Ingest CloudWatch Metrics
groundcover supports ingesting CloudWatch metrics directly into our platform, allowing you to visualize them using dashboards and create alerts.
How does it work
CloudWatch integration is done by deploying a service called integrations-agent which is responsible for pulling metrics from CloudWatch using periodic polling of these APIs:
The integration is setup using the following steps:
Create a role with permissions to access the metrics on the target AWS account
Provide the needed permissions to allow the
integrations-agentservice account to assume the new roleSelect the AWS namespaces you wish to collect metrics from
Deploy the
integrations-agentservice and start collecting metrics
The actual steps differ for inCloud Managed and inCloud deployments. Follow the instructions below depending on your deployment type.
Things to know
Ingestion interval
The integration pulls data from CloudWatch every five minutes.
Data storage
Data fetched is stored in the Victoria Metrics database, meaning metrics are queried via the CloudWatch API only one time per data point.
Metric Statistics
Each metric has a label called stat which denotes the AWS statistic used during querying. Some metrics have multiple stats which are useful for different cases.
Supported AWS services
Resource Discovery Methods
groundcover seamlessly integrates both methods below to avoid duplicate metric fetching.
The integration uses two methods to discover the AWS resources to fetch metrics for:
Tagging-based discovery - this method uses the AWS tagging mechanism to discover resources across all metric namespaces. This method supports all AWS namespaces but only works for resources which are tagged with at least one AWS tag.
List-based discovery - this method uses standard AWS APIs to list the resources in each namespace. It works for all resources regardless of tags, but the coverage is limited to specific namespaces as listed below:
AWS/RDS
AWS/S3
AWS/SQS
AWS/Lambda
AWS/ElastiCache
If you're not seeing metrics for a specific resource, it likely has no tags and is not in the list of services above. Contact us on Slack to help with resolving the issue.
Setting up the integration
The integration is supported for both inCloud Managed and inCloud deployments, by following slightly different steps. Make sure to select the deployment relevant for you.
Not sure? Contact us on slack!
inCloud Managed
In this setup, the integrations-agent is deployed inside the managed backend. A service account is automatically provisioned inside the managed account, so the installation mainly requires creating a role in the target AWS account with the correct trust relationship.
Create an IAM role and policy
The following part requires two parameters:
YOUR_GROUNDCOVER_ACCOUNT_ID- the AWS account id hosting the groundcover backend, created during onboardingYOUR_GROUNDCOVER_SITE_ID- your unique groundcover endpoint ID:Fetch your
inCloud Sitefrom these docs It will look like<SITE_ID>.platform.grcv.ioThe ID is the first part marked above as
<SITE_ID>
Go to Amazon IAM
Click on Roles in the side bar
Click on Create Role
Select Custom trust policy
Paste the following policy:
Click on Next twice (we'll attach permissions later)
Provide a name for the role
Click on Create Role
Go to your newly created role
In the Permissions section, click on Add permissions and then Create inline policy
Click on JSON and paste the following:
Click on Next
Give the policy a name
Click on Create Policy
Choosing namespaces to ingest
Select the AWS namespaces you wish to ingest metrics from. The list of supported services is here.
Share details with groundcover
Share the following details with the groundcover team to complete the integration:
The ARN of the role created above
The list of namespaces you wish to ingest
The region of the account you wish to ingest metrics from
inCloud
In this setup, the integrations-agent is deployed inside your cluster. The deployment comes with a built-in service account, and permissions will be provided to it using IRSA. Afterwards you will need to create a role + trust policy to allow the integrations-agent service account to assume the role and query the metrics.
Create an identity provider (OIDC) for your EKS cluster
If you already have an identity provider set up in the account where the EKS cluster is set up, skip this stage
The recommended way to give the integrations-agent the ability to interact with AWS resources inside an EKS cluster is using IRSA . The deployment comes in with a built-in service account, which can be used alongside OIDC to provide it with AWS permissions.
Create an OIDC provider for the EKS cluster where groundcover resides in. Once created, the details you will need in the next steps are:
Provider NameProvider ARNNamespace- the namespace where groundcover is installed (default:groundcover)
Create an IAM role and policy
Go to Amazon IAM
Click on Roles in the side bar
Click on Create Role
Select Custom trust policy
Paste the following policy:
Click on Next twice (we'll attach permissions later)
Provide a name for the role
Click on Create Role
Go to your newly created role
In the Permissions section, click on Add permissions and then Create inline policy
Click on JSON and paste the following:
Click on Next
Give the policy a name
Click on Create Policy
Choosing namespaces to ingest
Select the AWS namespaces you wish to ingest metrics from. The list of supported services is here. These will be provided as a list in the next stage.
Deploy the changes
Add the following overrides to your groundcover installation. You will need the following:
Region - The region of the account you wish to ingest metrics from
NamespaceA, NamespaceB... - the AWS namespaces you chose
RoleARN - the ARN of the role created above
Note: the roleArn section in the configuration below is optional, and only required when using cross-account scraping. If you are scraping metrics inside the same account as the EKS cluster where groundcover is deployed, do not add the roleArn part.
In that scenario, you will need to define a role in each account with the permissions above, and enable cross-account access to assume the role from the RoleARN created above. The cross-account role appears below as otherAccountRole
For example:
Last updated