Advanced Setup Guide

Complete installation and configuration instructions for CloudWatch AI Agent

← Back to Home Account Dashboard →

Prerequisites

Before installing the CloudWatch AI Agent, ensure you have the following requirements:

1 Python 3.13

The CloudWatch AI Agent requires Python 3.13 to be installed on the machine where Terraform will run.

⚠️ Important: Python 3.13 must be available on the Terraform execution environment (your local machine, CI/CD runner, or wherever you run terraform apply). This is required for building the Lambda layer dependencies.

Installing Python 3.13

On macOS (using Homebrew):

brew install python@3.13
python3.13 --version

On Ubuntu/Debian:

sudo add-apt-repository ppa:deadsnakes/ppa
sudo apt update
sudo apt install python3.13 python3.13-venv
python3.13 --version

On Amazon Linux 2023:

sudo dnf install python3.13
python3.13 --version

Verify Installation:

# Should output: Python 3.13.x
python3.13 --version

# Verify pip is available
python3.13 -m pip --version

2 AWS CLI

Install and configure the AWS Command Line Interface:

# Install AWS CLI (if not already installed)
curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
unzip awscliv2.zip
sudo ./aws/install

# Configure AWS credentials
aws configure

3 Terraform

Install Terraform version 1.0 or higher:

# Download and install Terraform
wget https://releases.hashicorp.com/terraform/1.6.6/terraform_1.6.6_linux_amd64.zip
unzip terraform_1.6.6_linux_amd64.zip
sudo mv terraform /usr/local/bin/
terraform version

4 AWS Permissions

Your AWS IAM user or role needs the following permissions:

  • Lambda (create, update, delete functions and layers)
  • SNS (create and manage topics)
  • IAM (create and attach roles and policies)
  • CloudWatch Logs (create log groups)
  • Bedrock (invoke models - see next section)

Amazon Bedrock Model Access

The CloudWatch AI Agent uses Amazon Bedrock with Nova Lite for AI-powered alarm analysis. You must request and enable model access before deploying.

⚠️ Critical Step: Bedrock model access must be granted in your AWS account before running Terraform. Without this, the Lambda function will fail when trying to invoke the AI model.

1 Request Bedrock Model Access

Via AWS Console:

  1. Navigate to the Amazon Bedrock console in us-east-1 region
  2. In the left sidebar, click "Model access"
  3. Click "Manage model access" or "Enable specific models"
  4. Find "Nova Lite" in the list (under Amazon models)
  5. Check the box next to Nova Lite
  6. Click "Request model access" or "Save changes"
  7. Wait for approval (usually instant for Nova Lite)
ℹ️ Model ID: The default model used is amazon.nova-lite-v1:0. This is a fast, cost-effective model perfect for CloudWatch alarm analysis.

Via AWS CLI:

# Check current model access status
aws bedrock list-foundation-models --region us-east-1 \
  --query 'modelSummaries[?contains(modelId, `nova-lite`)].modelId'

# Note: Model access must be granted via Console
# CLI doesn't support requesting access programmatically

2 Verify Model Access

Confirm that Nova Lite is accessible:

# Test Bedrock access
aws bedrock-runtime invoke-model \
  --model-id amazon.nova-lite-v1:0 \
  --region us-east-1 \
  --body '{"messages":[{"role":"user","content":[{"text":"Hello"}]}],"inferenceConfig":{"maxTokens":100,"temperature":0.7}}' \
  output.json

# Check the response
cat output.json
✓ Success: If the command completes without errors and outputs JSON with a response, Bedrock access is properly configured!

3 Supported Regions

Amazon Bedrock is available in specific regions. The CloudWatch AI Agent uses:

Component Region Configurable
Lambda Function Your chosen region Yes (via Terraform variables)
Bedrock API us-east-1 (default) Yes (via bedrock_region variable)
Nova Lite Model Same as Bedrock API
ℹ️ Cross-Region: Your Lambda function can run in any region (e.g., us-west-2) while calling Bedrock in us-east-1. This is handled automatically by the SDK.

Installation

1 Get Your License Key

After subscribing, retrieve your license key from your Account Dashboard.

ℹ️ License Key: Your API key serves as your Terraform module license. It's automatically generated when you subscribe and can be found at aiopscrew.com/account.

