feat(perf-platform): add CloudWatch datasource and Latency Metrics dashboard

Replace the perf_profile_cpu_ratio Prometheus alert with an
ALB-based path: Grafana now reads CloudWatch metrics through a
dedicated read-only Pod Identity role, and a "Latency Metrics"
dashboard surfaces ALB p99 TargetResponseTime, request rate, and
5xx error counts for whichever ALB(s) participants deploy. The
ServiceLatency alert rule itself is created by the workshop
chapter (Ch 4) because it depends on the participant-deployed ALB
ARN, which only exists after the unicorn-store-spring workload
rolls out.

CDK

- PerfPlatform construct adds grafana-cloudwatch-pod-role with
  cloudwatch:GetMetricData, cloudwatch:GetMetricStatistics,
  cloudwatch:ListMetrics, cloudwatch:DescribeAlarms*, tag and ec2
  read-only permissions, trusted by pods.eks.amazonaws.com.

perf-platform.sh

- Bind the Grafana ServiceAccount to grafana-cloudwatch-pod-role
  via EKS Pod Identity, then restart Grafana so the credential
  attaches to a fresh pod.
- Provision the CloudWatch datasource via the Grafana sidecar
  ConfigMap pattern (grafana_datasource=1).
- Provision the "Latency Metrics" dashboard via the Grafana
  HTTP API directly into the existing "Workshop Dashboards"
  folder. The dashboard JSON is embedded in the script as a
  heredoc to keep all setup-time provisioning in one file.
- The dashboard uses CloudWatch SEARCH() expressions so it
  auto-discovers any ALB tagged with the AWS/ApplicationELB
  namespace - no pre-baked LB names, works for both the EKS
  ingress ALB and the ECS service ALB once participants deploy.
- Remove the old perf_profile_cpu_ratio Prometheus alert and
  the ALERT_RULE_TITLE env var.
- Update the summary block to reflect the new state.

Verified end-to-end on the live cluster: pod identity attached,
CloudWatch datasource shows both ALBs in dimension-values queries,
all four panels render real data under load.

Author: Yuriy Bezsonov

infra/cdk/src/main/java/sample/com/constructs/PerfPlatform.java

@@ -8,10 +8,11 @@
 
 /**
  * PerfPlatform construct for the agentic performance platform (perf-analyzer module).
- * Creates three IAM roles used by the platform components on Amazon EKS:
- *  - perf-analyzer-eks-pod-role   (perf-analyzer Spring Boot service)
- *  - perf-collector-eks-pod-role  (perf-collector DaemonSet)
- *  - pyroscope-eks-pod-role       (Pyroscope server, for S3-backed storage)
+ * Creates four IAM roles used by the platform components on Amazon EKS:
+ *  - perf-analyzer-eks-pod-role     (perf-analyzer Spring Boot service)
+ *  - perf-collector-eks-pod-role    (perf-collector DaemonSet)
+ *  - pyroscope-eks-pod-role         (Pyroscope server, for S3-backed storage)
+ *  - grafana-cloudwatch-pod-role    (Grafana, to read ALB metrics from CloudWatch)
  *
  * On Amazon ECS Fargate the collector sidecar runs inside the target task and
  * reuses that task's existing role — we add S3-write for profiling artifacts to
@@ -28,6 +29,7 @@ public class PerfPlatform extends Construct {
     private final Role perfAnalyzerEksPodRole;
     private final Role perfCollectorEksPodRole;
     private final Role pyroscopeEksPodRole;
+    private final Role grafanaCloudwatchPodRole;
 
     public static class PerfPlatformProps {
         private Bucket workshopBucket;
@@ -57,6 +59,7 @@ public PerfPlatform(final Construct scope, final String id, final PerfPlatformPr
         this.perfAnalyzerEksPodRole = createAnalyzerEksPodRole(props);
         this.perfCollectorEksPodRole = createCollectorEksPodRole(props);
         this.pyroscopeEksPodRole = createPyroscopeEksPodRole(props);
+        this.grafanaCloudwatchPodRole = createGrafanaCloudwatchPodRole();
         grantProfilingWriteToUnicornEcsTaskRole(props);
     }
 
@@ -130,6 +133,44 @@ private Role createPyroscopeEksPodRole(PerfPlatformProps props) {
         return role;
     }
 
+    /**
+     * Grafana CloudWatch pod role.
+     * Trusts pods.eks.amazonaws.com (Pod Identity).
+     * Grants the Grafana ServiceAccount in the monitoring namespace read-only
+     * access to CloudWatch metrics so the perf-platform alert rule and the
+     * Latency Metrics dashboard can query ALB TargetResponseTime, RequestCount,
+     * and HTTPCode_Target_5XX_Count for whichever ALB(s) participants deploy
+     * during the workshop.
+     */
+    private Role createGrafanaCloudwatchPodRole() {
+        ServicePrincipal podsPrincipal = ServicePrincipal.Builder.create("pods.eks.amazonaws.com").build();
+
+        Role role = Role.Builder.create(this, "GrafanaCloudwatchPodRole")
+            .roleName("grafana-cloudwatch-pod-role")
+            .assumedBy(podsPrincipal)
+            .description("Role for Grafana to read CloudWatch metrics for the perf-platform Latency Metrics dashboard and ServiceLatency alert")
+            .build();
+
+        addTagSession(role);
+        // Standard CloudWatch read-only set used by Grafana's CloudWatch datasource.
+        role.addToPolicy(PolicyStatement.Builder.create()
+            .effect(Effect.ALLOW)
+            .actions(List.of(
+                "cloudwatch:GetMetricData",
+                "cloudwatch:GetMetricStatistics",
+                "cloudwatch:ListMetrics",
+                "cloudwatch:DescribeAlarmsForMetric",
+                "cloudwatch:DescribeAlarmHistory",
+                "cloudwatch:DescribeAlarms",
+                "tag:GetResources",
+                "ec2:DescribeRegions",
+                "ec2:DescribeTags"
+            ))
+            .resources(List.of("*"))
+            .build());
+        return role;
+    }
+
     /**
      * Grant the Unicorn ECS task role permissions the perf-collector sidecar needs.
      * Attaches to the existing task role so the sidecar runs under the task's role
@@ -269,4 +310,8 @@ public Role getPerfCollectorEksPodRole() {
     public Role getPyroscopeEksPodRole() {
         return pyroscopeEksPodRole;
     }
+
+    public Role getGrafanaCloudwatchPodRole() {
+        return grafanaCloudwatchPodRole;
+    }
 }