wellcomecollection / platform-infrastructure

:building_construction: Infrastructure for the Wellcome Digital Platform

Remove cloudfront_to_slack_alerts terraform module #429

Closed kenoir closed 6 months ago

kenoir commented 6 months ago

What's changing and why?

Remove a module that adds a lambda intended to post Slack alerts on CloudWatch metrics. This lambda has never been invoked and isn't wired to anything that would send alarms to its SNS topic.

terraform plan diff

Terraform will perform the following actions:

  # module.experience_cloudfront_alerts.module.cloudfront_to_slack_alerts.aws_iam_role_policy.read_secrets will be destroyed
  # (because aws_iam_role_policy.read_secrets is not in configuration)
  - resource "aws_iam_role_policy" "read_secrets" {
      - id     = "lambda_experience_cloudfront_to_slack_alerts_iam_role:terraform-20211201141420551800000001" -> null
      - name   = "terraform-20211201141420551800000001" -> null
      - policy = jsonencode(
            {
              - Statement = [
                  - {
                      - Action   = "secretsmanager:GetSecretValue"
                      - Effect   = "Allow"
                      - Resource = "arn:aws:secretsmanager:us-east-1:130871440101:secret:monitoring/critical_slack_webhook*"
                      - Sid      = ""
                    },
                ]
              - Version   = "2012-10-17"
            }
        ) -> null
      - role   = "lambda_experience_cloudfront_to_slack_alerts_iam_role" -> null
    }

  # module.experience_cloudfront_alerts.module.cloudfront_to_slack_alerts_sns_trigger.aws_lambda_permission.allow_sns_trigger will be destroyed
  # (because aws_lambda_permission.allow_sns_trigger is not in configuration)
  - resource "aws_lambda_permission" "allow_sns_trigger" {
      - action              = "lambda:InvokeFunction" -> null
      - function_name       = "arn:aws:lambda:us-east-1:130871440101:function:experience_cloudfront_to_slack_alerts" -> null
      - id                  = "terraform-20211201141443189900000002" -> null
      - principal           = "sns.amazonaws.com" -> null
      - source_arn          = "arn:aws:sns:us-east-1:130871440101:experience_cloudfront_5xx_alarm" -> null
      - statement_id        = "terraform-20211201141443189900000002" -> null
      - statement_id_prefix = "terraform-" -> null
    }

  # module.experience_cloudfront_alerts.module.cloudfront_to_slack_alerts_sns_trigger.aws_sns_topic.topic will be destroyed
  # (because aws_sns_topic.topic is not in configuration)
  - resource "aws_sns_topic" "topic" {
      - application_success_feedback_sample_rate = 0 -> null
      - arn                                      = "arn:aws:sns:us-east-1:130871440101:experience_cloudfront_5xx_alarm" -> null
      - content_based_deduplication              = false -> null
      - fifo_topic                               = false -> null
      - firehose_success_feedback_sample_rate    = 0 -> null
      - http_success_feedback_sample_rate        = 0 -> null
      - id                                       = "arn:aws:sns:us-east-1:130871440101:experience_cloudfront_5xx_alarm" -> null
      - lambda_success_feedback_sample_rate      = 0 -> null
      - name                                     = "experience_cloudfront_5xx_alarm" -> null
      - owner                                    = "130871440101" -> null
      - policy                                   = jsonencode(
            {
              - Id        = "__default_policy_ID"
              - Statement = [
                  - {
                      - Action    = [
                          - "SNS:GetTopicAttributes",
                          - "SNS:SetTopicAttributes",
                          - "SNS:AddPermission",
                          - "SNS:RemovePermission",
                          - "SNS:DeleteTopic",
                          - "SNS:Subscribe",
                          - "SNS:ListSubscriptionsByTopic",
                          - "SNS:Publish",
                        ]
                      - Condition = {
                          - StringEquals = {
                              - "AWS:SourceOwner" = "130871440101"
                            }
                        }
                      - Effect    = "Allow"
                      - Principal = {
                          - AWS = "*"
                        }
                      - Resource  = "arn:aws:sns:us-east-1:130871440101:experience_cloudfront_5xx_alarm"
                      - Sid       = "__default_statement_ID"
                    },
                ]
              - Version   = "2008-10-17"
            }
        ) -> null
      - signature_version                        = 0 -> null
      - sqs_success_feedback_sample_rate         = 0 -> null
      - tags                                     = {} -> null
      - tags_all                                 = {
          - "Department"                = "Digital Platform"
          - "Division"                  = "Culture and Society"
          - "Environment"               = "Production"
          - "TerraformConfigurationURL" = "https://github.com/wellcomecollection/platform-infrastructure/tree/main/monitoring/terraform"
          - "Use"                       = "Monitoring"
        } -> null
    }

