Extracted SNS topic definition to its own module because it will be r… #156

Merged
merged 3 commits into from
Dec 17, 2021
Merged
2 changes: 1 addition & 1 deletion .devcontainer/Dockerfile
Expand Up @@ -8,7 +8,7 @@ ARG TERRAGRUNT_VERSION

# Install packages
RUN apt-get update && export DEBIAN_FRONTEND=noninteractive \
&& apt-get -y install --no-install-recommends awscli ca-certificates curl git gnupg2 jq make nodejs npm openssh-client python3-pip vim zsh \
&& apt-get -y install --no-install-recommends awscli build-essential ca-certificates curl git gnupg2 jq libffi-dev make nodejs npm openssh-client python3-dev python3-pip vim zsh \
&& apt-get autoremove -y && apt-get clean -y

# Install yarn
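Review bot: The RUN line now installs build-essential, libffi-dev and python3-dev alongside the existing packages, with no versions pinned and the apt package index left in the layer; the same `apt-get update && install` pattern was there before, but the layer is growing and still never removes `/var/lib/apt/lists`. Append `&& rm -rf /var/lib/apt/lists/*` after `apt-get clean -y` so the stale index is not baked into the image. The new headers and compiler are presumably there so a later `pip install` can build a native extension; a one-line comment above the RUN naming which package needs them would let the toolchain be dropped again once that dependency ships wheels, since a full compiler in the container is extra capability for anyone who lands in it.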
8 changes: 8 additions & 0 deletions .github/workflows/terragrunt-apply-production.yml
Expand Up @@ -95,6 +95,9 @@ jobs:
redis:
- 'aws/redis/**'
- 'env/production/redis/**'
sns:
- 'aws/sns/**'
- 'env/production/sns/**'
sqs:
- 'aws/sqs/**'
- 'env/production/sqs/**'
Expand All @@ -120,6 +123,11 @@ jobs:
working-directory: env/production/sqs
run: terragrunt apply --terragrunt-non-interactive -auto-approve

- name: Terragrunt apply sns
if: ${{ steps.filter.outputs.sns == 'true' || steps.filter.outputs.common == 'true' }}
working-directory: env/production/sns
run: terragrunt apply --terragrunt-non-interactive -auto-approve

# Depends on kms
- name: Terragrunt apply network
if: ${{ steps.filter.outputs.network == 'true' || steps.filter.outputs.common == 'true' }}
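Review bot: The new `Terragrunt apply sns` step is placed directly after sqs and before the network step that carries a `# Depends on kms` comment, but nothing records what sns itself depends on. The variables this PR removes from `aws/alarms/inputs.tf` described the CloudWatch KMS key as "used by SNS topics", so if the topics are still encrypted with that key the sns apply has to run after the kms apply, and the alarms apply (which now consumes the topic ARNs) has to run after sns; the alarms step is outside this hunk, so please confirm its position. A `# Depends on kms` comment above this step would make the constraint visible, and because the step runs with `-auto-approve` a wrong order shows up as a failed production apply rather than in a plan.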
8 changes: 8 additions & 0 deletions .github/workflows/terragrunt-apply-staging.yml
Expand Up @@ -87,6 +87,9 @@ jobs:
redis:
- 'aws/redis/**'
- 'env/staging/redis/**'
sns:
- 'aws/sns/**'
- 'env/staging/sns/**'
sqs:
- 'aws/sqs/**'
- 'env/staging/sqs/**'
Expand All @@ -112,6 +115,11 @@ jobs:
working-directory: env/staging/sqs
run: terragrunt apply --terragrunt-non-interactive -auto-approve

- name: Terragrunt apply sns
if: ${{ steps.filter.outputs.sns == 'true' || steps.filter.outputs.common == 'true' }}
working-directory: env/staging/sns
run: terragrunt apply --terragrunt-non-interactive -auto-approve

# Depends on kms
- name: Terragrunt apply network
if: ${{ steps.filter.outputs.network == 'true' || steps.filter.outputs.common == 'true' }}
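Review bot: The alarms module now takes every alarm action and Lambda `source_arn` from the sns module, but the path filter for the alarms step (outside this hunk) is not extended here to include `aws/sns/**` or `env/staging/sns/**`, unless that was done in a part of the file not shown. If a topic is ever recreated and its ARN changes, the sns step applies alone and the alarm actions keep the old ARN until something else triggers an alarms apply, so alerts stop being delivered silently. Adding `- 'aws/sns/**'` and `- 'env/staging/sns/**'` under the `alarms:` filter closes that gap; the production workflow has the same shape.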
13 changes: 13 additions & 0 deletions .github/workflows/terragrunt-plan-production.yml
Expand Up @@ -113,6 +113,9 @@ jobs:
redis:
- 'aws/redis/**'
- 'env/production/redis/**'
sns:
- 'aws/sns/**'
- 'env/production/sns/**'
sqs:
- 'aws/sqs/**'
- 'env/production/sqs/**'
Expand Down Expand Up @@ -158,6 +161,16 @@ jobs:
github-token: "${{ secrets.GITHUB_TOKEN }}"
terragrunt: "true"

- name: Terragrunt plan sns
if: ${{ steps.filter.outputs.sns == 'true' || steps.filter.outputs.common == 'true' }}
uses: cds-snc/terraform-plan@v2
with:
directory: "env/production/sns"
comment-delete: "true"
comment-title: "Production: sns"
github-token: "${{ secrets.GITHUB_TOKEN }}"
terragrunt: "true"

# Depends on kms
- name: Terragrunt plan network
if: ${{ steps.filter.outputs.network == 'true' || steps.filter.outputs.common == 'true' }}
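Review bot: The new plan step pulls `cds-snc/terraform-plan@v2` by a mutable tag and hands it `secrets.GITHUB_TOKEN` so it can post the plan as a PR comment, which means whoever can move that tag runs code with the token on every PR touching sns. The neighbouring steps already do the same, so the pattern is not introduced here, but a new step is the cheapest place to start pinning: `uses: cds-snc/terraform-plan@<commit-sha> # v2`, with the others following in a separate change.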
13 changes: 13 additions & 0 deletions .github/workflows/terragrunt-plan-staging.yml
Expand Up @@ -96,6 +96,9 @@ jobs:
redis:
- 'aws/redis/**'
- 'env/staging/redis/**'
sns:
- 'aws/sns/**'
- 'env/staging/sns/**'
sqs:
- 'aws/sqs/**'
- 'env/staging/sqs/**'
Expand Down Expand Up @@ -141,6 +144,16 @@ jobs:
github-token: "${{ secrets.GITHUB_TOKEN }}"
terragrunt: "true"

- name: Terragrunt plan sns
if: ${{ steps.filter.outputs.sns == 'true' || steps.filter.outputs.common == 'true' }}
uses: cds-snc/terraform-plan@v2
with:
directory: "env/staging/sns"
comment-delete: "true"
comment-title: "Staging: sns"
github-token: "${{ secrets.GITHUB_TOKEN }}"
terragrunt: "true"

# Depends on kms
- name: Terragrunt plan network
if: ${{ steps.filter.outputs.network == 'true' || steps.filter.outputs.common == 'true' }}
32 changes: 16 additions & 16 deletions aws/alarms/cloudwatch.tf
Expand Up @@ -12,8 +12,8 @@ resource "aws_cloudwatch_metric_alarm" "forms_cpu_utilization_high_warn" {
threshold = var.threshold_ecs_cpu_utilization_high
alarm_description = "End User Forms Warning - High CPU usage has been detected."

alarm_actions = [aws_sns_topic.alert_warning.arn]
ok_actions = [aws_sns_topic.alert_ok.arn]
alarm_actions = [var.sns_topic_alert_warning_arn]
ok_actions = [var.sns_topic_alert_ok_arn]
dimensions = {
ClusterName = var.ecs_cluster_name
ServiceName = var.ecs_service_name
Expand All @@ -36,8 +36,8 @@ resource "aws_cloudwatch_metric_alarm" "forms_memory_utilization_high_warn" {
threshold = var.threshold_ecs_memory_utilization_high
alarm_description = "End User Forms Warning - High memory usage has been detected."

alarm_actions = [aws_sns_topic.alert_warning.arn]
ok_actions = [aws_sns_topic.alert_ok.arn]
alarm_actions = [var.sns_topic_alert_warning_arn]
ok_actions = [var.sns_topic_alert_ok_arn]

dimensions = {
ClusterName = var.ecs_cluster_name
Expand Down Expand Up @@ -78,7 +78,7 @@ resource "aws_cloudwatch_metric_alarm" "five_hundred_response_warn" {
treat_missing_data = "notBreaching"
alarm_description = "End User Forms Warning - A 5xx HTML error was detected coming from the Forms."

alarm_actions = [aws_sns_topic.alert_warning.arn]
alarm_actions = [var.sns_topic_alert_warning_arn]

tags = {
(var.billing_tag_key) = var.billing_tag_value
Expand Down Expand Up @@ -111,7 +111,7 @@ resource "aws_cloudwatch_metric_alarm" "application_error_warn" {
treat_missing_data = "notBreaching"
alarm_description = "End User Forms Warning - An error message was detected in the ECS logs"

alarm_actions = [aws_sns_topic.alert_warning.arn]
alarm_actions = [var.sns_topic_alert_warning_arn]

tags = {
(var.billing_tag_key) = var.billing_tag_value
Expand All @@ -135,7 +135,7 @@ resource "aws_cloudwatch_metric_alarm" "forms_dead_letter_queue_warn" {
treat_missing_data = "notBreaching"
alarm_description = "End User Forms Warning - A message has been sent to the Dead Letter Queue."

alarm_actions = [aws_sns_topic.alert_warning.arn]
alarm_actions = [var.sns_topic_alert_warning_arn]
dimensions = {
QueueName = var.sqs_deadletter_queue_arn
}
Expand All @@ -157,8 +157,8 @@ resource "aws_cloudwatch_metric_alarm" "response_time_warn" {
threshold = var.threshold_lb_response_time
alarm_description = "End User Forms Warning - The latency of response times from the forms are abnormally high."
treat_missing_data = "notBreaching"
alarm_actions = [aws_sns_topic.alert_warning.arn]
ok_actions = [aws_sns_topic.alert_ok.arn]
alarm_actions = [var.sns_topic_alert_warning_arn]
ok_actions = [var.sns_topic_alert_ok_arn]


metric_query {
Expand Down Expand Up @@ -195,7 +195,7 @@ resource "aws_cloudwatch_metric_alarm" "ddos_detected_forms_warn" {
threshold = "0"
alarm_description = "End User Forms Warning - AWS has detected a DDOS attack on the End User Forms's Load Balancer"

alarm_actions = [aws_sns_topic.alert_warning.arn]
alarm_actions = [var.sns_topic_alert_warning_arn]

dimensions = {
ResourceArn = var.lb_arn
Expand All @@ -219,7 +219,7 @@ resource "aws_cloudwatch_metric_alarm" "ddos_detected_route53_warn" {
threshold = "0"
alarm_description = "End User Forms Warning - AWS has detected a DDOS attack on the End User Forms's DNS Server"

alarm_actions = [aws_sns_topic.alert_warning.arn]
alarm_actions = [var.sns_topic_alert_warning_arn]

dimensions = {
ResourceArn = "arn:aws:route53:::hostedzone/${var.hosted_zone_id}"
Expand All @@ -237,7 +237,7 @@ resource "aws_cloudwatch_metric_alarm" "ddos_detected_route53_warn" {
resource "aws_cloudwatch_event_target" "codedeploy_sns" {
target_id = "CodeDeploy_SNS"
rule = aws_cloudwatch_event_rule.codedeploy_sns.name
arn = aws_sns_topic.alert_warning.arn
arn = var.sns_topic_alert_warning_arn

input_transformer {
input_paths = {
Expand Down Expand Up @@ -284,8 +284,8 @@ resource "aws_cloudwatch_metric_alarm" "alb_ddos" {
treat_missing_data = "notBreaching"

alarm_description = "DDoS detection for ALB"
alarm_actions = [aws_sns_topic.alert_warning.arn]
ok_actions = [aws_sns_topic.alert_ok.arn]
alarm_actions = [var.sns_topic_alert_warning_arn]
ok_actions = [var.sns_topic_alert_ok_arn]

dimensions = {
ResourceArn = var.lb_arn
Expand All @@ -306,8 +306,8 @@ resource "aws_cloudwatch_metric_alarm" "route53_ddos" {
treat_missing_data = "notBreaching"

alarm_description = "DDoS detection for Route53"
alarm_actions = [aws_sns_topic.alert_warning_us_east.arn]
ok_actions = [aws_sns_topic.alert_ok_us_east.arn]
alarm_actions = [var.sns_topic_alert_warning_us_east_arn]
ok_actions = [var.sns_topic_alert_ok_us_east_arn]

dimensions = {
ResourceArn = "arn:aws:route53:::hostedzone/${var.hosted_zone_id}"
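Review bot: In `forms_dead_letter_queue_warn` the dimension is `QueueName = var.sqs_deadletter_queue_arn`; SQS metrics are keyed by queue name, so if that variable really carries an ARN as its name says, the alarm matches no metric and, combined with `treat_missing_data = "notBreaching"`, it can never fire — a dead-letter alarm that is silent by construction hides exactly the failures an attacker-induced backlog would produce. That line is context rather than changed by this PR, but since every alarm action in this file is being rewired anyway it is a cheap moment to fix: either pass the queue name from the caller or derive it, e.g. `QueueName = element(split(":", var.sqs_deadletter_queue_arn), 5)`. Please confirm what the caller actually supplies before changing it.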
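--- a/aws/alarms/inputs.tf
+++ b/aws/alarms/inputs.tf
@@ -18,16 +18,6 @@ variable "hosted_zone_id" {
 type = string
 }
 
-variable "kms_key_cloudwatch_arn" {
-description = "CloudWatch KMS key ARN, used by SNS topics"
-type = string
-}
-
-variable "kms_key_cloudwatch_us_east_arn" {
-description = "CloudWatch KMS key ARN in us-east-1, used by SNS topics"
-type = string
-}
-
 variable "lb_arn" {
 description = "Load balancer ARN, used by DDoS alarms"
 type = string
@@ -63,3 +53,28 @@ variable "threshold_lb_response_time" {
 description = "Load balancer response time, in seconds, above which an alarm is triggered (10 minute period)"
 type = string
 }
+
+variable "sns_topic_alert_critical_arn" {
+description = "SNS topic ARN that critical alerts are sent to"
+type = string
+}
+
+variable "sns_topic_alert_warning_arn" {
+description = "SNS topic ARN that warning alerts are sent to"
+type = string
+}
+
+variable "sns_topic_alert_ok_arn" {
+description = "SNS topic ARN that ok alerts are sent to"
+type = string
+}
+
+variable "sns_topic_alert_warning_us_east_arn" {
+description = "SNS topic ARN that warning alerts are sent to (US East)"
+type = string
+}
+
+variable "sns_topic_alert_ok_us_east_arn" {
+description = "SNS topic ARN that ok alerts are sent to (US East)"
+type = string
+}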
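Review bot: The five new `sns_topic_*_arn` variables are plain `string`s with no validation, so a mis-wired value does not fail the plan — a typo that still parses as an ARN just sends alerts to nothing, and as far as I know a CloudWatch alarm can only notify a topic in its own region, so a regional ARN passed into one of the `_us_east_` variables is only caught at apply time, if at all. A `validation` block per variable (Terraform 0.13+) refuses both cases up front; the shape below is for one of the us-east variables, and the three regional ones use `^arn:aws:sns:[a-z0-9-]+:[0-9]{12}:`. Separately, `sns_topic_alert_critical_arn` is only consumed by a Lambda permission in this PR and by no alarm in `cloudwatch.tf`; if that is intended, say so in its description so the next reader does not go looking for the missing alarm.

```hcl
variable "sns_topic_alert_warning_us_east_arn" {
  description = "SNS topic ARN that warning alerts are sent to (US East)"
  type        = string

  validation {
    condition     = can(regex("^arn:aws:sns:us-east-1:[0-9]{12}:", var.sns_topic_alert_warning_us_east_arn))
    error_message = "Must be an SNS topic ARN in us-east-1; alarms can only notify topics in their own region."
  }
}
# … same validation block for sns_topic_alert_ok_us_east_arn, and the regional pattern for the other three …
```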
16 changes: 12 additions & 4 deletions aws/alarms/lambda.tf
Expand Up @@ -38,36 +38,44 @@ resource "aws_lambda_function" "notify_slack_sns" {
#
# Allow SNS to invoke Lambda function
#
resource "aws_lambda_permission" "notify_slack_critical" {
statement_id = "AllowExecutionFromSNSCriticalAlert"
action = "lambda:InvokeFunction"
function_name = aws_lambda_function.notify_slack_sns.function_name
principal = "sns.amazonaws.com"
source_arn = var.sns_topic_alert_critical_arn
}

resource "aws_lambda_permission" "notify_slack_warning" {
statement_id = "AllowExecutionFromSNSWarningAlert"
action = "lambda:InvokeFunction"
function_name = aws_lambda_function.notify_slack_sns.function_name
principal = "sns.amazonaws.com"
source_arn = aws_sns_topic.alert_warning.arn
source_arn = var.sns_topic_alert_warning_arn
}

resource "aws_lambda_permission" "notify_slack_ok" {
statement_id = "AllowExecutionFromSNSOkAlert"
action = "lambda:InvokeFunction"
function_name = aws_lambda_function.notify_slack_sns.function_name
principal = "sns.amazonaws.com"
source_arn = aws_sns_topic.alert_ok.arn
source_arn = var.sns_topic_alert_ok_arn
}

resource "aws_lambda_permission" "notify_slack_warning_us_east" {
statement_id = "AllowExecutionFromSNSWarningAlertUSEast"
action = "lambda:InvokeFunction"
function_name = aws_lambda_function.notify_slack_sns.function_name
principal = "sns.amazonaws.com"
source_arn = aws_sns_topic.alert_warning_us_east.arn
source_arn = var.sns_topic_alert_warning_us_east_arn
}

resource "aws_lambda_permission" "notify_slack_ok_us_east" {
statement_id = "AllowExecutionFromSNSOkAlertUSEast"
action = "lambda:InvokeFunction"
function_name = aws_lambda_function.notify_slack_sns.function_name
principal = "sns.amazonaws.com"
source_arn = aws_sns_topic.alert_ok_us_east.arn
source_arn = var.sns_topic_alert_ok_us_east_arn
}

#
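Review bot: The new `notify_slack_critical` permission lets the critical topic invoke the function, but nothing in this hunk subscribes the function to that topic, and the subscriptions that presumably existed next to the old `aws_sns_topic` resources are not visible here. If they moved into the new sns module with the topics, confirm one exists for the critical topic; otherwise critical alerts now have an invoke permission and no route to Slack, which is a silent failure in the path you least want one. All five statements are identical apart from `statement_id` and `source_arn`, so a single `for_each` over a map of the five ARNs would keep them in step, but that changes the resource addresses and needs `moved` blocks, so it is better left to a follow-up.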