
@jorgeancal
Last active October 12, 2023 13:01
Create a Centralised AWS Monitoring Account.
# Region the provider is configured for. Nothing in this file references it.
data "aws_region" "this" {}

# Organization that the applying account belongs to. Its id feeds the
# aws:PrincipalOrgID condition in the sink policy document.
data "aws_organizations_organization" "current" {}
# CloudWatch Observability Access Manager sink in the monitoring account.
# Who may link to it is decided by the sink policy attached separately,
# not by this resource.
resource "aws_oam_sink" "monitoring_account_oam_sink" {
  name = "AWSoamSinkObservabilityMonitoring"
}
# Attaches the rendered IAM policy document to the sink as its resource policy.
resource "aws_oam_sink_policy" "monitoring_account_oam_sink_policy" {
  policy          = data.aws_iam_policy_document.monitoring_account_oam_sink_policy.json
  sink_identifier = aws_oam_sink.monitoring_account_oam_sink.id
}
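# Resource policy for the OAM sink: controls which principals may create or
# update a link to the sink and which telemetry types a link may share.
data "aws_iam_policy_document" "monitoring_account_oam_sink_policy" {
  statement {
    effect    = "Allow"
    actions   = ["oam:CreateLink", "oam:UpdateLink"]
    resources = ["*"]

    # Wildcard principal: the statement names no account, so the
    # aws:PrincipalOrgID condition below is the only control on who can link.
    # Dropping or loosening that condition would accept link requests from
    # principals outside the organization.
    principals {
      type        = "*"
      identifiers = ["*"]
    }

    # Every resource type a link asks to share must be in this list.
    # NOTE(review): ForAllValues also matches a request that carries no values
    # for the key; confirm OAM always populates oam:ResourceTypes.
    condition {
      test     = "ForAllValues:StringEquals"
      variable = "oam:ResourceTypes"
      values   = ["AWS::Logs::LogGroup", "AWS::CloudWatch::Metric", "AWS::XRay::Trace"]
    }

    # aws:PrincipalOrgID is a single-valued key, so it is compared with plain
    # StringEquals. The ForAnyValue set operator is meant for multivalued keys
    # and policy validation flags its use on single-valued ones.
    condition {
      test     = "StringEquals"
      variable = "aws:PrincipalOrgID"
      values   = [data.aws_organizations_organization.current.id]
    }
  }
}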
# ARN of the monitoring-account sink, exported for use outside this module.
output "oam" {
  value = aws_oam_sink.monitoring_account_oam_sink.arn
}