  # module.experience_cloudfront_alerts.module.cloudfront_to_slack_alerts_sns_trigger.aws_sns_topic_subscription.sns_to_lambda will be destroyed
  # (because aws_sns_topic_subscription.sns_to_lambda is not in configuration)
  - resource "aws_sns_topic_subscription" "sns_to_lambda" {
      - arn                             = "arn:aws:sns:us-east-1:130871440101:experience_cloudfront_5xx_alarm:17405de8-8879-40fc-9f7d-d02a1f86d82e" -> null
      - confirmation_timeout_in_minutes = 1 -> null
      - confirmation_was_authenticated  = true -> null
      - endpoint                        = "arn:aws:lambda:us-east-1:130871440101:function:experience_cloudfront_to_slack_alerts" -> null
      - endpoint_auto_confirms          = false -> null
      - id                              = "arn:aws:sns:us-east-1:130871440101:experience_cloudfront_5xx_alarm:17405de8-8879-40fc-9f7d-d02a1f86d82e" -> null
      - owner_id                        = "130871440101" -> null
      - pending_confirmation            = false -> null
      - protocol                        = "lambda" -> null
      - raw_message_delivery            = false -> null
      - topic_arn                       = "arn:aws:sns:us-east-1:130871440101:experience_cloudfront_5xx_alarm" -> null
    }

  # module.experience_cloudfront_alerts.module.cloudfront_to_slack_alerts.module.lambda.aws_cloudwatch_log_group.cloudwatch_log_group will be destroyed
  # (because aws_cloudwatch_log_group.cloudwatch_log_group is not in configuration)
  - resource "aws_cloudwatch_log_group" "cloudwatch_log_group" {
      - arn               = "arn:aws:logs:us-east-1:130871440101:log-group:/aws/lambda/experience_cloudfront_to_slack_alerts" -> null
      - id                = "/aws/lambda/experience_cloudfront_to_slack_alerts" -> null
      - name              = "/aws/lambda/experience_cloudfront_to_slack_alerts" -> null
      - retention_in_days = 7 -> null
      - tags              = {} -> null
      - tags_all          = {
          - "Department"                = "Digital Platform"
          - "Division"                  = "Culture and Society"
          - "Environment"               = "Production"
          - "TerraformConfigurationURL" = "https://github.com/wellcomecollection/platform-infrastructure/tree/main/monitoring/terraform"
          - "Use"                       = "Monitoring"
        } -> null
    }

  # module.experience_cloudfront_alerts.module.cloudfront_to_slack_alerts.module.lambda.aws_cloudwatch_metric_alarm.lambda_alarm will be destroyed
  # (because aws_cloudwatch_metric_alarm.lambda_alarm is not in configuration)
  - resource "aws_cloudwatch_metric_alarm" "lambda_alarm" {
      - actions_enabled           = true -> null
      - alarm_actions             = [
          - "arn:aws:sns:us-east-1:130871440101:experience_useast1_lambda_error_alarm",
        ] -> null
      - alarm_description         = "This metric monitors lambda errors for function: experience_cloudfront_to_slack_alerts" -> null
      - alarm_name                = "lambda-experience_cloudfront_to_slack_alerts-errors" -> null
      - arn                       = "arn:aws:cloudwatch:us-east-1:130871440101:alarm:lambda-experience_cloudfront_to_slack_alerts-errors" -> null
      - comparison_operator       = "GreaterThanOrEqualToThreshold" -> null
      - datapoints_to_alarm       = 0 -> null
      - dimensions                = {
          - "FunctionName" = "experience_cloudfront_to_slack_alerts"
        } -> null
      - evaluation_periods        = 1 -> null
      - id                        = "lambda-experience_cloudfront_to_slack_alerts-errors" -> null
      - insufficient_data_actions = [] -> null
      - metric_name               = "Errors" -> null
      - namespace                 = "AWS/Lambda" -> null
      - ok_actions                = [] -> null
      - period                    = 60 -> null
      - statistic                 = "Sum" -> null
      - tags                      = {} -> null
      - tags_all                  = {
          - "Department"                = "Digital Platform"
          - "Division"                  = "Culture and Society"
          - "Environment"               = "Production"
          - "TerraformConfigurationURL" = "https://github.com/wellcomecollection/platform-infrastructure/tree/main/monitoring/terraform"
          - "Use"                       = "Monitoring"
        } -> null
      - threshold                 = 1 -> null
      - treat_missing_data        = "missing" -> null
    }

