Add Cloudwatch monitoring

We need to know when our Archivematica instances go down, so this commit
adds Cloudwatch alarms in case they drop below the expected number of
running pods.

Author: liam-lloyd

archivematica/prod_cluster/--addon-name

@@ -0,0 +1,32 @@
+resource "aws_sns_topic" "prod_archivematica_alarm_topic" {
+  name = "prod-archivematica-alarm"
+}
+
+resource "aws_sns_topic_subscription" "prod_archivematica_alarm_subscription" {
+  topic_arn = aws_sns_topic.prod_archivematica_alarm_topic.arn
+  protocol  = "email"
+  endpoint  = var.alert_email
+}
+
+resource "aws_cloudwatch_metric_alarm" "prod_archivematica_pods" {
+  alarm_name        = "prod-archivematica-running-pods"
+  alarm_description = "Alert if the archivematica-prod namespace has fewer running pods than expected"
+
+  namespace           = "ContainerInsights"
+  metric_name         = "namespace_number_of_running_pods"
+  statistic           = "Average"
+  period              = 60
+  evaluation_periods  = 2
+  comparison_operator = "LessThanThreshold"
+  threshold           = 7
+
+  dimensions = {
+    ClusterName = local.cluster_name
+    Namespace   = "archivematica-prod"
+  }
+
+  treat_missing_data = "breaching"
+
+  alarm_actions = [aws_sns_topic.prod_archivematica_alarm_topic.arn]
+  ok_actions    = [aws_sns_topic.prod_archivematica_alarm_topic.arn]
+}

archivematica/prod_cluster/alerting.tf

@@ -1,7 +1,16 @@
+resource "kubernetes_namespace" "archivematica_prod" {
+  metadata {
+    name = "archivematica-prod"
+  }
+}
+
 data "kubernetes_resource" "archivematica_prod" {
   kind        = "Deployment"
   api_version = "apps/v1"
-  metadata { name = "archivematica-prod" }
+  metadata {
+    name = "archivematica-prod"
+    namespace = kubernetes_namespace.archivematica_prod.metadata[0].name
+  }
 }
 
 resource "kubernetes_deployment" "archivematica_prod" {
@@ -11,6 +20,7 @@ resource "kubernetes_deployment" "archivematica_prod" {
       App         = "archivematica-prod"
       Environment = "prod"
     }
+    namespace = kubernetes_namespace.archivematica_prod.metadata[0].name
   }
   spec {
     replicas = 1
@@ -565,7 +575,10 @@ resource "kubernetes_deployment" "archivematica_prod" {
 data "kubernetes_resource" "mcp_client_prod" {
   kind        = "Deployment"
   api_version = "apps/v1"
-  metadata { name = "archivematica-mcp-client-prod" }
+  metadata {
+    name = "archivematica-mcp-client-prod"
+    namespace = kubernetes_namespace.archivematica_prod.metadata[0].name
+  }
 }
 
 resource "kubernetes_deployment" "mcp_client_prod" {
@@ -575,6 +588,7 @@ resource "kubernetes_deployment" "mcp_client_prod" {
       App         = "archivematica-prod"
       Environment = "prod"
     }
+    namespace = kubernetes_namespace.archivematica_prod.metadata[0].name
   }
   spec {
     replicas = 4
@@ -701,7 +715,8 @@ resource "kubernetes_deployment" "mcp_client_prod" {
 
 resource "kubernetes_service" "archivematica_dashboard_service_prod" {
   metadata {
-    name = "archivematica-dashboard-prod"
+    name      = "archivematica-dashboard-prod"
+    namespace = kubernetes_namespace.archivematica_prod.metadata[0].name
   }
   spec {
     type = "ClusterIP"
@@ -717,7 +732,8 @@ resource "kubernetes_service" "archivematica_dashboard_service_prod" {
 
 resource "kubernetes_service" "archivematica_storage_service_prod" {
   metadata {
-    name = "archivematica-storage-prod"
+    name      = "archivematica-storage-prod"
+    namespace = kubernetes_namespace.archivematica_prod.metadata[0].name
   }
   spec {
     type = "ClusterIP"
@@ -733,7 +749,8 @@ resource "kubernetes_service" "archivematica_storage_service_prod" {
 
 resource "kubernetes_persistent_volume_claim" "archivematica_prod_pipeline_data_pvc" {
   metadata {
-    name = "prod-pipeline-data"
+    name      = "prod-pipeline-data"
+    namespace = kubernetes_namespace.archivematica_prod.metadata[0].name
   }
   spec {
     access_modes = ["ReadWriteOnce"]
@@ -749,7 +766,8 @@ resource "kubernetes_persistent_volume_claim" "archivematica_prod_pipeline_data_
 
 resource "kubernetes_persistent_volume_claim" "archivematica_prod_staging_data_pvc" {
   metadata {
-    name = "prod-staging-data"
+    name      = "prod-staging-data"
+    namespace = kubernetes_namespace.archivematica_prod.metadata[0].name
   }
   spec {
     access_modes = ["ReadWriteOnce"]
@@ -765,7 +783,8 @@ resource "kubernetes_persistent_volume_claim" "archivematica_prod_staging_data_p
 
