refactor(perf-platform): rename Grafana role and consolidate setup ownership

Yuriy Bezsonov · Yuriy Bezsonov · commit 71ee50c41f65 · 2026-05-15T07:09:00.000+02:00
Rename the Grafana pod role from grafana-cloudwatch-pod-role to
grafana-eks-pod-role to match the existing &lt;component&gt;-eks-pod-role
convention used by ai-jvm-analyzer, perf-analyzer, perf-collector, and
pyroscope. Add grafana* and pyroscope* to the workshop IAM policy's
PassRole resource list so participants can attach the new roles.

Reorganize setup-script ownership so the three analysis modules compose
cleanly. monitoring.sh now owns the shared Workshop Dashboards Grafana
folder; analysis.sh and perf-platform.sh look it up by title and fail
loud if missing. Each downstream script upserts its own notification-
policy routes keyed on receiver name, so order between analysis.sh and
perf-platform.sh no longer clobbers either side. perf-platform.sh drops
the SSM mirror for the internal NLB DNS — consumers look it up at point
of need with kubectl get svc.

The result is monitoring.sh + analysis.sh = modules 1+2,
monitoring.sh + perf-platform.sh = module 3 standalone.

Regenerate the CFN template from the updated CDK.
diff --git a/infra/cdk/src/main/java/sample/com/constructs/PerfPlatform.java b/infra/cdk/src/main/java/sample/com/constructs/PerfPlatform.java
@@ -12,7 +12,7 @@
  *  - perf-analyzer-eks-pod-role     (perf-analyzer Spring Boot service)
  *  - perf-collector-eks-pod-role    (perf-collector DaemonSet)
  *  - pyroscope-eks-pod-role         (Pyroscope server, for S3-backed storage)
- *  - grafana-cloudwatch-pod-role    (Grafana, to read ALB metrics from CloudWatch)
+ *  - grafana-eks-pod-role           (Grafana, to read ALB metrics from CloudWatch)
  *
  * On Amazon ECS Fargate the collector sidecar runs inside the target task and
  * reuses that task's existing role — we add S3-write for profiling artifacts to
@@ -29,7 +29,7 @@ public class PerfPlatform extends Construct {
     private final Role perfAnalyzerEksPodRole;
     private final Role perfCollectorEksPodRole;
     private final Role pyroscopeEksPodRole;
-    private final Role grafanaCloudwatchPodRole;
+    private final Role grafanaEksPodRole;
 
     public static class PerfPlatformProps {
         private Bucket workshopBucket;
@@ -59,7 +59,7 @@ public PerfPlatform(final Construct scope, final String id, final PerfPlatformPr
         this.perfAnalyzerEksPodRole = createAnalyzerEksPodRole(props);
         this.perfCollectorEksPodRole = createCollectorEksPodRole(props);
         this.pyroscopeEksPodRole = createPyroscopeEksPodRole(props);
-        this.grafanaCloudwatchPodRole = createGrafanaCloudwatchPodRole();
+        this.grafanaEksPodRole = createGrafanaEksPodRole();
         grantProfilingWriteToUnicornEcsTaskRole(props);
     }
 
@@ -142,11 +142,11 @@ private Role createPyroscopeEksPodRole(PerfPlatformProps props) {
      * and HTTPCode_Target_5XX_Count for whichever ALB(s) participants deploy
      * during the workshop.
      */
-    private Role createGrafanaCloudwatchPodRole() {
+    private Role createGrafanaEksPodRole() {
         ServicePrincipal podsPrincipal = ServicePrincipal.Builder.create("pods.eks.amazonaws.com").build();
 
-        Role role = Role.Builder.create(this, "GrafanaCloudwatchPodRole")
-            .roleName("grafana-cloudwatch-pod-role")
+        Role role = Role.Builder.create(this, "GrafanaEksPodRole")
+            .roleName("grafana-eks-pod-role")
             .assumedBy(podsPrincipal)
             .description("Role for Grafana to read CloudWatch metrics for the perf-platform Latency Metrics dashboard and ServiceLatency alert")
             .build();
@@ -311,7 +311,7 @@ public Role getPyroscopeEksPodRole() {
         return pyroscopeEksPodRole;
     }
 
