
Monitoring · AWS + GCP

Monitoring platform

A serverless Grafana platform that lives on AWS but watches Google Cloud. Grafana runs on AWS Lambda and reads GCP metrics through Workload Identity Federation, so there is no server to keep alive and no static cross-cloud key to leak.

oidc-provider.tf · the interesting bit

Cross-cloud access, with no static keys

Grafana runs on AWS but reads metrics from Google Cloud, and it does so without a single stored credential. At startup the container writes a GCP external account credential file for the Google SDK to pick up. The SDK signs an AWS STS GetCallerIdentity request with the Lambda role's own session credentials, presents that signed request to the Workload Identity Pool as the subject token, and receives a federated token in return; the federated token is then used to impersonate the bound service account and obtain a short-lived GCP access token.

The Lambda execution role is bound to a GCP service account holding roles/monitoring.viewer, so the AWS identity alone unlocks GCP metrics. Nothing to rotate, and nothing long-lived to leak: the only credentials involved are the Lambda's own session credentials and GCP tokens that expire within an hour. The check that makes this safe sits on the pool provider: its attribute condition and the service account binding must name that one role, otherwise any IAM principal in the AWS account could federate into the pool and read the same metrics.

AWS Lambda role
   └─ SigV4-signed STS GetCallerIdentity request (subject token)
      └─ GCP Workload Identity Pool (token exchange at sts.googleapis.com)
         └─ federated token
            └─ impersonate GCP service account (roles/monitoring.viewer)
               └─ short-lived service account access token
                  └─ Cloud Monitoring API
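As an added example (not the project's oidc-provider.tf), the GCP side of this chain in Terraform: a Workload Identity Pool whose AWS provider accepts one AWS account and one role, a service account limited to roles/monitoring.viewer, the impersonation binding that only that role can use, and the external account document the container writes at startup, rendered here so its fields can be checked against the pool resources. The inputs var.gcp_project_id, var.aws_account_id and var.lambda_role_name, the pool, provider and service account ids, and the resource names are assumptions.

```hcl
# Added example, not the project's oidc-provider.tf.
# Assumed inputs: var.gcp_project_id, var.aws_account_id (12-digit account that
# owns the Lambda) and var.lambda_role_name (name of the Lambda execution role).

resource "google_iam_workload_identity_pool" "aws" {
  project                   = var.gcp_project_id
  workload_identity_pool_id = "aws-monitoring"
  display_name              = "AWS monitoring"
}

resource "google_iam_workload_identity_pool_provider" "aws" {
  project                            = var.gcp_project_id
  workload_identity_pool_id          = google_iam_workload_identity_pool.aws.workload_identity_pool_id
  workload_identity_pool_provider_id = "grafana-lambda"

  # Only GetCallerIdentity results from this AWS account are accepted at all.
  aws {
    account_id = var.aws_account_id
  }

  # GetCallerIdentity returns arn:aws:sts::ACCOUNT:assumed-role/ROLE/SESSION for a
  # Lambda; extract the role name so the condition and binding can name it directly.
  attribute_mapping = {
    "google.subject"     = "assertion.arn"
    "attribute.aws_role" = "assertion.arn.extract('assumed-role/{role}/')"
  }

  # Without this condition every IAM principal in the account could federate
  # into the pool; with it, only the Lambda execution role can.
  attribute_condition = "attribute.aws_role == \"${var.lambda_role_name}\""
}

resource "google_service_account" "grafana" {
  project      = var.gcp_project_id
  account_id   = "grafana-metrics"
  display_name = "Grafana metrics reader"
}

# Read-only on metrics; nothing else in the project.
resource "google_project_iam_member" "grafana_monitoring_viewer" {
  project = var.gcp_project_id
  role    = "roles/monitoring.viewer"
  member  = "serviceAccount:${google_service_account.grafana.email}"
}

# Impersonation is granted to one principalSet: federated identities from this
# pool whose aws_role attribute equals the Lambda role. A federated token holds
# no project permissions by itself; this binding is what turns it into metrics access.
resource "google_service_account_iam_member" "grafana_wif" {
  service_account_id = google_service_account.grafana.name
  role               = "roles/iam.workloadIdentityUser"
  member             = "principalSet://iam.googleapis.com/${google_iam_workload_identity_pool.aws.name}/attribute.aws_role/${var.lambda_role_name}"
}

# The external account document the container writes at startup. environment_id
# "aws1" tells the SDK to sign a GetCallerIdentity request. On Lambda there is no
# instance metadata service: the SDK reads AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY,
# AWS_SESSION_TOKEN and AWS_REGION from the environment, so no url/region_url fields.
locals {
  gcp_credential_config = jsonencode({
    type                              = "external_account"
    audience                          = "//iam.googleapis.com/${google_iam_workload_identity_pool_provider.aws.name}"
    subject_token_type                = "urn:ietf:params:aws:token-type:aws4_request"
    token_url                         = "https://sts.googleapis.com/v1/token"
    service_account_impersonation_url = "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/${google_service_account.grafana.email}:generateAccessToken"
    credential_source = {
      environment_id                 = "aws1"
      regional_cred_verification_url = "https://sts.{region}.amazonaws.com?Action=GetCallerIdentity&Version=2011-06-15"
    }
  })
}
```

Two checks after apply: the provider shown by `gcloud iam workload-identity-pools providers describe` must carry the attribute condition, and a token exchange attempted with any other role in the same AWS account must be rejected by that condition at sts.googleapis.com rather than reach the impersonation step. Inside Grafana, a Cloud Monitoring data source configured for the GCE default service account resolves Application Default Credentials, which is what a GOOGLE_APPLICATION_CREDENTIALS variable pointing at the written file feeds; the Lambda role itself needs no GCP-side permission beyond the binding above.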
lambda_grafana.tf

Serverless Grafana

Grafana ships as a container and runs behind the AWS Lambda Web Adapter, exposed through a Lambda Function URL. There is no instance to keep warm: it scales to zero and bills per request. One consequence worth checking: a Function URL is a public hostname of its own, so keeping CloudFront as the only way in depends on the URL's authorization setting, not on the custom domain.

  • Lambda Web Adapter
  • Function URL
  • 1769 MB (the size at which Lambda allots one full vCPU)
  • 900 s timeout (the Lambda maximum)
database.tf

State and edge

Dashboards and users persist in RDS PostgreSQL over TLS; the client should run in verify-full mode so that it authenticates the RDS endpoint rather than only encrypting the connection. CloudFront with an ACM certificate terminates TLS on the custom domain, and Google OAuth restricts sign-in to the org domain.

  • RDS PostgreSQL 16
  • db.t4g.micro
  • CloudFront + ACM
  • Google OAuth
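An added Terraform sketch of the function and its Grafana settings, not the project's lambda_grafana.tf or database.tf: the points worth checking are the database TLS mode, the OAuth domain restriction with local login switched off, and that the Function URL is not a second, unauthenticated front door beside CloudFront. Assumed: the image in var.grafana_image_uri bundles the Lambda Web Adapter under /opt/extensions and the RDS CA bundle at /etc/grafana/rds-ca.pem; aws_iam_role.grafana_lambda, aws_db_instance.grafana, aws_cloudfront_distribution.grafana (whose origin uses an origin access control of type lambda) and the var.* inputs are defined elsewhere.

```hcl
# Added example, not the project's lambda_grafana.tf / database.tf.
# Assumptions: var.grafana_image_uri bundles the Lambda Web Adapter at
# /opt/extensions/lambda-adapter and the RDS CA bundle at /etc/grafana/rds-ca.pem;
# aws_iam_role.grafana_lambda, aws_db_instance.grafana and
# aws_cloudfront_distribution.grafana are defined elsewhere.

resource "aws_lambda_function" "grafana" {
  function_name = "grafana"
  role          = aws_iam_role.grafana_lambda.arn
  package_type  = "Image"
  image_uri     = var.grafana_image_uri
  memory_size   = 1769 # the size at which Lambda allots exactly one vCPU
  timeout       = 900  # Lambda's maximum

  environment {
    variables = {
      # Lambda Web Adapter: Grafana listens on 3000; hold traffic until /api/health answers.
      AWS_LWA_PORT                 = "3000"
      AWS_LWA_READINESS_CHECK_PATH = "/api/health"

      # Database over TLS. "require" only encrypts; "verify-full" also checks the
      # server certificate against the RDS CA and the hostname, so a spoofed
      # endpoint cannot collect the database password.
      GF_DATABASE_TYPE         = "postgres"
      GF_DATABASE_HOST         = "${aws_db_instance.grafana.address}:5432"
      GF_DATABASE_NAME         = "grafana"
      GF_DATABASE_USER         = "grafana"
      GF_DATABASE_PASSWORD     = var.grafana_db_password
      GF_DATABASE_SSL_MODE     = "verify-full"
      GF_DATABASE_CA_CERT_PATH = "/etc/grafana/rds-ca.pem"

      # Sign-in: Google OAuth only, restricted to the org domain; no password form.
      GF_SERVER_ROOT_URL             = "https://${var.grafana_domain}"
      GF_AUTH_GOOGLE_ENABLED         = "true"
      GF_AUTH_GOOGLE_CLIENT_ID       = var.google_oauth_client_id
      GF_AUTH_GOOGLE_CLIENT_SECRET   = var.google_oauth_client_secret
      GF_AUTH_GOOGLE_ALLOWED_DOMAINS = var.org_domain # without this any Google account can sign in
      GF_AUTH_GOOGLE_ALLOW_SIGN_UP   = "true"         # auto-provision, but only from allowed_domains
      GF_AUTH_DISABLE_LOGIN_FORM     = "true"
      GF_AUTH_BASIC_ENABLED          = "false"
      GF_SECURITY_COOKIE_SECURE      = "true"

      # Where the startup script writes the GCP external account document.
      GOOGLE_APPLICATION_CREDENTIALS = "/tmp/gcp-credentials.json"
    }
  }
}

# A Function URL is a public hostname of its own. With authorization_type = "NONE"
# anyone who learns it talks to Grafana directly and skips CloudFront. AWS_IAM plus
# a resource policy scoped to the distribution keeps CloudFront the only caller.
resource "aws_lambda_function_url" "grafana" {
  function_name      = aws_lambda_function.grafana.function_name
  authorization_type = "AWS_IAM"
}

resource "aws_lambda_permission" "cloudfront_invoke_url" {
  statement_id           = "AllowCloudFrontInvokeFunctionUrl"
  action                 = "lambda:InvokeFunctionUrl"
  function_name          = aws_lambda_function.grafana.function_name
  principal              = "cloudfront.amazonaws.com"
  source_arn             = aws_cloudfront_distribution.grafana.arn
  function_url_auth_type = "AWS_IAM"
}
```

The secrets passed as environment variables here are readable by any principal with lambda:GetFunctionConfiguration; a tighter variant has the startup script fetch them and lets Grafana read them through its `$__file{...}` syntax. After deploy, confirm that a request to the raw `*.lambda-url.*` hostname is refused with 403 and that `select ssl from pg_stat_ssl` on the Grafana connection reports true.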
deploy.yml

IaC and CI/CD, all OIDC

Terraform provisions everything across both clouds, and the pipeline is keyless end to end. GitHub OIDC federates into GCP and assumes an AWS role, so no long-lived cloud credentials ever live in the repo. Because every repository on github.com shares the same OIDC issuer, both trusts must be pinned to this repository's subject claim, not only to the audience.

  • GitHub OIDC to GCP
  • OIDC to AWS role
  • plan on PR
  • approve to apply
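An added example, not the project's deploy.yml or Terraform: the trust relationships behind a keyless pipeline, pinned on both clouds to the repository and, for apply, to the GitHub environment whose required reviewers provide the approval gate. The repository in var.github_repo (owner/name form), the environment name production, the role and pool ids, and google_service_account.terraform are assumptions; the GitHub OIDC provider is assumed to be registered already in the AWS account.

```hcl
# Added example, not the project's Terraform. Assumes var.gcp_project_id,
# var.github_repo = "owner/name", an existing GitHub OIDC provider in the AWS
# account, and google_service_account.terraform defined elsewhere.

data "aws_iam_openid_connect_provider" "github" {
  url = "https://token.actions.githubusercontent.com"
}

# The issuer is shared by every repository on github.com, so an aud check alone
# would let any repository assume the role. The sub claim scopes the trust:
# repo:<owner>/<name>:environment:<env> for jobs under a protected environment,
# repo:<owner>/<name>:pull_request for jobs triggered by a pull request.
locals {
  github_subjects = {
    apply = "repo:${var.github_repo}:environment:production" # minted only after environment approval
    plan  = "repo:${var.github_repo}:pull_request"            # any PR; gets a read-only role
  }
}

data "aws_iam_policy_document" "github_trust" {
  for_each = local.github_subjects

  statement {
    effect  = "Allow"
    actions = ["sts:AssumeRoleWithWebIdentity"]

    principals {
      type        = "Federated"
      identifiers = [data.aws_iam_openid_connect_provider.github.arn]
    }

    condition {
      test     = "StringEquals"
      variable = "token.actions.githubusercontent.com:aud"
      values   = ["sts.amazonaws.com"]
    }

    condition {
      test     = "StringEquals"
      variable = "token.actions.githubusercontent.com:sub"
      values   = [each.value]
    }
  }
}

resource "aws_iam_role" "terraform" {
  for_each             = local.github_subjects
  name                 = "github-terraform-${each.key}"
  assume_role_policy   = data.aws_iam_policy_document.github_trust[each.key].json
  max_session_duration = 3600
}

resource "aws_iam_role_policy_attachment" "plan_readonly" {
  role       = aws_iam_role.terraform["plan"].name
  policy_arn = "arn:aws:iam::aws:policy/ReadOnlyAccess"
}

# GCP side: an OIDC provider for GitHub restricted to this repository, with
# impersonation granted only to the production-environment subject.
resource "google_iam_workload_identity_pool" "github" {
  project                   = var.gcp_project_id
  workload_identity_pool_id = "github"
}

resource "google_iam_workload_identity_pool_provider" "github" {
  project                            = var.gcp_project_id
  workload_identity_pool_id          = google_iam_workload_identity_pool.github.workload_identity_pool_id
  workload_identity_pool_provider_id = "github-actions"

  oidc {
    issuer_uri = "https://token.actions.githubusercontent.com"
  }

  attribute_mapping = {
    "google.subject"       = "assertion.sub"
    "attribute.repository" = "assertion.repository"
  }

  attribute_condition = "attribute.repository == \"${var.github_repo}\""
}

resource "google_service_account_iam_member" "github_apply" {
  service_account_id = google_service_account.terraform.name
  role               = "roles/iam.workloadIdentityUser"
  member             = "principal://iam.googleapis.com/${google_iam_workload_identity_pool.github.name}/subject/repo:${var.github_repo}:environment:production"
}
```

On the workflow side the job needs `permissions: id-token: write`, and the apply job declares `environment: production`, which both makes GitHub wait for the environment's required reviewers and puts that environment into the token's sub claim; aws-actions/configure-aws-credentials and google-github-actions/auth then exchange the token for the role and the service account above. The apply policy attached to the AWS apply role and the GCP roles granted to google_service_account.terraform are left to the reader, since they follow what the stack actually provisions.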