AWS Cloudwatch Terraform module
Terraform module which creates Cloudwatch resources on AWS.
Usage
Log metric filter
module "log_metric_filter" {
source = "terraform-aws-modules/cloudwatch/aws//modules/log-metric-filter"
version = "~> 3.0"
log_group_name = "my-application-logs"
name = "error-metric"
pattern = "ERROR"
metric_transformation_namespace = "MyApplication"
metric_transformation_name = "ErrorCount"
}
Read Filter and Pattern Syntax for explanation of pattern.
Log group
module "log_group" {
source = "terraform-aws-modules/cloudwatch/aws//modules/log-group"
version = "~> 3.0"
name = "my-app"
retention_in_days = 120
}
Log stream
module "log_stream" {
source = "terraform-aws-modules/cloudwatch/aws//modules/log-stream"
version = "~> 3.0"
name = "stream1"
log_group_name = "my-app"
}
Metric alarm
module "metric_alarm" {
source = "terraform-aws-modules/cloudwatch/aws//modules/metric-alarm"
version = "~> 3.0"
alarm_name = "my-application-logs-errors"
alarm_description = "Bad errors in my-application-logs"
comparison_operator = "GreaterThanOrEqualToThreshold"
evaluation_periods = 1
threshold = 10
period = 60
unit = "Count"
namespace = "MyApplication"
metric_name = "ErrorCount"
statistic = "Maximum"
alarm_actions = ["arn:aws:sns:eu-west-1:835367859852:my-sns-queue"]
}
Metric alarms by multiple dimensions
This submodule is useful when you need to create very similar alarms where only dimensions are different (eg, multiple AWS Lambda functions), but the rest of arguments are the same.
module "metric_alarms" {
source = "terraform-aws-modules/cloudwatch/aws//modules/metric-alarms-by-multiple-dimensions"
version = "~> 3.0"
alarm_name = "lambda-duration-"
alarm_description = "Lambda duration is too high"
comparison_operator = "GreaterThanOrEqualToThreshold"
evaluation_periods = 1
threshold = 10
period = 60
unit = "Milliseconds"
namespace = "AWS/Lambda"
metric_name = "Duration"
statistic = "Maximum"
dimensions = {
"lambda1" = {
FunctionName = "index"
},
"lambda2" = {
FunctionName = "signup"
},
}
alarm_actions = ["arn:aws:sns:eu-west-1:835367859852:my-sns-queue"]
}
Check out list of all AWS services that publish CloudWatch metrics for detailed information about each supported service.
CIS AWS Foundations Controls: Metrics + Alarms
module "cis_alarms" {
source = "terraform-aws-modules/cloudwatch/aws//modules/cis-alarms"
version = "~> 3.0"
log_group_name = "my-cloudtrail-logs"
alarm_actions = ["arn:aws:sns:eu-west-1:835367859852:my-sns-queue"]
}
AWS CloudTrail normally publishes logs into AWS CloudWatch Logs. This module creates log metric filters together with metric alarms according to CIS AWS Foundations Benchmark v1.4.0 (05-28-2021). Read more about CIS AWS Foundations Controls.