-    public Role getGrafanaCloudwatchPodRole() {
-        return grafanaCloudwatchPodRole;
+    public Role getGrafanaEksPodRole() {
+        return grafanaEksPodRole;
     }
 }
diff --git a/infra/cdk/src/main/resources/iam-policy.json b/infra/cdk/src/main/resources/iam-policy.json
@@ -76,6 +76,8 @@
 				"arn:aws:iam::{{.AccountId}}:role/ai-jvm-analyzer*",
 				"arn:aws:iam::{{.AccountId}}:role/perf-analyzer*",
 				"arn:aws:iam::{{.AccountId}}:role/perf-collector*",
+				"arn:aws:iam::{{.AccountId}}:role/pyroscope*",
+				"arn:aws:iam::{{.AccountId}}:role/grafana*",
 				"arn:aws:iam::{{.AccountId}}:role/workshop*",
 				"arn:aws:iam::{{.AccountId}}:role/aiagent*",
 				"arn:aws:iam::{{.AccountId}}:role/mcpserver*"
diff --git a/infra/cfn/java-on-aws-stack.yaml b/infra/cfn/java-on-aws-stack.yaml
@@ -422,7 +422,7 @@ Resources:
         Fn::GetAtt:
           - CodeBuildRoleE9A44575
           - Arn
-      ContentHash: "1778416824589"
+      ContentHash: "1778821434343"
       ProjectName:
         Ref: CodeBuildProjectA0FF5539
       ServiceToken:
@@ -2063,9 +2063,11 @@ Resources:
             Resource:
               - !Sub arn:aws:iam::${AWS::AccountId}:role/ai-jvm-analyzer*
               - !Sub arn:aws:iam::${AWS::AccountId}:role/aiagent*
+              - !Sub arn:aws:iam::${AWS::AccountId}:role/grafana*
               - !Sub arn:aws:iam::${AWS::AccountId}:role/mcpserver*
               - !Sub arn:aws:iam::${AWS::AccountId}:role/perf-analyzer*
               - !Sub arn:aws:iam::${AWS::AccountId}:role/perf-collector*
+              - !Sub arn:aws:iam::${AWS::AccountId}:role/pyroscope*
               - !Sub arn:aws:iam::${AWS::AccountId}:role/service-role/unicorn*
               - !Sub arn:aws:iam::${AWS::AccountId}:role/unicorn*
               - !Sub arn:aws:iam::${AWS::AccountId}:role/workshop*
@@ -2252,19 +2254,21 @@ Resources:
       Roles:
         - Ref: PerfPlatformAnalyzerEksPodRoleA97B019B
     Type: AWS::IAM::Policy
-  PerfPlatformCollectorEcsTaskRoleA67C7D99:
+  PerfPlatformCollectorEksPodRole3090D9EA:
     Properties:
       AssumeRolePolicyDocument:
         Statement:
-          - Action: sts:AssumeRole
+          - Action:
+              - sts:AssumeRole
+              - sts:TagSession
             Effect: Allow
             Principal:
-              Service: ecs-tasks.amazonaws.com
+              Service: pods.eks.amazonaws.com
         Version: "2012-10-17"
-      Description: Role for perf-collector ECS Fargate sidecar to upload profiling artifacts to S3
-      RoleName: perf-collector-ecs-task-role
+      Description: Role for perf-collector EKS DaemonSet pod to upload profiling artifacts to S3
+      RoleName: perf-collector-eks-pod-role
     Type: AWS::IAM::Role
-  PerfPlatformCollectorEcsTaskRoleDefaultPolicy698DCB5D:
+  PerfPlatformCollectorEksPodRoleDefaultPolicy102C5ADB:
     Properties:
       PolicyDocument:
         Statement:
@@ -2280,11 +2284,11 @@ Resources:
                       - Arn
                   - /perf-platform/profiling/*
         Version: "2012-10-17"
-      PolicyName: PerfPlatformCollectorEcsTaskRoleDefaultPolicy698DCB5D
+      PolicyName: PerfPlatformCollectorEksPodRoleDefaultPolicy102C5ADB
       Roles:
-        - Ref: PerfPlatformCollectorEcsTaskRoleA67C7D99
+        - Ref: PerfPlatformCollectorEksPodRole3090D9EA
     Type: AWS::IAM::Policy
-  PerfPlatformCollectorEksPodRole3090D9EA:
+  PerfPlatformGrafanaEksPodRole8BAC861C:
     Properties:
       AssumeRolePolicyDocument:
         Statement:
@@ -2295,15 +2299,66 @@ Resources:
             Principal:
               Service: pods.eks.amazonaws.com
         Version: "2012-10-17"
-      Description: Role for perf-collector EKS DaemonSet pod to upload profiling artifacts to S3
-      RoleName: perf-collector-eks-pod-role
+      Description: Role for Grafana to read CloudWatch metrics for the perf-platform Latency Metrics dashboard and ServiceLatency alert
