feat: API alarms module

[patheard]

Summary

Add API alarms that trigger when errors are logged or a secret is detected.

Related

• Closes Terraform: add alarms module #15
• cds-snc/site-reliability-engineering#812
• Implement validation of prefix in API keys notification-planning#838

[github-actions]

Production: alarms

✅   Terraform Format: success
✅   Terraform Plan: success
✅   Conftest: success

Plan: 10 to add, 0 to change, 0 to destroy

Show summary

CHANGE	NAME
add	aws_cloudwatch_log_metric_filter.api_error
	aws_cloudwatch_log_metric_filter.api_secret_detected
	aws_cloudwatch_metric_alarm.api_error
	aws_cloudwatch_metric_alarm.api_secret_detected
	module.cloudwatch_alarms_slack.aws_cloudwatch_log_group.notify_slack_lambda
	module.cloudwatch_alarms_slack.aws_iam_policy.notify_slack_lambda
	module.cloudwatch_alarms_slack.aws_iam_role.notify_slack_lambda
	module.cloudwatch_alarms_slack.aws_iam_role_policy_attachment.notify_slack_lambda
	module.cloudwatch_alarms_slack.aws_lambda_function.notify_slack
	module.cloudwatch_alarms_slack.aws_lambda_permission.notify_slack[0]

Show plan

Resource actions are indicated with the following symbols:
  + create
 <= read (data resources)

Terraform will perform the following actions:

  # aws_cloudwatch_log_metric_filter.api_error will be created
  + resource "aws_cloudwatch_log_metric_filter" "api_error" {
      + id             = (known after apply)
      + log_group_name = "/aws/lambda/github-secret-scanning-api"
      + name           = "ErrorLoggedAPI"
      + pattern        = "?ERROR ?Error ?error ?failed"

      + metric_transformation {
          + name      = "ErrorLoggedAPI"
          + namespace = "GitHubSecretScanning"
          + unit      = "None"
          + value     = "1"
        }
    }

  # aws_cloudwatch_log_metric_filter.api_secret_detected will be created
  + resource "aws_cloudwatch_log_metric_filter" "api_secret_detected" {
      + id             = (known after apply)
      + log_group_name = "/aws/lambda/github-secret-scanning-api"
      + name           = "SecretDetectedAPI"
      + pattern        = "Secret detected"

      + metric_transformation {
          + name      = "SecretDetectedAPI"
          + namespace = "GitHubSecretScanning"
          + unit      = "None"
          + value     = "1"
        }
    }

  # aws_cloudwatch_metric_alarm.api_error will be created
  + resource "aws_cloudwatch_metric_alarm" "api_error" {
      + actions_enabled                       = true
      + alarm_actions                         = [
          + "arn:aws:sns:ca-central-1:283582579564:internal-sre-alert",
        ]
      + alarm_description                     = "Errors logged by the API lambda function"
      + alarm_name                            = "ErrorLoggedAPI"
      + arn                                   = (known after apply)
      + comparison_operator                   = "GreaterThanOrEqualToThreshold"
      + evaluate_low_sample_count_percentiles = (known after apply)
      + evaluation_periods                    = 1
      + id                                    = (known after apply)
      + metric_name                           = "ErrorLoggedAPI"
      + namespace                             = "GitHubSecretScanning"
      + ok_actions                            = [
          + "arn:aws:sns:ca-central-1:283582579564:internal-sre-alert",
        ]
      + period                                = 60
      + statistic                             = "Sum"
      + tags_all                              = (known after apply)
      + threshold                             = 1
      + treat_missing_data                    = "notBreaching"
    }

  # aws_cloudwatch_metric_alarm.api_secret_detected will be created
  + resource "aws_cloudwatch_metric_alarm" "api_secret_detected" {
      + actions_enabled                       = true
      + alarm_actions                         = [
          + "arn:aws:sns:ca-central-1:283582579564:internal-sre-alert",
        ]
      + alarm_description                     = "GitHub alert that a secret has been detected"
      + alarm_name                            = "SecretDetectedAPI"
      + arn                                   = (known after apply)
      + comparison_operator                   = "GreaterThanOrEqualToThreshold"
      + evaluate_low_sample_count_percentiles = (known after apply)
      + evaluation_periods                    = 1
      + id                                    = (known after apply)
      + metric_name                           = "SecretDetectedAPI"
      + namespace                             = "GitHubSecretScanning"
      + ok_actions                            = [
          + "arn:aws:sns:ca-central-1:283582579564:internal-sre-alert",
        ]
      + period                                = 60
      + statistic                             = "Sum"
      + tags_all                              = (known after apply)
      + threshold                             = 1
      + treat_missing_data                    = "notBreaching"
    }

  # module.cloudwatch_alarms_slack.data.aws_iam_policy_document.notify_slack_lambda will be read during apply
  # (config refers to values not yet known)
 <= data "aws_iam_policy_document" "notify_slack_lambda" {
      + id   = (known after apply)
      + json = (known after apply)

      + statement {
          + actions   = [
              + "logs:CreateLogStream",
              + "logs:PutLogEvents",
            ]
          + effect    = "Allow"
          + resources = [
              + (known after apply),
            ]
        }
    }

  # module.cloudwatch_alarms_slack.aws_cloudwatch_log_group.notify_slack_lambda will be created
  + resource "aws_cloudwatch_log_group" "notify_slack_lambda" {
      + arn               = (known after apply)
      + id                = (known after apply)
      + name              = "/aws/lambda/github-secret-scanning"
      + name_prefix       = (known after apply)
      + retention_in_days = 14
      + skip_destroy      = false
      + tags              = {
          + "CostCentre" = "github-secret-scanning-production"
        }
      + tags_all          = {
          + "CostCentre" = "github-secret-scanning-production"
        }
    }

