ACAI ACF Module: terraform-aws-acf-observability
GitHub Repository | Terraform Registry
Solution
Terraform module to deploy cross-account CloudWatch Observability Access Manager (OAM) resources on AWS.
This module is part of the [ACAI Cloud Foundation (ACF)][acai-docs-url] and enables centralized, cross-account observability by establishing OAM sinks and links across an AWS Organization. It supports sharing CloudWatch Metrics, Log Groups and X-Ray Traces from multiple member accounts into a single monitoring account.
Architecture

Overview
AWS CloudWatch Observability Access Manager (OAM) allows you to link multiple AWS accounts (sources) to a central monitoring account (sink) so that telemetry data - metrics, logs and traces - from all source accounts becomes visible in the monitoring account's CloudWatch console without the need to switch between accounts.
This module automates the setup of that cross-account observability pattern:
| Component | Deployed to | Purpose |
|---|---|---|
| OAM Sink | Monitoring account | Receives shared telemetry from source accounts |
| OAM Link | Each source (member) account | Connects the member to the central sink |
| CloudWatch Dashboard | Monitoring account | Aggregated Lambda Invocations & Errors view |
| Lambda Layer (optional) | Each source (member) account | Standardized logging via ACAI Powertools |
Once deployed, the monitoring account can view Log Groups, Metrics and Traces from all linked member accounts - as shown in the screenshot below where log groups from two member accounts (aws-testbed_core-logging and aws-testbed_core-backup) appear in the monitoring account's CloudWatch console:

Features
- Multi-region deployment - Sink and link resources are deployed to a configurable primary region plus any number of secondary regions.
- OAM Sink with IAM policy - Creates an OAM sink in the monitoring account with a sink policy that authorises specific member accounts to share `CloudWatch::Metric`, `Logs::LogGroup` and `XRay::Trace` resources.
- OAM Link with filtering - Creates OAM links in each member account. Supports optional `log_group_filter` and `metric_filter` to control which telemetry is shared.
- CloudWatch Dashboard - Automatically provisions a cross-account Lambda overview dashboard (Invocations & Errors) in the monitoring account.
- Lambda Layer provisioning (optional) - Deploys a standardised ACAI Powertools Lambda layer across all regions with SSM parameter publication for easy layer discovery.
- Logging Factory - The layer ships with a built-in `logging_factory` module that wraps AWS Lambda Powertools into a single `setup_logging()` call, giving every Lambda a consistent, structured JSON log format out of the box.
- Resource tagging - All resources are tagged with module metadata (`acf_module_provider`, `acf_module_name`, `acf_sub_module_name`, `acf_module_source`) and support custom tags via `resource_tags`.
- ACAI VECTO integration - Ships with CI/CD principal templates (`oam_sink.tftpl`, `oam_member.tftpl`) that VECTO uses to provision pipeline-principals into each member core-account.
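The sink-policy and link-filter pattern described above, written directly against the AWS provider's `aws_oam_sink`, `aws_oam_sink_policy` and `aws_oam_link` resources as an added illustration (this is not the module's own code; the account IDs, provider aliases and filter expressions are placeholders). The point to note is that the sink policy names the allowed member accounts and the permitted `oam:ResourceTypes` explicitly, and the member-side link can further narrow what it shares:

```hcl
# --- Monitoring account: sink plus a least-privilege sink policy ---------
resource "aws_oam_sink" "central" {
  provider = aws.monitoring # assumed provider alias for the monitoring account
  name     = "central-observability-sink"
}

resource "aws_oam_sink_policy" "central" {
  provider        = aws.monitoring
  sink_identifier = aws_oam_sink.central.id

  # Only the listed member accounts may create/update a link to this sink,
  # and only for the telemetry types named in the condition.
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Action    = ["oam:CreateLink", "oam:UpdateLink"]
      Resource  = "*"
      Principal = { AWS = ["111111111111", "222222222222"] } # placeholder member account IDs
      Condition = {
        "ForAllValues:StringEquals" = {
          "oam:ResourceTypes" = [
            "AWS::CloudWatch::Metric",
            "AWS::Logs::LogGroup",
            "AWS::XRay::Trace",
          ]
        }
      }
    }]
  })
}

# --- Member account: link to the sink, sharing only a filtered subset ----
resource "aws_oam_link" "member" {
  provider        = aws.member # assumed provider alias for one member account
  label_template  = "$AccountName"
  resource_types  = ["AWS::CloudWatch::Metric", "AWS::Logs::LogGroup"]
  sink_identifier = aws_oam_sink.central.arn

  link_configuration {
    # Share only Lambda log groups (placeholder filter; adjust per workload).
    log_group_configuration {
      filter = "LogGroupName LIKE '/aws/lambda/%'"
    }
    # Share only the AWS/Lambda metric namespace.
    metric_configuration {
      filter = "Namespace = 'AWS/Lambda'"
    }
  }
}
```

The member link cannot share a resource type the sink policy does not list, so tightening the policy in the monitoring account is the authoritative control; the link filters are a second, source-side narrowing.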