AWSTemplateFormatVersion: '2010-09-09' Description: Regional resources for Splunk AWS Metric Streams Integration. Parameters: SplunkAccessToken: Type: String NoEcho: true Description: "Copy your Splunk Observability access token with INGEST authorization scope from Settings > Access Tokens." SplunkIngestUrl: Type: String Description: "Find the real-time data ingest URL in Profile > Account Settings > Endpoints. Note: do NOT include endpoint path here: for instance use https://ingest.us1.signalfx.com instead of https://ingest.us1.signalfx.com/v1/cloudwatch_metric_stream." Metadata: AWS::CloudFormation::Interface: ParameterGroups: - Label: default: Required Parameters Parameters: - SplunkAccessToken - SplunkIngestUrl ParameterLabels: SplunkAccessToken: default: "Access token" SplunkIngestUrl: default: "Real-time data ingest endpoint" Resources: SplunkMetricStreamsS3: Type: AWS::S3::Bucket Properties: BucketName: !Sub 'splunk-metric-streams-s3-${AWS::AccountId}-${AWS::Region}' SplunkMetricStreamsKinesisFirehoseLogGroup: Type: AWS::Logs::LogGroup Properties: LogGroupName: !Sub '/aws/kinesisfirehose/splunk-metric-streams-${AWS::Region}' RetentionInDays: 14 SplunkMetricStreamsKinesisFirehoseHttpLogStream: Type: AWS::Logs::LogStream Properties: LogStreamName: HttpEndpointDelivery LogGroupName: !Ref SplunkMetricStreamsKinesisFirehoseLogGroup SplunkMetricStreamsS3Role: Type: AWS::IAM::Role Properties: RoleName: !Sub 'splunk-metric-streams-s3-${AWS::Region}' #DO NOT CHANGE the role name unless you are also going to change the AWS IAM policy used by the CloudWatch Metric Streams AssumeRolePolicyDocument: Version: 2012-10-17 Statement: - Effect: Allow Principal: Service: - firehose.amazonaws.com Action: - 'sts:AssumeRole' Policies: - PolicyName: s3_access PolicyDocument: Version: 2012-10-17 Statement: - Effect: Allow Action: - 's3:AbortMultipartUpload' - 's3:GetBucketLocation' - 's3:GetObject' - 's3:ListBucket' - 's3:ListBucketMultipartUploads' - 's3:PutObject' Resource: - !Sub '${SplunkMetricStreamsS3.Arn}' - !Sub '${SplunkMetricStreamsS3.Arn}/*' - PolicyName: logs_access PolicyDocument: Version: 2012-10-17 Statement: - Effect: Allow Action: - 'logs:PutLogEvents' Resource: !Sub '${SplunkMetricStreamsKinesisFirehoseLogGroup.Arn}' Description: 'A role for Kinesis Firehose including the permissions to store failed requests in S3 and output logs' SplunkMetricStreamsKinesisFirehose: Type: AWS::KinesisFirehose::DeliveryStream Properties: DeliveryStreamType: DirectPut DeliveryStreamName: !Sub 'splunk-metric-streams-${AWS::Region}' HttpEndpointDestinationConfiguration: RoleARN: !GetAtt SplunkMetricStreamsS3Role.Arn BufferingHints: IntervalInSeconds: 60 SizeInMBs: 1 EndpointConfiguration: AccessKey: !Ref SplunkAccessToken Url: !Sub '${SplunkIngestUrl}/v1/cloudwatch_metric_stream' RequestConfiguration: ContentEncoding: GZIP S3BackupMode: FailedDataOnly S3Configuration: BucketARN: !GetAtt SplunkMetricStreamsS3.Arn CompressionFormat: GZIP RoleARN: !GetAtt SplunkMetricStreamsS3Role.Arn CloudWatchLoggingOptions: Enabled: true LogGroupName: !Ref SplunkMetricStreamsKinesisFirehoseLogGroup LogStreamName: !Ref SplunkMetricStreamsKinesisFirehoseHttpLogStream CloudWatchLoggingOptions: Enabled: true LogGroupName: !Ref SplunkMetricStreamsKinesisFirehoseLogGroup LogStreamName: !Ref SplunkMetricStreamsKinesisFirehoseHttpLogStream Tags: - Key: splunk-metric-streams-firehose Value: !Sub '${AWS::Region}' SplunkMetricStreamRole: Type: AWS::IAM::Role Properties: RoleName: !Sub 'splunk-metric-streams-${AWS::Region}' #DO NOT CHANGE the role name unless you are also going to change the AWS IAM policy used by the CloudWatch Metric Streams AssumeRolePolicyDocument: Version: 2012-10-17 Statement: - Effect: Allow Principal: Service: - streams.metrics.cloudwatch.amazonaws.com Action: - 'sts:AssumeRole' Path: / Policies: - PolicyName: firehose_put PolicyDocument: Version: 2012-10-17 Statement: - Effect: Allow Action: - 'firehose:PutRecord' - 'firehose:PutRecordBatch' Resource: !GetAtt SplunkMetricStreamsKinesisFirehose.Arn Description: 'A role that allows CloudWatch MetricStreams to publish to Kinesis Firehose' Tags: - Key: splunk-metric-streams-role Value: !Sub '${AWS::Region}'