My Saved Presets
You must be logged in to view saved presets

Loading Library ...

CloudWatch Metric Stream to Kinesis Firehose

This template sets up a CloudWatch Metric Stream that filters and sends specific AWS/EC2 and AWS/EBS metrics to an Amazon Kinesis Firehose delivery stream, which then stores the data in an S3 bucket.

main

aws_cloudwatch_metric_stream



exclude_filter

include_filter



statistics_configuration

depends_on


lifecycle

ignore_changes

replace_triggered_by

precondition


postcondition



firehose_to_s3

aws_iam_role



inline_policy



managed_policy_arns





depends_on


lifecycle

ignore_changes

replace_triggered_by

precondition


postcondition



metric_stream_to_firehose

aws_iam_role



inline_policy



managed_policy_arns





depends_on


lifecycle

ignore_changes

replace_triggered_by

precondition


postcondition



firehose_to_s3

aws_iam_role_policy





depends_on


lifecycle

ignore_changes

replace_triggered_by

precondition


postcondition



metric_stream_to_firehose

aws_iam_role_policy





depends_on


lifecycle

ignore_changes

replace_triggered_by

precondition


postcondition



s3_stream

aws_kinesis_firehose_delivery_stream

depends_on


lifecycle

ignore_changes

replace_triggered_by

precondition


postcondition



bucket

aws_s3_bucket


grant

permissions


cors_rule

allowed_headers

allowed_methods

allowed_origins

expose_headers

lifecycle_rule


expiration

transition


noncurrent_version_expiration
noncurrent_version_transition

logging


object_lock_configuration

rule
apply_server_side_encryption_by_default


replication_configuration

rules
destination



access_control_translation


replication_time
metrics
filter



source_selection_criteria
sse_kms_encrypted_objects
server_side_encryption_configuration
rule
apply_server_side_encryption_by_default

versioning
website



routing_rules

depends_on


lifecycle

ignore_changes

replace_triggered_by

precondition


postcondition



bucket_acl

aws_s3_bucket_acl


access_control_policy
grant
grantee




owner





depends_on


lifecycle

ignore_changes

replace_triggered_by

precondition


postcondition



firehose_assume_role

aws_iam_policy_document

override_policy_documents


source_policy_documents

statement

actions

condition


values


not_actions

not_principals

identifiers

not_resources

principals

identifiers

resources


depends_on


lifecycle

ignore_changes

replace_triggered_by

precondition


postcondition



firehose_to_s3

aws_iam_policy_document

override_policy_documents


source_policy_documents

statement

actions

condition


values


not_actions

not_principals

identifiers

not_resources

principals

identifiers

resources


depends_on


lifecycle

ignore_changes

replace_triggered_by

precondition


postcondition



metric_stream_to_firehose

aws_iam_policy_document

override_policy_documents


source_policy_documents

statement

actions

condition


values


not_actions

not_principals

identifiers

not_resources

principals

identifiers

resources


depends_on


lifecycle

ignore_changes

replace_triggered_by

precondition


postcondition



streams_assume_role

aws_iam_policy_document

override_policy_documents


source_policy_documents

statement

actions

condition


values


not_actions

not_principals

identifiers

not_resources

principals

identifiers

resources


depends_on


lifecycle

ignore_changes

replace_triggered_by

precondition


postcondition



Terraform Template

data "aws_iam_policy_document" "firehose_assume_role" {

  statement {
    actions = ["sts:AssumeRole"]
    effect = "Allow"

    principals {
      identifiers = ["firehose.amazonaws.com"]
      type = "Service"
    }
  }
}

data "aws_iam_policy_document" "firehose_to_s3" {

  statement {
    actions = ["s3:AbortMultipartUpload", "s3:GetBucketLocation", "s3:GetObject", "s3:ListBucket", "s3:ListBucketMultipartUploads", "s3:PutObject"]
    effect = "Allow"
    resources = [aws_s3_bucket.bucket.arn, "${aws_s3_bucket.bucket.arn}/*"]
  }
}

data "aws_iam_policy_document" "metric_stream_to_firehose" {

  statement {
    actions = ["firehose:PutRecord", "firehose:PutRecordBatch"]
    effect = "Allow"
    resources = [aws_kinesis_firehose_delivery_stream.s3_stream.arn]
  }
}

data "aws_iam_policy_document" "streams_assume_role" {

  statement {
    actions = ["sts:AssumeRole"]
    effect = "Allow"

    principals {
      identifiers = ["streams.metrics.cloudwatch.amazonaws.com"]
      type = "Service"
    }
  }
}

resource "aws_cloudwatch_metric_stream" "main" {
  firehose_arn = aws_kinesis_firehose_delivery_stream.s3_stream.arn
  include_filter = ["CPUUtilization", "NetworkOut", "AWS/EC2", "AWS/EBS"]
  name = "my-metric-stream"
  output_format = "json"
  role_arn = aws_iam_role.metric_stream_to_firehose.arn
}

resource "aws_iam_role" "firehose_to_s3" {
  assume_role_policy = data.aws_iam_policy_document.firehose_assume_role.json
}

resource "aws_iam_role" "metric_stream_to_firehose" {
  assume_role_policy = data.aws_iam_policy_document.streams_assume_role.json
  name = "metric_stream_to_firehose_role"
}

resource "aws_iam_role_policy" "firehose_to_s3" {
  name = "default"
  policy = data.aws_iam_policy_document.firehose_to_s3.json
  role = aws_iam_role.firehose_to_s3.id
}

resource "aws_iam_role_policy" "metric_stream_to_firehose" {
  name = "default"
  policy = data.aws_iam_policy_document.metric_stream_to_firehose.json
  role = aws_iam_role.metric_stream_to_firehose.id
}

resource "aws_kinesis_firehose_delivery_stream" "s3_stream" {
}

resource "aws_s3_bucket" "bucket" {
  bucket = "metric-stream-test-bucket"
}

resource "aws_s3_bucket_acl" "bucket_acl" {
  acl = "private"
  bucket = aws_s3_bucket.bucket.id
}

© 2024 asecurecloud. All rights reserved.