dev-resources.site
for different kinds of informations.
Config AWS Cloudwatch Application Signals Transaction Search with CDK
Published at
1/11/2025
Categories
awsapplicationsignals
cdk
cloudwatch
transactionsearch
Author
johanneskonings
Author
15 person written this
johanneskonings
open
Use case
You want to use AWS Cloudwatch Application Signals Transaction Search and your IaC is based on AWS CDK.
Setup
This is how the Transaction Search page looks like, if it's not yet configured:
And like this in the x-ray settings:
The AWS documentation outlines the steps to enable Transaction Search functionality here: https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch-Transaction-Search-getting-started.html#w24aac24c21c13b9
While the documentation provides AWS CLI commands, we can implement the same configuration using AWS CDK Custom Resources for infrastructure as code.
The whole configuration looks like this:
const { account, region } = Stack.of(this);
// https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch-Transaction-Search-getting-started.html#w24aac24c21c13b9
const applicationSignalsTransactionSearchLogsResourcePolicy =
new AwsCustomResource(
this,
"ApplicationSignalsTransactionSearchLogsResourcePolicy",
{
onCreate: {
service: "@aws-sdk/client-cloudwatch-logs",
action: "PutResourcePolicy",
parameters: {
policyName:
"ApplicationSignalsTransactionSearchLogsResourcePolicy",
policyDocument: JSON.stringify({
Version: "2012-10-17",
Statement: [
{
Sid: "TransactionSearchXRayAccess",
Effect: "Allow",
Principal: {
Service: "xray.amazonaws.com",
},
Action: ["logs:PutLogEvents", "logs:CreateLogStream"],
Resource: [
`arn:aws:logs:${region}:${account}:log-group:aws/spans:*`,
`arn:aws:logs:${region}:${account}:log-group:/aws/application-signals/data:*`,
],
Condition: {
ArnLike: {
"aws:SourceArn": `arn:aws:xray:${region}:${account}:*`,
},
StringEquals: {
"aws:SourceAccount": account,
},
},
},
],
}),
},
physicalResourceId: PhysicalResourceId.of(
"ApplicationSignalsTransactionSearchLogsResourcePolicy",
),
},
policy: AwsCustomResourcePolicy.fromSdkCalls({
resources: AwsCustomResourcePolicy.ANY_RESOURCE,
}),
},
);
const applicationSignalsTransactionSearchXraySegmentDestination =
new AwsCustomResource(
this,
"ApplicationSignalsTransactionSearchXraySegmentDestination",
{
onCreate: {
service: "@aws-sdk/client-xray",
action: "UpdateTraceSegmentDestination",
parameters: {
Destination: "CloudWatchLogs",
},
physicalResourceId: PhysicalResourceId.of(
"ApplicationSignalsTransactionSearchXraySegmentDestination",
),
},
installLatestAwsSdk: true,
policy: AwsCustomResourcePolicy.fromStatements([
new PolicyStatement({
effect: Effect.ALLOW,
actions: ["logs:PutRetentionPolicy"],
resources: [
`arn:aws:logs:${region}:${account}:log-group:aws/spans:log-stream:`,
],
}),
new PolicyStatement({
effect: Effect.ALLOW,
actions: ["xray:UpdateTraceSegmentDestination"],
resources: ["*"],
}),
]),
},
);
applicationSignalsTransactionSearchXraySegmentDestination.node.addDependency(
applicationSignalsTransactionSearchLogsResourcePolicy,
);
const applicationSignalsTransactionSearchXrayIndexRule =
new AwsCustomResource(
this,
"ApplicationSignalsTransactionSearchXrayIndexRule",
{
onCreate: {
service: "@aws-sdk/client-xray",
action: "UpdateIndexingRule",
parameters: {
Name: "Default",
Rule: {
Probabilistic: {
DesiredSamplingPercentage: 100,
},
},
},
physicalResourceId: PhysicalResourceId.of(
"ApplicationSignalsTransactionSearchXrayIndexRule",
),
},
installLatestAwsSdk: true,
policy: AwsCustomResourcePolicy.fromSdkCalls({
resources: AwsCustomResourcePolicy.ANY_RESOURCE,
}),
},
);
NagSuppressions.addResourceSuppressions(
[
applicationSignalsTransactionSearchXraySegmentDestination,
applicationSignalsTransactionSearchLogsResourcePolicy,
applicationSignalsTransactionSearchXrayIndexRule,
],
[
{
id: "AwsSolutions-IAM5",
reason: "CDK managed policy",
},
],
true,
);
}
It contains the following steps:
- Update the Cloudwatch Logs Resource Policy
- Update the x-ray settings
Update the Cloudwatch Logs Resource Policy
The documentation here is a little bit misleading. The shown condition arn:partition:logs:region:account-id:* should be arn:partition:xray:region:account-id:*. Also the action logs:PutLogEvents should be logs:PutLogEvents and logs:CreateLogStream.
