Attach Cloudwatch to Sagemaker Endpoint Deployment

Hi,
I am currently trying to deploy a SageMaker endpoint to AWS with Terraform, and I want the endpoint's logs to go to CloudWatch. I have the code needed to deploy the endpoint, as shown below, but I don’t fully understand which resources are required to enable logging to CloudWatch. Any help would be much appreciated! :slight_smile:

# Real-time inference endpoint serving the variants declared in knn_config.
# Container logs need no extra Terraform resource: SageMaker sends the
# container's stdout/stderr to the CloudWatch Logs group
# /aws/sagemaker/Endpoints/<endpoint name>, provided the model's execution
# role is allowed to create log streams and put log events.
resource "aws_sagemaker_endpoint" "knn-endpoint" {
  endpoint_config_name = aws_sagemaker_endpoint_configuration.knn_config.name
  name                 = "knn-endpoint"

  tags = { Name = "foo" }
}

# Endpoint configuration: one production variant backed by knn_model,
# running on a single ml.t2.medium instance.
resource "aws_sagemaker_endpoint_configuration" "knn_config" {
  name = "knn-endpoint-config"

  tags = { Name = "foo" }

  production_variants {
    model_name             = aws_sagemaker_model.knn_model.name
    variant_name           = "variant-1"
    instance_type          = "ml.t2.medium"
    initial_instance_count = 1
  }
}

# Model definition: the inference container image plus the IAM role SageMaker
# assumes to pull that image and to write the endpoint's logs.
resource "aws_sagemaker_model" "knn_model" {
  execution_role_arn = aws_iam_role.example.arn
  name               = "knn-model"

  primary_container {
    # NOTE(review): ":latest" is a mutable tag, so the image that actually runs
    # can change without any Terraform diff. Pinning an immutable tag or an
    # image digest makes a deployment reproducible and auditable.
    image = "<account_number>.dkr.ecr.eu-central-1.amazonaws.com/knn_scaler:latest"
  }
}

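# Execution role assumed by SageMaker for knn_model. It needs two things for
# this deployment: read access to the ECR image, and write access to the
# CloudWatch Logs group the endpoint logs to.
#
# NOTE(review): the earlier policy granted "sagemaker:*" and "ecr:*" on every
# resource and no "logs:*" action at all. That is far more than hosting a
# container needs (it allows deleting repositories, creating or deleting any
# SageMaker resource, ...) while still leaving the endpoint unable to write
# logs. Re-add an individual action only if the container code really calls it.
resource "aws_iam_role" "example" {
  assume_role_policy = data.aws_iam_policy_document.assume_role.json

  inline_policy {
    name = "sagemaker-permissions"

    policy = jsonencode({
      Version = "2012-10-17"
      Statement = [
        {
          # Pull-only ECR access. ecr:GetAuthorizationToken does not support
          # resource-level scoping; the other three actions can be narrowed to
          # the knn_scaler repository ARN once the account id is known.
          Sid    = "PullModelImage"
          Effect = "Allow"
          Action = [
            "ecr:GetAuthorizationToken",
            "ecr:BatchCheckLayerAvailability",
            "ecr:GetDownloadUrlForLayer",
            "ecr:BatchGetImage",
          ]
          Resource = "*"
        },
        {
          # Lets the endpoint create its log group and streams under
          # /aws/sagemaker/ and write events to them. To control retention or
          # encryption, the group /aws/sagemaker/Endpoints/knn-endpoint can
          # instead be declared with an aws_cloudwatch_log_group resource.
          Sid    = "WriteEndpointLogs"
          Effect = "Allow"
          Action = [
            "logs:CreateLogGroup",
            "logs:CreateLogStream",
            "logs:DescribeLogStreams",
            "logs:PutLogEvents",
          ]
          Resource = "arn:aws:logs:*:*:log-group:/aws/sagemaker/*"
        },
      ]
    })
  }
}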

# Trust policy: only the SageMaker service principal may assume the role.
data "aws_iam_policy_document" "assume_role" {
  statement {
    principals {
      identifiers = ["sagemaker.amazonaws.com"]
      type        = "Service"
    }

    actions = ["sts:AssumeRole"]
  }
}