AWS

This reference will get you up and running with the Chassy AWS integration

This reference assumes you've already created a Chassy workspace. If you have yet to do this, it is recommended you Create a Workspace first.

The AWS integration is one of a number of Cloud Services Chassy natively supports. By enabling the integration, Chassy is able to import artifacts from specific S3 buckets and publish logs ingested from your machines to S3, Cloudwatch on your behalf automatically.

Only an Admin or Manager is allowed to manage integrations

How to setup AWS integration

On the Chassy console, navigate to the Integrations panel. Here, you will see a list of Chassy's available integrations among which will be the AWS integration.

On clicking Connect, you will be presented with a dialog asking for a client role ARN and providing you with an external ID and account ID.

To continue, you will need to create a new IAM role on AWS. There are multiple ways you can do so.

Create Role

You will need to create a new AWS role using IAM. AWS will ask you which trusted identity type your role should have, and you will need to select "AWS Account".

You will need to specify the account ID and external ID in the configurations for this AWS Account role. You will have to check the require external ID checkbox on the AWS console.

Your configuration for the role should appear as follows:

After selecting Next, you will then be prompted to select what existing permissions you wish to attach to the role. The only permission is AmazonS3ReadOnlyAccess.

After clicking Next, you will be prompted to give your new role a name. You will also be presented with the JSON representation of the new trust policy. The summary should appear as follows:

Give Cloudwatch permissions to role

After creating your role, you will need to also manually create and attach an inline policy of your own. This enables Chassy's log management functionality. First, navigate to your new role. On the permission policies table, select add permissions and select create inline policy.

You will be asked to select a service. Select Cloudwatch Logs. You will need to provide the following permissions:

DescribeLogStreams
GetLogEvents
CreateLogGroup
CreateLogStream
PutLogEvents
PutRetentionPolicy

As shown below:

{ Chuka: More details on this exact policy }

You will need to specify which resources Chassy should have these permissions for. Afterwards, click Next to save your changes.

You will need to create a policy.

resource "aws_iam_policy" "policy"  
  name        = "policy_name"
  path        = "/"
  description = "My Chassy permission policy"

  policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "logs:GetLogEvents",
        "logs:PutLogEvents",
        "logs:CreateLogStream",
        "logs:DescribeLogStreams",
        "logs:PutRetentionPolicy",
        "logs:CreateLogGroup"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}
EOF
}

{ Chuka: Refine terraform instructions }

After creating your role, copy the ARN of the role and paste it into the input on the Chassy console. After clicking connect, you should see a success message and the AWS integration should say "connected" in the Integrations panel.