Merge pull request #457 from NHSDigital/feat/DTOSS-11103-Spike-Azure-monitor-infrastructure-metrics

[DTOSS-11103]: Spike Azure monitor infrastructure metrics

Author: mrlockstar

infrastructure/environments/preprod/variables.tfvars

@@ -11,3 +11,4 @@ vnet_address_space                    = "10.10.0.0/16"
 nhs_notify_api_message_batch_url      = "https://int.api.service.nhs.uk/comms/v1/message-batches"
 seed_demo_data                        = false
 allowed_paths                         = ["/notifications/message-status/create"]
+enable_alerting                       = true

infrastructure/modules/container-apps/main.tf

@@ -22,8 +22,8 @@ module "webapp" {
   container_app_environment_id     = var.container_app_environment_id
   resource_group_name              = azurerm_resource_group.main.name
   fetch_secrets_from_app_key_vault = var.fetch_secrets_from_app_key_vault
-  infra_key_vault_name             = "kv-${var.app_short_name}-${var.env_config}-inf"
-  infra_key_vault_rg               = "rg-${var.app_short_name}-${var.env_config}-infra"
+  infra_key_vault_name             = var.infra_key_vault_name
+  infra_key_vault_rg               = var.infra_key_vault_rg
   enable_auth                      = var.enable_auth
   app_key_vault_id                 = var.app_key_vault_id
   docker_image                     = var.docker_image

infrastructure/modules/container-apps/postgres.tf

@@ -45,6 +45,10 @@ module "postgres" {
     private_service_connection_is_manual = false
   }
 
+  # alerts
+  action_group_id   = var.action_group_id
+  enable_monitoring = var.enable_alerting
+
   databases = {
     db1 = {
       collation   = "en_US.utf8"

infrastructure/modules/container-apps/variables.tf

@@ -137,14 +137,42 @@ variable "region" {
 variable "seed_demo_data" {
   description = "Whether or not to seed the demo data in the database."
   type        = bool
-  default     = false
 }
 
 variable "use_apex_domain" {
   description = "Use apex domain for the Front Door endpoint. Set to true for production."
   type        = bool
 }
 
+variable "enable_alerting" {
+  description = "Whether monitoring and alerting is enabled for the PostgreSQL Flexible Server."
+  type        = bool
+}
+
+variable "alert_window_size" {
+  type     = string
+  nullable = false
+  validation {
+    condition     = contains(["PT1M", "PT5M", "PT15M", "PT30M", "PT1H", "PT6H", "PT12H"], var.alert_window_size)
+    error_message = "The alert_window_size must be one of: PT1M, PT5M, PT15M, PT30M, PT1H, PT6H, PT12H"
+  }
+  description = "The period of time that is used to monitor alert activity e.g. PT1M, PT5M, PT15M, PT30M, PT1H, PT6H, PT12H. The interval between checks is adjusted accordingly."
+}
+
+variable "action_group_id" {
+  type        = string
+  description = "ID of the action group to notify."
+}
+
+variable "infra_key_vault_name" {
+  description = "Name of the infra key vault"
+  type        = string
+}
+
+variable "infra_key_vault_rg" {
+  description = "Name of the infra key vault resource group"
+  type        = string
+}
 
 locals {
   resource_group_name = "rg-${var.app_short_name}-${var.environment}-container-app-uks"
@@ -162,8 +190,8 @@ locals {
   common_env = merge(
     local.env_vars_from_yaml,
     {
-      SSL_MODE         = "require"
-      DJANGO_ENV       = var.env_config
+      SSL_MODE   = "require"
+      DJANGO_ENV = var.env_config
     }
   )
 

infrastructure/modules/infra/data.tf

@@ -0,0 +1,11 @@
+data "azurerm_key_vault" "infra" {
+  provider = azurerm.hub
+
+  name                = var.infra_key_vault_name
+  resource_group_name = var.infra_key_vault_rg
+}
+
+data "azurerm_key_vault_secret" "infra" {
+  name         = "monitoring-email-address"
+  key_vault_id = data.azurerm_key_vault.infra.id
+}

