Hello,

I was looking for an existing CloudWatch module from terraform-aws-modules as I have had great results with your other modules, but noticed that this one is not Verified in the Terraform Registry. Terraform's criteria for verified modules does note that unverified modules may still be of high quality, as I would agree is the case with this one from digging through the code and use of some of your other verified modules.

I will likely use this module regardless, but I was curious if you're aware of why this module isn't verified but a number of your others have been? Module verification is supposedly expanding per the previous link, but the GitHub source for that page hasn't been updated since Sep 15, 2017, so unsure what movement has been made with that from the HashiCorp side since then. Is there anything you're aware of that could help with this process for this and your other currently unverified modules?

Thanks for all of the great contributions to Terraform! Much appreciated!

Is your request related to a new offering from AWS?

Is your request related to a problem? Please describe.

Trying to deploy cloudwatch and fluentd agent in eks cluster for the container insight.

Describe the solution you'd like.

Setting up an container insight on eks cluster through the deployment of cloudwatch agent.

Describe alternatives you've considered.

Followed this code :
https://github.com/kabisa/terraform-aws-eks-cloudwatch

Additional context

Hi, iI am a little new to terraform, can you add an example of how to define an alarm with "metric math", how the expression in the field "metric query" should look like?

Thank you :)

Is your request related to a new offering from AWS?

Is this functionality available in the AWS provider for Terraform? See CHANGELOG.md, too.

• No 🛑: please wait to file a request until the functionality is avaialble in the AWS provider
• Yes ✅: please list the AWS provider version which introduced this functionality

It's not a new feature. And i can't find in CHANGELOG.md when aws_cloudwatch_log_subscription_filter resource was added.

Please consider adding this resource for CloudWatch subscription filter.

Is your request related to a problem? Please describe.

Describe the solution you'd like.

Describe alternatives you've considered.

Additional context

I think the random prefix should be included on this line: https://github.com/terraform-aws-modules/terraform-aws-cloudwatch/blob/master/modules/cis-alarms/main.tf#L98

The alarm doesn't fire for me otherwise when using a random prefix.

Description

CIS Alarms not triggered due to wrong metric name when using name_prefix or use_random_name_prefix pet names

Versions

• Terraform: v1.0.7

• Provider(s): registry.terraform.io/hashicorp/aws v3.66.0

• provider registry.terraform.io/hashicorp/external v2.2.0
• provider registry.terraform.io/hashicorp/local v2.1.0
• provider registry.terraform.io/hashicorp/null v3.1.0
• provider registry.terraform.io/hashicorp/random v3.1.0

Reproduction

Steps to reproduce the behavior:

Setting name_prefix variable

Code Snippet to Reproduce

module "cis_alarms" {
   source  = "terraform-aws-modules/cloudwatch/aws//modules/cis-alarms"
   version = "~> 2.3"
   alarm_actions     = ["your_sns"]
   name_prefix       = "test-"
}

Expected behavior

Expect that Cloudwatch Alarm to change state when metric changes

Actual behavior

Metric in cloudwatch alarms are empty an no alarms are triggered, as the prefixed name is different from the cloudwatch metric name

Terminal Output Screenshot(s)

Additional context

After creating Alarms in cloudwatch we specify created Alarms in scaling policy(step scaling) of the AutoScaling groups.
"Take the action" in Scaling policy is behaving different from one step scaling policy to another.
Expected action is "Add 1 capacity units when 1 <= expression-name < +infinity".
But in some scaling policies it shows as "Add 1 capacity units when 1 <= some-custom-metric < +infinity.
Further we checked in Graphed metrics and noticed that Math expression (ex : app2-scale-out-expression ) was middle of the list which is showing incorrectly in scaling policy of the auto scaling group.
But in the correct scaling policies, Math expression (ex : app1-scale-out-expression) was top most row in the Graph metrics in Cloudwatch Alarm.
How can we set the ordering of expression to be in top most row in the Graph metrics.