Log Group Data Protection Policy
module "log_group_data_protection" {
source = "terraform-aws-modules/cloudwatch/aws//modules/log-data-protection-policy"
version = "~> 4.0"
log_group_name = "my-log-group"
create_log_data_protection_policy = true
log_data_protection_policy_name = "RedactAddress"
data_identifiers = ["arn:aws:dataprotection::aws:data-identifier/Address"]
findings_destination_cloudwatch_log_group = "audit-log-group"
}
Log Subscription Filter
module "log_subscription_filter" {
source = "terraform-aws-modules/cloudwatch/aws//modules/log-subscription-filter"
name = "my-filter"
destination_arn = "arn:aws:firehose:eu-west-1:835367859852:deliverystream/cw-logs"
filter_pattern = "%test%"
log_group_name = "my-log-group"
role_arn = "arn:aws:iam::835367859852:role/cw-logs-to-firehose"
}
Metric Stream
module "metric_stream" {
name = "metric-stream"
firehose_arn = "arn:aws:firehose:eu-west-1:835367859852:deliverystream/metric-stream-example"
output_format = "json"
role_arn = "arn:aws:iam::835367859852:role/metric-stream-to-firehose-20240113005123755300000002"
# conflicts with exclude_filter
include_filter = {
ec2 = {
namespace = "AWS/EC2"
metric_names = ["CPUUtilization", "NetworkIn"]
}
}
statistics_configuration = [
{
additional_statistics = ["p99"]
include_metric = [
{
namespace = "AWS/EC2"
metric_name = "CPUUtilization"
},
{
namespace = "AWS/EC2"
metric_name = "NetworkIn"
}
]
},
{
additional_statistics = ["p90", "TM(10%:90%)"]
include_metric = [
{
namespace = "AWS/EC2"
metric_name = "CPUUtilization"
}
]
}
]
}
Query Definition
module "query_definition" {
source = "terraform-aws-modules/cloudwatch/aws//modules/query-definition"
version = "~> 4.0"
name = "my-query-definition"
log_group_names = ["my-log-group-name"]
query_string = <<EOF
fields @timestamp, @message
| sort @timestamp desc
| limit 25
EOF
}
Composite Alarm
module "composite_alarm" {
source = "terraform-aws-modules/cloudwatch/aws//modules/composite-alarm"
version = "~> 4.0"
alarm_name = "composite-alarm"
alarm_description = "Example of a composite alarm"
alarm_actions = ["arn:aws:sns:eu-west-1:835367859852:my-sns-topic"]
ok_actions = ["arn:aws:sns:eu-west-1:835367859852:my-sns-topic"]
alarm_rule = join(" AND ", tolist([
"ALARM(metric-alarm-1)",
"ALARM(metric-alarm-2)"
]))
actions_suppressor = {
alarm = "suppressor"
extension_period = 20
wait_period = 10
}
}
Log Account Policy
module "log_account_policy" {
source = "terraform-aws-modules/cloudwatch/aws//modules/log-account-policy"
version = "~> 4.0"
log_account_policy_name = "account-data-protection"
log_account_policy_type = "DATA_PROTECTION_POLICY"
create_log_data_protection_policy = true
log_data_protection_policy_name = "redact-addresses"
data_identifiers = ["arn:aws:dataprotection::aws:data-identifier/Address"]
findings_destination_cloudwatch_log_group = "my-cloudwatch-audit-log-group"
}
Log Anomaly Detector
module "log_anomaly_detector" {
source = "terraform-aws-modules/cloudwatch/aws//modules/log-anomaly-detector"
version = "~> 4.0"
detector_name = "anomaly-detector"
log_group_arns = ["arn:aws:logs:eu-west-1:835367859852:log-group:my-log-group"]
anomaly_visibility_time = 7
enabled = true
evaluation_frequency = "FIVE_MIN"
filter_pattern = "%test%"
kms_key_id = "arn:aws:kms:eu-west-1:835367859852:key/9051f3e7-17b8-4543-8070-50e22599966"
}
Examples
- Complete Cloudwatch log metric filter and alarm
- Cloudwatch log group with log stream
- Cloudwatch metric alarms for AWS Lambda
- Cloudwatch metric alarms for AWS Lambda with multiple dimensions
- CIS AWS Foundations Controls: Metrics + Alarms
- Cloudwatch query definition
- Cloudwatch Metric Stream
- Cloudwatch Composite Alarm
- Cloudwatch log subscription filter
- Cloudwatch log data protection policy
- Cloudwatch Log Account Policy
- Cloudwatch Log Anomaly Detector
Authors
Module is maintained by Anton Babenko with help from these awesome contributors.
License
Apache 2 Licensed. See LICENSE for full details.