  # module.experience_cloudfront_alerts.module.cloudfront_to_slack_alerts.module.lambda.aws_iam_role.iam_role will be destroyed
  # (because aws_iam_role.iam_role is not in configuration)
  - resource "aws_iam_role" "iam_role" {
      - arn                   = "arn:aws:iam::130871440101:role/lambda_experience_cloudfront_to_slack_alerts_iam_role" -> null
      - assume_role_policy    = jsonencode(
            {
              - Statement = [
                  - {
                      - Action    = "sts:AssumeRole"
                      - Effect    = "Allow"
                      - Principal = {
                          - Service = "lambda.amazonaws.com"
                        }
                      - Sid       = ""
                    },
                ]
              - Version   = "2012-10-17"
            }
        ) -> null
      - create_date           = "2021-12-01T14:14:19Z" -> null
      - force_detach_policies = false -> null
      - id                    = "lambda_experience_cloudfront_to_slack_alerts_iam_role" -> null
      - managed_policy_arns   = [] -> null
      - max_session_duration  = 3600 -> null
      - name                  = "lambda_experience_cloudfront_to_slack_alerts_iam_role" -> null
      - path                  = "/" -> null
      - tags                  = {} -> null
      - tags_all              = {
          - "Department"                = "Digital Platform"
          - "Division"                  = "Culture and Society"
          - "Environment"               = "Production"
          - "TerraformConfigurationURL" = "https://github.com/wellcomecollection/platform-infrastructure/tree/main/monitoring/terraform"
          - "Use"                       = "Monitoring"
        } -> null
      - unique_id             = "AROAR46ELWLSZRATQGCEY" -> null

      - inline_policy {
          - name   = "lambda_experience_cloudfront_to_slack_alerts_iam_role_lambda_cloudwatch_logs" -> null
          - policy = jsonencode(
                {
                  - Statement = [
                      - {
                          - Action   = [
                              - "logs:PutLogEvents",
                              - "logs:CreateLogStream",
                            ]
                          - Effect   = "Allow"
                          - Resource = [
                              - "arn:aws:logs:us-east-1:130871440101:log-group:/aws/lambda/experience_cloudfront_to_slack_alerts:*",
                              - "arn:aws:logs:us-east-1:130871440101:log-group:/aws/lambda/experience_cloudfront_to_slack_alerts",
                            ]
                          - Sid      = ""
                        },
                    ]
                  - Version   = "2012-10-17"
                }
            ) -> null
        }
      - inline_policy {
          - name   = "lambda_experience_cloudfront_to_slack_alerts_iam_role_lambda_dlq" -> null
          - policy = jsonencode(
                {
                  - Statement = [
                      - {
                          - Action   = "sqs:SendMessage"
                          - Effect   = "Allow"
                          - Resource = "arn:aws:sqs:us-east-1:130871440101:lambda-experience_cloudfront_to_slack_alerts_dlq"
                          - Sid      = ""
                        },
                    ]
                  - Version   = "2012-10-17"
                }
            ) -> null
        }
      - inline_policy {
          - name   = "terraform-20211201141420551800000001" -> null
          - policy = jsonencode(
                {
                  - Statement = [
                      - {
                          - Action   = "secretsmanager:GetSecretValue"
                          - Effect   = "Allow"
                          - Resource = "arn:aws:secretsmanager:us-east-1:130871440101:secret:monitoring/critical_slack_webhook*"
                          - Sid      = ""
                        },
                    ]
                  - Version   = "2012-10-17"
                }
            ) -> null
        }
    }