 resource "kubernetes_persistent_volume_claim" "archivematica_prod_location_data_pvc" {
   metadata {
-    name = "prod-location-data"
+    name      = "prod-location-data"
+    namespace = kubernetes_namespace.archivematica_prod.metadata[0].name
   }
   spec {
     access_modes = ["ReadWriteOnce"]
@@ -781,7 +800,8 @@ resource "kubernetes_persistent_volume_claim" "archivematica_prod_location_data_
 
 resource "kubernetes_persistent_volume_claim" "archivematica_prod_transfer_share_pvc" {
   metadata {
-    name = "prod-transfer-share"
+    name      = "prod-transfer-share"
+    namespace = kubernetes_namespace.archivematica_prod.metadata[0].name
   }
   spec {
     access_modes = ["ReadWriteOnce"]
@@ -797,7 +817,8 @@ resource "kubernetes_persistent_volume_claim" "archivematica_prod_transfer_share
 
 resource "kubernetes_persistent_volume_claim" "archivematica_prod_storage_share_pvc" {
   metadata {
-    name = "prod-storage-share"
+    name      = "prod-storage-share"
+    namespace = kubernetes_namespace.archivematica_prod.metadata[0].name
   }
   spec {
     access_modes = ["ReadWriteOnce"]

archivematica/prod_cluster/archivematica_deployment.tf

@@ -43,6 +43,12 @@ module "eks" {
       service_account_role_arn = module.ebs_csi_irsa.iam_role_arn
       resolve_conflicts        = "OVERWRITE"
     }
+    amazon-cloudwatch-observability = {
+      most_recent                 = true
+      resolve_conflicts_on_create = "OVERWRITE"
+      resolve_conflicts           = "OVERWRITE"
+      service_account_role_arn    = module.cloudwatch_observability_irsa.iam_role_arn
+    }
   }
 
   eks_managed_node_groups = {
@@ -73,20 +79,42 @@ module "eks" {
 }
 
 module "ebs_csi_irsa" {
-  source = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks"
+  source  = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks"
   version = "5.60.0"
 
-  role_name_prefix = "${local.cluster_name}-ebs-csi-"
+  role_name_prefix      = "${local.cluster_name}-ebs-csi-"
   attach_ebs_csi_policy = true
 
   oidc_providers = {
     main = {
-      provider_arn = module.eks.oidc_provider_arn
+      provider_arn               = module.eks.oidc_provider_arn
       namespace_service_accounts = ["kube-system:ebs-csi-controller-sa"]
     }
   }
 }
 
+module "cloudwatch_observability_irsa" {
+  source  = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks"
+  version = "5.60.0"
+
+  // It is generally our practice to avoid abbreviations, but this actually does have a
+  // length limit we'd run into if we spelled out "observability"
+  role_name_prefix = "${local.cluster_name}-o11y-"
+
+  attach_cloudwatch_observability_policy = true
+
+  oidc_providers = {
+    main = {
+      provider_arn = module.eks.oidc_provider_arn
+
+      namespace_service_accounts = [
+        "amazon-cloudwatch:cloudwatch-agent",
+        "amazon-cloudwatch:adot-collector",
+      ]
+    }
+  }
+}
+
 resource "kubernetes_cluster_role_binding" "eks_admins_cluster_admin" {
   metadata {
     name = "eks-admins-cluster-admin"

archivematica/prod_cluster/eks-cluster.tf

@@ -5,6 +5,7 @@ resource "kubernetes_deployment" "archivematica_gearman_prod" {
       App         = "archivematica-prod"
       Environment = "prod"
     }
+    namespace = kubernetes_namespace.archivematica_prod.metadata[0].name
   }
   spec {
     replicas = 1
@@ -45,7 +46,8 @@ resource "kubernetes_deployment" "archivematica_gearman_prod" {
 
 resource "kubernetes_service" "archivematica_gearman_prod" {
   metadata {
-    name = "archivematica-gearman-prod"
+    name      = "archivematica-gearman-prod"
+    namespace = kubernetes_namespace.archivematica_prod.metadata[0].name
   }
   spec {
     selector = {