module "deploy-cloudwatch-metrics-test-scale-out" {
source = "../../terraform12-modules/aws/cloudwatch/modules/metric-alarm"

alarm_name = test-alarm
alarm_description = "Alarm for test out"
comparison_operator = "GreaterThanThreshold"
evaluation_periods = 1
threshold = 0
datapoints_to_alarm = 1

metric_query = [{
id = "a1"
return_data = true
expression = "IF(m1>70 OR m2<m3 OR AVG(m4)>90, 1, 0)"
label = "app1-scale-out-expression"
},

{
id = "m1"
metric = [{
  namespace   = "AWS/EC2"
  metric_name = "CPUUtilization"
  period      = 300
  threshold   = "70"
  stat        = "Average"

  dimensions = {
    AutoScalingGroupName = module.deploy-asg.this_autoscaling_group_name
  }
}]
}, 

{
id = "m2"
metric = [{
  namespace   = "CWAgent"
  metric_name = "statsd_current_instances"
  current_instances      = 2
  period      = 300
  stat        = "Average"

  dimensions = {
    AutoScalingGroupName = module.deploy-asg.this_autoscaling_group_name
  }
}]
},

{
id = "m3"
metric = [{
  namespace   = "CWAgent"
  metric_name = "statsd_needed_instances"
  needed_instances      = 2
  period      = 300
  stat        = "Average"

  dimensions = {
    AutoScalingGroupName = module.deploy-asg.this_autoscaling_group_name
  }
}]
},

{
id = "m4"
metric = [{
  namespace   = "CWAgent"
  metric_name = "mem_used_percent"
  period      = 300
  stat        = "Average"

  dimensions = {
    AutoScalingGroupName = module.deploy-asg.this_autoscaling_group_name
  }
}]

}]

alarm_actions = [aws_autoscaling_policy.asg-test-scale-out.arn]

tags = {
Project = var.Project
}

}

Terraform version : 12.2

Is your request related to a new offering from AWS?

Is this functionality available in the AWS provider for Terraform? See CHANGELOG.md, too.

• No 🛑: please wait to file a request until the functionality is avaialble in the AWS provider

Is your request related to a problem? Please describe.

There is no db instance identifier property available in the aws-cloudwatch module

Describe the solution you'd like.

A property to declare to specific aws rds instance to apply to cloudwatch monitoring alarm to

Describe alternatives you've considered.

Creating aws cloudwatch alarm on the console

Additional context

None

Description

Hi, i'm using the metric-alarms-by-multiple-dimensions module to create an alarm, code below.

When running plan with this code i've got No changes. Your infrastructure matches the configuration.
Here the logs of the plan:

2023-02-15T14:51:08.427+0100 [INFO]  backend/local: plan calling Plan
2023-02-15T14:51:08.427+0100 [DEBUG] Building and walking plan graph for NormalMode
2023-02-15T14:51:08.428+0100 [DEBUG] ProviderTransformer: "module.kms_api_calls_alarm.aws_cloudwatch_metric_alarm.this (expand)" (*terraform.nodeExpandPlannableResource) needs provider["registry.terraform.io/hashicorp/aws"]
2023-02-15T14:51:08.428+0100 [DEBUG] ReferenceTransformer: "module.kms_api_calls_alarm.var.insufficient_data_actions (expand)" references: []
2023-02-15T14:51:08.428+0100 [DEBUG] ReferenceTransformer: "module.kms_api_calls_alarm.var.evaluate_low_sample_count_percentiles (expand)" references: []
2023-02-15T14:51:08.428+0100 [DEBUG] ReferenceTransformer: "module.kms_api_calls_alarm.var.evaluation_periods (expand)" references: []
2023-02-15T14:51:08.428+0100 [DEBUG] ReferenceTransformer: "module.kms_api_calls_alarm.output.cloudwatch_metric_alarm_ids (expand)" references: [module.kms_api_calls_alarm.aws_cloudwatch_metric_alarm.this (expand)]
2023-02-15T14:51:08.429+0100 [DEBUG] ReferenceTransformer: "module.kms_api_calls_alarm.var.actions_enabled (expand)" references: []
2023-02-15T14:51:08.429+0100 [DEBUG] ReferenceTransformer: "module.kms_api_calls_alarm.var.datapoints_to_alarm (expand)" references: []
2023-02-15T14:51:08.429+0100 [DEBUG] ReferenceTransformer: "module.kms_api_calls_alarm.var.unit (expand)" references: []
2023-02-15T14:51:08.429+0100 [DEBUG] ReferenceTransformer: "module.kms_api_calls_alarm.var.extended_statistic (expand)" references: []
2023-02-15T14:51:08.429+0100 [DEBUG] ReferenceTransformer: "module.kms_api_calls_alarm.var.create_metric_alarm (expand)" references: []
2023-02-15T14:51:08.429+0100 [DEBUG] ReferenceTransformer: "module.kms_api_calls_alarm.var.alarm_description (expand)" references: []
2023-02-15T14:51:08.429+0100 [DEBUG] ReferenceTransformer: "module.kms_api_calls_alarm.var.tags (expand)" references: []
2023-02-15T14:51:08.429+0100 [DEBUG] ReferenceTransformer: "module.kms_api_calls_alarm.var.statistic (expand)" references: []
2023-02-15T14:51:08.429+0100 [DEBUG] ReferenceTransformer: "module.kms_api_calls_alarm.var.comparison_operator (expand)" references: []
2023-02-15T14:51:08.429+0100 [DEBUG] ReferenceTransformer: "module.kms_api_calls_alarm.var.threshold (expand)" references: []
2023-02-15T14:51:08.429+0100 [DEBUG] ReferenceTransformer: "module.kms_api_calls_alarm.var.metric_name (expand)" references: []
2023-02-15T14:51:08.429+0100 [DEBUG] ReferenceTransformer: "module.kms_api_calls_alarm.var.treat_missing_data (expand)" references: []
2023-02-15T14:51:08.429+0100 [INFO]  ReferenceTransformer: reference not found: "each.key"
2023-02-15T14:51:08.429+0100 [INFO]  ReferenceTransformer: reference not found: "each.value"
2023-02-15T14:51:08.429+0100 [DEBUG] ReferenceTransformer: "module.kms_api_calls_alarm.aws_cloudwatch_metric_alarm.this (expand)" references: [module.kms_api_calls_alarm.var.dimensions (expand) module.kms_api_calls_alarm.var.create_metric_alarm (expand) module.kms_api_calls_alarm.var.alarm_actions (expand) module.kms_api_calls_alarm.var.treat_missing_data (expand) module.kms_api_calls_alarm.var.alarm_name (expand) module.kms_api_calls_alarm.var.metric_name (expand) module.kms_api_calls_alarm.var.actions_enabled (expand) module.kms_api_calls_alarm.var.unit (expand) module.kms_api_calls_alarm.var.tags (expand) module.kms_api_calls_alarm.var.comparison_operator (expand) module.kms_api_calls_alarm.var.namespace (expand) module.kms_api_calls_alarm.var.period (expand) module.kms_api_calls_alarm.var.statistic (expand) module.kms_api_calls_alarm.var.ok_actions (expand) module.kms_api_calls_alarm.var.extended_statistic (expand) module.kms_api_calls_alarm.var.evaluate_low_sample_count_percentiles (expand) module.kms_api_calls_alarm.var.insufficient_data_actions (expand) module.kms_api_calls_alarm.var.alarm_description (expand) module.kms_api_calls_alarm.var.evaluation_periods (expand) module.kms_api_calls_alarm.var.threshold (expand) module.kms_api_calls_alarm.var.datapoints_to_alarm (expand) module.kms_api_calls_alarm.var.metric_query (expand)]

Is there any know issue about this module or my code is wrong ?

