

Merge pull request #156 from cds-snc/feature/extract-sns-definition-i…
…nto-separated-module

Extracted SNS topic definition to its own module because it will be r…
craigzour authored Dec 17, 2021
2 parents 6382373 + 0356873 commit ce994fd
Showing 17 changed files with 335 additions and 83 deletions.
2 changes: 1 addition & 1 deletion .devcontainer/Dockerfile
Expand Up @@ -8,7 +8,7 @@ ARG TERRAGRUNT_VERSION

# Install packages
RUN apt-get update && export DEBIAN_FRONTEND=noninteractive \
&& apt-get -y install --no-install-recommends awscli ca-certificates curl git gnupg2 jq make nodejs npm openssh-client python3-pip vim zsh \
&& apt-get -y install --no-install-recommends awscli build-essential ca-certificates curl git gnupg2 jq libffi-dev make nodejs npm openssh-client python3-dev python3-pip vim zsh \
&& apt-get autoremove -y && apt-get clean -y

# Install yarn
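Review bot: The longer RUN line, which the 1 addition / 1 deletion count suggests is the new side, adds build-essential, libffi-dev and python3-dev to the devcontainer without the commit saying which native Python build needs them, and the PR title is about extracting the SNS module rather than tooling. A one-line comment above the RUN such as `# build-essential/libffi-dev/python3-dev: needed to build native wheels for <tool-name>` (with the real consumer named) would keep the reason next to the change. Since the layer still ends with `apt-get clean -y` only, extending that line to `&& apt-get autoremove -y && apt-get clean -y && rm -rf /var/lib/apt/lists/*` would keep the package index files out of the image, though that part is pre-existing.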
8 changes: 8 additions & 0 deletions .github/workflows/terragrunt-apply-production.yml
Expand Up @@ -95,6 +95,9 @@ jobs:
redis:
- 'aws/redis/**'
- 'env/production/redis/**'
sns:
- 'aws/sns/**'
- 'env/production/sns/**'
sqs:
- 'aws/sqs/**'
- 'env/production/sqs/**'
Expand All @@ -120,6 +123,11 @@ jobs:
working-directory: env/production/sqs
run: terragrunt apply --terragrunt-non-interactive -auto-approve

- name: Terragrunt apply sns
if: ${{ steps.filter.outputs.sns == 'true' || steps.filter.outputs.common == 'true' }}
working-directory: env/production/sns
run: terragrunt apply --terragrunt-non-interactive -auto-approve

# Depends on kms
- name: Terragrunt apply network
if: ${{ steps.filter.outputs.network == 'true' || steps.filter.outputs.common == 'true' }}
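Review bot: The new `Terragrunt apply sns` step is placed after sqs and just before the network step whose comment reads `# Depends on kms`, but nothing records where sns itself sits in the dependency chain. The same commit removes the `kms_key_cloudwatch_arn` inputs ("used by SNS topics") from aws/alarms, which suggests the new sns module needs the kms apply to have run first, and aws/alarms now consumes the sns topic ARNs, so the alarms apply should come after sns; the alarms step is outside this hunk, so confirm the order there. Adding `# Depends on kms` above the step, matching the network step's style, would make the ordering constraint explicit. The identical step in .github/workflows/terragrunt-apply-staging.yml has the same gap.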
8 changes: 8 additions & 0 deletions .github/workflows/terragrunt-apply-staging.yml
Expand Up @@ -87,6 +87,9 @@ jobs:
redis:
- 'aws/redis/**'
- 'env/staging/redis/**'
sns:
- 'aws/sns/**'
- 'env/staging/sns/**'
sqs:
- 'aws/sqs/**'
- 'env/staging/sqs/**'
Expand All @@ -112,6 +115,11 @@ jobs:
working-directory: env/staging/sqs
run: terragrunt apply --terragrunt-non-interactive -auto-approve

- name: Terragrunt apply sns
if: ${{ steps.filter.outputs.sns == 'true' || steps.filter.outputs.common == 'true' }}
working-directory: env/staging/sns
run: terragrunt apply --terragrunt-non-interactive -auto-approve

# Depends on kms
- name: Terragrunt apply network
if: ${{ steps.filter.outputs.network == 'true' || steps.filter.outputs.common == 'true' }}
13 changes: 13 additions & 0 deletions .github/workflows/terragrunt-plan-production.yml
Expand Up @@ -113,6 +113,9 @@ jobs:
redis:
- 'aws/redis/**'
- 'env/production/redis/**'
sns:
- 'aws/sns/**'
- 'env/production/sns/**'
sqs:
- 'aws/sqs/**'
- 'env/production/sqs/**'
Expand Down Expand Up @@ -158,6 +161,16 @@ jobs:
github-token: "${{ secrets.GITHUB_TOKEN }}"
terragrunt: "true"

- name: Terragrunt plan sns
if: ${{ steps.filter.outputs.sns == 'true' || steps.filter.outputs.common == 'true' }}
uses: cds-snc/terraform-plan@v2
with:
directory: "env/production/sns"
comment-delete: "true"
comment-title: "Production: sns"
github-token: "${{ secrets.GITHUB_TOKEN }}"
terragrunt: "true"

# Depends on kms
- name: Terragrunt plan network
if: ${{ steps.filter.outputs.network == 'true' || steps.filter.outputs.common == 'true' }}
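Review bot: `uses: cds-snc/terraform-plan@v2` in the new sns plan step references a mutable tag, so the action code that runs with `secrets.GITHUB_TOKEN` can change without any commit in this repository; pinning to a full commit SHA with the version kept as a trailing comment, e.g. `uses: cds-snc/terraform-plan@<full-commit-sha> # v2`, makes updates reviewable. The neighbouring steps appear to use the same tag, so this is likely a file-wide convention best changed in one pass rather than only here. The same step is added in .github/workflows/terragrunt-plan-staging.yml.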
13 changes: 13 additions & 0 deletions .github/workflows/terragrunt-plan-staging.yml
Expand Up @@ -96,6 +96,9 @@ jobs:
redis:
- 'aws/redis/**'
- 'env/staging/redis/**'
sns:
- 'aws/sns/**'
- 'env/staging/sns/**'
sqs:
- 'aws/sqs/**'
- 'env/staging/sqs/**'
Expand Down Expand Up @@ -141,6 +144,16 @@ jobs:
github-token: "${{ secrets.GITHUB_TOKEN }}"
terragrunt: "true"

- name: Terragrunt plan sns
if: ${{ steps.filter.outputs.sns == 'true' || steps.filter.outputs.common == 'true' }}
uses: cds-snc/terraform-plan@v2
with:
directory: "env/staging/sns"
comment-delete: "true"
comment-title: "Staging: sns"
github-token: "${{ secrets.GITHUB_TOKEN }}"
terragrunt: "true"

# Depends on kms
- name: Terragrunt plan network
if: ${{ steps.filter.outputs.network == 'true' || steps.filter.outputs.common == 'true' }}
32 changes: 16 additions & 16 deletions aws/alarms/cloudwatch.tf
Expand Up @@ -12,8 +12,8 @@ resource "aws_cloudwatch_metric_alarm" "forms_cpu_utilization_high_warn" {
threshold = var.threshold_ecs_cpu_utilization_high
alarm_description = "End User Forms Warning - High CPU usage has been detected."

alarm_actions = [aws_sns_topic.alert_warning.arn]
ok_actions = [aws_sns_topic.alert_ok.arn]
alarm_actions = [var.sns_topic_alert_warning_arn]
ok_actions = [var.sns_topic_alert_ok_arn]
dimensions = {
ClusterName = var.ecs_cluster_name
ServiceName = var.ecs_service_name
Expand All @@ -36,8 +36,8 @@ resource "aws_cloudwatch_metric_alarm" "forms_memory_utilization_high_warn" {
threshold = var.threshold_ecs_memory_utilization_high
alarm_description = "End User Forms Warning - High memory usage has been detected."

alarm_actions = [aws_sns_topic.alert_warning.arn]
ok_actions = [aws_sns_topic.alert_ok.arn]
alarm_actions = [var.sns_topic_alert_warning_arn]
ok_actions = [var.sns_topic_alert_ok_arn]

dimensions = {
ClusterName = var.ecs_cluster_name
Expand Down Expand Up @@ -78,7 +78,7 @@ resource "aws_cloudwatch_metric_alarm" "five_hundred_response_warn" {
treat_missing_data = "notBreaching"
alarm_description = "End User Forms Warning - A 5xx HTML error was detected coming from the Forms."

alarm_actions = [aws_sns_topic.alert_warning.arn]
alarm_actions = [var.sns_topic_alert_warning_arn]

tags = {
(var.billing_tag_key) = var.billing_tag_value
Expand Down Expand Up @@ -111,7 +111,7 @@ resource "aws_cloudwatch_metric_alarm" "application_error_warn" {
treat_missing_data = "notBreaching"
alarm_description = "End User Forms Warning - An error message was detected in the ECS logs"

alarm_actions = [aws_sns_topic.alert_warning.arn]
alarm_actions = [var.sns_topic_alert_warning_arn]

tags = {
(var.billing_tag_key) = var.billing_tag_value
Expand All @@ -135,7 +135,7 @@ resource "aws_cloudwatch_metric_alarm" "forms_dead_letter_queue_warn" {
treat_missing_data = "notBreaching"
alarm_description = "End User Forms Warning - A message has been sent to the Dead Letter Queue."

alarm_actions = [aws_sns_topic.alert_warning.arn]
alarm_actions = [var.sns_topic_alert_warning_arn]
dimensions = {
QueueName = var.sqs_deadletter_queue_arn
}
Expand All @@ -157,8 +157,8 @@ resource "aws_cloudwatch_metric_alarm" "response_time_warn" {
threshold = var.threshold_lb_response_time
alarm_description = "End User Forms Warning - The latency of response times from the forms are abnormally high."
treat_missing_data = "notBreaching"
alarm_actions = [aws_sns_topic.alert_warning.arn]
ok_actions = [aws_sns_topic.alert_ok.arn]
alarm_actions = [var.sns_topic_alert_warning_arn]
ok_actions = [var.sns_topic_alert_ok_arn]


metric_query {
Expand Down Expand Up @@ -195,7 +195,7 @@ resource "aws_cloudwatch_metric_alarm" "ddos_detected_forms_warn" {
threshold = "0"
alarm_description = "End User Forms Warning - AWS has detected a DDOS attack on the End User Forms's Load Balancer"

alarm_actions = [aws_sns_topic.alert_warning.arn]
alarm_actions = [var.sns_topic_alert_warning_arn]

dimensions = {
ResourceArn = var.lb_arn
Expand All @@ -219,7 +219,7 @@ resource "aws_cloudwatch_metric_alarm" "ddos_detected_route53_warn" {
threshold = "0"
alarm_description = "End User Forms Warning - AWS has detected a DDOS attack on the End User Forms's DNS Server"

alarm_actions = [aws_sns_topic.alert_warning.arn]
alarm_actions = [var.sns_topic_alert_warning_arn]

dimensions = {
ResourceArn = "arn:aws:route53:::hostedzone/${var.hosted_zone_id}"
Expand All @@ -237,7 +237,7 @@ resource "aws_cloudwatch_metric_alarm" "ddos_detected_route53_warn" {
resource "aws_cloudwatch_event_target" "codedeploy_sns" {
target_id = "CodeDeploy_SNS"
rule = aws_cloudwatch_event_rule.codedeploy_sns.name
arn = aws_sns_topic.alert_warning.arn
arn = var.sns_topic_alert_warning_arn

input_transformer {
input_paths = {
Expand Down Expand Up @@ -284,8 +284,8 @@ resource "aws_cloudwatch_metric_alarm" "alb_ddos" {
treat_missing_data = "notBreaching"

alarm_description = "DDoS detection for ALB"
alarm_actions = [aws_sns_topic.alert_warning.arn]
ok_actions = [aws_sns_topic.alert_ok.arn]
alarm_actions = [var.sns_topic_alert_warning_arn]
ok_actions = [var.sns_topic_alert_ok_arn]

dimensions = {
ResourceArn = var.lb_arn
Expand All @@ -306,8 +306,8 @@ resource "aws_cloudwatch_metric_alarm" "route53_ddos" {
treat_missing_data = "notBreaching"

alarm_description = "DDoS detection for Route53"
alarm_actions = [aws_sns_topic.alert_warning_us_east.arn]
ok_actions = [aws_sns_topic.alert_ok_us_east.arn]
alarm_actions = [var.sns_topic_alert_warning_us_east_arn]
ok_actions = [var.sns_topic_alert_ok_us_east_arn]

dimensions = {
ResourceArn = "arn:aws:route53:::hostedzone/${var.hosted_zone_id}"
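Review bot: Every alarm and the `codedeploy_sns` event target now take their topic ARN from a variable, so the SNS topic resource policy that lets `events.amazonaws.com` call `sns:Publish` on the warning topic has to live in the new sns module; it is not visible in this commit, and an EventBridge target without that policy drops events silently, so confirm it moved along with the topics. While here, `QueueName = var.sqs_deadletter_queue_arn` in `forms_dead_letter_queue_warn` passes what its name says is an ARN as the SQS `QueueName` dimension, which expects the bare queue name; together with `treat_missing_data = "notBreaching"` the DLQ alarm would then never fire. That line is unchanged context and the variable may simply be misnamed, so check what it actually holds before changing it.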
35 changes: 25 additions & 10 deletions aws/alarms/inputs.tf
Expand Up @@ -18,16 +18,6 @@ variable "hosted_zone_id" {
type = string
}

variable "kms_key_cloudwatch_arn" {
description = "CloudWatch KMS key ARN, used by SNS topics"
type = string
}

variable "kms_key_cloudwatch_us_east_arn" {
description = "CloudWatch KMS key ARN in us-east-1, used by SNS topics"
type = string
}

variable "lb_arn" {
description = "Load balancer ARN, used by DDoS alarms"
type = string
Expand Down Expand Up @@ -63,3 +53,28 @@ variable "threshold_lb_response_time" {
description = "Load balancer response time, in seconds, above which an alarm is triggered (10 minute period)"
type = string
}

variable "sns_topic_alert_critical_arn" {
description = "SNS topic ARN that critical alerts are sent to"
type = string
}

variable "sns_topic_alert_warning_arn" {
description = "SNS topic ARN that warning alerts are sent to"
type = string
}

variable "sns_topic_alert_ok_arn" {
description = "SNS topic ARN that ok alerts are sent to"
type = string
}

variable "sns_topic_alert_warning_us_east_arn" {
description = "SNS topic ARN that warning alerts are sent to (US East)"
type = string
}

variable "sns_topic_alert_ok_us_east_arn" {
description = "SNS topic ARN that ok alerts are sent to (US East)"
type = string
}
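Review bot: The five `sns_topic_*` variables are appended after `threshold_lb_response_time`, whereas the part of the file visible here (`hosted_zone_id`, `kms_key_*`, `lb_arn`, `threshold_*`) looks alphabetically ordered; moving them between `lb_arn` and the `threshold_*` group would keep that convention, assuming the unseen middle of the file follows it too. The descriptions of the two `_us_east_` variables could also say why a second region exists, e.g. `description = "SNS topic ARN that warning alerts are sent to (us-east-1, used by the route53_ddos alarm)"`, since cloudwatch.tf is the only consumer shown.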
16 changes: 12 additions & 4 deletions aws/alarms/lambda.tf
Expand Up @@ -38,36 +38,44 @@ resource "aws_lambda_function" "notify_slack_sns" {
#
# Allow SNS to invoke Lambda function
#
resource "aws_lambda_permission" "notify_slack_critical" {
statement_id = "AllowExecutionFromSNSCriticalAlert"
action = "lambda:InvokeFunction"
function_name = aws_lambda_function.notify_slack_sns.function_name
principal = "sns.amazonaws.com"
source_arn = var.sns_topic_alert_critical_arn
}

resource "aws_lambda_permission" "notify_slack_warning" {
statement_id = "AllowExecutionFromSNSWarningAlert"
action = "lambda:InvokeFunction"
function_name = aws_lambda_function.notify_slack_sns.function_name
principal = "sns.amazonaws.com"
source_arn = aws_sns_topic.alert_warning.arn
source_arn = var.sns_topic_alert_warning_arn
}

resource "aws_lambda_permission" "notify_slack_ok" {
statement_id = "AllowExecutionFromSNSOkAlert"
action = "lambda:InvokeFunction"
function_name = aws_lambda_function.notify_slack_sns.function_name
principal = "sns.amazonaws.com"
source_arn = aws_sns_topic.alert_ok.arn
source_arn = var.sns_topic_alert_ok_arn
}

resource "aws_lambda_permission" "notify_slack_warning_us_east" {
statement_id = "AllowExecutionFromSNSWarningAlertUSEast"
action = "lambda:InvokeFunction"
function_name = aws_lambda_function.notify_slack_sns.function_name
principal = "sns.amazonaws.com"
source_arn = aws_sns_topic.alert_warning_us_east.arn
source_arn = var.sns_topic_alert_warning_us_east_arn
}

resource "aws_lambda_permission" "notify_slack_ok_us_east" {
statement_id = "AllowExecutionFromSNSOkAlertUSEast"
action = "lambda:InvokeFunction"
function_name = aws_lambda_function.notify_slack_sns.function_name
principal = "sns.amazonaws.com"
source_arn = aws_sns_topic.alert_ok_us_east.arn
source_arn = var.sns_topic_alert_ok_us_east_arn
}

#
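Review bot: The new `notify_slack_critical` permission lets the critical topic invoke `notify_slack_sns`, but the `aws_sns_topic_subscription` that actually wires that topic to the function is not part of this commit; if it is meant to live in the new aws/sns module, confirm it is created there with `protocol = "lambda"` and this function's ARN, otherwise critical alerts reach the topic and stop. A comment above the resource such as `# The lambda subscription for this topic is defined in aws/sns` would record where to look, and the same holds for the four existing permissions now driven by variables. The hunk opens on the comment block above `notify_slack_critical` and closes at the start of the next comment block, so any subscription defined further down this file is not visible here.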

