From 3301b72b3dd7a7484e7eb884ce7919c62d2ed750 Mon Sep 17 00:00:00 2001 From: Khai Do Date: Tue, 12 Mar 2024 09:38:04 -0700 Subject: [PATCH] [IT-3471] Setup a cross account cloudwatch dashboard Setup AWS Cloudwatch cross-account observability[1]. This feature will allow us to create a cloudwatch dashboard in one AWS account that monitors apps deployed to multiple AWS accounts. [1] https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch-Unified-Cross-Account.html --- ...ssAccountListAccountsRole-AccountList.yaml | 42 +++++++++++ ...h-CrossAccountSharingRole-AccountList.yaml | 75 +++++++++++++++++++ .../Cloudwatch-Link-Management-Account.yaml | 22 ++++++ .../740-cloudwatch-dashboard/README.md | 11 +++ .../740-cloudwatch-dashboard/_tasks.yaml | 39 ++++++++++ 5 files changed, 189 insertions(+) create mode 100644 org-formation/740-cloudwatch-dashboard/CloudWatch-CrossAccountListAccountsRole-AccountList.yaml create mode 100644 org-formation/740-cloudwatch-dashboard/CloudWatch-CrossAccountSharingRole-AccountList.yaml create mode 100644 org-formation/740-cloudwatch-dashboard/Cloudwatch-Link-Management-Account.yaml create mode 100644 org-formation/740-cloudwatch-dashboard/README.md create mode 100644 org-formation/740-cloudwatch-dashboard/_tasks.yaml diff --git a/org-formation/740-cloudwatch-dashboard/CloudWatch-CrossAccountListAccountsRole-AccountList.yaml b/org-formation/740-cloudwatch-dashboard/CloudWatch-CrossAccountListAccountsRole-AccountList.yaml new file mode 100644 index 00000000..a765786a --- /dev/null +++ b/org-formation/740-cloudwatch-dashboard/CloudWatch-CrossAccountListAccountsRole-AccountList.yaml @@ -0,0 +1,42 @@ +# This template is downloaded from the AWS Console (from organizations account) +# Cloudwatch -> Settings -> Share your Organization account list +# It should be deployed to the AWS Organizations account + +AWSTemplateFormatVersion: '2010-09-09' +Description: Enables monitoring accounts to list the accounts information in an AWS Organization + +Parameters: + MonitoringAccountIds: + Description: Allows one or more monitoring accounts to view AWS Organization account list. Enter AWS account ids, 12 numeric digits in comma-separated list + Type: CommaDelimitedList + +Resources: + CWCrossAccountListAccountsRole: + Type: AWS::IAM::Role + Properties: + RoleName: CloudWatch-CrossAccountSharing-ListAccountsRole + AssumeRolePolicyDocument: + Version: '2012-10-17' + Statement: + - Effect: Allow + Principal: + AWS: !Split + - ',' + - !Sub + - 'arn:aws:iam::${inner}:root' + - inner: !Join + - ':root,arn:aws:iam::' + - Ref: MonitoringAccountIds + Action: + - sts:AssumeRole + Path: "/" + Policies: + - PolicyName: CloudWatch-CrossAccountSharing-ListAccounts-Policy + PolicyDocument: + Version: '2012-10-17' + Statement: + - Action: + - organizations:ListAccounts + - organizations:ListAccountsForParent + Resource: '*' + Effect: Allow diff --git a/org-formation/740-cloudwatch-dashboard/CloudWatch-CrossAccountSharingRole-AccountList.yaml b/org-formation/740-cloudwatch-dashboard/CloudWatch-CrossAccountSharingRole-AccountList.yaml new file mode 100644 index 00000000..e2c4fb48 --- /dev/null +++ b/org-formation/740-cloudwatch-dashboard/CloudWatch-CrossAccountSharingRole-AccountList.yaml @@ -0,0 +1,75 @@ +# This template is downloaded from the AWS Console (from org-sagebase-monitorcentral account) +# Cloudwatch -> Settings -> Share your CloudWatch data -> Create CloudFormation stack +# It should be deployed to all member accounts except for the org-sagebase-monitorcentral account + +AWSTemplateFormatVersion: '2010-09-09' +Description: Enables CloudWatch in central monitoring accounts to assume permissions to view CloudWatch data in the current account + +Parameters: + MonitoringAccountIds: + Description: Allows one or more monitoring accounts to view your data. Enter AWS account ids, 12 numeric digits in comma-separated list + Type: CommaDelimitedList + + Policy: + Description: The level of access to give to the Monitoring accounts + Type: String + Default: CloudWatch-and-AutomaticDashboards + AllowedValues: + - CloudWatch-and-AutomaticDashboards + - CloudWatch-and-ServiceLens + - CloudWatch-AutomaticDashboards-and-ServiceLens + - CloudWatch-core-permissions + - View-Access-for-all-services + +Conditions: + DoFullReadOnly: !Equals [ !Ref Policy, View-Access-for-all-services ] + DoAutomaticDashboards: !Equals [ !Ref Policy, CloudWatch-and-AutomaticDashboards ] + DoServiceLens: !Equals [ !Ref Policy, CloudWatch-and-ServiceLens ] + DoServiceLensAndAutomaticDashboards: !Equals [ !Ref Policy, CloudWatch-AutomaticDashboards-and-ServiceLens ] + DoCWReadOnly: !Equals [ !Ref Policy, CloudWatch-core-permissions ] + +Resources: + CWCrossAccountSharingRole: + Type: AWS::IAM::Role + Properties: + RoleName: CloudWatch-CrossAccountSharingRole + AssumeRolePolicyDocument: + Version: '2012-10-17' + Statement: + - Effect: Allow + Principal: + AWS: !Split + - ',' + - !Sub + - 'arn:aws:iam::${inner}:root' + - inner: !Join + - ':root,arn:aws:iam::' + - Ref: MonitoringAccountIds + Action: + - sts:AssumeRole + Path: "/" + ManagedPolicyArns: !If + - DoFullReadOnly + - + - arn:aws:iam::aws:policy/CloudWatchReadOnlyAccess + - arn:aws:iam::aws:policy/CloudWatchAutomaticDashboardsAccess + - arn:aws:iam::aws:policy/job-function/ViewOnlyAccess + - arn:aws:iam::aws:policy/AWSXrayReadOnlyAccess + - !If + - DoAutomaticDashboards + - + - arn:aws:iam::aws:policy/CloudWatchReadOnlyAccess + - arn:aws:iam::aws:policy/CloudWatchAutomaticDashboardsAccess + - !If + - DoServiceLens + - + - arn:aws:iam::aws:policy/CloudWatchReadOnlyAccess + - arn:aws:iam::aws:policy/AWSXrayReadOnlyAccess + - !If + - DoServiceLensAndAutomaticDashboards + - + - arn:aws:iam::aws:policy/CloudWatchReadOnlyAccess + - arn:aws:iam::aws:policy/CloudWatchAutomaticDashboardsAccess + - arn:aws:iam::aws:policy/AWSXrayReadOnlyAccess + - + - arn:aws:iam::aws:policy/CloudWatchReadOnlyAccess diff --git a/org-formation/740-cloudwatch-dashboard/Cloudwatch-Link-Management-Account.yaml b/org-formation/740-cloudwatch-dashboard/Cloudwatch-Link-Management-Account.yaml new file mode 100644 index 00000000..8e1a1f74 --- /dev/null +++ b/org-formation/740-cloudwatch-dashboard/Cloudwatch-Link-Management-Account.yaml @@ -0,0 +1,22 @@ +# This template is downloaded from the AWS Console (from org-sagebase-monitorcentral account) +# Cloudwatch -> Settings -> Determine how to link your source accounts +# It should be deployed to all member accounts except for the org-sagebase-monitorcentral account + +AWSTemplateFormatVersion: 2010-09-09 + +Parameters: + MonitoringAccountId: + Description: Allows one or more monitoring accounts to view your data. Enter AWS account ids, 12 numeric digits in comma-separated list + Type: String + +Resources: + Link: + Type: AWS::Oam::Link + Properties: + LabelTemplate: "$AccountName" + ResourceTypes: + - "AWS::CloudWatch::Metric" + - "AWS::Logs::LogGroup" + - "AWS::XRay::Trace" + - "AWS::ApplicationInsights::Application" + SinkIdentifier: !Sub "arn:aws:oam:us-east-1:${MonitoringAccountId}:sink/5ea88d72-76d8-419e-9c6d-07d4de64f972" diff --git a/org-formation/740-cloudwatch-dashboard/README.md b/org-formation/740-cloudwatch-dashboard/README.md new file mode 100644 index 00000000..d92cd2d3 --- /dev/null +++ b/org-formation/740-cloudwatch-dashboard/README.md @@ -0,0 +1,11 @@ +### Purpose of these templates +The templates in this folder sets up a cross account CloudWatch monitoring dashboard. +It uses a management/member architecture, instead of using the Organizations account +as the cloudwatch management account we created org-sagebase-monitorcentral account +for that purpose. Creating a separate account will allow us to isolate user access +to the dashboards. + +* The Cloudwatch management account is org-sagebase-monitorcentral +* The monitorcentral account uses the AWS account list from the Organizations account. + This will allow monitorcentral to include new AWS accounts as they are added. +* All other AWS accounts are Cloudwatch member accounts. diff --git a/org-formation/740-cloudwatch-dashboard/_tasks.yaml b/org-formation/740-cloudwatch-dashboard/_tasks.yaml new file mode 100644 index 00000000..76f85d68 --- /dev/null +++ b/org-formation/740-cloudwatch-dashboard/_tasks.yaml @@ -0,0 +1,39 @@ +Parameters: + <<: !Include '../_parameters.yaml' + + appName: + Type: String + Default: 'CloudWatcDashboard' + +# Give MonitorCentral access to the account list in Organizations +CrossAccountListAccountRole: + Type: update-stacks + Template: CloudWatch-CrossAccountListAccountsRole-AccountList.yaml + StackName: !Sub '${resourcePrefix}-${appName}-CrossAccountListAccountsRole' + DefaultOrganizationBindingRegion: !Ref primaryRegion + DefaultOrganizationBinding: + Account: !Ref MasterAccount + Parameters: + MonitoringAccountIds: !Ref MonitorCentralAccount + +# Link cloudwatch in member accounts to MonitorCentral +LinkManagementAccount: + Type: update-stacks + Template: CloudWatch-CrossAccountSharingRole-AccountList.yaml + StackName: !Sub '${resourcePrefix}-${appName}-LinkManagementAccount' + DefaultOrganizationBindingRegion: !Ref primaryRegion + DefaultOrganizationBinding: + Account: '*' + Exclude: !Ref MonitorCentralAccount + +# Allow member accounts to share cloudwatch data with MonitorCentral +CrossAccountSharingRole: + Type: update-stacks + Template: CloudWatch-CrossAccountSharingRole-AccountList.yaml + StackName: !Sub '${resourcePrefix}-${appName}-CrossAccountSharingRole' + DefaultOrganizationBindingRegion: !Ref primaryRegion + DefaultOrganizationBinding: + Account: '*' + Exclude: !Ref MonitorCentralAccount + Parameters: + MonitoringAccountIds: !Ref MonitorCentralAccount