⚠️ Note

Before you submit an issue, please perform the following first:

1. Remove the local .terraform directory (! ONLY if state is stored remotely, which hopefully you are following that best practice!): rm -rf .terraform/
2. Re-initialize the project root to pull down modules: terraform init
3. Re-attempt your terraform plan or apply and check if the issue still persists

Versions

• Module version [Required]:

• Terraform version: v1.3.3

• Provider version(s): v4.54.0

Reproduction Code [Required]

module "kms_api_calls_alarm" {
  source  = "terraform-aws-modules/cloudwatch/aws//modules/metric-alarms-by-multiple-dimensions"
  version = "4.2.1"

  alarm_name          = "KMS-API-calls"
  alarm_description   = "API calls to KMS API too high"
  comparison_operator = "GreaterThanOrEqualToThreshold"
  evaluation_periods  = 10
  threshold           = 80
  period              = 60

  metric_query = [
    {
      id          = "usage_data"
      return_data = false

      metric = [{
        namespace   = "AWS/Usage"
        metric_name = "CallCount"
        period      = 60
        stat        = "Sum"

        dimensions = {
          Class    = "None"
          Resource = "CryptographicOperationsSymmetric"
          Service  = "KMS"
          Type     = "API"
        }
      }]
    },
    {
      id          = "pct_utilization"
      label       = "% Utilization"
      return_data = true
      expression  = "(usage_data/SERVICE_QUOTA(usage_data))*100"
    }
  ]
}

Steps to reproduce the behavior:
terraform plan

Expected behavior

Should create the cloudwatch resource.

Actual behavior

No changes detected

Terminal Output Screenshot(s)

Additional context

Description

Versions

• Module version [Required]: master

• Terraform version: 1.1.7

• Terragrunt version: 0.36.6

• Provider version(s): 4.40.0

Reproduction Code [Required]

I'm using terragrunt and log-group module. Pretty simple invocation with retention set in local vars.

terraform {
  source = "github.com/terraform-aws-modules/terraform-aws-cloudwatch//modules/log-group"
}

locals {
  c_vars    = read_terragrunt_config(find_in_parent_folders("common.hcl"))
  r_vars    = read_terragrunt_config(find_in_parent_folders("region.hcl"))
  _split = split("-", basename(get_terragrunt_dir()))
  msk       = element(local._split, 1)
  msk_name  = format("%s-%s-%s", local.msk, local.c_vars.inputs.env_name, local.r_vars.inputs.region_name)
  name      = format("/aws/msk/%s/%s/logs", local.c_vars.inputs.env_name, local.msk_name)
  retention = 90
}

include {
  path = find_in_parent_folders()
}

###########################################################
# https://github.com/terraform-aws-modules/terraform-aws-cloudwatch#log-group
###########################################################

inputs = {

  name              = local.name
  retention_in_days = local.retention

  tags = merge(
    local.c_vars.inputs.common_tags,
    local.r_vars.inputs.region_tags,
    {
      # any additional tags
      tg_path = path_relative_to_include()
      "team"  = "whatever"
  })
}

I also tried to use

retention = "90"

And putting retention directly in inputs (without local variable)

Steps to reproduce the behavior:

Using simple terragrunt invocation

Expected behavior

Works ;)

Actual behavior

Throws error on validation

Terminal Output Screenshot(s)

tg apply
INFO[0002] Executing hook: run_info                      prefix=[/msk1-cloudwatch-loggroup]
/Users/XXXX/infra/tg/.tg_cache/tg_download/I0TMVi-HLML49mgav1eObdBWC5E/gyj6zzMWiMFcl5Zj6ZMGNkImpYw/modules/log-group
Acquiring state lock. This may take a few moments...
╷
│ Error: Invalid value for variable
│
│   on variables.tf line 19:
│   19: variable "retention_in_days" {
│
│ Must be 1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731,
│ 1827, 3653 or 0 (zero indicates never expire logs).
│
│ This was checked by the validation rule at variables.tf:24,3-13.
╵

Is your request related to a new offering from AWS?

Is this functionality available in the AWS provider for Terraform? See CHANGELOG.md, too.

• Yes ✅: 5.30.0
  https://registry.terraform.io/providers/hashicorp/aws/5.30.0/docs/resources/cloudwatch_log_group

Is your request related to a problem? Please describe.

Not a problem exactly. This relevant new attribute was announced recently in re:Invent. It can saves costs.

Describe the solution you'd like.

Just a variable to put log_group_class

Is your request related to a new offering from AWS?

Is this functionality available in the AWS provider for Terraform? See CHANGELOG.md, too.

• Yes ✅

Is your request related to a problem? Please describe.