  # module.experience_cloudfront_alerts.module.cloudfront_to_slack_alerts.module.lambda.aws_iam_role_policy.cloudwatch_logs will be destroyed
  # (because aws_iam_role_policy.cloudwatch_logs is not in configuration)
  - resource "aws_iam_role_policy" "cloudwatch_logs" {
      - id     = "lambda_experience_cloudfront_to_slack_alerts_iam_role:lambda_experience_cloudfront_to_slack_alerts_iam_role_lambda_cloudwatch_logs" -> null
      - name   = "lambda_experience_cloudfront_to_slack_alerts_iam_role_lambda_cloudwatch_logs" -> null
      - policy = jsonencode(
            {
              - Statement = [
                  - {
                      - Action   = [
                          - "logs:PutLogEvents",
                          - "logs:CreateLogStream",
                        ]
                      - Effect   = "Allow"
                      - Resource = [
                          - "arn:aws:logs:us-east-1:130871440101:log-group:/aws/lambda/experience_cloudfront_to_slack_alerts:*",
                          - "arn:aws:logs:us-east-1:130871440101:log-group:/aws/lambda/experience_cloudfront_to_slack_alerts",
                        ]
                      - Sid      = ""
                    },
                ]
              - Version   = "2012-10-17"
            }
        ) -> null
      - role   = "lambda_experience_cloudfront_to_slack_alerts_iam_role" -> null
    }

  # module.experience_cloudfront_alerts.module.cloudfront_to_slack_alerts.module.lambda.aws_iam_role_policy.lambda_dlq will be destroyed
  # (because aws_iam_role_policy.lambda_dlq is not in configuration)
  - resource "aws_iam_role_policy" "lambda_dlq" {
      - id     = "lambda_experience_cloudfront_to_slack_alerts_iam_role:lambda_experience_cloudfront_to_slack_alerts_iam_role_lambda_dlq" -> null
      - name   = "lambda_experience_cloudfront_to_slack_alerts_iam_role_lambda_dlq" -> null
      - policy = jsonencode(
            {
              - Statement = [
                  - {
                      - Action   = "sqs:SendMessage"
                      - Effect   = "Allow"
                      - Resource = "arn:aws:sqs:us-east-1:130871440101:lambda-experience_cloudfront_to_slack_alerts_dlq"
                      - Sid      = ""
                    },
                ]
              - Version   = "2012-10-17"
            }
        ) -> null
      - role   = "lambda_experience_cloudfront_to_slack_alerts_iam_role" -> null
    }

