aws-observability
diff --git a/‎docs/eks/multiaccount.md
Lines changed: 119 additions & 0 deletions b/‎docs/eks/multiaccount.md
Lines changed: 119 additions & 0 deletions
diff --git a/‎examples/eks-cross-account-with-central-amp/README.md
Lines changed: 126 additions & 0 deletions b/‎examples/eks-cross-account-with-central-amp/README.md
Lines changed: 126 additions & 0 deletions
diff --git a/‎examples/eks-cross-account-with-central-amp/data.tf
Lines changed: 19 additions & 0 deletions b/‎examples/eks-cross-account-with-central-amp/data.tf
Lines changed: 19 additions & 0 deletions
diff --git a/‎examples/eks-cross-account-with-central-amp/iam.tf
Lines changed: 73 additions & 0 deletions b/‎examples/eks-cross-account-with-central-amp/iam.tf
Lines changed: 73 additions & 0 deletions
@@ -0,0 +1,119 @@
+# AWS EKS Cross Account Observability
+
+This example shows how to use the [AWS Observability Accelerator](https://github.com/aws-observability/terraform-aws-observability-accelerator), with two or more EKS clusters in multiple AWS accounts and verify the collected metrics from all the clusters in the dashboards of a common `Amazon Managed Grafana` workspace in a central monitoring account.
+
+## Prerequisites
+
+#### 1. Cross Account IAM access
+
+In order to create/modify resources across multiple AWS accounts, this Terraform example implements the cross-account IAM role assumption. You will need separate IAM roles in all 3 AWS accounts, and each of these IAM roles should have the below specified trust-relationship so that your local AWS user/role will be able to assume them during the terraform execution.
+
+```
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Effect": "Allow",
+            "Principal": {
+                "AWS": "<local-aws-user/role-arn>"
+            },
+            "Action": "sts:AssumeRole",
+            "Condition": {}
+        }
+    ]
+}
+```
+
+!!! note
+    The IAM roles in Account 1 and Account 2 (EKS cluster accounts) should have permissions to perform kubernetes API operations against your EKS clusters. For more info, please review documentation for [enabling IAM principal access to your clusters](https://docs.aws.amazon.com/eks/latest/userguide/add-user-role.html)
+
+#### 2. EKS clusters in multiple AWS Accounts
+
+Using the example [eks-cluster-with-vpc](https://aws-observability.github.io/terraform-aws-observability-accelerator/helpers/new-eks-cluster/), create two EKS clusters with the below names in two different AWS accounts:
+
+1.  `eks-cluster-1` (Account 1)
+
+2.  `eks-cluster-2` (Account 2)
+
+Update the cluster names and their corresponding region names in the `variables.tf` file along with the corresponding IAM role ARNs that can be assumed by terraform to perform cross-account API operations.
+
+#### 3. Amazon Managed Grafana (AMG) workspace
+
+To run this example you need an existing Amazon Managed Grafana (AMG) workspace. If not, you can create a new AMG workspace by following the [Getting Started with Amazon Managed Grafana](https://docs.aws.amazon.com/grafana/latest/userguide/getting-started-with-AMG.html) documentation.
+
+Add the Grafana Workspace ID and its corresponding region name in the `variables.tf` file along with the corresponding IAM role ARN that can be assumed by terraform to perform cross-account API operations.
+
+!!! note
+    You can obtain the AMG Workspace ID based on its URL. For the URL `https://g-xyz.grafana-workspace.eu-central-1.amazonaws.com`, the workspace ID would be `g-xyz`
+
+
+## Setup
+
+#### 1. Download sources and initialize Terraform
+
+
+```sh
+
+git clone https://github.com/aws-observability/terraform-aws-observability-accelerator.git
+
+cd terraform-aws-observability-accelerator/examples/eks-cross-account-with-central-amp
+
+terraform init
+
+```
+
+#### 2. Deploy
+
+By looking at the `variables.tf`, you will notice there are two EKS clusters targeted for deployment by the names/ids:
+
+1.  `eks-cluster-1`
+
+2.  `eks-cluster-2`
+
+While installing the observability settings for the EKS cluster specified in variable `cluster_one.name`, Terraform also sets up:
+
+* Creates an `Amazon Managed Prometheus Workspace`
+
+* Dashboard folder and files in provided `Amazon Managed Grafana Workspace`
+
+
+!!! warning
+    To override the defaults, create a `terraform.tfvars` and change the default values of the variables.
