These instructions will describe the steps to deploy the Lambda function to parse and report your Enhanced RDS metrics to SignalFx. You can choose to deploy the function either from the Serverless Application Repository (recommended) or from source. Choose a deployment method and follow the steps below to encrypt your SignalFx access token, customize the metrics that will be sent to SignalFx, and create and deploy the new function.

Before you begin, you must enable the Enhanced Monitoring option for the RDS instances you want to monitor using this integration. Click here for instructions on enabling Enhanced Monitoring.

• Deploying through the Serverless Application Repository
• Building from source
• Metrics collected by this integration

This Lambda function uses your SignalFx access token to send metrics to SignalFx, as an environment variable to the function. While Lambda encrypts all environment variables at rest and decrypts them upon invocation, AWS recommends that all sensitive information such as access tokens be encrypted using a KMS key before function deployment, and decrypted at runtime within the code.

Both procedures below include instructions for using either an encrypted or non-encrypted access token.

Only follow this step if you chose to manually encrypt your access token. Either create a new KMS encryption key or select a preexisting one. The key must be in the same availability zone as the RDS instances you are monitoring. You can create and manage encryption keys from IAM in the AWS management console. Documentation on KMS encryption from the CLI can be found here. Make sure you have access to the cipher text output by the encryption as well as the key id of the encryption key you used.

Click Create Function from the list of Lambda functions in your AWS console. Make sure you are in the intended availability zone. Select the Serverless Application Repository option in the upper right hand corner. Search for signalfx rds and choose the appropriate entry based on whether you encrypted your access token.

To access the templates directly, find the template for encrypted access tokens here. The template for non-encrypted access tokens is here.

Under Configure application parameters, choose a name for your function, and fill out the fields accordingly.

Parameters for template using encrypted access tokens

• EncryptedSignalFxAuthToken: The Ciphertext blob output from your encryption of your SignalFx organization's access token
• KeyId: The key id of your KMS encryption key; it is the last section of the key's ARN.
• SelectedMetricGroups: The metric groups you wish to send. Enter All if you want all available metrics. Otherwise, list the names of desired metric groups, spelled exactly as they are below, separated by single spaces. See Metrics collected by this integration for options.

Parameters for template using non-encrypted access tokens

• SignalFxAuthToken: Your SignalFx organization's access token
• SelectedMetricGroups: The metric groups you wish to send. Enter All if you want all available metrics. Otherwise, list the names of desired metric groups, spelled exactly as they are below, separated by single spaces. See Metrics collected by this integration for options.

Click Deploy. Once the function has finished deploying, navigate to the function's main page.

Under the Configuration tab, scroll through the list on the left and select CloudWatch Logs as the source of the trigger. Below there will be specific configurations for the trigger.

• Select RDSOSMetrics as the log group.
• Choose an appropriate name for the filter, and leave the filter pattern blank.
• Make sure the Enabled switch is activated.

Click Add, then click Save in the upper right corner.

That's it! Your metrics are on the way to SignalFx ingest!

The execution role just needs basic Lambda execution permissions and KMS decrypt permissions (if you wish to encrypt your SignalFx access token). If you don't want to create one, you can select from a list of templates when you create the lambda function.

Only follow this step if you chose to encrypt your access token. Either create a new KMS encryption key or select a preexisting one. The key must be in the same availability zone as the RDS instances you are monitoring. You can create and manage encryption keys from IAM in the AWS management console. Documentation on KMS encryption from the CLI can be found here. Make sure you have access to the cipher text output by the encryption as well as the key id of the encryption key you used.

You can find the repo here. Once you have cloned the repo:

$ cd enhanced-rds-monitoring
$ ./build.sh

The package will be named enhanced_rds.zip. This will be the file to upload for the Lambda.

From the Lambda creation screen, make sure you have selected Build from scratch. Select a name for your function. For Runtime select Python2.7. For the execution role, either select the role you wish to use or select Create from Template and add KMS decrypt permissions if need be. You will also need to choose a name for the role.

For subsequent tabs, follow the instructions below.

The only thing to be done here is set up the trigger from CloudWatch Logs. Select CloudWatch Logs from the list on the left. Below, a section labelled Configure triggers will appear. For the Log group field, select RDSOSMetrics. You must also choose a filter name, but leave the filter pattern blank. You can disable the trigger to start if you wish (though you will need to manually enable it later to start sending metrics), then click Add.

Once the function is created you can change the configurations. Upload the ZIP file containing the deployment package. Change the text in Handler to be lambda_script.lambda_handler.

First create an environment variable called groups. This will store the list of metric groups to be reported. To report all available metrics, enter All. Otherwise, list the names of desired metric groups, spelled exactly as above, separated by single spaces.

Next create a variable to store your SignalFx access token. Create a field called encrypted_access_token to store an encrypted SignalFx access token, or simply access_token to store an unencrypted token. Paste your access token into the value field.

If you use encrypted_access_token, follow the steps below to encrypt it:

• Under Encryption configuration, check the box to Enable helpers for encryption in transit. A new field will appear labelled KMS key to encrypt in transit.
• Select the encryption key you wish to use from the dropdown. A button labelled Encrypt will appear next to your environment variables.
• Click the Encrypt button next to encrypted_access_token once. The value will be replaced by a Ciphertext blob.

Under basic settings, set Timeout to 0 min 5 sec.

Click Save, and once the trigger is enabled, your function will start sending your metrics to SignalFx!

The following metric groups are collected by this integration. To collect all of them, use All at configuration time. To select a subset, choose metric groups by name. You can find documentation on the available metrics here.

Metric Groups (except for SQLServer)

• cpuUtilization
• diskIO
• fileSys
• loadAverageMinute
• memory
• network
• swap
• tasks
• OSprocesses*
• RDSprocesses*

SQLServer Metric Groups

• cpuUtilization
• disks
• memory
• network
• system
• OSprocesses*
• RDSprocesses*

* Process-based metric group added by SignalFx, does not appear in AWS documentation.