Initial content and readmes

Split the stack integration role into read+write policies. Fix the PassRole policy.

Gitignore

Delete DS_Store

README corrections

Collect properties in addition to tags.

Update README

Author: alistairjevans

.github/workflows/test.yml

@@ -0,0 +1,26 @@
+name: Tests
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        spec:
+          - spec/lambda/firehose_metrics_tag_enrichment_spec.rb
+          - spec/lambda/firehose_logs_tag_enrichment_spec.rb
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: ruby/setup-ruby@v1
+        with:
+          ruby-version: '3.2'
+          bundler-cache: true
+
+      - name: Run tests
+        run: bundle exec rspec ${{ matrix.spec }} --format documentation

.gitignore

@@ -0,0 +1,5 @@
+# OS
+.DS_Store
+Thumbs.db
+
+.claude/

Gemfile

@@ -0,0 +1,14 @@
+# frozen_string_literal: true
+
+source 'https://rubygems.org'
+
+# Lambda runtime dependencies
+gem 'aws-sdk-ec2'
+gem 'aws-sdk-lambda'
+gem 'aws-sdk-rds'
+gem 'aws-sdk-resourcegroupstaggingapi'
+gem 'rexml' # Required by AWS SDK for XML parsing
+
+group :test do
+  gem 'rspec'
+end

Gemfile.lock

@@ -0,0 +1,61 @@
+GEM
+  remote: https://rubygems.org/
+  specs:
+    aws-eventstream (1.4.0)
+    aws-partitions (1.1200.0)
+    aws-sdk-core (3.241.0)
+      aws-eventstream (~> 1, >= 1.3.0)
+      aws-partitions (~> 1, >= 1.992.0)
+      aws-sigv4 (~> 1.9)
+      base64
+      bigdecimal
+      jmespath (~> 1, >= 1.6.1)
+      logger
+    aws-sdk-ec2 (1.588.0)
+      aws-sdk-core (~> 3, >= 3.241.0)
+      aws-sigv4 (~> 1.5)
+    aws-sdk-lambda (1.172.0)
+      aws-sdk-core (~> 3, >= 3.241.0)
+      aws-sigv4 (~> 1.5)
+    aws-sdk-rds (1.303.0)
+      aws-sdk-core (~> 3, >= 3.241.0)
+      aws-sigv4 (~> 1.5)
+    aws-sdk-resourcegroupstaggingapi (1.90.0)
+      aws-sdk-core (~> 3, >= 3.241.0)
+      aws-sigv4 (~> 1.5)
+    aws-sigv4 (1.12.1)
+      aws-eventstream (~> 1, >= 1.0.2)
+    base64 (0.3.0)
+    bigdecimal (4.0.1)
+    diff-lcs (1.6.2)
+    jmespath (1.6.2)
+    logger (1.7.0)
+    rexml (3.4.4)
+    rspec (3.13.2)
+      rspec-core (~> 3.13.0)
+      rspec-expectations (~> 3.13.0)
+      rspec-mocks (~> 3.13.0)
+    rspec-core (3.13.6)
+      rspec-support (~> 3.13.0)
+    rspec-expectations (3.13.5)
+      diff-lcs (>= 1.2.0, < 2.0)
+      rspec-support (~> 3.13.0)
+    rspec-mocks (3.13.7)
+      diff-lcs (>= 1.2.0, < 2.0)
+      rspec-support (~> 3.13.0)
+    rspec-support (3.13.6)
+
+PLATFORMS
+  arm64-darwin-24
+  ruby
+
+DEPENDENCIES
+  aws-sdk-ec2
+  aws-sdk-lambda
+  aws-sdk-rds
+  aws-sdk-resourcegroupstaggingapi
+  rexml
+  rspec
+
+BUNDLED WITH
+   2.6.9

