Merge pull request #687 from NHSDigital/feature/eema1-NRL-693-addCloudWatchAlarmForLambdaError

eesa456 · web-flow · commit 6adbb5a9f10b · 2024-07-17T16:11:36.000+01:00
NRL-693 lambda error cloudwatch alarm
diff --git a/terraform/account-wide-infrastructure/dev/cloudwatch.tf b/terraform/account-wide-infrastructure/dev/cloudwatch.tf
@@ -0,0 +1,8 @@
+module "lambda_errors_cloudwatch_metric_alarm_dev" {
+  source      = "../modules/lambda-errors-metric-alarm"
+  name_prefix = "nhsd-nrlf--dev"
+
+  evaluation_periods = 1
+  period             = 60
+  threshold          = 1
+}
diff --git a/terraform/account-wide-infrastructure/modules/lambda-errors-metric-alarm/cloudwatch.tf b/terraform/account-wide-infrastructure/modules/lambda-errors-metric-alarm/cloudwatch.tf
@@ -0,0 +1,17 @@
+resource "aws_cloudwatch_metric_alarm" "metric_alarm" {
+  alarm_name        = "${var.name_prefix}--lambda-errors-metric-alarm"
+  alarm_description = "This metric monitors the number of Lambda errors that have occurred"
+
+  alarm_actions = [aws_sns_topic.sns_topic.arn]
+
+  comparison_operator = "GreaterThanOrEqualToThreshold"
+  evaluation_periods  = var.evaluation_periods
+  threshold           = var.threshold
+  unit                = "Count"
+
+  metric_name = "Errors"
+  namespace   = "AWS/Lambda"
+  period      = var.period
+  statistic   = "Sum"
+
+}
diff --git a/terraform/account-wide-infrastructure/modules/lambda-errors-metric-alarm/iam.tf b/terraform/account-wide-infrastructure/modules/lambda-errors-metric-alarm/iam.tf
@@ -0,0 +1,21 @@
+resource "aws_iam_policy" "lambda-errors-topic-kms-read-write" {
+  name        = "${var.name_prefix}-lambda-errors-topic-kms-read-write"
+  description = "Encrypt and decrypt with the lambda errors sns topic kms key"
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Action = [
+          "kms:Decrypt",
+          "kms:DescribeKey",
+          "kms:Encrypt",
+          "kms:GenerateDataKey"
+        ]
+        Effect = "Allow"
+        Resource = [
+          aws_kms_key.lambda-errors-topic-key.arn
+        ]
+      }
+    ]
+  })
+}
diff --git a/terraform/account-wide-infrastructure/modules/lambda-errors-metric-alarm/kms.tf b/terraform/account-wide-infrastructure/modules/lambda-errors-metric-alarm/kms.tf
@@ -0,0 +1,10 @@
+resource "aws_kms_key" "lambda-errors-topic-key" {
+  description             = "Lambda errors SNS topic table KMS key"
+  deletion_window_in_days = var.kms_deletion_window_in_days
+
+}
+
+resource "aws_kms_alias" "lambda-errors-topic-alias" {
+  name          = "alias/${var.name_prefix}-lambda-errors-topic-table-key"
+  target_key_id = aws_kms_key.lambda-errors-topic-key.key_id
+}
diff --git a/terraform/account-wide-infrastructure/modules/lambda-errors-metric-alarm/output.tf b/terraform/account-wide-infrastructure/modules/lambda-errors-metric-alarm/output.tf
@@ -0,0 +1,4 @@
+output "cloudwatch_metric_alarm_arn" {
+  description = "The ARN of the Cloudwatch metric alarm."
+  value       = try(aws_cloudwatch_metric_alarm.metric_alarm.arn, "")
+}
diff --git a/terraform/account-wide-infrastructure/modules/lambda-errors-metric-alarm/secretsmanager.tf b/terraform/account-wide-infrastructure/modules/lambda-errors-metric-alarm/secretsmanager.tf
@@ -0,0 +1,8 @@
+data "aws_secretsmanager_secret" "emails" {
+  name = "${var.name_prefix}-emails"
+}
+
+data "aws_secretsmanager_secret_version" "emails" {
+  secret_id = data.aws_secretsmanager_secret.emails.id
+
+}
diff --git a/terraform/account-wide-infrastructure/modules/lambda-errors-metric-alarm/sns.tf b/terraform/account-wide-infrastructure/modules/lambda-errors-metric-alarm/sns.tf
@@ -0,0 +1,11 @@
+resource "aws_sns_topic" "sns_topic" {
+  name              = "${var.name_prefix}--lambda-errors-sns-topic"
+  kms_master_key_id = aws_kms_key.lambda-errors-topic-key.key_id
+}
+
+resource "aws_sns_topic_subscription" "sns_subscription" {
+  for_each  = nonsensitive(toset(tolist(jsondecode(data.aws_secretsmanager_secret_version.emails.secret_string))))
+  topic_arn = aws_sns_topic.sns_topic.arn
+  protocol  = "email"
+  endpoint  = sensitive(each.value)
+}
diff --git a/terraform/account-wide-infrastructure/modules/lambda-errors-metric-alarm/vars.tf b/terraform/account-wide-infrastructure/modules/lambda-errors-metric-alarm/vars.tf
@@ -0,0 +1,27 @@
+variable "evaluation_periods" {
+  description = "The number of periods over which data is compared to the specified threshold."
+  type        = number
+}
+
+variable "threshold" {
+  description = "The value against which the specified statistic is compared."
+  type        = number
+  default     = null
+}
+
+variable "period" {
+  description = "The period in seconds over which the specified statistic is applied."
+  type        = string
+  default     = null
+}
+
+variable "name_prefix" {
+  type        = string
+  description = "The prefix to apply to all resources in the module."
+}
+
+variable "kms_deletion_window_in_days" {
+  type        = number
+  description = "The duration in days after which the key is deleted after destruction of the resource."
+  default     = 7
+}
diff --git a/terraform/account-wide-infrastructure/prod/cloudwatch.tf b/terraform/account-wide-infrastructure/prod/cloudwatch.tf
@@ -0,0 +1,8 @@
+module "lambda_errors_cloudwatch_metric_alarm_dev" {
+  source      = "../modules/lambda-errors-metric-alarm"
+  name_prefix = "nhsd-nrlf--prod"
+
+  evaluation_periods = 1
+  period             = 60
+  threshold          = 1
+}
diff --git a/terraform/account-wide-infrastructure/test/cloudwatch.tf b/terraform/account-wide-infrastructure/test/cloudwatch.tf
@@ -0,0 +1,8 @@
+module "lambda_errors_cloudwatch_metric_alarm_dev" {
+  source      = "../modules/lambda-errors-metric-alarm"
+  name_prefix = "nhsd-nrlf--test"
+
+  evaluation_periods = 1
+  period             = 60
+  threshold          = 1
+}
