feat: Add EventBridge lifecycle events for ECS Container Insights and update ADOT to CloudWatch Agent (#913)

jakeskyaws · jaksky · web-flow · commit 549594bf1f47 · 2025-08-16T06:28:50.000-06:00
Co-authored-by: jaksky &lt;jakesky@amazon.com&gt;
diff --git a/terraform/ecs/default/README.md b/terraform/ecs/default/README.md
@@ -50,6 +50,7 @@ This section documents the variables and outputs of the Terraform configuration.
 | `environment_name`           | Name of the environment which will be used for all resources created                                                                       | `string` | `retail-store-ecs` |   yes    |
 | `opentelemetry_enabled`      | Flag to enable OpenTelemetry, which will install the AWS Distro for OpenTelemetry and configure trace collection                           | `bool`   | `false`            |    no    |
 | `container_insights_setting` | Container Insights setting for ECS cluster. Must be either 'enhanced' or 'disabled'. When OpenTelemetry is enabled, defaults to 'enhanced' | `string` | `disabled`         |    no    |
+| `lifecycle_events_enabled`   | Enable ECS lifecycle events to CloudWatch Logs for Container Insights performance dashboard. Only available when container_insights_setting is 'enhanced' | `bool`   | `false`            |    no    |
 | `log_group_retention_days`   | Number of days to retain logs in CloudWatch Log Groups                                                                                     | `number` | `30`               |    no    |
 
 ### Outputs
diff --git a/terraform/ecs/default/main.tf b/terraform/ecs/default/main.tf
@@ -37,6 +37,8 @@ module "retail_app_ecs" {
   container_image_overrides  = var.container_image_overrides
   opentelemetry_enabled      = var.opentelemetry_enabled
   container_insights_setting = var.container_insights_setting
+  lifecycle_events_enabled   = var.lifecycle_events_enabled
+
 
   catalog_db_endpoint = module.dependencies.catalog_db_endpoint
   catalog_db_port     = module.dependencies.catalog_db_port
diff --git a/terraform/ecs/default/variables.tf b/terraform/ecs/default/variables.tf
@@ -34,4 +34,15 @@ variable "container_insights_setting" {
     condition     = contains(["enhanced", "disabled"], var.container_insights_setting)
     error_message = "container_insights_setting must be either 'enhanced' or 'disabled'"
   }
+}
+
+variable "lifecycle_events_enabled" {
+  type        = bool
+  default     = false
+  description = "Enable ECS lifecycle events to CloudWatch Logs"
+
+  validation {
+    condition     = !var.lifecycle_events_enabled || var.container_insights_setting == "enhanced"
+    error_message = "lifecycle_events_enabled can only be true when container_insights_setting is 'enhanced'"
+  }
 }
diff --git a/terraform/lib/ecs/eventbridge.tf b/terraform/lib/ecs/eventbridge.tf
@@ -0,0 +1,57 @@
+data "aws_caller_identity" "current" {}
+data "aws_region" "current" {}
+
+resource "random_id" "eventbridge_suffix" {
+  byte_length = 8
+}
+
+resource "aws_cloudwatch_log_group" "ecs_container_insights" {
+  count = (var.container_insights_setting == "enhanced" && var.lifecycle_events_enabled) ? 1 : 0
+  name  = "/aws/events/ecs/containerinsights/${var.environment_name}-cluster/performance"
+
+  tags = {
+    ClusterName                      = "${var.environment_name}-cluster"
+    "EventBridge-AssociatedRuleName" = "EventsToLogs-retail-${random_id.eventbridge_suffix.hex}"
+  }
+}
+
+resource "aws_cloudwatch_event_rule" "ecs_events" {
+  count       = (var.container_insights_setting == "enhanced" && var.lifecycle_events_enabled) ? 1 : 0
+  name        = "EventsToLogs-retail-${random_id.eventbridge_suffix.hex}"
+  description = "This rule is used to export to CloudWatch Logs the lifecycle events of the ECS Cluster ${var.environment_name}-cluster."
+
+  event_pattern = jsonencode({
+    source = ["aws.ecs"]
+    detail = {
+      clusterArn = ["arn:aws:ecs:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:cluster/${var.environment_name}-cluster"]
+    }
+  })
+}
+
+resource "aws_cloudwatch_event_target" "ecs_events_target" {
+  count     = (var.container_insights_setting == "enhanced" && var.lifecycle_events_enabled) ? 1 : 0
+  rule      = aws_cloudwatch_event_rule.ecs_events[0].name
+  target_id = random_id.eventbridge_suffix.hex
+  arn       = aws_cloudwatch_log_group.ecs_container_insights[0].arn
+}
+
+resource "aws_cloudwatch_log_resource_policy" "eventbridge_ecs" {
+  count       = (var.container_insights_setting == "enhanced" && var.lifecycle_events_enabled) ? 1 : 0
+  policy_name = "EventBridge-ECS-ContainerInsights"
+  policy_document = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Effect = "Allow"
+        Principal = {
+          Service = "events.amazonaws.com"
+        }
+        Action = [
+          "logs:CreateLogStream",
+          "logs:PutLogEvents"
+        ]
+        Resource = "${aws_cloudwatch_log_group.ecs_container_insights[0].arn}:*"
+      }
+    ]
+  })
+}
diff --git a/terraform/lib/ecs/service/ecs.tf b/terraform/lib/ecs/service/ecs.tf
@@ -82,10 +82,22 @@ locals {
   }
 