+
+
+
+Run the following command to deploy
+
+```sh
+
+terraform  apply  --auto-approve
+
+```
+
+
+
+## Verifying Multi Account Observability
+
+
+
+One you have successfully run the above setup, you should be able to see dashboards similar to the images shown below in `Amazon Managed Grafana` workspace.
+
+
+
+You will notice that you are able to use the `cluster` dropdown to filter the dashboards to metrics collected from a specific EKS cluster.
+
+![eks-cross-account-1](https://github.com/veekaly/terraform-aws-observability-accelerator/assets/119073483/96a68eb1-4fb7-4a6b-bd4a-15f4f6ac7565)
+![eks-cross-account-2](https://github.com/veekaly/terraform-aws-observability-accelerator/assets/119073483/1373b834-1082-4a63-98b9-2b90fb32eada)
+
+
+## Cleanup
+
+To clean up entirely, run the following command:
+
+
+
+```sh
+
+terraform  destroy  --auto-approve
+
+```
@@ -0,0 +1,126 @@
+# AWS EKS Cross Account Observability
+
+
+
+This example shows how to use the [AWS Observability Accelerator](https://github.com/aws-observability/terraform-aws-observability-accelerator), with two or more EKS cluster in multiple AWS accounts and verify the collected metrics from all the clusters in the dashboards of a common `Amazon Managed Grafana` workspace in a central monitoring account.
+
+
+
+## Prerequisites
+
+#### 1. Cross Account IAM access
+
+In order to create/modify resources across multiple AWS accounts, this Terraform example implements the cross-account IAM role assumption. You will need separate IAM roles in all 3 AWS accounts, and each of these IAM roles should have the below specified trust-relationship so that your local AWS user/role will be able to assume them during the terraform execution.
+
+```
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Effect": "Allow",
+            "Principal": {
+                "AWS": "<local-aws-user/role-arn>"
+            },
+            "Action": "sts:AssumeRole",
+            "Condition": {}
+        }
+    ]
+}
+```
+
+> [!NOTE]  
+> The IAM roles in Account 1 and Account 2 (EKS cluster accounts) should have permissions to perform kubernetes API operations against your EKS clusters. For more info, please review documentation for [enabling IAM principal access to your clusters](https://docs.aws.amazon.com/eks/latest/userguide/add-user-role.html)
+
+
+#### 2. EKS clusters in multiple AWS Accounts
+
+Using the example [eks-cluster-with-vpc](../../examples/eks-cluster-with-vpc/), create two EKS clusters with the below names in two different AWS accounts:
+
+1.  `eks-cluster-1` (Account 1)
+
+2.  `eks-cluster-2` (Account 2)
+
+Update the cluster names and their corresponding region names in the `variables.tf` file along with the corresponding IAM role ARNs that can be assumed by terraform to perform cross-account API operations.
+
+#### 3. Amazon Managed Grafana (AMG) workspace
+
+To run this example you need an existing Amazon Managed Grafana (AMG) workspace. If not, you can create a new AMG workspace by following the [Getting Started with Amazon Managed Grafana](https://docs.aws.amazon.com/grafana/latest/userguide/getting-started-with-AMG.html) documentation.
+
+Add the Grafana Workspace ID and its corresponding region name in the `variables.tf` file along with the corresponding IAM role ARN that can be assumed by terraform to perform cross-account API operations.
+
+!!! note
+
+You can obtain the AMG Workspace ID based on its URL. For the URL `https://g-xyz.grafana-workspace.eu-central-1.amazonaws.com`, the workspace ID would be `g-xyz`
+
+
+ ## Setup
+
+#### 1. Download sources and initialize Terraform
+
+
+```sh
+
+git  clone  https://github.com/aws-observability/terraform-aws-observability-accelerator.git
+
+cd  terraform-aws-observability-accelerator/examples/eks-cross-account-with-central-amp
+
+terraform  init
+
+```
+
+#### 2. Deploy
+
+By looking at the `variables.tf`, you will notice there are two EKS clusters targeted for deployment by the names/ids:
+
+1.  `eks-cluster-1`
+
+2.  `eks-cluster-2`
+
+While installing the observability settings for the EKS cluster specified in variable `cluster_one.name`, Terraform also sets up:
+
+* Creates an `Amazon Managed Prometheus Workspace`
+
+* Dashboard folder and files in provided `Amazon Managed Grafana Workspace`
+
+
+!!! warning
+
+To override the defaults, create a `terraform.tfvars` and change the default values of the variables.
