
Conversation

TimDiekmann (Member)

🌟 What is the purpose of this PR?

We have alerts through Grafana; however, if Grafana goes offline we won't notice, because we don't have a watcher who watches the watcher.

This implements a CloudWatch alarm and sends it to Slack.

@TimDiekmann TimDiekmann requested a review from CiaranMn August 8, 2025 13:21
@TimDiekmann TimDiekmann self-assigned this Aug 8, 2025
@github-actions github-actions bot added area/infra Relates to version control, CI, CD or IaC (area) area/infra > terraform labels Aug 8, 2025
Comment on lines +16 to +38
resource "aws_lambda_function" "sns_to_slack" {
function_name = "${var.prefix}-${var.severity}-slack-alert"
role = aws_iam_role.lambda_execution.arn
handler = "index.handler"
runtime = "python3.10"
timeout = 30

filename = data.archive_file.lambda_zip.output_path
source_code_hash = data.archive_file.lambda_zip.output_base64sha256

environment {
variables = {
SLACK_WEBHOOK_URL = var.slack_webhook_url
ALERT_SEVERITY = var.severity
}
}

tags = {
Name = "${var.prefix}-${var.severity}-slack-alert"
Purpose = "Transform SNS alerts to Slack format"
Severity = var.severity
}
}
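Review bot: `SLACK_WEBHOOK_URL` on line +28 is a bearer-style secret (whoever holds the URL can post into the channel), and plain Lambda environment variables are returned in cleartext by `lambda:GetFunctionConfiguration` to any principal allowed to call it. Prefer putting only a Secrets Manager or SSM Parameter Store name in the environment and reading the value at invocation time; if the URL stays in the environment, at least set `kms_key_arn` on the function and declare `variable "slack_webhook_url"` with `sensitive = true` so the value is not echoed in plan output. Separately, the resource has no `tracing_config { mode = "Active" }` block, which is what the X-Ray finding on this hunk refers to; enabling it also needs `xray:PutTraceSegments` and `xray:PutTelemetryRecords` on `aws_iam_role.lambda_execution`, whose policy is not part of this hunk.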

Semgrep identified an issue in your code:
The AWS Lambda function does not have active X-Ray tracing enabled. X-Ray tracing enables end-to-end debugging and analysis of all function activity. This makes it easier to trace the flow of logs and identify bottlenecks, slow downs and timeouts.

To resolve this comment:

🔧 No guidance has been designated for this issue. Fix according to your organization's approved methods.

💬 Ignore this finding

Reply with Semgrep commands to ignore this finding.

  • /fp <comment> for false positive
  • /ar <comment> for acceptable risk
  • /other <comment> for all other reasons

Alternatively, triage in Semgrep AppSec Platform to ignore the finding created by aws-lambda-x-ray-tracing-not-active.

You can view more details about this finding in the Semgrep AppSec Platform.

Comment on lines +26 to +31
environment {
variables = {
SLACK_WEBHOOK_URL = var.slack_webhook_url
ALERT_SEVERITY = var.severity
}
}

Semgrep identified an issue in your code:
By default, the AWS Lambda Environment is encrypted using AWS-managed keys. However, for added security, it's recommended to configure your own AWS KMS encryption key to protect your environment variables in Lambda. You can either create a new aws_kms_key resource or use the ARN of an existing key in your AWS account to do so.

To resolve this comment:

🔧 No guidance has been designated for this issue. Fix according to your organization's approved methods.

💬 Ignore this finding

Reply with Semgrep commands to ignore this finding.

  • /fp <comment> for false positive
  • /ar <comment> for acceptable risk
  • /other <comment> for all other reasons

Alternatively, triage in Semgrep AppSec Platform to ignore the finding created by aws-lambda-environment-unencrypted.

You can view more details about this finding in the Semgrep AppSec Platform.
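The two findings above are both fixed on the same resource, so here is one hardened version of the `aws_lambda_function` quoted in this PR. This is an added example, not the PR's own code: `var.prefix`, `var.severity`, `var.slack_webhook_url`, `aws_iam_role.lambda_execution` and `data.archive_file.lambda_zip` are the names used in the quoted resource; the KMS key, its policy, the `aws_caller_identity` data source and the X-Ray policy attachment are assumptions made for illustration.

```hcl
# Added example (not from the PR). Fixes both Semgrep findings on the quoted
# resource: customer-managed KMS key for environment variables, and active
# X-Ray tracing. Resource names other than those in the quoted resource are
# assumed for illustration.

# Marking the variable sensitive keeps the webhook URL out of plan/apply
# output. It is still stored in Terraform state, so protect the state backend.
variable "slack_webhook_url" {
  type        = string
  description = "Slack incoming webhook URL for the alerts channel"
  sensitive   = true
}

data "aws_caller_identity" "current" {}

# Customer-managed key used only for this function's environment variables.
# The key policy names the account root (for administration) and the
# function's execution role (for decryption at invocation time); nothing else.
resource "aws_kms_key" "lambda_env" {
  description             = "${var.prefix}-${var.severity}-slack-alert environment"
  enable_key_rotation     = true
  deletion_window_in_days = 30

  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Sid       = "AccountAdministration"
        Effect    = "Allow"
        Principal = { AWS = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root" }
        Action    = "kms:*"
        Resource  = "*"
      },
      {
        Sid       = "LambdaExecutionRoleDecrypt"
        Effect    = "Allow"
        Principal = { AWS = aws_iam_role.lambda_execution.arn }
        Action    = "kms:Decrypt"
        Resource  = "*"
      }
    ]
  })
}

resource "aws_lambda_function" "sns_to_slack" {
  function_name = "${var.prefix}-${var.severity}-slack-alert"
  role          = aws_iam_role.lambda_execution.arn
  handler       = "index.handler"
  runtime       = "python3.10"
  timeout       = 30

  filename         = data.archive_file.lambda_zip.output_path
  source_code_hash = data.archive_file.lambda_zip.output_base64sha256

  # aws-lambda-environment-unencrypted: encrypt the variables with the CMK
  # above instead of the default AWS-managed key.
  kms_key_arn = aws_kms_key.lambda_env.arn

  environment {
    variables = {
      SLACK_WEBHOOK_URL = var.slack_webhook_url
      ALERT_SEVERITY    = var.severity
    }
  }

  # aws-lambda-x-ray-tracing-not-active: sample and record every invocation.
  tracing_config {
    mode = "Active"
  }

  tags = {
    Name     = "${var.prefix}-${var.severity}-slack-alert"
    Purpose  = "Transform SNS alerts to Slack format"
    Severity = var.severity
  }
}

# Active tracing only produces segments if the execution role may write them.
# Terraform does not add this permission automatically the way the console does.
resource "aws_iam_role_policy_attachment" "lambda_xray" {
  role       = aws_iam_role.lambda_execution.name
  policy_arn = "arn:aws:iam::aws:policy/AWSXRayDaemonWriteAccess"
}
```

The CMK changes who can read the variables at rest: a principal now needs `kms:Decrypt` on this key in addition to `lambda:GetFunctionConfiguration`, and the key policy above grants that only to the execution role. It does not change what the function itself sees, and it does not remove the URL from Terraform state; if that matters, store the webhook URL in Secrets Manager or SSM Parameter Store and put only the secret's name in the environment.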

Comment on lines +16 to +38
resource "aws_lambda_function" "sns_to_slack" {
function_name = "${var.prefix}-${var.severity}-slack-alert"
role = aws_iam_role.lambda_execution.arn
handler = "index.handler"
runtime = "python3.10"
timeout = 30

filename = data.archive_file.lambda_zip.output_path
source_code_hash = data.archive_file.lambda_zip.output_base64sha256

environment {
variables = {
SLACK_WEBHOOK_URL = var.slack_webhook_url
ALERT_SEVERITY = var.severity
}
}

tags = {
Name = "${var.prefix}-${var.severity}-slack-alert"
Purpose = "Transform SNS alerts to Slack format"
Severity = var.severity
}
}

Check notice on lines +16 to +38 (the aws_lambda_function resource quoted above)

Code scanning / Semgrep OSS

Semgrep Finding: terraform.aws.security.aws-lambda-x-ray-tracing-not-active.aws-lambda-x-ray-tracing-not-active Note (same finding as the X-Ray review comment above)
Check warning on lines +26 to +31 (the environment block quoted above)

Code scanning / Semgrep OSS

Semgrep Finding: terraform.aws.security.aws-lambda-environment-unencrypted.aws-lambda-environment-unencrypted Warning (same finding as the KMS review comment above)
@TimDiekmann TimDiekmann force-pushed the t/h-3139-define-cloudwatch-metric-alarms-using-terraform branch from 88fff08 to 29a5c01 Compare August 11, 2025 13:28
@TimDiekmann TimDiekmann added this pull request to the merge queue Aug 18, 2025
Merged via the queue into main with commit e83ebe8 Aug 18, 2025
29 checks passed
@TimDiekmann TimDiekmann deleted the t/h-3139-define-cloudwatch-metric-alarms-using-terraform branch August 18, 2025 17:23