   otel_container = {
-    name      = "aws-otel-collector"
-    image     = "public.ecr.aws/aws-observability/aws-otel-collector:latest"
+    name      = "cloudwatch-agent"
+    image     = "public.ecr.aws/cloudwatch-agent/cloudwatch-agent:latest"
     essential = true
-    command   = ["--config=/etc/ecs/container-insights/otel-task-metrics-config.yaml"]
+    environment = [
+      {
+        name = "CW_CONFIG_CONTENT"
+        value = jsonencode({
+          agent = {}
+          traces = {
+            traces_collected = {
+              otlp = {}
+            }
+          }
+        })
+      }
+    ]
     portMappings = [
       {
         containerPort = 4318
@@ -97,7 +109,7 @@ locals {
       options = {
         "awslogs-group"         = var.cloudwatch_logs_group_id
         "awslogs-region"        = data.aws_region.current.name
-        "awslogs-stream-prefix" = "otel-collector"
+        "awslogs-stream-prefix" = "cloudwatch-agent"
       }
     }
   }
diff --git a/terraform/lib/ecs/service/iam.tf b/terraform/lib/ecs/service/iam.tf
@@ -66,10 +66,10 @@ resource "aws_iam_role_policy_attachment" "cloudwatch_logs" {
   policy_arn = aws_iam_policy.cloudwatch_logs.arn
 }
 
-resource "aws_iam_policy" "adot_collector" {
+resource "aws_iam_policy" "cloudwatch_agent" {
   count       = var.opentelemetry_enabled ? 1 : 0
-  name        = "${var.environment_name}-${var.service_name}-adot-collector"
-  description = "ADOT Collector policy for ${var.service_name}"
+  name        = "${var.environment_name}-${var.service_name}-cloudwatch-agent"
+  description = "CloudWatch Agent policy for ${var.service_name}"
   tags        = var.tags
 
   policy = jsonencode({
@@ -79,10 +79,7 @@ resource "aws_iam_policy" "adot_collector" {
         Effect = "Allow"
         Action = [
           "xray:PutTraceSegments",
-          "xray:PutTelemetryRecords",
-          "xray:GetSamplingRules",
-          "xray:GetSamplingTargets",
-          "xray:GetSamplingStatisticSummaries"
+          "xray:PutTelemetryRecords"
         ]
         Resource = "*"
       },
@@ -93,35 +90,21 @@ resource "aws_iam_policy" "adot_collector" {
           "logs:CreateLogStream",
           "logs:CreateLogGroup",
           "logs:DescribeLogStreams",
-          "logs:DescribeLogGroups",
-          "logs:PutRetentionPolicy"
+          "logs:DescribeLogGroups"
         ]
         Resource = [
           "arn:aws:logs:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:log-group:${var.cloudwatch_logs_group_id}:*",
-          "arn:aws:logs:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:log-group:${var.cloudwatch_logs_group_id}:log-stream:*",
-          "arn:aws:logs:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:log-group:/aws/ecs/containerinsights/${var.environment_name}*:*"
+          "arn:aws:logs:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:log-group:${var.cloudwatch_logs_group_id}:log-stream:*"
         ]
-      },
-      {
-        Effect = "Allow"
-        Action = [
-          "cloudwatch:PutMetricData",
-          "ec2:DescribeVolumes",
-          "ec2:DescribeTags",
-          "ecs:ListClusters",
-          "ecs:ListContainerInstances",
-          "ecs:DescribeContainerInstances"
-        ]
-        Resource = "*"
       }
     ]
   })
 }
 
-resource "aws_iam_role_policy_attachment" "adot_collector" {
+resource "aws_iam_role_policy_attachment" "cloudwatch_agent" {
   count      = var.opentelemetry_enabled ? 1 : 0
   role       = aws_iam_role.task_role.name
-  policy_arn = aws_iam_policy.adot_collector[0].arn
+  policy_arn = aws_iam_policy.cloudwatch_agent[0].arn
 }
 
 resource "aws_iam_role_policy_attachment" "task_role_additional" {
diff --git a/terraform/lib/ecs/variables.tf b/terraform/lib/ecs/variables.tf
@@ -141,3 +141,9 @@ variable "container_insights_setting" {
     error_message = "container_insights_setting must be either 'enhanced' or 'disabled'"
   }
 }
+
+variable "lifecycle_events_enabled" {
+  type        = bool
+  default     = false
+  description = "Enable ECS lifecycle events to CloudWatch Logs"
+}

Original file line number	Diff line number	Diff line change
`@@ -141,3 +141,9 @@ variable "container_insights_setting" {`
`141`	`141`	`error_message = "container_insights_setting must be either 'enhanced' or 'disabled'"`
`142`	`142`	`}`
`143`	`143`	`}`
	`144`	`+`
	`145`	`+variable "lifecycle_events_enabled" {`
	`146`	`+ type = bool`
	`147`	`+ default = false`
	`148`	`+ description = "Enable ECS lifecycle events to CloudWatch Logs"`
	`149`	`+}`