+      RoleName: grafana-eks-pod-role
     Type: AWS::IAM::Role
-  PerfPlatformCollectorEksPodRoleDefaultPolicy102C5ADB:
+  PerfPlatformGrafanaEksPodRoleDefaultPolicyBFFD5487:
     Properties:
       PolicyDocument:
         Statement:
           - Action:
-              - s3:HeadObject
+              - cloudwatch:DescribeAlarmHistory
+              - cloudwatch:DescribeAlarms
+              - cloudwatch:DescribeAlarmsForMetric
+              - cloudwatch:GetMetricData
+              - cloudwatch:GetMetricStatistics
+              - cloudwatch:ListMetrics
+              - ec2:DescribeRegions
+              - ec2:DescribeTags
+              - tag:GetResources
+            Effect: Allow
+            Resource: "*"
+        Version: "2012-10-17"
+      PolicyName: PerfPlatformGrafanaEksPodRoleDefaultPolicyBFFD5487
+      Roles:
+        - Ref: PerfPlatformGrafanaEksPodRole8BAC861C
+    Type: AWS::IAM::Policy
+  PerfPlatformPyroscopeEksPodRole01200CAC:
+    Properties:
+      AssumeRolePolicyDocument:
+        Statement:
+          - Action:
+              - sts:AssumeRole
+              - sts:TagSession
+            Effect: Allow
+            Principal:
+              Service: pods.eks.amazonaws.com
+        Version: "2012-10-17"
+      Description: Role for Pyroscope server pod to read/write blocks in S3 under pyroscope/*
+      RoleName: pyroscope-eks-pod-role
+    Type: AWS::IAM::Role
+  PerfPlatformPyroscopeEksPodRoleDefaultPolicy133E4C48:
+    Properties:
+      PolicyDocument:
+        Statement:
+          - Action:
+              - s3:GetBucketLocation
+              - s3:ListBucket
+            Condition:
+              StringLike:
+                s3:prefix:
+                  - pyroscope/*
+                  - pyroscope
+            Effect: Allow
+            Resource:
+              Fn::GetAtt:
+                - WorkshopBucketFD5BC43F
+                - Arn
+          - Action:
+              - s3:AbortMultipartUpload
+              - s3:DeleteObject
+              - s3:GetObject
+              - s3:ListMultipartUploadParts
               - s3:PutObject
             Effect: Allow
             Resource:
@@ -2312,11 +2367,11 @@ Resources:
                 - - Fn::GetAtt:
                       - WorkshopBucketFD5BC43F
                       - Arn
-                  - /perf-platform/profiling/*
+                  - /pyroscope/*
         Version: "2012-10-17"
-      PolicyName: PerfPlatformCollectorEksPodRoleDefaultPolicy102C5ADB
+      PolicyName: PerfPlatformPyroscopeEksPodRoleDefaultPolicy133E4C48
       Roles:
-        - Ref: PerfPlatformCollectorEksPodRole3090D9EA
+        - Ref: PerfPlatformPyroscopeEksPodRole01200CAC
     Type: AWS::IAM::Policy
   ThreadAnalysisLambda3EE9B29D:
     DependsOn:
@@ -2972,6 +3027,20 @@ Resources:
               Fn::GetAtt:
                 - UnicornUnicornEventBusB728845C
                 - Arn
+          - Action:
+              - s3:HeadObject
+              - s3:PutObject
+            Effect: Allow
+            Resource:
+              Fn::Join:
+                - ""
+                - - Fn::GetAtt:
+                      - WorkshopBucketFD5BC43F
+                      - Arn
+                  - /perf-platform/profiling/*
+          - Action: ecs:DescribeTasks
+            Effect: Allow
+            Resource: "*"
         Version: "2012-10-17"
       PolicyName: UnicornUnicornStoreEcsTaskRoleDefaultPolicy477138EA
       Roles:
@@ -3312,7 +3381,7 @@ Resources:
             - Ref: AWS::AccountId
             - "-"
             - Ref: AWS::Region
-            - "-20260510144024"
+            - "-20260515070354"
       PublicAccessBlockConfiguration:
         BlockPublicAcls: true
         BlockPublicPolicy: true
diff --git a/infra/scripts/setup/analysis.sh b/infra/scripts/setup/analysis.sh
@@ -63,29 +63,19 @@ for i in {1..20}; do
   sleep 5
 done
 
