H-3139: Set up CloudWatch alerts terraform (#7719)

Author: TimDiekmann

infra/terraform/hash/.terraform.lock.hcl

@@ -139,6 +139,7 @@ module "observability" {
   grafana_secret_key        = sensitive(data.vault_kv_secret_v2.secrets.data["grafana_secret_key"])
   vpc_zone_id               = aws_route53_zone.vpc.zone_id
   amazon_trust_ca_bundle    = local.amazon_trust_ca_bundle
+  critical_alerts_topic_arn = module.critical_alerts.sns_topic_arn
 }
 
 
@@ -237,6 +238,14 @@ module "temporal_worker_integration_ecr" {
   ecr_name = "temporalworkerintegration"
 }
 
+module "critical_alerts" {
+  source = "../modules/sns_slack_alerts"
+
+  prefix            = local.prefix
+  severity          = "critical"
+  slack_webhook_url = sensitive(data.vault_kv_secret_v2.secrets.data["slack_aws_webhook"])
+}
+
 module "application" {
   depends_on                   = [module.networking, module.postgres]
   providers                    = { cloudflare = cloudflare }

infra/terraform/hash/main.tf

@@ -0,0 +1,34 @@
+# CloudWatch backup alerting for Grafana service health
+# This provides independent alerting when Grafana itself is down
+# Uses shared critical alerts SNS topic with Lambda transformer
+
+# CloudWatch Alarm for Grafana ALB target health
+resource "aws_cloudwatch_metric_alarm" "grafana_service_down" {
+  alarm_name        = "${var.prefix}-grafana-service-down"
+  alarm_description = "CRITICAL: Grafana has no healthy targets. All Grafana-based alerting is offline."
+
+  # ALB Target Group metrics (much more reliable than ECS)
+  metric_name         = "HealthyHostCount"
+  namespace           = "AWS/ApplicationELB"
+  statistic           = "Average"
+  period              = 60 # 1 minute
+  evaluation_periods  = 3  # Must be down for 3 minutes total
+  threshold           = 1
+  comparison_operator = "LessThanThreshold"
+  treat_missing_data  = "breaching"
+
+  dimensions = {
+    TargetGroup  = aws_lb_target_group.grafana.arn_suffix
+    LoadBalancer = var.external_load_balancer_arn_suffix
+  }
+
+  # Send to shared critical alerts topic (Lambda → Slack)
+  alarm_actions = [var.critical_alerts_topic_arn]
+  ok_actions    = [var.critical_alerts_topic_arn]
+
+  tags = {
+    Name     = "${var.prefix}-grafana-service-down-alarm"
+    Severity = "CRITICAL"
+    Purpose  = "Backup alerting for monitoring infrastructure failure"
+  }
+}

infra/terraform/hash/observability/grafana/cloudwatch_alerts.tf

@@ -101,3 +101,13 @@ variable "mimir_http_port" {
 variable "ssl_config" {
   description = "Shared SSL configuration for container certificates"
 }
+
+variable "external_load_balancer_arn_suffix" {
+  type        = string
+  description = "ARN suffix of the external ALB for CloudWatch metrics"
+}
+
+variable "critical_alerts_topic_arn" {
+  type        = string
+  description = "ARN of the critical alerts SNS topic"
+}

infra/terraform/hash/observability/grafana/variables.tf

@@ -201,27 +201,29 @@ module "mimir" {
 
 # Grafana service for distributed tracing visualization
 module "grafana" {
-  source                           = "./grafana"
-  prefix                           = var.prefix
-  cluster_arn                      = aws_ecs_cluster.observability.arn
-  vpc                              = var.vpc
-  subnets                          = var.subnets
-  config_bucket                    = aws_s3_bucket.configs
-  log_group_name                   = aws_cloudwatch_log_group.observability.name
-  region                           = var.region
-  root_url                         = cloudflare_record.cname_grafana_internal.hostname
-  service_discovery_namespace_arn  = aws_service_discovery_private_dns_namespace.observability.arn
-  service_discovery_namespace_name = aws_service_discovery_private_dns_namespace.observability.name
-  grafana_database_host            = var.grafana_database_host
-  grafana_database_port            = var.grafana_database_port
-  grafana_database_password        = var.grafana_database_password
-  grafana_secret_key               = var.grafana_secret_key
-  tempo_api_dns                    = module.tempo.api_dns
-  tempo_api_port                   = module.tempo.api_port
-  loki_http_dns                    = module.loki.http_dns
-  loki_http_port                   = module.loki.http_port
-  mimir_http_dns                   = module.mimir.http_dns
-  mimir_http_port                  = module.mimir.http_port
+  source                            = "./grafana"
+  prefix                            = var.prefix
+  cluster_arn                       = aws_ecs_cluster.observability.arn
+  vpc                               = var.vpc
+  subnets                           = var.subnets
+  config_bucket                     = aws_s3_bucket.configs
+  log_group_name                    = aws_cloudwatch_log_group.observability.name
+  region                            = var.region
+  root_url                          = cloudflare_record.cname_grafana_internal.hostname
+  service_discovery_namespace_arn   = aws_service_discovery_private_dns_namespace.observability.arn
+  service_discovery_namespace_name  = aws_service_discovery_private_dns_namespace.observability.name
+  grafana_database_host             = var.grafana_database_host
+  grafana_database_port             = var.grafana_database_port
+  grafana_database_password         = var.grafana_database_password
+  grafana_secret_key                = var.grafana_secret_key
+  tempo_api_dns                     = module.tempo.api_dns
+  tempo_api_port                    = module.tempo.api_port
+  loki_http_dns                     = module.loki.http_dns
+  loki_http_port                    = module.loki.http_port
+  mimir_http_dns                    = module.mimir.http_dns
+  mimir_http_port                   = module.mimir.http_port
+  external_load_balancer_arn_suffix = aws_lb.observability_external.arn_suffix
+  critical_alerts_topic_arn         = var.critical_alerts_topic_arn
 
