Merge pull request #4065 from nhsuk/enhanced_db_monitoring

thomasleese · web-flow · commit 421584fb6786 · 2025-08-20T10:46:33.000+01:00
Enhanced DB monitoring
diff --git a/terraform/app/env/production.tfvars b/terraform/app/env/production.tfvars
@@ -30,4 +30,5 @@ minimum_web_replicas      = 2
 maximum_web_replicas      = 4
 container_insights        = "enhanced"
 
-enable_backup_to_vault = true
+enable_backup_to_vault        = true
+enable_enhanced_db_monitoring = true
diff --git a/terraform/app/env/qa.tfvars b/terraform/app/env/qa.tfvars
@@ -26,4 +26,5 @@ minimum_web_replicas      = 2
 maximum_web_replicas      = 4
 container_insights        = "enhanced"
 
-enable_backup_to_vault = true
+enable_backup_to_vault        = true
+enable_enhanced_db_monitoring = true
diff --git a/terraform/app/rds.tf b/terraform/app/rds.tf
@@ -53,6 +53,9 @@ resource "aws_rds_cluster" "core" {
   preferred_backup_window         = "01:00-01:30"
   preferred_maintenance_window    = "sun:02:30-sun:03:00"
   db_cluster_parameter_group_name = "default.aurora-postgresql16"
+  monitoring_interval             = var.enable_enhanced_db_monitoring ? 30 : 0
+  monitoring_role_arn             = var.enable_enhanced_db_monitoring ? aws_iam_role.enhanced_db_monitoring[0].arn : null
+  enabled_cloudwatch_logs_exports = ["postgresql", "instance"]
 
   serverlessv2_scaling_configuration {
     max_capacity = var.max_aurora_capacity_units
@@ -83,4 +86,20 @@ resource "aws_rds_cluster_instance" "core" {
   engine_version       = aws_rds_cluster.core.engine_version
   db_subnet_group_name = aws_db_subnet_group.core.name
   promotion_tier       = each.value["promotion_tier"]
+  monitoring_interval  = var.enable_enhanced_db_monitoring ? 30 : 0
+  monitoring_role_arn  = var.enable_enhanced_db_monitoring ? aws_iam_role.enhanced_db_monitoring[0].arn : null
+}
+
+resource "aws_iam_role" "enhanced_db_monitoring" {
+  count = var.enable_enhanced_db_monitoring ? 1 : 0
+  name  = "enhanced-db-monitoring-role-${var.environment}"
+  assume_role_policy = templatefile(
+    "../app/templates/iam_assume_role.json.tpl",
+  { service_name = "monitoring.rds.amazonaws.com" })
+}
+
+resource "aws_iam_role_policy_attachment" "enhanced_db_monitoring_policy" {
+  count      = var.enable_enhanced_db_monitoring ? 1 : 0
+  role       = aws_iam_role.enhanced_db_monitoring[0].name
+  policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonRDSEnhancedMonitoringRole"
 }
diff --git a/terraform/app/variables.tf b/terraform/app/variables.tf
@@ -175,6 +175,13 @@ variable "enable_splunk" {
   nullable    = false
 }
 
+variable "enable_enhanced_db_monitoring" {
+  type        = bool
+  default     = false
+  description = "Boolean toggle to determine whether enhanced DB monitoring should be enabled."
+  nullable    = false
+}
+
 variable "app_version" {
   type        = string
   description = "The version identifier for the MAVIS application deployment"