2 Declare the Module

Create a new Terraform configuration file (e.g., main.tf) and declare the CloudWatch AI Agent module:

module "cloudwatch_ai_agent" {
  source = "api.aiopscrew.com/v1/module"

  # License key from your account dashboard
  license_key = "cwa_live_xxxxxxxxxxxxx"

  # Required: Slack webhook for alert notifications
  slack_webhook_url = "https://hooks.slack.com/services/YOUR/WEBHOOK/URL"

  # Optional: Customize deployment
  function_name      = "cloudwatch-alert-ai-agent"
  bedrock_model_id   = "amazon.nova-lite-v1:0"
  bedrock_region     = "us-east-1"
  lambda_timeout     = 300
  lambda_memory_size = 512
  environment        = "production"
}
⚠️ License Required: Replace the license_key value with your actual license key from your account dashboard. The module cannot be downloaded without a valid, active subscription.
ℹ️ Slack Webhook: Get your Slack webhook URL from your Slack workspace settings under "Incoming Webhooks". This is required for receiving CloudWatch alarm notifications.

3 Initialize Terraform

Initialize Terraform to download the module and providers:

# Initialize Terraform - downloads the module from API
terraform init

# Validate configuration
terraform validate
ℹ️ Module Download: During terraform init, Terraform will authenticate with the API using your license key and download the module. Your subscription must be active.

4 Review Plan

# Review what will be created
terraform plan

Expected resources to be created:

  • Lambda function (AI agent)
  • Lambda layer (Python dependencies)
  • SNS topic (alarm notifications)
  • IAM role and policies
  • CloudWatch Log groups

5 Deploy Infrastructure

# Apply Terraform configuration
terraform apply

# Confirm with 'yes' when prompted
ℹ️ Build Time: The first deployment takes 2-3 minutes as Terraform builds the Lambda layer with Python dependencies for ARM64 architecture.

6 Get SNS Topic ARN

After deployment, retrieve the SNS topic ARN for configuring CloudWatch alarms:

# Get the SNS topic ARN
terraform output -raw cloudwatch_ai_agent_sns_topic_arn

Configuration

Connect CloudWatch Alarms

Add the SNS topic to your CloudWatch alarms:

# Example: Update existing alarm
aws cloudwatch put-metric-alarm \
  --alarm-name "high-cpu-usage" \
  --alarm-description "CPU above 80%" \
  --metric-name CPUUtilization \
  --namespace AWS/EC2 \
  --statistic Average \
  --period 300 \
  --threshold 80 \
  --comparison-operator GreaterThanThreshold \
  --evaluation-periods 2 \
  --alarm-actions $(terraform output -raw sns_topic_arn)

Environment Variables

The Lambda function uses these environment variables (automatically configured by Terraform):

Variable Description Default
SLACK_WEBHOOK_URL Slack incoming webhook URL Required (no default)
BEDROCK_MODEL_ID Bedrock model identifier amazon.nova-lite-v1:0
BEDROCK_REGION AWS region for Bedrock us-east-1

Customizing the Model

To use a different Bedrock model:

  1. Request access to the desired model in Bedrock console
  2. Update bedrock_model_id in terraform.tfvars
  3. Run terraform apply

Compatible models:

  • amazon.nova-lite-v1:0 - Fast, cost-effective (recommended)
  • amazon.nova-pro-v1:0 - More capable, higher cost
  • anthropic.claude-3-haiku-* - Alternative provider

Troubleshooting

Python 3.13 Not Found

Error: python3.13: command not found

Solution:

# Ensure Python 3.13 is in PATH
which python3.13

# If not found, install Python 3.13 (see Prerequisites section)
# Then verify:
python3.13 --version

Bedrock Access Denied

Error: AccessDeniedException: You don't have access to the model

Solution:

  1. Verify model access is granted in Bedrock console (us-east-1)
  2. Check IAM permissions include bedrock:InvokeModel
  3. Ensure correct model ID is configured
  4. Wait 5-10 minutes after requesting access

Lambda Layer Build Failed

Error: Issues during layer build or dependency installation

Solution:

# Clean build artifacts
rm -rf modules/cloudwatch-slack-alert/.build/

# Re-run Terraform
terraform apply

Slack Messages Not Arriving

Checklist:

  • Verify webhook URL is correct in Terraform variables
  • Check Lambda logs: aws logs tail /aws/lambda/your-function-name --follow
  • Ensure SNS topic is attached to CloudWatch alarm
  • Test webhook URL manually with curl

View Lambda Logs

# Stream logs in real-time
aws logs tail /aws/lambda/cloudwatch-alert-ai-agent --follow

# Search for errors
aws logs filter-log-events \
  --log-group-name /aws/lambda/cloudwatch-alert-ai-agent \
  --filter-pattern "ERROR"

Next Steps

✓ Setup Complete! Your CloudWatch AI Agent is now ready to analyze alarms.

Recommended Actions

  • Test with a sample alarm to verify the integration
  • Configure additional CloudWatch alarms to use the SNS topic
  • Review Lambda logs to ensure proper operation
  • Set up CloudWatch dashboards for monitoring the agent
  • Configure Slack channel notifications preferences

Additional Resources

Back to Home Manage Account