   ssl_config = local.full_ca_ssl_config
 }

infra/terraform/hash/observability/main.tf

@@ -58,3 +58,8 @@ variable "amazon_trust_ca_bundle" {
   type        = string
   description = "Amazon Trust Services CA Bundle for SSL verification"
 }
+
+variable "critical_alerts_topic_arn" {
+  type        = string
+  description = "ARN of the critical alerts SNS topic (from infrastructure level)"
+}

infra/terraform/hash/observability/variables.tf

@@ -0,0 +1,104 @@
+# SNS to Slack Alerts Module
+# Provides clean, formatted Slack notifications via Lambda transformer
+
+# SNS Topic for alerts
+resource "aws_sns_topic" "alerts" {
+  name = "${var.prefix}-${var.severity}-alerts"
+
+  tags = {
+    Name     = "${var.prefix}-${var.severity}-alerts"
+    Purpose  = "${var.severity} level alerts via Slack"
+    Severity = var.severity
+  }
+}
+
+# Lambda function to transform SNS messages to Slack format
+resource "aws_lambda_function" "sns_to_slack" {
+  function_name = "${var.prefix}-${var.severity}-slack-alert"
+  role          = aws_iam_role.lambda_execution.arn
+  handler       = "index.handler"
+  runtime       = "python3.10"
+  timeout       = 30
+
+  filename         = data.archive_file.lambda_zip.output_path
+  source_code_hash = data.archive_file.lambda_zip.output_base64sha256
+
+  environment {
+    variables = {
+      SLACK_WEBHOOK_URL = var.slack_webhook_url
+      ALERT_SEVERITY    = var.severity
+    }
+  }
+
+  tags = {
+    Name     = "${var.prefix}-${var.severity}-slack-alert"
+    Purpose  = "Transform SNS alerts to Slack format"
+    Severity = var.severity
+  }
+}
+
+# Lambda source code package
+data "archive_file" "lambda_zip" {
+  type        = "zip"
+  output_path = "/tmp/${var.prefix}-${var.severity}-slack-alert.zip"
+  
+  source {
+    content  = file("${path.module}/slack_alert.py")
+    filename = "index.py"
+  }
+}
+
+# IAM role for Lambda execution
+resource "aws_iam_role" "lambda_execution" {
+  name = "${var.prefix}-${var.severity}-slack-alert-role"
+
+  assume_role_policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Action = "sts:AssumeRole"
+        Effect = "Allow"
+        Principal = {
+          Service = "lambda.amazonaws.com"
+        }
+      }
+    ]
+  })
+}
+
+# Lambda execution policy
+resource "aws_iam_role_policy" "lambda_execution" {
+  name = "${var.prefix}-${var.severity}-slack-alert-policy"
+  role = aws_iam_role.lambda_execution.id
+
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Effect = "Allow"
+        Action = [
+          "logs:CreateLogGroup",
+          "logs:CreateLogStream",
+          "logs:PutLogEvents"
+        ]
+        Resource = "arn:aws:logs:*:*:*"
+      }
+    ]
+  })
+}
+
+# SNS Topic Subscription to Lambda
+resource "aws_sns_topic_subscription" "lambda" {
+  topic_arn = aws_sns_topic.alerts.arn
+  protocol  = "lambda"
+  endpoint  = aws_lambda_function.sns_to_slack.arn
+}
+
+# Allow SNS to invoke Lambda
+resource "aws_lambda_permission" "allow_sns" {
+  statement_id  = "AllowExecutionFromSNS"
+  action        = "lambda:InvokeFunction"
+  function_name = aws_lambda_function.sns_to_slack.function_name
+  principal     = "sns.amazonaws.com"
+  source_arn    = aws_sns_topic.alerts.arn
+}

infra/terraform/modules/sns_slack_alerts/main.tf

@@ -0,0 +1,4 @@
+output "sns_topic_arn" {
+  description = "ARN of the SNS topic for alerts"
+  value       = aws_sns_topic.alerts.arn
+}