infrastructure/modules/infra/monitor_action_group.tf

@@ -0,0 +1,14 @@
+module "monitor_action_group" {
+  source = "../dtos-devops-templates/infrastructure/modules/monitor-action-group"
+
+  name                = "${module.shared_config.names.monitor-action-group}-${var.environment}"
+  resource_group_name = azurerm_resource_group.main.name
+  location            = var.region
+  short_name          = "ag-${var.environment}"
+  email_receiver = {
+    email = {
+      name          = "email"
+      email_address = data.azurerm_key_vault_secret.infra.value
+    }
+  }
+}

infrastructure/modules/infra/output.tf

@@ -25,3 +25,7 @@ output "postgres_subnet_id" {
 output "main_subnet_id" {
   value = module.main_subnet.id
 }
+
+output "monitor_action_group_id" {
+  value = module.monitor_action_group.monitor_action_group.id
+}

infrastructure/modules/infra/variables.tf

@@ -31,7 +31,16 @@ variable "vnet_address_space" {
 variable "protect_keyvault" {
   description = "Ability to recover the key vault or its secrets after deletion"
   type        = bool
-  default     = true
+}
+
+variable "infra_key_vault_name" {
+  description = "Name of the infra key vault"
+  type        = string
+}
+
+variable "infra_key_vault_rg" {
+  description = "Name of the infra key vault resource group"
+  type        = string
 }
 
 locals {

infrastructure/terraform/data.tf

@@ -35,3 +35,10 @@ data "azurerm_subnet" "main" {
   virtual_network_name = module.shared_config.names.virtual-network-lowercase
   resource_group_name  = local.resource_group_name
 }
+
+data "azurerm_monitor_action_group" "main" {
+  count = var.deploy_infra ? 0 : 1
+
+  name                = "${module.shared_config.names.monitor-action-group}-${var.env_config}"
+  resource_group_name = local.resource_group_name
+}

infrastructure/terraform/main.tf

@@ -8,13 +8,15 @@ module "infra" {
     azurerm.hub = azurerm.hub
   }
 
-  region              = local.region
-  resource_group_name = local.resource_group_name
-  app_short_name      = var.app_short_name
-  environment         = var.env_config
-  hub                 = var.hub
-  protect_keyvault    = var.protect_keyvault
-  vnet_address_space  = var.vnet_address_space
+  region               = local.region
+  resource_group_name  = local.resource_group_name
+  infra_key_vault_name = local.infra_key_vault_name
+  infra_key_vault_rg   = local.infra_key_vault_rg
+  app_short_name       = var.app_short_name
+  environment          = var.env_config
+  hub                  = var.hub
+  protect_keyvault     = var.protect_keyvault
+  vnet_address_space   = var.vnet_address_space
 }
 
 module "shared_config" {
@@ -36,6 +38,9 @@ module "container-apps" {
   }
 
   region                                = local.region
+  action_group_id                       = var.deploy_infra ? module.infra[0].monitor_action_group_id : data.azurerm_monitor_action_group.main[0].id
+  alert_window_size                     = var.alert_window_size
+  enable_alerting                       = var.enable_alerting
   app_key_vault_id                      = var.deploy_infra ? module.infra[0].app_key_vault_id : data.azurerm_key_vault.app_key_vault[0].id
   app_short_name                        = var.app_short_name
   allowed_paths                         = var.allowed_paths
@@ -61,4 +66,6 @@ module "container-apps" {
   main_subnet_id                        = var.deploy_infra ? module.infra[0].main_subnet_id : data.azurerm_subnet.main[0].id
   seed_demo_data                        = var.seed_demo_data
   use_apex_domain                       = var.use_apex_domain
+  infra_key_vault_name                  = local.infra_key_vault_name
+  infra_key_vault_rg                    = local.infra_key_vault_rg
 }