README.md

@@ -1,2 +1,16 @@
-# aws
-Contains all Better Stack CloudFormation stacks and Lambdas for AWS Integration
+# Better Stack AWS Integration
+
+This repository contains all Better Stack CloudFormation stacks and Lambdas for the Better Stack AWS Integration.
+
+## Getting Started
+
+To get started with Better Stack on AWS, [create a new AWS Source in Better Stack Telemetry](https://telemetry.betterstack.com/team/t0/sources/new?platform=aws).
+
+## Ingested Data
+
+When you deploy our CloudFormation stack you get:
+
+- Automatic ingestion of all CloudWatch metrics into Better Stack.
+  - Support for RDS Enhanced Metrics (RDSOS)
+- Detection and per-log-group optional ingestion of all Cloudwatch log groups.
+- Automatic integration with AWS X-Ray, ingest traces into Better Stack Telemetry and view your traces.

cloudformation/full/README.md

@@ -0,0 +1,190 @@
+# Better Stack CloudWatch Integration
+
+Stream AWS CloudWatch metrics, logs, and optionally X-Ray traces and CloudTrail audit logs to Better Stack via Kinesis Data Firehose.
+
+## Prerequisites
+
+1. **Better Stack Account** - Sign up at [betterstack.com](https://betterstack.com)
+2. **Cluster ID** - Your Better Stack cluster identifier (e.g., `g1`, `s1234`, `acme`)
+3. **Source Token** - Authentication token from Better Stack
+4. **Source ID** - Source ID from Better Stack for resource matching
+5. **AWS CLI** - Configured with appropriate permissions
+
+## Quick Start
+
+### First Region Deployment
+
+```bash
+aws cloudformation deploy \
+  --template-file better-stack-full.yaml \
+  --stack-name better-stack-full \
+  --parameter-overrides \
+    ClusterId=YOUR_CLUSTER_ID \
+    SourceToken=YOUR_SOURCE_TOKEN \
+    SourceId=YOUR_SOURCE_ID \
+  --capabilities CAPABILITY_NAMED_IAM
+```
+
+### Additional Regions
+
+When deploying to additional regions, set `CreateGlobalResources=false` to reuse the IAM roles created in the first region:
+
+```bash
+aws cloudformation deploy \
+  --template-file better-stack-full.yaml \
+  --stack-name better-stack-full \
+  --region us-west-2 \
+  --parameter-overrides \
+    ClusterId=YOUR_CLUSTER_ID \
+    SourceToken=YOUR_SOURCE_TOKEN \
+    SourceId=YOUR_SOURCE_ID \
+    CreateGlobalResources=false \
+  --capabilities CAPABILITY_NAMED_IAM
+```
+
+## Data Flows
+
+| Data Type | Flow |
+|-----------|------|
+| Metrics | CloudWatch Metric Stream (JSON) -> Firehose -> Lambda (enrichment) -> Better Stack |
+| Logs | CloudWatch Logs -> Subscription Filter -> Firehose -> Lambda (enrichment) -> Better Stack |
+| Traces | X-Ray -> CloudWatch Logs (`aws/spans`) -> Subscription Filter -> Better Stack |
+| Audit | CloudTrail -> CloudWatch Logs -> Subscription Filter -> Better Stack |
+
+## Parameters
+
+### Required Parameters
+
+| Parameter | Description |
+|-----------|-------------|
+| `ClusterId` | Your Better Stack cluster ID |
+| `SourceToken` | Better Stack source token for authentication |
+| `SourceId` | Better Stack source ID for resource matching |
+
+### Deployment Options
+
+| Parameter | Default | Description |
+|-----------|---------|-------------|
+| `CreateGlobalResources` | `true` | Create IAM roles. Set to `false` for secondary regions. |
+
+### Feature Toggles
+
+| Parameter | Default | Description |
+|-----------|---------|-------------|
+| `EnableTagEnrichment` | `true` | Enable Lambda-based tag enrichment for metrics and logs |
+| `EnableCloudTrail` | `true` | Create a new CloudTrail trail and forward to Better Stack |
+| `EnableXRayTransactionSearch` | `true` | Enable X-Ray Transaction Search and forward spans |