  # module.experience_cloudfront_alerts.module.cloudfront_to_slack_alerts.module.lambda.aws_lambda_function.lambda_function will be destroyed
  # (because aws_lambda_function.lambda_function is not in configuration)
  - resource "aws_lambda_function" "lambda_function" {
      - architectures                  = [
          - "x86_64",
        ] -> null
      - arn                            = "arn:aws:lambda:us-east-1:130871440101:function:experience_cloudfront_to_slack_alerts" -> null
      - description                    = "Sends a notification to Slack when there are 5xx errors from CloudFront" -> null
      - filename                       = "modules/slack_alert_lambda/metric_to_slack_alert.zip" -> null
      - function_name                  = "experience_cloudfront_to_slack_alerts" -> null
      - handler                        = "metric_to_slack_alert.main" -> null
      - id                             = "experience_cloudfront_to_slack_alerts" -> null
      - invoke_arn                     = "arn:aws:apigateway:us-east-1:lambda:path/2015-03-31/functions/arn:aws:lambda:us-east-1:130871440101:function:experience_cloudfront_to_slack_alerts/invocations" -> null
      - last_modified                  = "2023-03-07T09:10:00.000+0000" -> null
      - layers                         = [] -> null
      - memory_size                    = 128 -> null
      - package_type                   = "Zip" -> null
      - publish                        = false -> null
      - qualified_arn                  = "arn:aws:lambda:us-east-1:130871440101:function:experience_cloudfront_to_slack_alerts:$LATEST" -> null
      - qualified_invoke_arn           = "arn:aws:apigateway:us-east-1:lambda:path/2015-03-31/functions/arn:aws:lambda:us-east-1:130871440101:function:experience_cloudfront_to_slack_alerts:$LATEST/invocations" -> null
      - reserved_concurrent_executions = -1 -> null
      - role                           = "arn:aws:iam::130871440101:role/lambda_experience_cloudfront_to_slack_alerts_iam_role" -> null
      - runtime                        = "python3.9" -> null
      - skip_destroy                   = false -> null
      - source_code_hash               = "HLxzXCamKv1Z3Fa63U+p+nDCBb4JNRa85kiZGHL+D1k=" -> null
      - source_code_size               = 3651 -> null
      - tags                           = {} -> null
      - tags_all                       = {
          - "Department"                = "Digital Platform"
          - "Division"                  = "Culture and Society"
          - "Environment"               = "Production"
          - "TerraformConfigurationURL" = "https://github.com/wellcomecollection/platform-infrastructure/tree/main/monitoring/terraform"
          - "Use"                       = "Monitoring"
        } -> null
      - timeout                        = 10 -> null
      - version                        = "$LATEST" -> null

      - dead_letter_config {
          - target_arn = "arn:aws:sqs:us-east-1:130871440101:lambda-experience_cloudfront_to_slack_alerts_dlq" -> null
        }

      - environment {
          - variables = {
              - "ACCOUNT_NAME"               = "experience"
              - "CONTEXT_URL_TEMPLATE"       = "experience-cloudfront-errors"
              - "STR_ALARM_LEVEL"            = "error"
              - "STR_ALARM_SLUG"             = "cloudfront-5xx-alarm"
              - "STR_MULTIPLE_ERROR_MESSAGE" = "{error_count:0.2f}% of requests in CloudFront were 5xx errors"
              - "STR_SINGLE_ERROR_MESSAGE"   = "1% of requests in CloudFront were 5xx errors"
            } -> null
        }

      - ephemeral_storage {
          - size = 512 -> null
        }

      - tracing_config {
          - mode = "PassThrough" -> null
        }
    }

  # module.experience_cloudfront_alerts.module.cloudfront_to_slack_alerts.module.lambda.aws_sqs_queue.lambda_dlq will be destroyed
  # (because aws_sqs_queue.lambda_dlq is not in configuration)
  - resource "aws_sqs_queue" "lambda_dlq" {
      - arn                               = "arn:aws:sqs:us-east-1:130871440101:lambda-experience_cloudfront_to_slack_alerts_dlq" -> null
      - content_based_deduplication       = false -> null
      - delay_seconds                     = 0 -> null
      - fifo_queue                        = false -> null
      - id                                = "https://sqs.us-east-1.amazonaws.com/130871440101/lambda-experience_cloudfront_to_slack_alerts_dlq" -> null
      - kms_data_key_reuse_period_seconds = 300 -> null
      - max_message_size                  = 262144 -> null
      - message_retention_seconds         = 345600 -> null
      - name                              = "lambda-experience_cloudfront_to_slack_alerts_dlq" -> null
      - receive_wait_time_seconds         = 0 -> null
      - sqs_managed_sse_enabled           = false -> null
      - tags                              = {} -> null
      - tags_all                          = {
          - "Department"                = "Digital Platform"
          - "Division"                  = "Culture and Society"
          - "Environment"               = "Production"
          - "TerraformConfigurationURL" = "https://github.com/wellcomecollection/platform-infrastructure/tree/main/monitoring/terraform"
          - "Use"                       = "Monitoring"
        } -> null
      - url                               = "https://sqs.us-east-1.amazonaws.com/130871440101/lambda-experience_cloudfront_to_slack_alerts_dlq" -> null
      - visibility_timeout_seconds        = 30 -> null
    }

Plan: 0 to add, 0 to change, 11 to destroy.