CloudWatch Agent on EC2 with Terraform



If you want to follow this guide, make sure you have the following tools installed and configured:-

Prepare Main Terraform Script

Using Visual Studio Code, create a new working folder and create , filling in the following details:-

  1. Create a local variable that loads the user data with the templatefile function, so that the SSM parameter name can be substituted into the script.
  2. Create one EC2 resource using an AMI from ap-southeast-1, attach the instance profile, and take user_data from the local variable.
  3. Create an SSM Parameter resource whose value is loaded from the file cw_agent_config.json.

Prepare Instance Profile Terraform Script

To keep things simple we will not attach an SSH key pair to the EC2 instance; instead we log in with Session Manager, a capability of AWS Systems Manager that opens a shell to the instance through the SSM agent, with no inbound port and no private key to manage. Read here for more detail.

  1. Create one instance profile; its reference name must match the one used in the previous Terraform script.
  2. Create policy attachments for AmazonEC2RoleforSSM, which lets the SSM agent on the instance talk to Systems Manager (AWS now recommends AmazonSSMManagedInstanceCore for this), and CloudWatchAgentServerPolicy, which lets the CloudWatch agent publish to CloudWatch.
  3. Create a custom role policy that allows the ssm:GetParameter API call. We need this permission because the CloudWatch agent loads its configuration from Parameter Store with that action, and AmazonEC2RoleforSSM does not include it. Note that CloudWatchAgentServerPolicy already grants ssm:GetParameter on parameters whose names start with AmazonCloudWatch-, so the custom policy is only required when your parameter is named differently; either way, scope it to the parameter's ARN rather than to *.
  4. Lastly, the script creates the assume role (trust) policy for .
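The two Terraform scripts described above, written out as an added example (this is not the article's own code). Assumed names: the parameter AmazonCloudWatch-linux, the files user_data.sh.tpl and cw_agent_config.json, and the resource names. It uses AmazonSSMManagedInstanceCore in place of AmazonEC2RoleforSSM, requires IMDSv2 on the instance, and grants ssm:GetParameter on the single parameter ARN instead of *.

```hcl
# main.tf -- added example, not the article's own script.
# Assumed names: "AmazonCloudWatch-linux" (parameter), user_data.sh.tpl, cw_agent_config.json.
provider "aws" {
  region = "ap-southeast-1"
}

locals {
  cw_agent_param_name = "AmazonCloudWatch-linux"
  # The template receives the parameter name, so the agent start command in user data
  # always points at the parameter Terraform actually created.
  user_data = templatefile("${path.module}/user_data.sh.tpl", {
    cw_agent_param_name = local.cw_agent_param_name
  })
}

# Current Amazon Linux 2 AMI for the provider region, read from the AWS public SSM parameter.
data "aws_ssm_parameter" "al2_ami" {
  name = "/aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-gp2"
}

resource "aws_instance" "app" {
  ami                  = data.aws_ssm_parameter.al2_ami.value
  instance_type        = "t3.micro"
  iam_instance_profile = aws_iam_instance_profile.ec2.name
  user_data            = local.user_data
  # No key_name: the only way in is Session Manager.

  # IMDSv2 only, so an SSRF in the workload cannot fetch the role credentials with a plain GET.
  metadata_options {
    http_endpoint = "enabled"
    http_tokens   = "required"
  }

  tags = { Name = "cw-agent-demo" }
}

resource "aws_ssm_parameter" "cw_agent" {
  name  = local.cw_agent_param_name
  type  = "String"
  value = file("${path.module}/cw_agent_config.json")
}

# iam.tf -- instance profile, managed policies and the scoped GetParameter grant.
data "aws_iam_policy_document" "ec2_assume" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["ec2.amazonaws.com"]
    }
  }
}

resource "aws_iam_role" "ec2" {
  name               = "cw-agent-demo-ec2"
  assume_role_policy = data.aws_iam_policy_document.ec2_assume.json
}

resource "aws_iam_instance_profile" "ec2" {
  name = "cw-agent-demo-ec2"
  role = aws_iam_role.ec2.name
}

# AmazonSSMManagedInstanceCore is what AWS now recommends in place of AmazonEC2RoleforSSM;
# both let the SSM agent register with Systems Manager so Session Manager works.
resource "aws_iam_role_policy_attachment" "ssm" {
  role       = aws_iam_role.ec2.name
  policy_arn = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
}

resource "aws_iam_role_policy_attachment" "cw_agent" {
  role       = aws_iam_role.ec2.name
  policy_arn = "arn:aws:iam::aws:policy/CloudWatchAgentServerPolicy"
}

# ssm:GetParameter on this one parameter only, not on "*": the agent config is the only
# parameter this instance needs to read.
data "aws_iam_policy_document" "cw_config_read" {
  statement {
    actions   = ["ssm:GetParameter"]
    resources = [aws_ssm_parameter.cw_agent.arn]
  }
}

resource "aws_iam_role_policy" "cw_config_read" {
  name   = "read-cw-agent-config"
  role   = aws_iam_role.ec2.id
  policy = data.aws_iam_policy_document.cw_config_read.json
}
```

Because the parameter is named AmazonCloudWatch-linux, CloudWatchAgentServerPolicy alone would already let the agent read it; the inline policy is kept so the example also works for any other parameter name, and it is the pattern to copy if the name changes.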

Create the Cloudwatch Agent Configuration file

At this step, we create the CloudWatch Agent configuration file. The config tells the agent which metrics to collect, how often, and which log files to ship to CloudWatch Logs.
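A worked configuration, added here as an example rather than the article's cw_agent_config.json. Instead of loading a JSON file with file(), it defines the same content with Terraform's jsonencode, so a structural mistake is caught by terraform validate before the agent ever sees it. Assumed names: the parameter AmazonCloudWatch-linux and the log group prefix /ec2/cw-agent-demo.

```hcl
# cw_agent_config.json expressed as Terraform jsonencode (added example, not the article's file).
# Assumed names: parameter AmazonCloudWatch-linux, log group prefix /ec2/cw-agent-demo.
resource "aws_ssm_parameter" "cw_agent" {
  name = "AmazonCloudWatch-linux"
  type = "String"
  value = jsonencode({
    agent = {
      metrics_collection_interval = 60
    }
    metrics = {
      namespace = "CWAgent"
      # "$$" is the HCL escape: the agent must receive the literal text ${aws:InstanceId}.
      append_dimensions = { InstanceId = "$${aws:InstanceId}" }
      metrics_collected = {
        # Only what the default EC2 metrics do not already give you:
        # memory and disk usage are invisible to CloudWatch without the agent.
        mem = { measurement = ["mem_used_percent"] }
        disk = {
          resources                = ["/"]
          measurement              = ["used_percent", "inodes_free"]
          ignore_file_system_types = ["sysfs", "devtmpfs"]
        }
      }
    }
    logs = {
      logs_collected = {
        files = {
          collect_list = [
            {
              # sshd and sudo events on Amazon Linux: get this off the host before an intruder can clear it.
              file_path         = "/var/log/secure"
              log_group_name    = "/ec2/cw-agent-demo/secure"
              log_stream_name   = "{instance_id}"
              retention_in_days = 90
            },
            {
              file_path         = "/var/log/user-data.log"
              log_group_name    = "/ec2/cw-agent-demo/user-data"
              log_stream_name   = "{instance_id}"
              retention_in_days = 14
            },
          ]
        }
      }
    }
  })
}
```

Two caveats when the config lives in Parameter Store: a Standard-tier parameter holds at most 4 KB (Advanced tier 8 KB), so a large collect_list may not fit; and every metric you add under metrics_collected is billed as a custom metric, so list only what you will alert on.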

Create User Data to initialize the EC2

Lastly, we create a user data file that initializes the EC2 instance. Create a file under the root folder with this content:-

  1. Send all output to the specified log location.
  2. Update the machine with yum.
  3. Download the CloudWatch agent package from AWS and install it.
  4. Lastly, start the CloudWatch agent and tell it to fetch its configuration from SSM. As noted for the first Terraform script, the user data is loaded with templatefile, so Terraform substitutes our SSM parameter name into this command.
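The user data script, shown as an added example after templatefile has rendered it (it is not the article's file). Assumed: the parameter name AmazonCloudWatch-linux and the template variable cw_agent_param_name. It adds one step the four-item list does not mention: the downloaded RPM is checked against the detached signature AWS publishes before it is installed as root.

```shell
#!/bin/bash
# user_data.sh.tpl after rendering (added example, not the article's file).
# In the template the first assignment reads CW_AGENT_PARAM="${cw_agent_param_name}"; every other
# line avoids the ${...} shell form so Terraform's templatefile does not try to interpolate it.
set -eu

CW_AGENT_PARAM="AmazonCloudWatch-linux"
AGENT_BASE_URL="https://amazoncloudwatch-agent.s3.amazonaws.com"
AGENT_CTL="/opt/aws/amazon-cloudwatch-agent/bin/amazon-cloudwatch-agent-ctl"

# Arguments that make the agent pull its configuration from Parameter Store and start with it.
cw_agent_fetch_args() {
  echo "-a fetch-config -m ec2 -s -c ssm:$1"
}

# CloudWatchAgentServerPolicy only allows ssm:GetParameter on parameters named AmazonCloudWatch-*;
# any other name relies on the custom policy from the IAM script. Returns 0 when the managed policy covers it.
cw_param_covered_by_managed_policy() {
  case "$1" in
    AmazonCloudWatch-*) return 0 ;;
    *)                  return 1 ;;
  esac
}

install_agent() {
  local tmp
  tmp=$(mktemp -d)
  curl -fsSL -o "$tmp/agent.rpm"     "$AGENT_BASE_URL/amazon_linux/amd64/latest/amazon-cloudwatch-agent.rpm"
  curl -fsSL -o "$tmp/agent.rpm.sig" "$AGENT_BASE_URL/amazon_linux/amd64/latest/amazon-cloudwatch-agent.rpm.sig"
  curl -fsSL -o "$tmp/aws.gpg"       "$AGENT_BASE_URL/assets/amazon-cloudwatch-agent.gpg"
  gpg --import "$tmp/aws.gpg"
  # Fail closed: with set -e an unsigned or tampered package never reaches rpm.
  # The first time, compare the imported key's fingerprint with the one in the CloudWatch agent docs.
  gpg --verify "$tmp/agent.rpm.sig" "$tmp/agent.rpm"
  rpm -U "$tmp/agent.rpm"
  rm -rf "$tmp"
}

main() {
  exec >>/var/log/user-data.log 2>&1   # 1. everything cloud-init runs here lands in one log
  yum -y update                        # 2. patch the image before the workload starts
  install_agent                        # 3. download, verify and install the agent
  if ! cw_param_covered_by_managed_policy "$CW_AGENT_PARAM"; then
    echo "note: $CW_AGENT_PARAM is not under AmazonCloudWatch-*, the custom ssm:GetParameter policy is required"
  fi
  # shellcheck disable=SC2046 -- the argument list is fixed and contains no spaces
  "$AGENT_CTL" $(cw_agent_fetch_args "$CW_AGENT_PARAM")   # 4. start with the config from SSM
}

# cloud-init runs user data as root on the instance; sourcing the file anywhere else only defines the helpers.
if [ "$(id -u)" -eq 0 ] && [ -d /var/lib/cloud/instance ]; then
  main
fi
```

The log file the script writes to is the second entry in the agent configuration's collect_list, so a failed bootstrap shows up in CloudWatch Logs rather than only in the instance's system log.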

Run and verify your

At this step, simply execute the following commands:

terraform init
terraform plan
terraform apply --auto-approve
  1. Click the Connect button in the EC2 console and choose the Session Manager tab; a shell opens without any SSH key. Once inside, the agent's metrics appear in the CloudWatch console under the CWAgent namespace after a minute or two.


In this article we used Terraform to build an EC2 instance with Session Manager permissions and a CloudWatch Agent that collects non-default metrics; with extra configuration, the agent can also push custom logs to a CloudWatch Log Group. When you configure the CloudWatch Agent, collect only the metrics that matter to you, because custom metrics and log ingestion are not free of charge; please refer here to understand CloudWatch pricing.



Jazz Tong