana, you need to configure the necessary credentials and permissions. This involves creating an IAM role in AWS with appropriate permissions to access CloudWatch metrics and data.

To set up an IAM role with cross-account assume for accessing CloudWatch data in Grafana, you need to follow these steps:

1. Create an IAM Role in the target account: In the target account, navigate to the IAM service and create a new IAM role.

2. Define the trust relationship: When creating the IAM role, define the trust relationship policy document to include the groundcover account as the trusted entity, along with the external ID.

   Here's an example trust policy document. NOTE: Choose YOUR_EXTERNAL_ID as a unique and secret external ID. This will be used by the integration to identify your account.

   Copy

   {
     "Version": "2012-10-17",
     "Statement": [
       {
         "Sid": "",
         "Effect": "Allow",
         "Action": "sts:AssumeRole",
         "Principal": {
           "AWS": "271490644974"
         },
         "Condition": {
           "StringEquals": {
             "sts:ExternalId": "YOUR_EXTERNAL_ID"
           }
         }
       }
     ]
   }

3. Attach an inline policy: While creating the IAM role add an inline policy with the necessary permissions for accessing CloudWatch metrics, logs, and EC2 resources. Here's an example of policy document:

   Copy

   {
     "Version": "2012-10-17",
     "Id": "groundcover-cloudwatch-integration",
     "Statement": [
       {
         "Sid": "AllowReadingMetricsFromCloudWatch",
         "Effect": "Allow",
         "Action": [
           "cloudwatch:ListMetrics",
           "cloudwatch:GetMetricData",
           "cloudwatch:GetInsightRuleReport",
           "cloudwatch:DescribeAlarmsForMetric",
           "cloudwatch:DescribeAlarms",
           "cloudwatch:DescribeAlarmHistory"
         ],
         "Resource": "*"
       },
       {
         "Sid": "AllowReadingLogsFromCloudWatch",
         "Effect": "Allow",
         "Action": [
           "logs:StopQuery",
           "logs:StartQuery",
           "logs:GetQueryResults",
           "logs:GetLogGroupFields",
           "logs:GetLogEvents",
           "logs:DescribeLogGroups"
         ],
         "Resource": "*"
       },
       {
         "Sid": "AllowReadingTagsInstancesRegionsFromEC2",
         "Effect": "Allow",
         "Action": [
           "ec2:DescribeTags",
           "ec2:DescribeRegions",
           "ec2:DescribeInstances"
         ],
         "Resource": "*"
       },
       {
         "Sid": "AllowReadingResourcesForTags",
         "Effect": "Allow",
         "Action": "tag:GetResources",
         "Resource": "*"
       }
     ]
   }

4. Depending on your plan, follow these steps:

   1. For enterprise plan - Add a new DataSource in your Grafana. NOTE: This requires a user with admin privileges in the platform.

      1. Access the Add New Datasource page in the Grafana

      2. Choose the CloudWatch data source

      3. Choose a Name for your data source.

      4. Fill in the Assume Role ARN and External ID fields with the IAM role and external ID selected earlier.

      5. Choose a Default Region based on your account's region.

      6. Click Save & Test to create the data source.

   2. For other plans - Share the IAM role ARN, along with the external ID, with the relevant groundcover contact. This ARN will be used during the configuration of the CloudWatch datasource in Grafana.