Tags: amazon-web-services, terraform, monitoring, terraform-provider-aws, cloudwatch-alarms

Deploy Cloudwatch Alarm to non-default region in Central monitoring account using Terraform


Overview

The AWS account structure:

IAM roles and policies exist in the Prod Workload A and B AWS accounts which allow the Dashboarding and Alerting AWS account to read their metrics and logs, e.g. for centralised dashboarding.

The Dashboards and Alarms are deployed to the "Dashboarding and Alerting AWS account" using Terraform:

Dashboard snippet:

# One dashboard per entry in the environment map; the template receives the
# source account and region, so a dashboard can point at a non-default region.
resource "aws_cloudwatch_dashboard" "rds_db" {
  for_each       = local.env[var.environment]
  dashboard_name = "${each.key}_rds_db"
  dashboard_body = templatefile("templates/rds_db.tpl", {
    environment = each.value.env,
    account     = each.value.account,
    region      = each.value.region
  })
}
Alarm snippet:

# One alarm per entry in the environment map. The alarm is created in the
# provider's region; only the source account (not the region) can be set per query.
resource "aws_cloudwatch_metric_alarm" "rds_cpu_utilisation" {
  for_each                  = local.env_map[var.environment]
  alarm_name                = "High_CPU_Utilisation_RDS_${each.value.env}-rds-db"
  comparison_operator       = "GreaterThanThreshold"
  evaluation_periods        = 3
  threshold                 = 70
  alarm_description         = "The High CPU Utilisation threshold has been breached."
  insufficient_data_actions = []
  treat_missing_data        = "breaching"
  alarm_actions = [
    aws_sns_topic.rds_db_alert_topic.arn
  ]

  metric_query {
    id          = "m1"
    return_data = true
    account_id  = each.value.account # cross-account: read the metric from the workload account
    metric {
      metric_name = "CPUUtilization"
      namespace   = "AWS/RDS"
      period      = 60
      stat        = "Maximum"
      dimensions = {
        DBInstanceIdentifier = "${each.value.env}-rds-db"
      }
    }
  }
}

Question

When deploying alarms for the "Prod Workload B account" to the centralised account, the region defaults to that of the "Dashboard and Alerting account", which is ap-southeast-1.

These alarms therefore show as having no data, as their data must be read from the non-default region us-west-2.

This isn't an issue for dashboards, because it's possible to specify the region (see the Dashboard snippet above and the Terraform dashboard doc). It's also not a problem for "Prod Workload B account" alarms, as that account's default region is the same as the "Dashboard and Alerting account".

The region option doesn't exist for the Terraform CloudWatch Alarm resource.
It is present in the AWS CLI put-alarm command, which makes me wonder whether it should be present as an option on the Terraform CloudWatch Alarm resource.

What would be the best way to fix this, so that CloudWatch alarms can be successfully deployed for the "Prod Workload B account" using Terraform?


Solution

  • The way to do this is to use Terraform providers. https://github.com/hashicorp/terraform-provider-aws/issues/28971
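The following is an added example of the provider-alias approach, not code from the question or the linked issue. It assumes the shape of the page's local.env_map (with placeholder account IDs) and a variable named environment; the aliased provider name us_west_2 and the resource names are illustrative. Two Terraform constraints shape it: the provider meta-argument must be a static reference, so the map is split per region and each region gets its own alarm resource rather than one for_each over all regions; and a CloudWatch alarm can only invoke an SNS topic in its own region, so the us-west-2 alarms need a topic created through the same alias rather than the default-region topic.

```hcl
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 4.0" # metric_query.account_id requires a provider that supports cross-account alarms
    }
  }
}

variable "environment" {
  type    = string
  default = "prod"
}

# Default provider: the central Dashboarding and Alerting account's home region.
provider "aws" {
  region = "ap-southeast-1"
}

# Aliased provider: same account and credentials, but us-west-2, where
# Prod Workload B's metrics live. (Alias name is an assumption.)
provider "aws" {
  alias  = "us_west_2"
  region = "us-west-2"
}

locals {
  # Assumed shape of the page's local.env_map; account IDs are placeholders.
  env_map = {
    prod = {
      prod_a = { env = "prod-a", account = "111111111111", region = "ap-southeast-1" }
      prod_b = { env = "prod-b", account = "222222222222", region = "us-west-2" }
    }
  }

  # `provider` cannot be an expression, so slice the map by region and give
  # each slice its own resource block bound to the matching provider alias.
  targets_us_west_2 = {
    for k, v in local.env_map[var.environment] : k => v if v.region == "us-west-2"
  }
}

# Alarm actions must be in the same region as the alarm, so the topic for the
# us-west-2 alarms is created with the us-west-2 alias too.
resource "aws_sns_topic" "rds_db_alert_topic_us_west_2" {
  provider = aws.us_west_2
  name     = "rds-db-alerts"
}

resource "aws_cloudwatch_metric_alarm" "rds_cpu_utilisation_us_west_2" {
  provider = aws.us_west_2 # create the alarm in us-west-2, not the default region
  for_each = local.targets_us_west_2

  alarm_name          = "High_CPU_Utilisation_RDS_${each.value.env}-rds-db"
  comparison_operator = "GreaterThanThreshold"
  evaluation_periods  = 3
  threshold           = 70
  alarm_description   = "The High CPU Utilisation threshold has been breached."
  treat_missing_data  = "breaching"
  alarm_actions       = [aws_sns_topic.rds_db_alert_topic_us_west_2.arn]

  metric_query {
    id          = "m1"
    return_data = true
    # Source account for the metric. The workload account must be linked to the
    # monitoring account's cross-account observability sink in us-west-2 (sinks are regional).
    account_id = each.value.account
    metric {
      metric_name = "CPUUtilization"
      namespace   = "AWS/RDS"
      period      = 60
      stat        = "Maximum"
      dimensions = {
        DBInstanceIdentifier = "${each.value.env}-rds-db"
      }
    }
  }
}
```

After apply, confirm the alarm exists in the intended region and has left the INSUFFICIENT_DATA state with `aws cloudwatch describe-alarms --region us-west-2 --alarm-name-prefix High_CPU_Utilisation_RDS_`. If it stays in INSUFFICIENT_DATA, check that the monitoring account's cross-account observability sink in us-west-2 is linked to the workload account; the IAM roles used for cross-account dashboards are not sufficient for cross-account alarms. The same pattern extends to further regions by adding one provider alias and one filtered map per region.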