-# Create shared folder
-log_info "Creating shared folder '$FOLDER_NAME'..."
-FOLDER_RESPONSE=$(curl -s -X POST -H "Content-Type: application/json" \
-  -u "$GRAFANA_USER:$GRAFANA_PASSWORD" \
-  -d "{\"title\": \"$FOLDER_NAME\"}" \
-  "$GRAFANA_URL/api/folders")
-
-FOLDER_UID=$(echo "$FOLDER_RESPONSE" | jq -r '.uid // empty')
-FOLDER_ID=$(echo "$FOLDER_RESPONSE" | jq -r '.id // empty')
-if [[ -z "$FOLDER_UID" ]]; then
-  EXISTING_FOLDER=$(curl -s -u "$GRAFANA_USER:$GRAFANA_PASSWORD" "$GRAFANA_URL/api/folders" | jq -r ".[] | select(.title == \"$FOLDER_NAME\")")
-  if [[ -n "$EXISTING_FOLDER" ]]; then
-    FOLDER_UID=$(echo "$EXISTING_FOLDER" | jq -r '.uid')
-    FOLDER_ID=$(echo "$EXISTING_FOLDER" | jq -r '.id')
-    log_info "Using existing folder: $FOLDER_UID"
-  else
-    FOLDER_UID=""
-    FOLDER_ID=0
-    log_warning "Using General folder"
-  fi
-else
-  log_success "Folder created: $FOLDER_UID"
+# Look up the shared "Workshop Dashboards" folder created by monitoring.sh.
+# Both this script and perf-platform.sh consume it — monitoring.sh owns
+# the create, downstream scripts only read.
+log_info "Looking up shared folder '$FOLDER_NAME'..."
+SHARED_FOLDER=$(curl -s -u "$GRAFANA_USER:$GRAFANA_PASSWORD" "$GRAFANA_URL/api/folders" \
+  | jq -r ".[] | select(.title == \"$FOLDER_NAME\")")
+if [[ -z "$SHARED_FOLDER" ]]; then
+  log_error "Shared folder '$FOLDER_NAME' not found. Run monitoring.sh first."
+  exit 1
 fi
+FOLDER_UID=$(echo "$SHARED_FOLDER" | jq -r '.uid')
+FOLDER_ID=$(echo "$SHARED_FOLDER" | jq -r '.id')
+log_info "Using folder: $FOLDER_UID"
 
 # Get Lambda Function URL for thread dump Lambda
 FUNCTION_URL=$(aws lambda get-function-url-config --function-name "$LAMBDA_FUNCTION_NAME" --query "FunctionUrl" --output text 2>/dev/null || echo "")
@@ -620,48 +610,67 @@ fi
 
 
 # =============================================================================
-# SHARED NOTIFICATION POLICY
+# NOTIFICATION POLICY ROUTES (this script's two routes only)
+# =============================================================================
+#
+# The notification policy is shared across all analysis modules. Each module's
+# setup script owns its own routes (keyed by receiver name) and upserts them
+# idempotently into the existing policy. This script owns:
+#   - thread-dump-lambda-webhook
+#   - ai-jvm-analyzer-webhook
+# perf-platform.sh owns its own (perf-analyzer-webhook). Whoever runs last
+# does not clobber the other modules' routes any more.
 # =============================================================================
 
 log_info "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
-log_info "Configuring unified notification policy..."
+log_info "Upserting notification policy routes for thread + profiling..."
 log_info "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
 
-# Configure notification policy with nested routes for both contact points
-POLICY_PAYLOAD="{
-  \"receiver\": \"grafana-default-email\",
-  \"group_by\": [\"alertname\"],
-  \"group_wait\": \"30s\",
-  \"group_interval\": \"5m\",
-  \"repeat_interval\": \"1h\",
-  \"routes\": [
-    {
-      \"receiver\": \"$THREAD_CONTACT_POINT\",
-      \"matchers\": [\"analysis_type=thread\"],
-      \"group_wait\": \"30s\",
-      \"group_interval\": \"5m\",
-      \"repeat_interval\": \"1h\"
-    },
-    {
-      \"receiver\": \"$PROFILING_CONTACT_POINT\",
-      \"matchers\": [\"analysis_type=profiling\"],
-      \"group_by\": [\"alertname\", \"pod\"],
-      \"group_wait\": \"10s\",
-      \"group_interval\": \"30s\",
-      \"repeat_interval\": \"2m\"
-    }
-  ]
-}"
+# Read the current policy, drop any route whose receiver is one we own, append
+# our own routes, PUT the merged result.
+EXISTING_POLICY=$(curl -s -u "$GRAFANA_USER:$GRAFANA_PASSWORD" \
+  "$GRAFANA_URL/api/v1/provisioning/policies")
+
+NEW_ROUTES='[
+  {
+    "receiver": "'"$THREAD_CONTACT_POINT"'",
+    "matchers": ["analysis_type=thread"],
+    "group_wait": "30s",
+    "group_interval": "5m",
+    "repeat_interval": "1h"
+  },
+  {
+    "receiver": "'"$PROFILING_CONTACT_POINT"'",
+    "matchers": ["analysis_type=profiling"],
+    "group_by": ["alertname", "pod"],
+    "group_wait": "10s",
+    "group_interval": "30s",
+    "repeat_interval": "2m"
+  }
+]'
+
+POLICY_PAYLOAD=$(echo "$EXISTING_POLICY" | jq \
+  --argjson new "$NEW_ROUTES" \
+  --arg t "$THREAD_CONTACT_POINT" \
+  --arg p "$PROFILING_CONTACT_POINT" '
+    # Default the policy fields if the existing payload was empty.
+    .receiver        = (.receiver        // "grafana-default-email")
+  | .group_by        = (.group_by        // ["alertname"])
+  | .group_wait      = (.group_wait      // "30s")
+  | .group_interval  = (.group_interval  // "5m")
+  | .repeat_interval = (.repeat_interval // "1h")
+  | .routes          = ((.routes // []) | map(select(.receiver != $t and .receiver != $p))) + $new
+')
 
 POLICY_RESPONSE=$(curl -s -X PUT -H "Content-Type: application/json" \
   -u "$GRAFANA_USER:$GRAFANA_PASSWORD" \
   -d "$POLICY_PAYLOAD" \
   "$GRAFANA_URL/api/v1/provisioning/policies")
 
 if echo "$POLICY_RESPONSE" | grep -q "policies updated"; then
-  log_success "Unified notification policy configured"
+  log_success "Thread + profiling routes upserted into the notification policy"
 else
-  log_error "Notification policy configuration failed:"
+  log_error "Notification policy update failed:"
   echo "$POLICY_RESPONSE"
 fi
 
diff --git a/infra/scripts/setup/monitoring.sh b/infra/scripts/setup/monitoring.sh
diff --git a/infra/scripts/setup/perf-platform.sh b/infra/scripts/setup/perf-platform.sh
