Update AWS connections

  • Latest Dynatrace
  • How-to guide

Dynatrace regularly expands its AWS resource type coverage for topology monitoring. This means we periodically make additional AWS API calls to collect topology data for newly supported resource types. Because the AWS IAM policy for the Dynatrace Integration IAM role is scoped to only the permissions required (following AWS's IAM security best practices), you’ll need to update the CloudFormation stack over time to grant this role any new IAM permissions in your AWS account(s). For a complete list of required AWS monitoring role IAM permissions. To ensure you receive topology data for all supported resource types, please update your CloudFormation stacks to the latest version. When we release an update, we will include the release notes and instructions on how to update.

Templates for standalone (single) AWS accounts

Latest template set: v1.0.4

Core CFN stacks

Conditional (nested) CFN stacks

Deployed based on user opt-in during onboarding

AWS resources created by the CloudFormation templates
Level 1: Main template resources (da-aws-activation.yaml)

Direct resources created in deployment region:

  1. DynatraceApiClientStack (AWS::CloudFormation::Stack)

    • Nested stack that creates API client function (Dynatrace API interaction, create/delete connection)
    • Reference: da-aws-nested-dt-api-function.yaml
  2. ReportStartedStatusResource (Custom::DynatraceApiAccessFunction)

    • Custom resource to report deployment start status to Dynatrace
  3. DynatraceIntegrationStack (AWS::CloudFormation::Stack)

    • Nested stack for core integration
    • Reference: da-aws-nested-integration.yaml
  4. DynatraceStackSetRoleStack (AWS::CloudFormation::Stack)

    • Conditional: Only created if log or event ingest is enabled
    • Creates StackSet administration and execution roles
    • Reference: da-aws-nested-stackset-role.yaml
  5. DynatraceLogIngestStackSet (AWS::CloudFormation::StackSet)

    • Conditional: Only if pDtLogsIngestEnabled = 'TRUE'
    • Deploys log ingestion infrastructure to specified regions
    • Reference: da-aws-stack-logs.yaml
  6. DynatraceEventIngestStackSet (AWS::CloudFormation::StackSet)

    • Conditional: Only if pDtEventsIngestEnabled = 'TRUE'
    • Deploys event ingestion infrastructure to specified regions
    • Reference: da-aws-stack-events.yaml
  7. ReportCompleteStatusResource (Custom::DynatraceApiAccessFunction)

    • Custom resource to report deployment completion status to Dynatrace
Level 2: Nested stack resources

From DynatraceApiClientStack (da-aws-nested-dt-api-function.yaml)—expected resources:

  • Lambda Function: Dynatrace API client function
  • IAM Role: Lambda execution role
  • Secrets Manager Secret: Storage for Dynatrace API token
  • KMS Key (Conditional): Customer Managed Key if pUseCMK = 'TRUE'
  • KMS Alias (Conditional): Alias for the CMK
  • Lambda Log Group: CloudWatch Logs for the Lambda function

From DynatraceIntegrationStack (da-aws-nested-integration.yaml)—expected resources:

  • IAM Role: Dynatrace monitoring role with trust relationship to Dynatrace account
  • IAM Policy: Monitoring permissions policy
  • Custom Resource: To establish connection with Dynatrace

From DynatraceStackSetRoleStack (da-aws-nested-stackset-role.yaml)—expected resources:

  • IAM Role: StackSet administration role
  • IAM Role: StackSet execution role
  • IAM Policies: Attached to both roles
Level 3: Deployed core resources (management region)

Minimum resources (no log/event ingest enabled), deployed only on a single region (management region):

  • Two custom resources: Report deployment start and finish status
  • Lambda function + IAM roles + Secrets Manager: Create/delete the connection and store the Dynatrace platform token in Secrets Manager
  • Dynatrace monitoring IAM role: Dynatrace monitoring role with trust relationship to Dynatrace account

Level 4: StackSet-deployed resources (conditional per region)

From DynatraceLogIngestStackSet (da-aws-stack-logs.yaml); deployed to each region in pDtLogsIngestRegions list. Expected resources per region:

  • Kinesis Data Firehose Delivery Stream: For log forwarding to Dynatrace
  • IAM Role: Firehose delivery role
  • S3 Bucket: Backup/buffer bucket for failed deliveries
  • Secrets Manager Secret: Dynatrace ingest token storage
  • KMS Key (conditional): If pUseCMK = 'TRUE'

From DynatraceEventIngestStackSet (da-aws-stack-events.yaml); deployed to each region in pDtEventsIngestRegions list. Expected resources per region:

  • EventBridge Rule: To capture AWS events
  • EventBridge API Destination: Dynatrace endpoint
  • EventBridge Connection: Authentication for API destination
  • IAM Role: EventBridge execution role
  • Secrets Manager Secret: Dynatrace ingest token storage

CloudFormation template set major versions

v0.x.x: Introduced at the release of the AWS Platform Monitoring Preview Program and is no longer supported.

v1.x.x: v1 is a long-term supported version and is the default for all newly created AWS connections as of the General Availability of AWS Platform Monitoring.

How do I get the template set version?

  1. Open the CloudFormation console https://awsRegion.console.aws.amazon.com/cloudformation/home?region=awsRegion#/stacks.

    Make sure to change awsRegion to the region where your current connection's CloudFormation stacks are deployed.

  2. Locate the (root) stack. The stack name is identical to the connection name, for example, MyEastProd3Account.

  3. Select the Template tab to locate the Metadata/Version/Number and examine the value, for example, v1.0.0.

    AWS connections deployed with template set version v0.x.x are no longer supported and do not support an in-place upgrade.

    In those cases, we recommend deleting the connection and recreating it, which picks up the current latest version.
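The same version check can be done outside the console. The script below is an added example, not Dynatrace's own tooling: it takes the root stack's template body, reads Metadata/Version/Number as the console steps above describe, and maps the value to the update path this guide prescribes (v0.x.x recreate, older v1.x.x in-place update). The key nesting (Metadata > Version > Number), the fetch_template_body helper, the YAML tag handling and the constructed sample template are assumptions for illustration; the boto3 call it uses is get_template.

```python
"""
Read the Dynatrace template set version from a deployed root stack's template
and decide which update path applies.

Added example, not Dynatrace tooling. Assumes the version is stored under
Metadata -> Version -> Number, as described on this page.
"""
import json
import re

LATEST_VERSION = "v1.0.4"  # latest standalone template set named on this page


def parse_version(value):
    """'v1.0.4' or '1.0.4' -> (1, 0, 4); anything else raises ValueError."""
    match = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", value.strip())
    if not match:
        raise ValueError(f"not a template set version: {value!r}")
    return tuple(int(part) for part in match.groups())


def load_template(body):
    """Accept the body as boto3 returns it: a dict (boto3 pre-parses JSON
    templates) or a string (JSON or YAML)."""
    if isinstance(body, dict):
        return body
    try:
        return json.loads(body)
    except ValueError:
        pass
    # YAML path: CloudFormation short-form intrinsics (!Ref, !Sub, ...) are
    # custom tags that PyYAML's SafeLoader rejects, so register a catch-all
    # constructor that keeps the node's value and drops the tag.
    import yaml  # optional dependency, only needed for YAML bodies

    class CfnLoader(yaml.SafeLoader):
        pass

    def any_tag(loader, tag_suffix, node):
        if isinstance(node, yaml.ScalarNode):
            return loader.construct_scalar(node)
        if isinstance(node, yaml.SequenceNode):
            return loader.construct_sequence(node)
        return loader.construct_mapping(node)

    CfnLoader.add_multi_constructor("!", any_tag)
    return yaml.load(body, Loader=CfnLoader)


def template_version(body):
    """Return Metadata/Version/Number exactly as the template carries it."""
    template = load_template(body)
    try:
        return str(template["Metadata"]["Version"]["Number"])
    except (KeyError, TypeError):
        raise ValueError("no Metadata/Version/Number; is this the Dynatrace "
                         "root stack?") from None


def update_path(deployed, latest=LATEST_VERSION):
    """Map a deployed version to the action this guide prescribes."""
    have, want = parse_version(deployed), parse_version(latest)
    if have[0] == 0:
        return "recreate-connection"  # v0.x.x: no in-place upgrade
    if have < want:
        return "in-place-update"      # direct update of the root stack
    return "up-to-date"


def fetch_template_body(stack_name, region):
    """Pull the root stack's original template (needs boto3 and AWS credentials)."""
    import boto3  # only needed for the live path
    cfn = boto3.client("cloudformation", region_name=region)
    return cfn.get_template(StackName=stack_name,
                            TemplateStage="Original")["TemplateBody"]


# Constructed sample: a trimmed JSON root template carrying a v1.0.1 marker.
SAMPLE_TEMPLATE = json.dumps({
    "AWSTemplateFormatVersion": "2010-09-09",
    "Metadata": {"Version": {"Number": "v1.0.1"}},
    "Resources": {
        "DynatraceApiClientStack": {
            "Type": "AWS::CloudFormation::Stack",
            "Properties": {"TemplateURL": "https://example.invalid/nested.yaml"},
        }
    },
})

if __name__ == "__main__":
    # Offline demo on the constructed sample; for a real stack use
    # fetch_template_body("MyEastProd3Account", "us-east-1") instead.
    version = template_version(SAMPLE_TEMPLATE)
    print(version, "->", update_path(version))  # v1.0.1 -> in-place-update
```

Run it against a live account by replacing SAMPLE_TEMPLATE with the result of fetch_template_body; the version string is returned unmodified so it can be compared with the release notes further down.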

Release notes (standalone AWS accounts CFN template sets)

Template set version 1.0.4

  • Removed unused IAM permissions.

Template set version 1.0.3

  • Added URL validation in the Lambda function.

Template set version 1.0.2

  • Updated parameter descriptions.

Template set version 1.0.1

  • Changed the Dynatrace monitoring configuration API to v2.

Template set version 1.0.0

  • General Availability version, cleaned and secured.

  • Changed resource, condition and output names.

  • Scoped down deployment permissions.

  • New IAM permissions to support CloudTrail API calls for topology changes for the following AWS resources:

    AWS::Route53::HostedZone
    AWS::Route53::HealthCheck
    AWS::ApiGateway::Stage
    AWS::ApiGatewayV2::Stage
    AWS::EFS::FileSystem
    AWS::EFS::AccessPoint
    AWS::EFS::MountTarget
    AWS::ECR::Repository
    AWS::ElastiCache::CacheCluster
    AWS::ElastiCache::ServerlessCache
    AWS::ElastiCache::ReplicationGroup
    AWS::ElastiCache::SubnetGroup
    AWS::MSK::Configuration
    AWS::MSK::VpcConnection
    AWS::SNS::Topic
    AWS::SQS::Queue
    AWS::ElasticBeanstalk::Environment
    AWS::Firehose::DeliveryStream
    AWS::Logs::LogGroup
    AWS::ElasticBeanstalk::Application
    AWS::S3::Bucket

Update the CloudFormation stack

If you have adjusted the provided templates to align with internal standards or policies (changed the CloudFormation code), do not follow this update procedure; see the FAQ below.

  1. In the AWS CloudFormation console: Locate the root stack in the deployment region. The root stack name will follow the connection name, for example: MyEastProd3Account.

  2. Perform a direct update.

    We recommend first updating a non-business-critical connection and then gradually updating the rest.

    We also recommend following AWS best practices for CloudFormation direct updates.

  3. In Replace existing template, choose the latest 1.x.x version.

    If the update fails, see the AWS CloudFormation troubleshooting guide.
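One way to follow the AWS best practice of reviewing a direct update before it runs is to perform it as a change set and inspect the planned resource changes. The script below is an added example, not Dynatrace tooling: review_changes() works offline on a DescribeChangeSet response and flags removals, replacements and any change to IAM, KMS or Secrets Manager resources; create_and_review() wires that into a live update against the latest published template URL from the FAQ. The capabilities list, the UsePreviousValue handling, the sensitive-type set and the constructed sample response (with made-up logical IDs) are assumptions to adjust to your deployment.

```python
"""
Direct update of the Dynatrace root stack through a CloudFormation change set,
with a review step before anything is executed.

Added example, not Dynatrace tooling. Assumptions: the stack keeps its current
parameter values (UsePreviousValue) and was created with CAPABILITY_NAMED_IAM
and CAPABILITY_AUTO_EXPAND; adjust both to your deployment.
"""
import time

# Published location of the latest template set, as given in the FAQ.
LATEST_TEMPLATE_URL = ("https://dynatrace-data-acquisition.s3.us-east-1.amazonaws.com"
                       "/aws/deployment/cfn/latest/da-aws-activation.yaml")

# Resource types whose change alters who can do what in the account, or who
# can read the stored Dynatrace tokens; these diffs deserve a human look.
SENSITIVE_TYPES = {"AWS::IAM::Role", "AWS::IAM::Policy", "AWS::IAM::ManagedPolicy",
                   "AWS::KMS::Key", "AWS::SecretsManager::Secret"}


def review_changes(change_set):
    """Reduce a DescribeChangeSet response to (needs_attention, rows).

    A row is (logical_id, resource_type, action, replacement, flagged).
    Flagged: removals, replacements (True/Conditional), and any action on a
    sensitive type. Nested-stack rows are present only when the change set
    was created with IncludeNestedStacks=True.
    """
    rows, needs_attention = [], False
    for change in change_set.get("Changes", []):
        rc = change.get("ResourceChange", {})
        action = rc.get("Action")
        rtype = rc.get("ResourceType", "")
        replacement = rc.get("Replacement", "False")  # absent for Add/Remove
        flagged = (action == "Remove"
                   or replacement in ("True", "Conditional")
                   or rtype in SENSITIVE_TYPES)
        needs_attention = needs_attention or flagged
        rows.append((rc.get("LogicalResourceId"), rtype, action, replacement, flagged))
    return needs_attention, rows


def create_and_review(stack_name, region, execute=False):
    """Create a change set against the latest template, print the review, and
    execute only when asked and nothing was flagged (needs boto3 + credentials)."""
    import boto3  # only needed for the live path
    cfn = boto3.client("cloudformation", region_name=region)
    current = cfn.describe_stacks(StackName=stack_name)["Stacks"][0]
    change_set_name = f"dt-update-{int(time.time())}"
    cfn.create_change_set(
        StackName=stack_name,
        ChangeSetName=change_set_name,
        ChangeSetType="UPDATE",
        TemplateURL=LATEST_TEMPLATE_URL,
        # Keep every existing parameter value; new parameters use template defaults.
        Parameters=[{"ParameterKey": p["ParameterKey"], "UsePreviousValue": True}
                    for p in current.get("Parameters", [])],
        Capabilities=["CAPABILITY_NAMED_IAM", "CAPABILITY_AUTO_EXPAND"],
        IncludeNestedStacks=True,
    )
    # The waiter raises if the change set fails, e.g. when the stack is already
    # on the latest template and there is nothing to change.
    cfn.get_waiter("change_set_create_complete").wait(
        StackName=stack_name, ChangeSetName=change_set_name)
    # One page is enough for a stack this size; honour NextToken for larger ones.
    described = cfn.describe_change_set(StackName=stack_name, ChangeSetName=change_set_name)
    needs_attention, rows = review_changes(described)
    for logical_id, rtype, action, replacement, flagged in rows:
        print("!!" if flagged else "  ", action, rtype, logical_id, "replacement:", replacement)
    if execute and not needs_attention:
        cfn.execute_change_set(StackName=stack_name, ChangeSetName=change_set_name)
    return needs_attention, rows


# Constructed DescribeChangeSet response: a routine nested-stack modify, an IAM
# policy modify and a role removal. Logical IDs are made up for the sample.
SAMPLE_CHANGE_SET = {
    "ChangeSetName": "dt-update-sample",
    "Status": "CREATE_COMPLETE",
    "Changes": [
        {"Type": "Resource", "ResourceChange": {
            "Action": "Modify", "LogicalResourceId": "DynatraceIntegrationStack",
            "ResourceType": "AWS::CloudFormation::Stack", "Replacement": "False"}},
        {"Type": "Resource", "ResourceChange": {
            "Action": "Modify", "LogicalResourceId": "MonitoringPolicy",
            "ResourceType": "AWS::IAM::Policy", "Replacement": "False"}},
        {"Type": "Resource", "ResourceChange": {
            "Action": "Remove", "LogicalResourceId": "LegacyHelperRole",
            "ResourceType": "AWS::IAM::Role"}},
    ],
}

if __name__ == "__main__":
    flagged, rows = review_changes(SAMPLE_CHANGE_SET)
    for row in rows:
        print("!!" if row[4] else "  ", row[2], row[1], row[0])
    print("needs attention:", flagged)  # True
```

Because the review only reads the change set, a flagged result costs nothing: delete the change set, read the IAM diff in the console, and re-run with execute=True once you are satisfied. Leaving execute=False is the safe default for the first, non-business-critical connection recommended above.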

FAQ

I have modified the template(s) to meet internal organizational policies. Can I still update to a newer version?

We understand that in some environments it may be necessary to adjust the provided templates to align with internal standards or policies.

Once templates are customized, they follow a customer‑managed update path. As a result, updates to newer template versions are not supported, as changes to the underlying CloudFormation state can impact update behavior.

I am following the customer‑managed update path. How can I update my templates?

For each release, we provide detailed release notes outlining the changes and enhancements included. We recommend reviewing these notes and selectively incorporating the relevant updates into your customized templates as part of your own update process.

Can I upgrade directly to the latest version?

Yes. A minor version upgrade should always go to the latest version; for example, a deployed 1.0.1 can upgrade directly to 1.0.4 (latest).

When upgrading do I need to hardcode the version I wish to upgrade to?

No, the latest version is always published under this link: https://dynatrace-data-acquisition.s3.us-east-1.amazonaws.com/aws/deployment/cfn/latest/da-aws-activation.yaml.

I learned that only the IAM stack has been updated, can I directly update this stack?

At present we do not support directly updating individual stacks; each update must be done from the root stack, regardless of which stacks actually changed.