+
+
+
+Run the following command to deploy
+
+```sh
+
+terraform  apply  --auto-approve
+
+```
+
+
+
+## Verifying Multi Account Observability
+
+
+
+One you have successfully run the above setup, you should be able to see dashboards similar to the images shown below in `Amazon Managed Grafana` workspace.
+
+
+
+You will notice that you are able to use the `cluster` dropdown to filter the dashboards to metrics collected from a specific EKS cluster.
+
+![eks-cross-account-1](https://github.com/veekaly/terraform-aws-observability-accelerator/assets/119073483/96a68eb1-4fb7-4a6b-bd4a-15f4f6ac7565)
+![eks-cross-account-2](https://github.com/veekaly/terraform-aws-observability-accelerator/assets/119073483/1373b834-1082-4a63-98b9-2b90fb32eada)
+
+
+## Cleanup
+
+To clean up entirely, run the following command:
+
+
+
+```sh
+
+terraform  destroy  --auto-approve
+
+```
@@ -0,0 +1,19 @@
+data "aws_eks_cluster_auth" "eks_one" {
+  name     = var.cluster_one.name
+  provider = aws.eks_cluster_one
+}
+
+data "aws_eks_cluster_auth" "eks_two" {
+  name     = var.cluster_two.name
+  provider = aws.eks_cluster_two
+}
+
+data "aws_eks_cluster" "eks_one" {
+  name     = var.cluster_one.name
+  provider = aws.eks_cluster_one
+}
+
+data "aws_eks_cluster" "eks_two" {
+  name     = var.cluster_two.name
+  provider = aws.eks_cluster_two
+}
@@ -0,0 +1,73 @@
+data "aws_caller_identity" "monitoring" {
+  provider = aws.central_monitoring
+}
+
+resource "aws_iam_policy" "irsa_assume_role_policy_one" {
+  provider    = aws.eks_cluster_one
+  name        = "${var.cluster_one.name}-irsa_assume_role_policy"
+  path        = "/"
+  description = "This role allows the IRSA role to assume the cross-account role for AMP access"
+
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Action = [
+          "sts:AssumeRole",
+        ]
+        Effect   = "Allow"
+        Resource = "arn:aws:iam::${data.aws_caller_identity.monitoring.account_id}:role/${local.amp_workspace_alias}-role-for-cross-account"
+      },
+    ]
+  })
+}
+
+resource "aws_iam_policy" "irsa_assume_role_policy_two" {
+  provider    = aws.eks_cluster_two
+  name        = "${var.cluster_two.name}-irsa_assume_role_policy"
+  path        = "/"
+  description = "This role allows the IRSA role to assume the cross-account role for AMP access"
+
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Action = [
+          "sts:AssumeRole",
+        ]
+        Effect   = "Allow"
+        Resource = "arn:aws:iam::${data.aws_caller_identity.monitoring.account_id}:role/${local.amp_workspace_alias}-role-for-cross-account"
+      },
+    ]
+  })
+}
+
+resource "aws_iam_role" "cross_account_amp_role" {
+  provider = aws.central_monitoring
+  name     = "${local.amp_workspace_alias}-role-for-cross-account"
+
+  assume_role_policy = <<EOF
+        {
+            "Version": "2012-10-17",
+            "Statement": [
+                {
+                    "Effect": "Allow",
+                    "Principal": {
+                        "AWS": [
+                            "${module.eks_monitoring_one.adot_irsa_arn}",
+                            "${module.eks_monitoring_two.adot_irsa_arn}"
+                        ]
+                    },
+                    "Action": "sts:AssumeRole",
+                    "Condition": {}
+                }
+            ]
+        }
+    EOF
+}
+
+resource "aws_iam_role_policy_attachment" "role_attach" {
+  provider   = aws.central_monitoring
+  role       = aws_iam_role.cross_account_amp_role.name
+  policy_arn = "arn:aws:iam::aws:policy/AmazonPrometheusRemoteWriteAccess"
+}