User is unable to register default ok_action and insufficient_data_actions for cis-alarms module

Describe the solution you'd like.

Add 2 more variables ok_action and insufficient_data_actions with default values set to empty list ([]) for backward compatibility. Use provided defaults if they are not explicitly set in default or override controls.

Describe alternatives you've considered.

The workaround is to set these actions for each control separately which is not optimal.

Additional context

There is already a default alarm_actions variable used to provide same functionality for alarm_actions.

Is your request related to a new offering from AWS?

Yes, since v4.40.0: hashicorp/terraform-provider-aws#26752

Is your request related to a problem? Please describe.

The challenge is well described in this issue: hashicorp/terraform-provider-aws#26752

Describe the solution you'd like.

Just supporting this new parameter.

I'm happy to create a PR to support this new parameter.

I am new to terraform world.
I was stuck in variable.tf for number type define.
Can @antonbabenko help me to sort this?

Looks like the ThresholdMetricId is required but the module doesn't support it.
Error: Creating metric alarm failed: ValidationError: ComparisonOperators for ranges require ThresholdMetricId to be set
status code: 400, request id: e863e3a6-aa16-41a5-875c-d363c65c32fb

Currently, when logging into the console via the SAML-authenticated landing page, it will trigger the NoMFAConsoleSignin
event.

Ideally the currenty alarm should check whether SAML provider is defined (or additionalMFA is used):

"{($.eventName = \"ConsoleLogin\") && ($.additionalEventData.MFAUsed != \"Yes\") && ($.responseElements.ConsoleLogin != \"Failure\") && ($.additionalEventData.SamlProviderArn NOT EXISTS) }"

Related links:

• https://github.com/amazon-archives/aws-security-benchmark/blob/master/architecture/create-benchmark-rules.yaml#L1718
• MicrosoftDocs/azure-docs#35206

I have some log groups which are created by aws for the logging of lambda functions. So i wanted to the change the retention policy for the those log groups . I tried to redeploy those lambdas with attached log groups who have the same name as previous and added the retention policy to it. But it failed so I used terraform import to import existing log groups and add retention policy. It worked but it destroyed current log groups and created it again with the updated log retention policy. So I want to know is there is any workaround in this situation?

Is your request related to a problem? Please describe.

The CIS alarm name does not allow for custom prefixes, this creates a problem if you manage multiple accounts and the alarm will not include any information of which account this is coming from.

Describe the solution you'd like.

Add a variable to allow the module user to set the prefix they want so that they can use meaningful names for identification, and not have to rely on random pet names for dynamic alarm names

Describe alternatives you've considered.

Creating multiple receivers, whether it is email/chat groups etc just to separate which alarm is for which account

Additional context

Is your request related to a new offering from AWS?

Is this functionality available in the AWS provider for Terraform? See CHANGELOG.md, too.

• Yes ✅: v3.35.0

Is your request related to a problem? Please describe.

I need to save multiple queries that I use on a regular basis for debugging and investigating deployment logs store in AWS CloudWatch.

Describe the solution you'd like.

Another (sub) module here would fit, that would provide an easy input to create one or multiple CW Query definitions.

Describe alternatives you've considered.

Making my own module and using it.

Additional context

If I were to contribute a PR for this, how should the module be structured to fit in this module group.

Is there any plan for including a module for composite alarms?

https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_composite_alarm

Cross account metric alarms were adding in early August and added to the Terraform provider in v3.54.0

https://aws.amazon.com/about-aws/whats-new/2021/08/announcing-amazon-cloudwatch-cross-account-alarms/
https://github.com/hashicorp/terraform-provider-aws/releases/tag/v3.54.0

• resource/aws_cloudwatch_metric_alarm: Add support for account_id (#20541)

Can we please get the account_id input added.

in the resource as below

metric_query {
    id          = "m1"
    account_id  = "123456789" // <-- new attribute
    return_data = true
    
    metric {
        metric_name = "HealthyHostCount"
        namespace   = "AWS/NetworkELB"
        dimentions  = {
            LoadBalancer = "some nlb"
            TargetGroup  = "some tg"
        }
        period  = 60
        stat    = "average"
    }
}