Merge pull request #21 from rhythmictech/ENG-4561

created acm certificate renewal failure monitor

Author: lalo-galvan

aws/acm/.terraform.lock.hcl

@@ -0,0 +1,65 @@
+<!-- BEGIN_TF_DOCS -->
+## Requirements
+
+| Name | Version |
+|------|---------|
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | ~> 1.5 |
+| <a name="requirement_datadog"></a> [datadog](#requirement\_datadog) | >= 3.37 |
+| <a name="requirement_null"></a> [null](#requirement\_null) | >= 3.1.0 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_datadog"></a> [datadog](#provider\_datadog) | 3.76.0 |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [datadog_monitor.certificate_renewal_failure_check](https://registry.terraform.io/providers/datadog/datadog/latest/docs/resources/monitor) | resource |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_additional_tags"></a> [additional\_tags](#input\_additional\_tags) | Additional tags (key:value format) to add to this type of check (combined with `local.tags` and `var.base_tags`) | `list(string)` | `[]` | no |
+| <a name="input_alert_critical_priority"></a> [alert\_critical\_priority](#input\_alert\_critical\_priority) | Priority for alerts within critical threshold (P1-P5, uses monitor defaults if not specified) | `string` | `null` | no |
+| <a name="input_alert_message"></a> [alert\_message](#input\_alert\_message) | Message to prepend to alert notifications | `string` | `"Alert"` | no |
+| <a name="input_alert_nodata_priority"></a> [alert\_nodata\_priority](#input\_alert\_nodata\_priority) | Priority for alerts within warning threshold (P1-P5, uses monitor defaults if not specified) | `string` | `null` | no |
+| <a name="input_base_tags"></a> [base\_tags](#input\_base\_tags) | Base tags (key:value format) to add to this type of check (combined with `local.tags` and `var.additional_tags`, generally you should not change this) | `list(string)` | <pre>[<br/>  "resource:acm"<br/>]</pre> | no |
+| <a name="input_certificate_renewal_failure_check_enabled"></a> [certificate\_renewal\_failure\_check\_enabled](#input\_certificate\_renewal\_failure\_check\_enabled) | Whether to enable the certificate renewal failure check | `bool` | `true` | no |
+| <a name="input_cost_center"></a> [cost\_center](#input\_cost\_center) | Cost Center of the monitored resource (leave blank to omit tag) | `string` | `null` | no |
+| <a name="input_dashboard_link"></a> [dashboard\_link](#input\_dashboard\_link) | Dashboard link to include in message | `string` | `null` | no |
+| <a name="input_env"></a> [env](#input\_env) | Environment the monitored resource is in (leave blank to omit tag) | `string` | `null` | no |
+| <a name="input_evaluation_delay"></a> [evaluation\_delay](#input\_evaluation\_delay) | Monitor evaluation delay (see [https://docs.datadoghq.com/monitors/configuration/?tab=thresholdalert#set-alert-conditions](Datadog Docs)) | `number` | `900` | no |
+| <a name="input_group_by"></a> [group\_by](#input\_group\_by) | List of tags to group by | `list(string)` | <pre>[<br/>  "name",<br/>  "aws_account",<br/>  "env",<br/>  "datadog_managed"<br/>]</pre> | no |
+| <a name="input_monitor_exclude_tags"></a> [monitor\_exclude\_tags](#input\_monitor\_exclude\_tags) | Tags to be excluded in the monitoring query. Specify in key:value format | `list(string)` | `[]` | no |
+| <a name="input_monitor_include_tags"></a> [monitor\_include\_tags](#input\_monitor\_include\_tags) | Tags to be included in the monitoring query. Specify in key:value format | `list(string)` | `[]` | no |
+| <a name="input_new_group_delay"></a> [new\_group\_delay](#input\_new\_group\_delay) | Delay in seconds before generating alerts for a new resource | `number` | `300` | no |
+| <a name="input_notify_alert_override"></a> [notify\_alert\_override](#input\_notify\_alert\_override) | List of notifications for alerts in critical threshold (uses `notify_default` otherwise) | `list(string)` | `[]` | no |
+| <a name="input_notify_crit_override"></a> [notify\_crit\_override](#input\_notify\_crit\_override) | List of notifications for 24x7 alerts in critical threshold (uses `notify_default` otherwise) | `list(string)` | `[]` | no |
+| <a name="input_notify_default"></a> [notify\_default](#input\_notify\_default) | List of alert notifications (can be overridden based on alert type) | `list(string)` | n/a | yes |
+| <a name="input_notify_no_data"></a> [notify\_no\_data](#input\_notify\_no\_data) | Alert if no matching data is found | `bool` | `false` | no |
+| <a name="input_notify_nodata_override"></a> [notify\_nodata\_override](#input\_notify\_nodata\_override) | List of notifications for no data (uses `notify_default` otherwise) | `list(string)` | `[]` | no |
+| <a name="input_notify_nonprod_override"></a> [notify\_nonprod\_override](#input\_notify\_nonprod\_override) | List of notifications for non-prod alerts in critical threshold (uses `notify_default` otherwise) | `list(string)` | `[]` | no |
+| <a name="input_notify_prod_override"></a> [notify\_prod\_override](#input\_notify\_prod\_override) | List of notifications for 12x5 prod alerts in critical threshold (uses `notify_default` otherwise) | `list(string)` | `[]` | no |
+| <a name="input_notify_recovery_override"></a> [notify\_recovery\_override](#input\_notify\_recovery\_override) | List of notifications for alert recovery (uses `notify_default` otherwise) | `list(string)` | `[]` | no |
+| <a name="input_notify_warn_override"></a> [notify\_warn\_override](#input\_notify\_warn\_override) | List of notifications for alerts in warning threshold (uses `notify_default` otherwise) | `list(string)` | `[]` | no |
+| <a name="input_renotify_interval"></a> [renotify\_interval](#input\_renotify\_interval) | Interval in minutes to re-send notifications about an alert | `number` | `60` | no |
+| <a name="input_runbook_link"></a> [runbook\_link](#input\_runbook\_link) | Runbook link to include in message | `string` | `null` | no |
+| <a name="input_service"></a> [service](#input\_service) | Service associated with the monitored resource (leave blank to omit tag) | `string` | `null` | no |
+| <a name="input_team"></a> [team](#input\_team) | Team supporting the monitored resource (leave blank to omit tag) | `string` | `null` | no |
+| <a name="input_timeout_h"></a> [timeout\_h](#input\_timeout\_h) | Auto-resolve alert in specified hours if condition no longer matches | `number` | `0` | no |
+| <a name="input_title_prefix"></a> [title\_prefix](#input\_title\_prefix) | Prefix all alerts with specified value in brackets | `string` | `null` | no |
+| <a name="input_title_suffix"></a> [title\_suffix](#input\_title\_suffix) | Suffix all alerts with specified value in parenthesis | `string` | `null` | no |
+| <a name="input_warn_priority"></a> [warn\_priority](#input\_warn\_priority) | Priority for alerts with no data (P1-P5, uses monitor defaults if not specified) | `string` | `null` | no |
+
+## Outputs
+
+No outputs.
+<!-- END_TF_DOCS -->

aws/acm/README.md

@@ -0,0 +1 @@
+../../common/common.tf

aws/acm/common.tf

@@ -0,0 +1,30 @@
+locals {
+  # these must be defined but do not need to be overridden
+  monitor_alert_default_priority  = null
+  monitor_warn_default_priority   = null
+  monitor_nodata_default_priority = null
+
+  title_prefix = var.title_prefix == null ? "" : "[${var.title_prefix}]"
+  title_suffix = var.title_suffix == null ? "" : " (${var.title_suffix})"
+}
+
+resource "datadog_monitor" "certificate_renewal_failure_check" {
+  count = var.certificate_renewal_failure_check_enabled ? 1 : 0
+
+  name         = join("", [local.title_prefix, "ACM - Certificate Renewal Failure", local.title_suffix])
+  type         = "event-v2 alert"
+  message      = local.event_alert_base_message
+  tags         = concat(local.common_tags, var.base_tags, var.additional_tags)
+  include_tags = false
+
+  evaluation_delay = var.evaluation_delay
+  new_group_delay  = var.new_group_delay
+
+  query = <<-EOQ
+    events("source:amazon_acm").rollup("count").by("@aggregation_key,env").last("5m") > 0
+  EOQ
+
+  monitor_thresholds {
+    critical = 0
+  }
+}

aws/acm/main.tf

@@ -0,0 +1,23 @@
+########################################
+# Global variables
+########################################
+variable "additional_tags" {
+  default     = []
+  description = "Additional tags (key:value format) to add to this type of check (combined with `local.tags` and `var.base_tags`)"
+  type        = list(string)
+}
+
+variable "base_tags" {
+  default     = ["resource:acm"]
+  description = "Base tags (key:value format) to add to this type of check (combined with `local.tags` and `var.additional_tags`, generally you should not change this)"
+  type        = list(string)
+}
+
+########################################
+# Certificate Renewal Failure Check
+########################################
+variable "certificate_renewal_failure_check_enabled" {
+  default     = true
+  description = "Whether to enable the certificate renewal failure check"
+  type        = bool
+}

aws/acm/variables.tf

@@ -0,0 +1 @@
+../../common/versions.tf

aws/acm/versions.tf

@@ -340,7 +340,34 @@ END
 ${local.alert_context}
 **Alert Information**
 {{#is_alert}} ${local.notify_on_alert} {{/is_alert}}
-{{#is_recovery}} ${local.notify_on_recovery} {{/is_recovery}}
+END
+
+  event_alert_base_message = <<END
+${local.alert_context}
+
+**Alert Information**
+* **Event Tags**: {{event.tags}}
+* **Event Text**: {{event.text}}
+{{#is_alert}}
+Current value: {{value}}
+Threshold: {{threshold}}
+
+Environment: {{env.name}}
+
+  {{#is_match "env.name" "prod" "prd"}}
+    {{#is_match "event.tags.datadog_managed" "critical"}}
+      ${local.notify_on_crit}
+    {{/is_match}}
+    {{#is_match "event.tags.datadog_managed" "true"}}
+      ${local.notify_on_prod}
+    {{/is_match}}
+  {{/is_match}}
+  {{^is_match "env.name" "prod" "prd"}}
+      ${local.notify_on_nonprod}
+  {{/is_match}}
+
+Please investigate and take necessary actions.
+{{/is_alert}}
 END
 
   service_group_by = join(",", formatlist("\"%s\"", var.group_by))