  # module.cloudwatch_alarms_slack.aws_iam_policy.notify_slack_lambda will be created
  + resource "aws_iam_policy" "notify_slack_lambda" {
      + arn       = (known after apply)
      + id        = (known after apply)
      + name      = "NotifySlackLambda-github-secret-scanning"
      + path      = "/"
      + policy    = (known after apply)
      + policy_id = (known after apply)
      + tags_all  = (known after apply)
    }

  # module.cloudwatch_alarms_slack.aws_iam_role.notify_slack_lambda will be created
  + resource "aws_iam_role" "notify_slack_lambda" {
      + arn                   = (known after apply)
      + assume_role_policy    = jsonencode(
            {
              + Statement = [
                  + {
                      + Action    = "sts:AssumeRole"
                      + Effect    = "Allow"
                      + Principal = {
                          + Service = "lambda.amazonaws.com"
                        }
                      + Sid       = ""
                    },
                ]
              + Version   = "2012-10-17"
            }
        )
      + create_date           = (known after apply)
      + force_detach_policies = false
      + id                    = (known after apply)
      + managed_policy_arns   = (known after apply)
      + max_session_duration  = 3600
      + name                  = "NotifySlackLambda-github-secret-scanning"
      + name_prefix           = (known after apply)
      + path                  = "/"
      + tags_all              = (known after apply)
      + unique_id             = (known after apply)

      + inline_policy {
          + name   = (known after apply)
          + policy = (known after apply)
        }
    }

  # module.cloudwatch_alarms_slack.aws_iam_role_policy_attachment.notify_slack_lambda will be created
  + resource "aws_iam_role_policy_attachment" "notify_slack_lambda" {
      + id         = (known after apply)
      + policy_arn = (known after apply)
      + role       = "NotifySlackLambda-github-secret-scanning"
    }

  # module.cloudwatch_alarms_slack.aws_lambda_function.notify_slack will be created
  + resource "aws_lambda_function" "notify_slack" {
      + architectures                  = (known after apply)
      + arn                            = (known after apply)
      + description                    = "Lambda function to post CloudWatch alarm notifications to a Slack channel."
      + filename                       = "/tmp/notify_slack.py.zip"
      + function_name                  = "github-secret-scanning"
      + handler                        = "notify_slack.lambda_handler"
      + id                             = (known after apply)
      + invoke_arn                     = (known after apply)
      + last_modified                  = (known after apply)
      + memory_size                    = 128
      + package_type                   = "Zip"
      + publish                        = false
      + qualified_arn                  = (known after apply)
      + qualified_invoke_arn           = (known after apply)
      + reserved_concurrent_executions = -1
      + role                           = (known after apply)
      + runtime                        = "python3.8"
      + signing_job_arn                = (known after apply)
      + signing_profile_version_arn    = (known after apply)
      + source_code_hash               = "iC0Ta5b8fs9u6i/c3LA3/Tk8BUHfS6Jgq4NF8At0CBo="
      + source_code_size               = (known after apply)
      + tags                           = {
          + "CostCentre" = "github-secret-scanning-production"
        }
      + tags_all                       = {
          + "CostCentre" = "github-secret-scanning-production"
        }
      + timeout                        = 30
      + version                        = (known after apply)

      + environment {
          + variables = {
              + "LOG_EVENTS"        = "True"
              + "PROJECT_NAME"      = "github-secret-scanning"
              + "SLACK_WEBHOOK_URL" = (sensitive value)
            }
        }

      + ephemeral_storage {
          + size = (known after apply)
        }

      + tracing_config {
          + mode = (known after apply)
        }
    }

  # module.cloudwatch_alarms_slack.aws_lambda_permission.notify_slack[0] will be created
  + resource "aws_lambda_permission" "notify_slack" {
      + action              = "lambda:InvokeFunction"
      + function_name       = "github-secret-scanning"
      + id                  = (known after apply)
      + principal           = "sns.amazonaws.com"
      + source_arn          = "arn:aws:sns:ca-central-1:283582579564:internal-sre-alert"
      + statement_id        = "AllowExecutionFromSNS-github-secret-scanning-0"
      + statement_id_prefix = (known after apply)
    }

Plan: 10 to add, 0 to change, 0 to destroy.

─────────────────────────────────────────────────────────────────────────────

Saved the plan to: plan.tfplan

To perform exactly these actions, run the following command to apply:
    terraform apply "plan.tfplan"
Releasing state lock. This may take a few moments...

Show Conftest results

WARN - plan.json - main - Cloudwatch log metric pattern is invalid: ["aws_cloudwatch_log_metric_filter.api_error"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_metric_alarm.api_error"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_metric_alarm.api_secret_detected"]
WARN - plan.json - main - Missing Common Tags: ["module.cloudwatch_alarms_slack.aws_cloudwatch_log_group.notify_slack_lambda"]
WARN - plan.json - main - Missing Common Tags: ["module.cloudwatch_alarms_slack.aws_iam_policy.notify_slack_lambda"]
WARN - plan.json - main - Missing Common Tags: ["module.cloudwatch_alarms_slack.aws_iam_role.notify_slack_lambda"]
WARN - plan.json - main - Missing Common Tags: ["module.cloudwatch_alarms_slack.aws_lambda_function.notify_slack"]

23 tests, 16 passed, 7 warnings, 0 failures, 0 exceptions