From 5a01721ed52448992e1de632b7ee34c1780099c4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Cle=CC=81ment=20Janin?=
Date: Thu, 16 Dec 2021 14:44:33 -0500
Subject: [PATCH 1/3] Extracted SNS topic definition to its own module because it will be required by the app module for an upcoming feature
---
 .../workflows/terragrunt-apply-production.yml | 8 +++
 .../workflows/terragrunt-apply-staging.yml | 8 +++
 .../workflows/terragrunt-plan-production.yml | 13 ++++
 .github/workflows/terragrunt-plan-staging.yml | 13 ++++
 aws/alarms/cloudwatch.tf | 32 ++++-----
 aws/alarms/inputs.tf | 35 +++++++---
 aws/alarms/lambda.tf | 16 +++-
 aws/alarms/sns.tf | 67 +++++-------------
 aws/sns/inputs.tf | 9 +++
 aws/sns/outputs.tf | 24 +++++++
 aws/sns/sns.tf | 53 +++++++++++++++
 env/production/alarms/terragrunt.hcl | 22 +++++-
 env/production/sns/terragrunt.hcl | 27 ++++++++
 env/staging/alarms/terragrunt.hcl | 22 +++++-
 env/staging/sns/terragrunt.hcl | 27 ++++++++
 15 files changed, 294 insertions(+), 82 deletions(-)
 create mode 100644 aws/sns/inputs.tf
 create mode 100644 aws/sns/outputs.tf
 create mode 100644 aws/sns/sns.tf
 create mode 100644 env/production/sns/terragrunt.hcl
 create mode 100644 env/staging/sns/terragrunt.hcl
diff --git a/.github/workflows/terragrunt-apply-production.yml b/.github/workflows/terragrunt-apply-production.yml
index e1c74c771..63f570b5e 100644
--- a/.github/workflows/terragrunt-apply-production.yml
+++ b/.github/workflows/terragrunt-apply-production.yml
@@ -95,6 +95,9 @@ jobs: redis: - 'aws/redis/**' - 'env/production/redis/**' + sns: + - 'aws/sns/**' + - 'env/production/sns/**' sqs: - 'aws/sqs/**' - 'env/production/sqs/**'
@@ -120,6 +123,11 @@ jobs: working-directory: env/production/sqs run: terragrunt apply --terragrunt-non-interactive -auto-approve + - name: Terragrunt apply sns + if: ${{ steps.filter.outputs.sns == 'true' || steps.filter.outputs.common == 'true' }} + working-directory: env/production/sns + run: terragrunt apply --terragrunt-non-interactive -auto-approve + # Depends on kms - name: Terragrunt apply network if: ${{ steps.filter.outputs.network == 'true' || steps.filter.outputs.common == 'true' }} diff --git a/.github/workflows/terragrunt-apply-staging.yml b/.github/workflows/terragrunt-apply-staging.yml index 7179f34ac..49d21e513 100644 --- a/.github/workflows/terragrunt-apply-staging.yml +++ b/.github/workflows/terragrunt-apply-staging.yml @@ -87,6 +87,9 @@ jobs: redis: - 'aws/redis/**' - 'env/staging/redis/**' + sns: + - 'aws/sns/**' + - 'env/staging/sns/**' sqs: - 'aws/sqs/**' - 'env/staging/sqs/**' @@ -112,6 +115,11 @@ jobs: working-directory: env/staging/sqs run: terragrunt apply --terragrunt-non-interactive -auto-approve + - name: Terragrunt apply sns + if: ${{ steps.filter.outputs.sns == 'true' || steps.filter.outputs.common == 'true' }} + working-directory: env/staging/sns + run: terragrunt apply --terragrunt-non-interactive -auto-approve + # Depends on kms - name: Terragrunt apply network if: ${{ steps.filter.outputs.network == 'true' || steps.filter.outputs.common == 'true' }} diff --git a/.github/workflows/terragrunt-plan-production.yml b/.github/workflows/terragrunt-plan-production.yml index 9ee701d58..194f00bc3 100644 --- a/.github/workflows/terragrunt-plan-production.yml +++ b/.github/workflows/terragrunt-plan-production.yml @@ -113,6 +113,9 @@ jobs: redis: - 'aws/redis/**' - 'env/production/redis/**' + sns: + - 'aws/sns/**' + - 'env/production/sns/**' sqs: - 'aws/sqs/**' - 'env/production/sqs/**' 
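Review bot: The new `Terragrunt apply sns` step is placed after sqs and before network, but nothing in this hunk orders it before the alarms apply step, which is outside the hunk and now consumes `dependency.sns.outputs.*` (see env/production/alarms/terragrunt.hcl later in this patch); on the first rollout an alarms apply that runs before this step cannot resolve the topic ARNs, since `mock_outputs_allowed_terraform_commands` does not include `apply`. The alarms path filter (not visible here) should presumably also list `aws/sns/**` and `env/production/sns/**`, otherwise a change that re-creates a topic does not re-run alarms and its subscriptions and topic policies go stale. The same ordering question applies to the staging apply hunk `@@ -112,6 +115,11 @@` and to the two plan workflows. A `# Depends on kms` comment above the new step, matching the one kept for network, would document why it sits after the kms step.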
@@ -158,6 +161,16 @@ jobs: github-token: "${{ secrets.GITHUB_TOKEN }}" terragrunt: "true" + - name: Terragrunt plan sns + if: ${{ steps.filter.outputs.sns == 'true' || steps.filter.outputs.common == 'true' }} + uses: cds-snc/terraform-plan@v2 + with: + directory: "env/production/sns" + comment-delete: "true" + comment-title: "Production: sns" + github-token: "${{ secrets.GITHUB_TOKEN }}" + terragrunt: "true" + # Depends on kms - name: Terragrunt plan network if: ${{ steps.filter.outputs.network == 'true' || steps.filter.outputs.common == 'true' }} diff --git a/.github/workflows/terragrunt-plan-staging.yml b/.github/workflows/terragrunt-plan-staging.yml index 3124c791a..49b507465 100644 --- a/.github/workflows/terragrunt-plan-staging.yml +++ b/.github/workflows/terragrunt-plan-staging.yml @@ -96,6 +96,9 @@ jobs: redis: - 'aws/redis/**' - 'env/staging/redis/**' + sns: + - 'aws/sns/**' + - 'env/staging/sns/**' sqs: - 'aws/sqs/**' - 'env/staging/sqs/**' @@ -141,6 +144,16 @@ jobs: github-token: "${{ secrets.GITHUB_TOKEN }}" terragrunt: "true" + - name: Terragrunt plan sns + if: ${{ steps.filter.outputs.sns == 'true' || steps.filter.outputs.common == 'true' }} + uses: cds-snc/terraform-plan@v2 + with: + directory: "env/staging/sns" + comment-delete: "true" + comment-title: "Staging: sns" + github-token: "${{ secrets.GITHUB_TOKEN }}" + terragrunt: "true" + # Depends on kms - name: Terragrunt plan network if: ${{ steps.filter.outputs.network == 'true' || steps.filter.outputs.common == 'true' }} diff --git a/aws/alarms/cloudwatch.tf b/aws/alarms/cloudwatch.tf index ea29d2ca6..b418bdf7f 100644 --- a/aws/alarms/cloudwatch.tf +++ b/aws/alarms/cloudwatch.tf 
@@ -12,8 +12,8 @@ resource "aws_cloudwatch_metric_alarm" "forms_cpu_utilization_high_warn" { threshold = var.threshold_ecs_cpu_utilization_high alarm_description = "End User Forms Warning - High CPU usage has been detected." - alarm_actions = [aws_sns_topic.alert_warning.arn] - ok_actions = [aws_sns_topic.alert_ok.arn] + alarm_actions = [var.sns_topic_alert_warning_arn] + ok_actions = [var.sns_topic_alert_ok_arn] dimensions = { ClusterName = var.ecs_cluster_name ServiceName = var.ecs_service_name @@ -36,8 +36,8 @@ resource "aws_cloudwatch_metric_alarm" "forms_memory_utilization_high_warn" { threshold = var.threshold_ecs_memory_utilization_high alarm_description = "End User Forms Warning - High memory usage has been detected." - alarm_actions = [aws_sns_topic.alert_warning.arn] - ok_actions = [aws_sns_topic.alert_ok.arn] + alarm_actions = [var.sns_topic_alert_warning_arn] + ok_actions = [var.sns_topic_alert_ok_arn] dimensions = { ClusterName = var.ecs_cluster_name @@ -78,7 +78,7 @@ resource "aws_cloudwatch_metric_alarm" "five_hundred_response_warn" { treat_missing_data = "notBreaching" alarm_description = "End User Forms Warning - A 5xx HTML error was detected coming from the Forms." - alarm_actions = [aws_sns_topic.alert_warning.arn] + alarm_actions = [var.sns_topic_alert_warning_arn] tags = { (var.billing_tag_key) = var.billing_tag_value @@ -111,7 +111,7 @@ resource "aws_cloudwatch_metric_alarm" "application_error_warn" { treat_missing_data = "notBreaching" alarm_description = "End User Forms Warning - An error message was detected in the ECS logs" - alarm_actions = [aws_sns_topic.alert_warning.arn] + alarm_actions = [var.sns_topic_alert_warning_arn] tags = { (var.billing_tag_key) = var.billing_tag_value 
@@ -135,7 +135,7 @@ resource "aws_cloudwatch_metric_alarm" "forms_dead_letter_queue_warn" { treat_missing_data = "notBreaching" alarm_description = "End User Forms Warning - A message has been sent to the Dead Letter Queue." - alarm_actions = [aws_sns_topic.alert_warning.arn] + alarm_actions = [var.sns_topic_alert_warning_arn] dimensions = { QueueName = var.sqs_deadletter_queue_arn } @@ -157,8 +157,8 @@ resource "aws_cloudwatch_metric_alarm" "response_time_warn" { threshold = var.threshold_lb_response_time alarm_description = "End User Forms Warning - The latency of response times from the forms are abnormally high." treat_missing_data = "notBreaching" - alarm_actions = [aws_sns_topic.alert_warning.arn] - ok_actions = [aws_sns_topic.alert_ok.arn] + alarm_actions = [var.sns_topic_alert_warning_arn] + ok_actions = [var.sns_topic_alert_ok_arn] metric_query { @@ -195,7 +195,7 @@ resource "aws_cloudwatch_metric_alarm" "ddos_detected_forms_warn" { threshold = "0" alarm_description = "End User Forms Warning - AWS has detected a DDOS attack on the End User Forms's Load Balancer" - alarm_actions = [aws_sns_topic.alert_warning.arn] + alarm_actions = [var.sns_topic_alert_warning_arn] dimensions = { ResourceArn = var.lb_arn @@ -219,7 +219,7 @@ resource "aws_cloudwatch_metric_alarm" "ddos_detected_route53_warn" { threshold = "0" alarm_description = "End User Forms Warning - AWS has detected a DDOS attack on the End User Forms's DNS Server" - alarm_actions = [aws_sns_topic.alert_warning.arn] + alarm_actions = [var.sns_topic_alert_warning_arn] dimensions = { ResourceArn = "arn:aws:route53:::hostedzone/${var.hosted_zone_id}" @@ -237,7 +237,7 @@ resource "aws_cloudwatch_metric_alarm" "ddos_detected_route53_warn" { resource "aws_cloudwatch_event_target" "codedeploy_sns" { target_id = "CodeDeploy_SNS" rule = aws_cloudwatch_event_rule.codedeploy_sns.name - arn = aws_sns_topic.alert_warning.arn + arn = var.sns_topic_alert_warning_arn input_transformer { input_paths = { 
@@ -284,8 +284,8 @@ resource "aws_cloudwatch_metric_alarm" "alb_ddos" { treat_missing_data = "notBreaching" alarm_description = "DDoS detection for ALB" - alarm_actions = [aws_sns_topic.alert_warning.arn] - ok_actions = [aws_sns_topic.alert_ok.arn] + alarm_actions = [var.sns_topic_alert_warning_arn] + ok_actions = [var.sns_topic_alert_ok_arn] dimensions = { ResourceArn = var.lb_arn @@ -306,8 +306,8 @@ resource "aws_cloudwatch_metric_alarm" "route53_ddos" { treat_missing_data = "notBreaching" alarm_description = "DDoS detection for Route53" - alarm_actions = [aws_sns_topic.alert_warning_us_east.arn] - ok_actions = [aws_sns_topic.alert_ok_us_east.arn] + alarm_actions = [var.sns_topic_alert_warning_us_east_arn] + ok_actions = [var.sns_topic_alert_ok_us_east_arn] dimensions = { ResourceArn = "arn:aws:route53:::hostedzone/${var.hosted_zone_id}" diff --git a/aws/alarms/inputs.tf b/aws/alarms/inputs.tf index 9d14c227c..2b6fa4fc9 100644 --- a/aws/alarms/inputs.tf +++ b/aws/alarms/inputs.tf @@ -18,16 +18,6 @@ variable "hosted_zone_id" { type = string } -variable "kms_key_cloudwatch_arn" { - description = "CloudWatch KMS key ARN, used by SNS topics" - type = string -} - -variable "kms_key_cloudwatch_us_east_arn" { - description = "CloudWatch KMS key ARN in us-east-1, used by SNS topics" - type = string -} - variable "lb_arn" { description = "Load balancer ARN, used by DDoS alarms" type = string 
@@ -63,3 +53,28 @@ variable "threshold_lb_response_time" { description = "Load balancer response time, in seconds, above which an alarm is triggered (10 minute period)" type = string } + +variable "sns_topic_alert_critical_arn" { + description = "SNS topic ARN that critical alerts are sent to" + type = string +} + +variable "sns_topic_alert_warning_arn" { + description = "SNS topic ARN that warning alerts are sent to" + type = string +} + +variable "sns_topic_alert_ok_arn" { + description = "SNS topic ARN that ok alerts are sent to" + type = string +} + +variable "sns_topic_alert_warning_us_east_arn" { + description = "SNS topic ARN that warning alerts are sent to (US East)" + type = string +} + +variable "sns_topic_alert_ok_us_east_arn" { + description = "SNS topic ARN that ok alerts are sent to (US East)" + type = string +} \ No newline at end of file diff --git a/aws/alarms/lambda.tf b/aws/alarms/lambda.tf index 0ce285e80..cee10d8e5 100644 --- a/aws/alarms/lambda.tf +++ b/aws/alarms/lambda.tf @@ -38,12 +38,20 @@ resource "aws_lambda_function" "notify_slack_sns" { # # Allow SNS to invoke Lambda function # +resource "aws_lambda_permission" "notify_slack_critical" { + statement_id = "AllowExecutionFromSNSCriticalAlert" + action = "lambda:InvokeFunction" + function_name = aws_lambda_function.notify_slack_sns.function_name + principal = "sns.amazonaws.com" + source_arn = var.sns_topic_alert_critical_arn +} + resource "aws_lambda_permission" "notify_slack_warning" { statement_id = "AllowExecutionFromSNSWarningAlert" action = "lambda:InvokeFunction" function_name = aws_lambda_function.notify_slack_sns.function_name principal = "sns.amazonaws.com" - source_arn = aws_sns_topic.alert_warning.arn + source_arn = var.sns_topic_alert_warning_arn } resource "aws_lambda_permission" "notify_slack_ok" { 
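Review bot: The five `sns_topic_*` variable blocks are appended after `threshold_lb_response_time`, while the rest of aws/alarms/inputs.tf appears to be kept in alphabetical order (`hosted_zone_id`, `kms_key_*`, `lb_arn`, `threshold_*`); placing them between `lb_arn` and the `threshold_*` group keeps the file scannable. The hunk also drops the file's trailing newline (`\ No newline at end of file`), as do the new aws/sns/*.tf and env/*/sns/terragrunt.hcl files in this patch; `terraform fmt` will keep re-adding it, so it is worth fixing before merge.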
@@ -51,7 +59,7 @@ resource "aws_lambda_permission" "notify_slack_ok" { action = "lambda:InvokeFunction" function_name = aws_lambda_function.notify_slack_sns.function_name principal = "sns.amazonaws.com" - source_arn = aws_sns_topic.alert_ok.arn + source_arn = var.sns_topic_alert_ok_arn } resource "aws_lambda_permission" "notify_slack_warning_us_east" { @@ -59,7 +67,7 @@ resource "aws_lambda_permission" "notify_slack_warning_us_east" { action = "lambda:InvokeFunction" function_name = aws_lambda_function.notify_slack_sns.function_name principal = "sns.amazonaws.com" - source_arn = aws_sns_topic.alert_warning_us_east.arn + source_arn = var.sns_topic_alert_warning_us_east_arn } resource "aws_lambda_permission" "notify_slack_ok_us_east" { @@ -67,7 +75,7 @@ resource "aws_lambda_permission" "notify_slack_ok_us_east" { action = "lambda:InvokeFunction" function_name = aws_lambda_function.notify_slack_sns.function_name principal = "sns.amazonaws.com" - source_arn = aws_sns_topic.alert_ok_us_east.arn + source_arn = var.sns_topic_alert_ok_us_east_arn } # diff --git a/aws/alarms/sns.tf b/aws/alarms/sns.tf index c0eab0141..a2039cf85 100644 --- a/aws/alarms/sns.tf +++ b/aws/alarms/sns.tf 
@@ -1,58 +1,20 @@ # -# SNS topics +# SNS topic subscriptions # -resource "aws_sns_topic" "alert_warning" { - name = "alert-warning" - kms_master_key_id = var.kms_key_cloudwatch_arn - - tags = { - (var.billing_tag_key) = var.billing_tag_value - Terraform = true - } -} - -resource "aws_sns_topic" "alert_ok" { - name = "alert-ok" - kms_master_key_id = var.kms_key_cloudwatch_arn - tags = { - (var.billing_tag_key) = var.billing_tag_value - Terraform = true - } -} - -resource "aws_sns_topic" "alert_warning_us_east" { - provider = aws.us-east-1 - - name = "alert-warning" - kms_master_key_id = var.kms_key_cloudwatch_us_east_arn - tags = { - (var.billing_tag_key) = var.billing_tag_value - Terraform = true - } -} - -resource "aws_sns_topic" "alert_ok_us_east" { - provider = aws.us-east-1 - - name = "alert-ok" - kms_master_key_id = var.kms_key_cloudwatch_us_east_arn - tags = { - (var.billing_tag_key) = var.billing_tag_value - Terraform = true - } +resource "aws_sns_topic_subscription" "topic_critical" { + topic_arn = var.sns_topic_alert_critical_arn + protocol = "lambda" + endpoint = aws_lambda_function.notify_slack_sns.arn } -# -# SNS topic subscriptions -# resource "aws_sns_topic_subscription" "topic_warning" { - topic_arn = aws_sns_topic.alert_warning.arn + topic_arn = var.sns_topic_alert_warning_arn protocol = "lambda" endpoint = aws_lambda_function.notify_slack_sns.arn } resource "aws_sns_topic_subscription" "topic_ok" { - topic_arn = aws_sns_topic.alert_ok.arn + topic_arn = var.sns_topic_alert_ok_arn protocol = "lambda" endpoint = aws_lambda_function.notify_slack_sns.arn } @@ -60,7 +22,7 @@ resource "aws_sns_topic_subscription" "topic_ok" { resource "aws_sns_topic_subscription" "topic_warning_us_east" { provider = aws.us-east-1 - topic_arn = aws_sns_topic.alert_warning_us_east.arn + topic_arn = var.sns_topic_alert_warning_us_east_arn protocol = "lambda" endpoint = aws_lambda_function.notify_slack_sns.arn } 
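Review bot: Deleting the four `aws_sns_topic` resources here while re-declaring them under the same names in aws/sns/sns.tf (`@@ -0,0 +1,53 @@`) makes the alarms state plan a destroy of the live `alert-warning`/`alert-ok` topics while the sns state plans a create; as far as I can tell from the hunks, SNS CreateTopic being idempotent on the name means the sns apply adopts the existing topic and the alarms destroy then removes it together with its subscriptions, so alerting silently stops in either apply order. The resources should be moved between the two Terragrunt states before this is applied (`terraform state mv -state-out=…`, or `terraform state rm` in alarms followed by `terraform import` in sns); a `moved` block cannot express a cross-state move. A comment at the top of aws/sns/sns.tf, e.g. `# Topics moved here from aws/alarms; state was migrated by hand, see PR notes`, would keep the next reader from repeating the migration. The new `topic_critical` subscription is consistent with the `notify_slack_critical` permission in lambda.tf and the `cloudwatch_events_critical_sns` policy in the later hunk of this file.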
@@ -68,7 +30,7 @@ resource "aws_sns_topic_subscription" "topic_warning_us_east" { resource "aws_sns_topic_subscription" "topic_ok_us_east" { provider = aws.us-east-1 - topic_arn = aws_sns_topic.alert_ok_us_east.arn + topic_arn = var.sns_topic_alert_ok_us_east_arn protocol = "lambda" endpoint = aws_lambda_function.notify_slack_sns.arn } @@ -76,13 +38,18 @@ resource "aws_sns_topic_subscription" "topic_ok_us_east" { # # CloudWatch Policy # +resource "aws_sns_topic_policy" "cloudwatch_events_critical_sns" { + arn = var.sns_topic_alert_critical_arn + policy = data.aws_iam_policy_document.cloudwatch_events_sns_topic_policy.json +} + resource "aws_sns_topic_policy" "cloudwatch_events_warning_sns" { - arn = aws_sns_topic.alert_warning.arn + arn = var.sns_topic_alert_warning_arn policy = data.aws_iam_policy_document.cloudwatch_events_sns_topic_policy.json } resource "aws_sns_topic_policy" "cloudwatch_events_ok_sns" { - arn = aws_sns_topic.alert_ok.arn + arn = var.sns_topic_alert_ok_arn policy = data.aws_iam_policy_document.cloudwatch_events_sns_topic_policy.json } @@ -134,4 +101,4 @@ data "aws_iam_policy_document" "cloudwatch_events_sns_topic_policy" { identifiers = ["events.amazonaws.com"] } } -} +} \ No newline at end of file diff --git a/aws/sns/inputs.tf b/aws/sns/inputs.tf new file mode 100644 index 000000000..37968a738 --- /dev/null +++ b/aws/sns/inputs.tf @@ -0,0 +1,9 @@ +variable "kms_key_cloudwatch_arn" { + description = "Cloudwatch KMS key ARN" + type = string +} + +variable "kms_key_cloudwatch_us_east_arn" { + description = "Cloudwatch KMS key ARN (US East)" + type = string +} \ No newline at end of file diff --git a/aws/sns/outputs.tf b/aws/sns/outputs.tf new file mode 100644 index 000000000..82b711e84 --- /dev/null +++ b/aws/sns/outputs.tf 
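Review bot: aws/sns/inputs.tf declares only `kms_key_cloudwatch_arn` and `kms_key_cloudwatch_us_east_arn`, yet aws/sns/sns.tf (next hunk) references `var.billing_tag_key`, `var.billing_tag_value` and the provider alias `aws.us-east-1`, none of which is declared in the new module. If the root terragrunt.hcl generates a shared variables/provider file into every module (the visible part of aws/alarms/inputs.tf does not declare them either, which suggests it does), this is fine but deserves a one-line comment at the top of inputs.tf, e.g. `# billing_tag_* variables and the aws.us-east-1 provider alias come from the root terragrunt.hcl generate block`; otherwise `terraform validate` fails on the first plan. The KMS variable descriptions could also say what the key is for, e.g. `description = "CloudWatch KMS key ARN used as kms_master_key_id for the SNS topics"`.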
@@ -0,0 +1,24 @@
+output "sns_topic_alert_critical_arn" {
+ description = "SNS topic ARN for critical alerts"
+ value = aws_sns_topic.alert_critical.arn
+}
+
+output "sns_topic_alert_warning_arn" {
+ description = "SNS topic ARN for warning alerts"
+ value = aws_sns_topic.alert_warning.arn
+}
+
+output "sns_topic_alert_ok_arn" {
+ description = "SNS topic ARN for ok alerts"
+ value = aws_sns_topic.alert_ok.arn
+}
+
+output "sns_topic_alert_warning_us_east_arn" {
+ description = "SNS topic ARN for warning alerts (US East)"
+ value = aws_sns_topic.alert_warning_us_east.arn
+}
+
+output "sns_topic_alert_ok_us_east_arn" {
+ description = "SNS topic ARN for ok alerts (US East)"
+ value = aws_sns_topic.alert_ok_us_east.arn
+}
\ No newline at end of file
diff --git a/aws/sns/sns.tf b/aws/sns/sns.tf
new file mode 100644
index 000000000..60cdebf24
--- /dev/null
+++ b/aws/sns/sns.tf
@@ -0,0 +1,53 @@
+#
+# SNS topics
+#
+resource "aws_sns_topic" "alert_critical" {
+ name = "alert-critical"
+ kms_master_key_id = var.kms_key_cloudwatch_arn
+
+ tags = {
+ (var.billing_tag_key) = var.billing_tag_value
+ Terraform = true
+ }
+}
+
+resource "aws_sns_topic" "alert_warning" {
+ name = "alert-warning"
+ kms_master_key_id = var.kms_key_cloudwatch_arn
+
+ tags = {
+ (var.billing_tag_key) = var.billing_tag_value
+ Terraform = true
+ }
+}
+
+resource "aws_sns_topic" "alert_ok" {
+ name = "alert-ok"
+ kms_master_key_id = var.kms_key_cloudwatch_arn
+ tags = {
+ (var.billing_tag_key) = var.billing_tag_value
+ Terraform = true
+ }
+}
+
+resource "aws_sns_topic" "alert_warning_us_east" {
+ provider = aws.us-east-1
+
+ name = "alert-warning"
+ kms_master_key_id = var.kms_key_cloudwatch_us_east_arn
+ tags = {
+ (var.billing_tag_key) = var.billing_tag_value
+ Terraform = true
+ }
+}
+
+resource "aws_sns_topic" "alert_ok_us_east" {
+ provider = aws.us-east-1
+
+ name = "alert-ok"
+ kms_master_key_id = var.kms_key_cloudwatch_us_east_arn
+ tags = {
+ (var.billing_tag_key) = var.billing_tag_value
+ Terraform = true
+ }
+}
\ No newline at end of file
diff --git a/env/production/alarms/terragrunt.hcl b/env/production/alarms/terragrunt.hcl
index bf228d1c5..42c88ec96 100644
--- a/env/production/alarms/terragrunt.hcl
+++ b/env/production/alarms/terragrunt.hcl
@@ -3,7 +3,7 @@ terraform { } dependencies { - paths = ["../hosted_zone", "../kms", "../load_balancer", "../sqs", "../app"] + paths = ["../hosted_zone", "../kms", "../load_balancer", "../sqs", "../app", "../sns"] } dependency "hosted_zone" {
@@ -60,6 +60,20 @@ dependency "app" { } } +dependency "sns" { + config_path = "../sns" + + mock_outputs_allowed_terraform_commands = ["init", "fmt", "validate", "plan", "show"] + mock_outputs_merge_with_state = true + mock_outputs = { + sns_topic_alert_critical_arn = "" + sns_topic_alert_warning_arn = "" + sns_topic_alert_ok_arn = "" + sns_topic_alert_warning_us_east_arn = "" + sns_topic_alert_ok_us_east_arn = "" + } +} + inputs = { threshold_ecs_cpu_utilization_high = "50" threshold_ecs_memory_utilization_high = "50" @@ -78,6 +92,12 @@ inputs = { ecs_cloudwatch_log_group_name = dependency.app.outputs.ecs_cloudwatch_log_group_name ecs_cluster_name = dependency.app.outputs.ecs_cluster_name ecs_service_name = dependency.app.outputs.ecs_service_name + + sns_topic_alert_critical_arn = dependency.sns.outputs.sns_topic_alert_critical_arn + sns_topic_alert_warning_arn = dependency.sns.outputs.sns_topic_alert_warning_arn + sns_topic_alert_ok_arn = dependency.sns.outputs.sns_topic_alert_ok_arn + sns_topic_alert_warning_us_east_arn = dependency.sns.outputs.sns_topic_alert_warning_us_east_arn + sns_topic_alert_ok_us_east_arn = dependency.sns.outputs.sns_topic_alert_ok_us_east_arn } include { diff --git a/env/production/sns/terragrunt.hcl b/env/production/sns/terragrunt.hcl new file mode 100644 index 000000000..ec1f83128 --- /dev/null +++ b/env/production/sns/terragrunt.hcl 
@@ -0,0 +1,27 @@
+terraform {
+ source = "git::https://github.com/cds-snc/forms-terraform//aws/sns?ref=${get_env("TARGET_VERSION")}"
+}
+
+dependencies {
+ paths = ["../kms"]
+}
+
+dependency "kms" {
+ config_path = "../kms"
+
+ mock_outputs_allowed_terraform_commands = ["init", "fmt", "validate", "plan", "show"]
+ mock_outputs_merge_with_state = true
+ mock_outputs = {
+ kms_key_cloudwatch_arn = ""
+ kms_key_cloudwatch_us_east_arn = ""
+ }
+}
+
+inputs = {
+ kms_key_cloudwatch_arn = dependency.kms.outputs.kms_key_cloudwatch_arn
+ kms_key_cloudwatch_us_east_arn = dependency.kms.outputs.kms_key_cloudwatch_us_east_arn
+}
+
+include {
+ path = find_in_parent_folders()
+}
\ No newline at end of file
diff --git a/env/staging/alarms/terragrunt.hcl b/env/staging/alarms/terragrunt.hcl
index eb286a70b..c8589139c 100644
--- a/env/staging/alarms/terragrunt.hcl
+++ b/env/staging/alarms/terragrunt.hcl
@@ -3,7 +3,7 @@ terraform { } dependencies { - paths = ["../hosted_zone", "../kms", "../load_balancer", "../sqs", "../app"] + paths = ["../hosted_zone", "../kms", "../load_balancer", "../sqs", "../app", "../sns"] } dependency "hosted_zone" {
@@ -60,6 +60,20 @@ dependency "app" { } } +dependency "sns" { + config_path = "../sns" + + mock_outputs_allowed_terraform_commands = ["init", "fmt", "validate", "plan", "show"] + mock_outputs_merge_with_state = true + mock_outputs = { + sns_topic_alert_critical_arn = "" + sns_topic_alert_warning_arn = "" + sns_topic_alert_ok_arn = "" + sns_topic_alert_warning_us_east_arn = "" + sns_topic_alert_ok_us_east_arn = "" + } +} + inputs = { threshold_ecs_cpu_utilization_high = "50" threshold_ecs_memory_utilization_high = "50"
@@ -78,6 +92,12 @@ inputs = { ecs_cloudwatch_log_group_name = dependency.app.outputs.ecs_cloudwatch_log_group_name ecs_cluster_name = dependency.app.outputs.ecs_cluster_name ecs_service_name = dependency.app.outputs.ecs_service_name + + sns_topic_alert_critical_arn = dependency.sns.outputs.sns_topic_alert_critical_arn + sns_topic_alert_warning_arn = dependency.sns.outputs.sns_topic_alert_warning_arn + sns_topic_alert_ok_arn = dependency.sns.outputs.sns_topic_alert_ok_arn + sns_topic_alert_warning_us_east_arn = dependency.sns.outputs.sns_topic_alert_warning_us_east_arn + sns_topic_alert_ok_us_east_arn = dependency.sns.outputs.sns_topic_alert_ok_us_east_arn } include {
diff --git a/env/staging/sns/terragrunt.hcl b/env/staging/sns/terragrunt.hcl
new file mode 100644
index 000000000..20b570090
--- /dev/null
+++ b/env/staging/sns/terragrunt.hcl
@@ -0,0 +1,27 @@
+terraform {
+ source = "../../../aws//sns"
+}
+
+dependencies {
+ paths = ["../kms"]
+}
+
+dependency "kms" {
+ config_path = "../kms"
+
+ mock_outputs_allowed_terraform_commands = ["init", "fmt", "validate", "plan", "show"]
+ mock_outputs_merge_with_state = true
+ mock_outputs = {
+ kms_key_cloudwatch_arn = ""
+ kms_key_cloudwatch_us_east_arn = ""
+ }
+}
+
+inputs = {
+ kms_key_cloudwatch_arn = dependency.kms.outputs.kms_key_cloudwatch_arn
+ kms_key_cloudwatch_us_east_arn = dependency.kms.outputs.kms_key_cloudwatch_us_east_arn
+}
+
+include {
+ path = find_in_parent_folders()
+}
\ No newline at end of file
From 56835a8d7940d65c615da708f7111b4cc7215397 Mon Sep 17 00:00:00 2001
From: Pat Heard
Date: Fri, 17 Dec 2021 15:53:35 +0000
Subject: [PATCH 2/3] feat: add SNS Terraform lock file
---
 env/staging/sns/.terraform.lock.hcl | 40 +++++++++++++++++++++++++++++
 1 file changed, 40 insertions(+)
 create mode 100644 env/staging/sns/.terraform.lock.hcl
diff --git a/env/staging/sns/.terraform.lock.hcl b/env/staging/sns/.terraform.lock.hcl
new file mode 100644
index 000000000..da0ae04c7
--- /dev/null
+++ b/env/staging/sns/.terraform.lock.hcl 
@@ -0,0 +1,40 @@ +# This file is maintained automatically by "terraform init". +# Manual edits may be lost in future updates. + +provider "registry.terraform.io/hashicorp/aws" { + version = "3.63.0" + constraints = "3.63.0" + hashes = [ + "h1:v9aPF3aaBpk0uSO5pfggYJKGgP/Ur28hZRJs1jS+ttI=", + "zh:42c6c98b294953a4e1434a331251e539f5372bf6779bd61ab5df84cac0545287", + "zh:5493773762a470889c9a23db97582d3a82035847c8d3bd13323b4c3012abf325", + "zh:550d22ff9fed4d817a922e7b84bd9d1f2ef8d3afa00832cf66b8cd5f0e6dc748", + "zh:632cb5e2d9d5041875f57174236eafe5b05dbf26750c1041ab57eb08c5369fe2", + "zh:7cfeaf5bde1b28bd010415af1f3dc494680a8374f1a26ec19db494d99938cc4e", + "zh:99d871606b67c8aefce49007315de15736b949c09a9f8f29ad8af1e9ce383ed3", + "zh:c4fc8539ffe90df5c7ae587fde495fac6bc0186fec2f2713a8988a619cef265f", + "zh:d0a26493206575c99ca221d78fe64f96a8fbcebe933af92eea6b39168c1f1c1d", + "zh:e156fdc964fdd4a7586ec15629e20d2b06295b46b4962428006e088145db07d6", + "zh:eb04fc80f652b5c92f76822f0fec1697581543806244068506aed69e1bb9b2af", + "zh:f5638a533cf9444f7d02b5527446cdbc3b2eab8bcc4ec4b0ca32035fe6f479d3", + ] +} + +provider "registry.terraform.io/hashicorp/random" { + version = "3.1.0" + constraints = "3.1.0" + hashes = [ + "h1:BZMEPucF+pbu9gsPk0G0BHx7YP04+tKdq2MrRDF1EDM=", + "zh:2bbb3339f0643b5daa07480ef4397bd23a79963cc364cdfbb4e86354cb7725bc", + "zh:3cd456047805bf639fbf2c761b1848880ea703a054f76db51852008b11008626", + "zh:4f251b0eda5bb5e3dc26ea4400dba200018213654b69b4a5f96abee815b4f5ff", + "zh:7011332745ea061e517fe1319bd6c75054a314155cb2c1199a5b01fe1889a7e2", + "zh:738ed82858317ccc246691c8b85995bc125ac3b4143043219bd0437adc56c992", + "zh:7dbe52fac7bb21227acd7529b487511c91f4107db9cc4414f50d04ffc3cab427", + "zh:a3a9251fb15f93e4cfc1789800fc2d7414bbc18944ad4c5c98f466e6477c42bc", + "zh:a543ec1a3a8c20635cf374110bd2f87c07374cf2c50617eee2c669b3ceeeaa9f", + "zh:d9ab41d556a48bd7059f0810cf020500635bfc696c9fc3adab5ea8915c1d886b", + "zh:d9e13427a7d011dbd654e591b0337e6074eef8c3b9bb11b2e39eaaf257044fd7", + 
"zh:f7605bd1437752114baf601bdf6931debe6dc6bfe3006eb7e9bb9080931dca8a", + ] +}
From 0356873e785aa60c74d410e4780b9dd93582ad53 Mon Sep 17 00:00:00 2001
From: Pat Heard
Date: Fri, 17 Dec 2021 15:53:57 +0000
Subject: [PATCH 3/3] fix: devcontainer Python deps to install checkov
---
 .devcontainer/Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.devcontainer/Dockerfile b/.devcontainer/Dockerfile
index 206f7bb6d..11e0e6061 100644
--- a/.devcontainer/Dockerfile
+++ b/.devcontainer/Dockerfile
@@ -8,7 +8,7 @@ ARG TERRAGRUNT_VERSION # Install packages RUN apt-get update && export DEBIAN_FRONTEND=noninteractive \ - && apt-get -y install --no-install-recommends awscli ca-certificates curl git gnupg2 jq make nodejs npm openssh-client python3-pip vim zsh \ + && apt-get -y install --no-install-recommends awscli build-essential ca-certificates curl git gnupg2 jq libffi-dev make nodejs npm openssh-client python3-dev python3-pip vim zsh \ && apt-get autoremove -y && apt-get clean -y # Install yarn