archivematica/prod_cluster/gearman_deployment.tf

@@ -1,6 +1,6 @@
 resource "kubernetes_ingress_v1" "archivematica_dashboard_ingress_prod" {
   metadata {
-    name = "archivematica-dashboard-ingress-dev"
+    name = "archivematica-dashboard-ingress-prod"
     annotations = {
       "alb.ingress.kubernetes.io/scheme"          = "internet-facing"
       "alb.ingress.kubernetes.io/subnets"         = "${var.subnet_ids[0]},${var.subnet_ids[1]},${var.subnet_ids[2]}"
@@ -11,6 +11,7 @@ resource "kubernetes_ingress_v1" "archivematica_dashboard_ingress_prod" {
       "alb.ingress.kubernetes.io/target-type"     = "ip"
       "alb.ingress.kubernetes.io/inbound-cidrs"   = join(",", var.whitelisted_cidrs)
     }
+    namespace = kubernetes_namespace.archivematica_prod.metadata[0].name
   }
   spec {
     ingress_class_name = "alb"
@@ -44,6 +45,7 @@ resource "kubernetes_ingress_v1" "archivematica_storage_ingress_prod" {
       "alb.ingress.kubernetes.io/target-type"     = "ip"
       "alb.ingress.kubernetes.io/inbound-cidrs"   = join(",", var.whitelisted_cidrs)
     }
+    namespace = kubernetes_namespace.archivematica_prod.metadata[0].name
   }
   spec {
     ingress_class_name = "alb"
@@ -77,6 +79,7 @@ resource "kubernetes_ingress_v1" "archivematica_dashboard_internal_ingress_prod"
       "alb.ingress.kubernetes.io/target-type"     = "ip"
       "alb.ingress.kubernetes.io/security-groups" = var.security_group_id
     }
+    namespace = kubernetes_namespace.archivematica_prod.metadata[0].name
   }
   spec {
     ingress_class_name = "alb"
@@ -110,6 +113,7 @@ resource "kubernetes_ingress_v1" "archivematica_storage_internal_ingress_prod" {
       "alb.ingress.kubernetes.io/target-type"     = "ip"
       "alb.ingress.kubernetes.io/security-groups" = var.security_group_id
     }
+    namespace = kubernetes_namespace.archivematica_prod.metadata[0].name
   }
   spec {
     ingress_class_name = "alb"

archivematica/prod_cluster/ingress.tf

@@ -5,6 +5,7 @@ resource "kubernetes_deployment" "archivematica_redis_prod" {
       App         = "archivematica-prod"
       Environment = "prod"
     }
+    namespace = kubernetes_namespace.archivematica_prod.metadata[0].name
   }
   spec {
     replicas = 1
@@ -54,7 +55,8 @@ resource "kubernetes_deployment" "archivematica_redis_prod" {
 
 resource "kubernetes_service" "archivematica_redis_prod" {
   metadata {
-    name = "archivematica-redis-prod"
+    name      = "archivematica-redis-prod"
+    namespace = kubernetes_namespace.archivematica_prod.metadata[0].name
   }
   spec {
     selector = {
@@ -70,7 +72,8 @@ resource "kubernetes_service" "archivematica_redis_prod" {
 
 resource "kubernetes_persistent_volume_claim" "archivematica_redis_pvc_prod" {
   metadata {
-    name = "archivematica-redis-pvc-prod"
+    name      = "archivematica-redis-pvc-prod"
+    namespace = kubernetes_namespace.archivematica_prod.metadata[0].name
   }
   spec {
     access_modes = ["ReadWriteOnce"]

archivematica/prod_cluster/redis_deployment.tf

@@ -1,6 +1,7 @@
 resource "kubernetes_secret" "prod-archivematica-secrets" {
   metadata {
-    name = "prod-archivematica-secrets"
+    name      = "prod-archivematica-secrets"
+    namespace = kubernetes_namespace.archivematica_prod.metadata[0].name
   }
 
   data = {

archivematica/prod_cluster/secrets.tf

@@ -77,3 +77,9 @@ variable "image_overrides" {
   type        = map(string)
   default     = {}
 }
+
+variable "alert_email" {
+  description = "The email to which to send Cloudwatch alerts"
+  type        = string
+  default     = "engineering@permanent.org"
+}

archivematica/prod_cluster/variables.tf

@@ -0,0 +1,32 @@
+resource "aws_sns_topic" "dev_archivematica_alarm_topic" {
+  name = "dev-archivematica-alarm"
+}
+
+resource "aws_sns_topic_subscription" "dev_archivematica_alarm_subscription" {
+  topic_arn = aws_sns_topic.dev_archivematica_alarm_topic.arn
+  protocol  = "email"
+  endpoint  = var.alert_email
+}
+
+resource "aws_cloudwatch_metric_alarm" "dev_archivematica_pods" {
+  alarm_name        = "dev-archivematica-running-pods"
+  alarm_description = "Alert if the archivematica-dev namespace has fewer running pods than expected"
+
+  namespace           = "ContainerInsights"
+  metric_name         = "namespace_number_of_running_pods"
+  statistic           = "Average"
+  period              = 60
+  evaluation_periods  = 2
+  comparison_operator = "LessThanThreshold"
+  threshold           = 7
+
+  dimensions = {
+    ClusterName = local.cluster_name
+    Namespace   = "archivematica-dev"
+  }
+
+  treat_missing_data = "breaching"
+
+  alarm_actions = [aws_sns_topic.dev_archivematica_alarm_topic.arn]
+  ok_actions    = [aws_sns_topic.dev_archivematica_alarm_topic.arn]
+}