feat: Add observability IAM permissions for RIG cluster execution role#1030
Open
Madhubalasri-B wants to merge 1 commit intoawslabs:mainfrom
Open
feat: Add observability IAM permissions for RIG cluster execution role#1030Madhubalasri-B wants to merge 1 commit intoawslabs:mainfrom
Madhubalasri-B wants to merge 1 commit intoawslabs:mainfrom
Conversation
Port CDK commit c4f4067adf70 from SagemakerHyperpodClusterSetupCDK. When observability is enabled on RIG clusters, attach APS RemoteWrite and CloudWatch Logs permissions to the cluster execution role. Changes: - main.tf: Allow observability module for RIG clusters, pass rig_mode and execution_role_name - modules/observability/variables.tf: Add rig_mode and execution_role_name variables - modules/observability/iam_roles.tf: Add execution_role_observability inline policy (conditional on rig_mode) - rig_custom.tfvars: Enable observability module
bluecrayon52
requested changes
Mar 27, 2026
Contributor
bluecrayon52
left a comment
bluecrayon52
left a comment
There was a problem hiding this comment.
In main.tf you can remove the local.create_observability_module and replace with a direct reference to var.create_observability_module since we are no longer automatically disabling this feature based on the state of local.rig_mode.
Please also update the README.md to reflect changes, specifically the section that calls out the HyperPod Observability module as not supported by RIGs, and specify which Advanced Observability Metrics Configurations are supported with RIGs.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
When observability is enabled on RIG (Restricted Instance Group) clusters, attach APS RemoteWrite and CloudWatch Logs permissions to the cluster execution role.
Changes
rig_modeandexecution_role_nameto the observability modulerig_mode(bool) andexecution_role_name(string) variablesexecution_role_observabilityinline policy withaps:RemoteWriteand CloudWatch Logs permissions, conditional onrig_modecreate_observability_module = true)Testing
terraform applywithrig_custom.tfvarsterraform validatepasses