+
+## CloudTrail Notes
+
+Most AWS accounts already have CloudTrail enabled. Before enabling `EnableCloudTrail=true`, check for existing trails:
+
+```bash
+aws cloudtrail describe-trails
+```
+
+If a trail already exists, you may want to:
+1. Keep `EnableCloudTrail=false` and manually subscribe the existing CloudTrail log group
+2. Or enable it to create a dedicated trail for Better Stack
+
+CloudTrail logs have a 1-day retention in CloudWatch (they are forwarded immediately to Better Stack).
+
+## X-Ray Transaction Search
+
+When `EnableXRayTransactionSearch=true`, the template automatically:
+1. Creates a CloudWatch Logs resource policy allowing X-Ray to write spans
+2. Enables Transaction Search via `AWS::XRay::TransactionSearchConfig`
+3. X-Ray sends trace segments to the `aws/spans` CloudWatch Logs group
+
+No manual steps required - fully automated via CloudFormation.
+
+## Better Stack Integration Role
+
+The template creates a `better-stack-integration-role` IAM role that allows Better Stack to:
+- Read CloudWatch metrics and logs
+- Manage metric streams and log subscriptions
+- Discover AWS resources for context enrichment
+
+After deployment, provide these values to Better Stack:
+- **Role ARN**: From stack output `IntegrationRoleArn`
+- **External ID**: From stack output `ExternalId`
+
+## Tag Enrichment
+
+When `EnableTagEnrichment=true`, Lambda functions enrich metrics and logs with AWS resource tags.
+
+**Metrics enrichment** adds tags from:
+- EC2 instances
+- RDS databases
+- Lambda functions
+- DynamoDB tables
+- S3 buckets
+- ELB/ALB/NLB load balancers
+- SQS queues
+- SNS topics
+
+**Logs enrichment** extracts resource info from log group/stream names:
+- `/aws/lambda/{function-name}` -> Lambda tags
+- `/aws/rds/instance/{db-instance}/{type}` -> RDS tags
+- `RDSOSMetrics` (Enhanced Monitoring) -> RDS tags from message body
+- `/ecs/{cluster}/...` -> ECS tags
+- `/aws/api-gateway/{api-id}` -> API Gateway tags
+
+Lambda code is loaded from regional S3 buckets (`better-stack-lambda-{region}`).
+
+## Stack Outputs
+
+When `CreateGlobalResources=true`, the stack outputs:
+
+| Output | Description |
+|--------|-------------|
+| `IntegrationRoleArn` | STS role ARN to provide to Better Stack |
+| `ExternalId` | External ID to provide to Better Stack |
+
+Better Stack will discover all other resources (Firehose streams, Metric Streams, etc.) via the STS integration role.
+
+## Troubleshooting
+
+### Check Firehose Delivery Errors
+
+```bash
+aws logs filter-log-events \
+  --log-group-name /aws/kinesisfirehose/better-stack-metrics \
+  --start-time $(date -d '1 hour ago' +%s000)
+```
+
+### Check Lambda Errors
+
+```bash
+aws logs filter-log-events \
+  --log-group-name /aws/lambda/better-stack-metrics \
+  --start-time $(date -d '1 hour ago' +%s000)
+```
+
+### Verify Metric Stream Status
+
+```bash
+aws cloudwatch get-metric-stream --name better-stack-metric-stream
+```
+
+## Cleanup
+
+To delete the stack:
+
+```bash
+aws cloudformation delete-stack --stack-name better-stack-full
+```
+
+**Note**: S3 buckets have `DeletionPolicy: Retain` to preserve any failed delivery data and CloudTrail logs. Delete manually if needed:
+
+```bash
+# Delete Firehose backup bucket
+aws s3 rb s3://better-stack-firehose-ACCOUNT_ID-REGION --force
+
+# Delete CloudTrail bucket (if CloudTrail was enabled)
+aws s3 rb s3://better-stack-cloudtrail-ACCOUNT_ID-REGION --force
+```
+
+## Support
+
+For issues or questions, please reach out at hello@betterstack.com