const applicationSignalsTransactionSearchLogsResourcePolicy =
new AwsCustomResource(
this,
"ApplicationSignalsTransactionSearchLogsResourcePolicy",
{
onCreate: {
service: "@aws-sdk/client-cloudwatch-logs",
action: "PutResourcePolicy",
parameters: {
policyName:
"ApplicationSignalsTransactionSearchLogsResourcePolicy",
policyDocument: JSON.stringify({
Version: "2012-10-17",
Statement: [
{
Sid: "TransactionSearchXRayAccess",
Effect: "Allow",
Principal: {
Service: "xray.amazonaws.com",
},
Action: ["logs:PutLogEvents", "logs:CreateLogStream"],
Resource: [
`arn:aws:logs:${region}:${account}:log-group:aws/spans:*`,
`arn:aws:logs:${region}:${account}:log-group:/aws/application-signals/data:*`,
],
Condition: {
ArnLike: {
"aws:SourceArn": `arn:aws:xray:${region}:${account}:*`,
},
StringEquals: {
"aws:SourceAccount": account,
},
},
},
],
}),
},
physicalResourceId: PhysicalResourceId.of(
"ApplicationSignalsTransactionSearchLogsResourcePolicy",
),
},
policy: AwsCustomResourcePolicy.fromSdkCalls({
resources: AwsCustomResourcePolicy.ANY_RESOURCE,
}),
},
);
Update the x-ray settings
The 2 API calls for x-ray are nearly straight forward. Only the comamnds UpdateTraceSegmentDestination and UpdateIndexingRule requires the newest SDK version, because it's introduced in version: https://github.com/aws/aws-sdk-js-v3/releases/tag/v3.698.0
const applicationSignalsTransactionSearchXraySegmentDestination =
new AwsCustomResource(
this,
"ApplicationSignalsTransactionSearchXraySegmentDestination",
{
onCreate: {
service: "@aws-sdk/client-xray",
action: "UpdateTraceSegmentDestination",
parameters: {
Destination: "CloudWatchLogs",
},
physicalResourceId: PhysicalResourceId.of(
"ApplicationSignalsTransactionSearchXraySegmentDestination",
),
},
installLatestAwsSdk: true,
policy: AwsCustomResourcePolicy.fromStatements([
new PolicyStatement({
effect: Effect.ALLOW,
actions: ["logs:PutRetentionPolicy"],
resources: [
`arn:aws:logs:${region}:${account}:log-group:aws/spans:log-stream:`,
],
}),
new PolicyStatement({
effect: Effect.ALLOW,
actions: ["xray:UpdateTraceSegmentDestination"],
resources: ["*"],
}),
]),
},
);
applicationSignalsTransactionSearchXraySegmentDestination.node.addDependency(
applicationSignalsTransactionSearchLogsResourcePolicy,
);
const applicationSignalsTransactionSearchXrayIndexRule =
new AwsCustomResource(
this,
"ApplicationSignalsTransactionSearchXrayIndexRule",
{
onCreate: {
service: "@aws-sdk/client-xray",
action: "UpdateIndexingRule",
parameters: {
Name: "Default",
Rule: {
Probabilistic: {
DesiredSamplingPercentage: 100,
},
},
},
physicalResourceId: PhysicalResourceId.of(
"ApplicationSignalsTransactionSearchXrayIndexRule",
),
},
installLatestAwsSdk: true,
policy: AwsCustomResourcePolicy.fromSdkCalls({
resources: AwsCustomResourcePolicy.ANY_RESOURCE,
}),
},
);
Result
After some minutes the Transaction Search is visible in the Management Console.
cdk Article's
30 articles in total
Invoking Private API Gateway Endpoints From Step Functions
read article
Automating Cross-Account CDK Bootstrapping Using AWS Lambda
read article
Deploy de NextJS utilizando CDK
read article
Config AWS Cloudwatch Application Signals Transaction Search with CDK
currently reading
[Solved] AWS Resource limit exceeded
read article
Create a cross-account glue Job using AWS CDK
read article
Enabling Decorators for Lambda Functions with CDK in an Nx Monorepo
read article
Run vs code on a private AWS ec2 instance without ssh (with AWS CDK examples)
read article
Config AWS Cloudwatch Application Signals for NodeJs Lambda with CDK
read article
Deploying a Simple Static Website on AWS with CDK and TypeScript
read article
AWS Architectural Diagrams on a Commit Base: Using AWS PDK Diagram Plugin with Python
read article
AWS CDK Aspects specifications have changed
read article
Relative Python imports in a Dockerized lambda function
read article
Building Scalable Infrastructure with AWS CDK: A Developerโs Guide to Best Practices
read article
API Gateway integration with AWS Services.
read article
DevSecOps with AWS- IaC at scale - Building your own platform โ Part 3 - Pipeline as a Service
read article
AWS Cloud Development Kit (CDK) vs. Terraform
read article
Query your EventBridge Scheduled Events in DynamoDB
read article
AWS CDK context validation
read article
How to combine SQS and SNS to implement multiple Consumers (Part 2)
read article
Serverless Code-Signing (EV) with KMS and Fargate
read article
How to build an API with Lambdas, API Gateway and deploy with AWS CDK
read article
The Journey of CDK.dev: From Static Site to Bluesky
read article
Create an Asset Store with a Custom Domain using AWS CDK, Route53, S3 and CloudFront
read article
Crafting a Scalable Node.js API: Insights from My RealWorld Project with Express, Knex, and AWS CDK
read article
Techniques to Save Costs Using AWS Lambda Functions with CDK
read article
Deploy a Docker Image to ECS with Auto Scaling Using AWS CDK in Minutes
read article
AWS CDK + Localstack (API Gateway, Lambda, SQS, DynamoDB,TypeScript)
read article
Simplifying Cloud Infrastructure with AWS CDK
read article
Effortless Debugging: AWS CDK TypeScript Projects in VSCode
read article
Featured ones: