
Pinpoint pools #1246

Merged
merged 31 commits into from
Apr 22, 2024

Conversation

sastels
Contributor

@sastels sastels commented Apr 10, 2024

Summary | Résumé

  • add Cloudwatch log groups for Pinpoint receipts (and role to allow Pinpoint to write to them)
  • add repo to ECR for the new Pinpoint receipts lambda function.
  • add lambda function for the new Pinpoint receipts lambda function together with logs and alarms
  • add a script to create the Pinpoint Pools / configuration set. Unfortunately the Pinpoint SMS and Voice v2 API is not yet supported by terraform nor cloudformation.

Note that we make no changes to the existing SMS / SNS flow so this should have no impact on how the system runs (i.e. until the notify api starts directing texts to Pinpoint)

Related Issues | Cartes liées

Test instructions | Instructions pour tester la modification

Have been building things on dev.

Release Instructions | Instructions pour le déploiement

None - no effect on production. But at some point we should add these new alarms / metrics to the dashboards.

Reviewer checklist | Liste de vérification du réviseur

  • This PR does not break existing functionality.
  • This PR does not violate GCNotify's privacy policies.
  • This PR does not raise new security concerns. Refer to our GC Notify Risk Register document on our Google drive.
  • This PR does not significantly alter performance.
  • Additional required documentation resulting of these changes is covered (such as the README, setup instructions, a related ADR or the technical documentation).

⚠ If boxes cannot be checked off before merging the PR, they should be moved to the "Release Instructions" section with appropriate steps required to verify before release. For example, changes to celery code may require tests on staging to verify that performance has not been affected.

aws/common/cloudwatch_log.tf: 4 review annotations marked Fixed
@sastels sastels changed the title Add script to create pinpoint pools Pinpoint pools Apr 12, 2024
aws/common/cloudwatch_log.tf: 2 review annotations marked Fixed, 1 marked Resolved
aws/ecr/secrets.tf: 1 review annotation marked Dismissed
@@ -193,7 +193,7 @@ resource "null_resource" "build_sns_to_sqs_sms_callbacks_docker_image" {
]

provisioner "local-exec" {
command = "docker build -t ${aws_ecr_repository.sns_to_sqs_sms_callbacks.repository_url}:bootstrap -f /var/tmp/notification-lambdas/sesemailcallbacks/Dockerfile /var/tmp/notification-lambdas"
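Review bot: the `-f` path in the build_sns_to_sqs_sms_callbacks_docker_image command points at `/var/tmp/notification-lambdas/sesemailcallbacks/Dockerfile` while the image is tagged with the sns_to_sqs_sms_callbacks repository URL, so the SMS callbacks image would be built from the SES email callbacks Dockerfile and pushed under the sns tag. Only one side of the hunk is rendered here; confirm that the merged line passes the Dockerfile from the sns callbacks lambda's own directory rather than the SES one.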
Contributor Author commented on this line:

Noticed this typo

Contributor

@ben851 ben851 left a comment

It's a cool idea to keep this contained with the lambda function, but it won't work as is because on a new environment apply, the lambda module will fail because there is no dependency relationship between the module and these (so the module will try and run before the docker image exists).

If you add a depends_on to the module, it won't work either because the dependency resource only creates when bootstrap is set to true.

You could try a conditional dependency - I'm not sure that's a thing... but something like:

depends_on = [var.bootstrap ? null_resource.push_pinpoint_to_sqs_sms_callbacks_docker_image : null ]

no idea if that will work though... If it doesn't, it's probably easiest to just move this file back to the ecr directory.

Also, does the create_pinpoint_pools.sh script have to be run before deploy? If that's the case, can we add it as a null_resource that gets executed if bootstrap = true?
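An added example (not code from the PR) of how the bootstrap dependency can be declared without a conditional depends_on. Terraform accepts only a static list of resource or module addresses in depends_on, so a ternary like the one sketched above fails validation, but a reference to a count-guarded resource is accepted even when its count evaluates to 0. The variable var.pinpoint_to_sqs_sms_callbacks_repository_url, the module source path, the module's image_uri input and the Dockerfile path are assumptions; var.bootstrap and the null_resource name follow the discussion.

```hcl
# Added example, not the PR's own code. Names that do not appear in the
# discussion (the repository URL variable, module source, image_uri input,
# Dockerfile path) are placeholders.

variable "bootstrap" {
  description = "true only on the first apply of a new environment"
  type        = bool
  default     = false
}

variable "pinpoint_to_sqs_sms_callbacks_repository_url" {
  description = "ECR repository URL produced by the ecr root module (placeholder)"
  type        = string
}

# Builds and pushes the bootstrap image. On a normal apply count is 0, so
# nothing runs, but the resource address still exists for depends_on.
resource "null_resource" "push_pinpoint_to_sqs_sms_callbacks_docker_image" {
  count = var.bootstrap ? 1 : 0

  provisioner "local-exec" {
    command = <<-EOT
      docker build -t ${var.pinpoint_to_sqs_sms_callbacks_repository_url}:bootstrap \
        -f /var/tmp/notification-lambdas/pinpointsmscallbacks/Dockerfile \
        /var/tmp/notification-lambdas
      docker push ${var.pinpoint_to_sqs_sms_callbacks_repository_url}:bootstrap
    EOT
  }
}

module "pinpoint_to_sqs_sms_callbacks" {
  source = "./modules/lambda" # placeholder

  image_uri = "${var.pinpoint_to_sqs_sms_callbacks_repository_url}:bootstrap" # placeholder input

  # depends_on must be a static list of addresses; an expression such as
  # [var.bootstrap ? null_resource.x : null] is rejected at plan time.
  # Referencing the whole resource is valid whether its count is 0 or 1:
  # on a bootstrap apply the module waits for the image push, on every
  # other apply the reference is simply a no-op.
  depends_on = [null_resource.push_pinpoint_to_sqs_sms_callbacks_docker_image]
}
```

On a fresh environment, run the apply once with `-var bootstrap=true` so the image exists before the lambda is created; subsequent applies leave bootstrap at its default and the null_resource plans to nothing.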

@sastels
Contributor Author

sastels commented Apr 17, 2024

It's a cool idea to keep this contained with the lambda function, but it won't work as is because on a new environment apply, the lambda module will fail because there is no dependency relationship between the module and these (so the module will try and run before the docker image exists).

If you add a depends_on to the module, it won't work either because the dependency resource only creates when bootstrap is set to true.

You could try a conditional dependency - I'm not sure that's a thing... but something like:

depends_on = [var.bootstrap ? null_resource.push_pinpoint_to_sqs_sms_callbacks_docker_image : null ]

no idea if that will work though... If it doesn't, it's probably easiest to just move this file back to the ecr directory.

Hmm right, before we'd be applying ecr before this module and all would be in place. I will see if we can set it like this...

@sastels
Contributor Author

sastels commented Apr 17, 2024

Also, does the create_pinpoint_pools.sh script have to be run before deploy? If that's the case, can we add it as a null_resource that gets executed if bootstrap = true?

no, in fact we need to have the terraform done (at least we need the iam role and cloudwatch receipt log groups).

aws/ecr/ecr.tf: 1 review annotation marked Fixed
@sastels sastels requested a review from ben851 April 17, 2024 19:58

Updating alarms ⏰? Great! Please update the Google Sheet and add a 👍 to this message after 🙏

Contributor

@ben851 ben851 left a comment

LGTM!


Staging: common

✅   Terraform Init: success
✅   Terraform Validate: success
✅   Terraform Format: success
✅   Terraform Plan: success
✅   Conftest: success

Plan: 0 to add, 0 to change, 0 to destroy
Changes to Outputs:
  + sqs_deliver_receipts_queue_arn                      = "arn:aws:sqs:ca-central-1:239043911459:eks-notification-canada-cadelivery-receipts"

You can apply this plan to save these new output values to the Terraform
state, without changing any real infrastructure.

Warning: Argument is deprecated

  with aws_s3_bucket.csv_bucket,
  on s3.tf line 5, in resource "aws_s3_bucket" "csv_bucket":
   5: resource "aws_s3_bucket" "csv_bucket" {

Use the aws_s3_bucket_lifecycle_configuration resource instead

(and 63 more similar warnings elsewhere)

─────────────────────────────────────────────────────────────────────────────

Saved the plan to: plan.tfplan

To perform exactly these actions, run the following command to apply:
    terraform apply "plan.tfplan"
Conftest results:
WARN - plan.json - main - Missing Common Tags: ["aws_acm_certificate.client_vpn"]
WARN - plan.json - main - Missing Common Tags: ["aws_athena_workgroup.ad_hoc"]
WARN - plan.json - main - Missing Common Tags: ["aws_athena_workgroup.build_tables"]
WARN - plan.json - main - Missing Common Tags: ["aws_athena_workgroup.primary"]
WARN - plan.json - main - Missing Common Tags: ["aws_athena_workgroup.support"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_event_rule.aws_health[0]"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_log_group.route53_resolver_query_log[0]"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_log_group.sns_deliveries[0]"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_log_group.sns_deliveries_failures[0]"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_log_group.sns_deliveries_failures_us_west_2[0]"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_log_group.sns_deliveries_us_west_2[0]"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_metric_alarm.bulk-bulk-not-being-processed-critical[0]"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_metric_alarm.bulk-bulk-not-being-processed-warning[0]"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_metric_alarm.bulk-inflights-not-being-processed-critical[0]"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_metric_alarm.bulk-inflights-not-being-processed-warning[0]"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_metric_alarm.bulk-not-being-processed-critical[0]"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_metric_alarm.bulk-not-being-processed-warning[0]"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_metric_alarm.contact-3-500-error-15-minutes-critical[0]"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_metric_alarm.document-download-bucket-size-warning[0]"]
WARN - plan.json -...


Staging: ecr

✅   Terraform Init: success
✅   Terraform Validate: success
✅   Terraform Format: success
✅   Terraform Plan: success
✅   Conftest: success

Plan: 3 to add, 0 to change, 0 to destroy
CHANGE  NAME
add     aws_ecr_repository.pinpoint_to_sqs_sms_callbacks
add     aws_secretsmanager_secret.pinpoint_to_sqs_sms_callbacks_repository_url
add     aws_secretsmanager_secret_version.pinpoint_to_sqs_sms_callbacks_repository_url

Plan:
Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # aws_ecr_repository.pinpoint_to_sqs_sms_callbacks will be created
  + resource "aws_ecr_repository" "pinpoint_to_sqs_sms_callbacks" {
      + arn                  = (known after apply)
      + force_delete         = false
      + id                   = (known after apply)
      + image_tag_mutability = "MUTABLE"
      + name                 = "notify/pinpoint_to_sqs_sms_callbacks"
      + registry_id          = (known after apply)
      + repository_url       = (known after apply)
      + tags_all             = (known after apply)

      + image_scanning_configuration {
          + scan_on_push = true
        }
    }

  # aws_secretsmanager_secret.pinpoint_to_sqs_sms_callbacks_repository_url will be created
  + resource "aws_secretsmanager_secret" "pinpoint_to_sqs_sms_callbacks_repository_url" {
      + arn                            = (known after apply)
      + force_overwrite_replica_secret = false
      + id                             = (known after apply)
      + name                           = "PINPOINT_TO_SQS_SMS_CALLBACKS_REPOSITORY_URL"
      + name_prefix                    = (known after apply)
      + policy                         = (known after apply)
      + recovery_window_in_days        = 30
      + tags_all                       = (known after apply)
    }

  # aws_secretsmanager_secret_version.pinpoint_to_sqs_sms_callbacks_repository_url will be created
  + resource "aws_secretsmanager_secret_version" "pinpoint_to_sqs_sms_callbacks_repository_url" {
      + arn            = (known after apply)
      + id             = (known after apply)
      + secret_id      = (known after apply)
      + secret_string  = (sensitive value)
      + version_id     = (known after apply)
      + version_stages = (known after apply)
    }

Plan: 3 to add, 0 to change, 0 to destroy.

Changes to Outputs:
  + pinpoint_to_sqs_sms_callbacks_ecr_arn            = (known after apply)
  + pinpoint_to_sqs_sms_callbacks_ecr_repository_url = (known after apply)

─────────────────────────────────────────────────────────────────────────────

Saved the plan to: plan.tfplan

To perform exactly these actions, run the following command to apply:
    terraform apply "plan.tfplan"
Conftest results:
WARN - plan.json - main - Missing Common Tags: ["aws_ecr_repository.api-lambda"]
WARN - plan.json - main - Missing Common Tags: ["aws_ecr_repository.github_arc"]
WARN - plan.json - main - Missing Common Tags: ["aws_ecr_repository.google-cidr"]
WARN - plan.json - main - Missing Common Tags: ["aws_ecr_repository.heartbeat"]
WARN - plan.json - main - Missing Common Tags: ["aws_ecr_repository.notify_admin[0]"]
WARN - plan.json - main - Missing Common Tags: ["aws_ecr_repository.performance-test[0]"]
WARN - plan.json - main - Missing Common Tags: ["aws_ecr_repository.pinpoint_to_sqs_sms_callbacks"]
WARN - plan.json - main - Missing Common Tags: ["aws_ecr_repository.ses_receiving_emails"]
WARN - plan.json - main - Missing Common Tags: ["aws_ecr_repository.ses_to_sqs_email_callbacks"]
WARN - plan.json - main - Missing Common Tags: ["aws_ecr_repository.sns_to_sqs_sms_callbacks"]
WARN - plan.json - main - Missing Common Tags: ["aws_ecr_repository.system_status"]
WARN - plan.json - main - Missing Common Tags: ["aws_secretsmanager_secret.api_lambda_repository_url"]
WARN - plan.json - main - Missing Common Tags: ["aws_secretsmanager_secret.github_arc_runner_repository_url"]
WARN - plan.json - main - Missing Common Tags: ["aws_secretsmanager_secret.google_cidr_repository_url"]
WARN - plan.json - main - Missing Common Tags: ["aws_secretsmanager_secret.heartbeat_repository_url"]
WARN - plan.json - main - Missing Common Tags: ["aws_secretsmanager_secret.pinpoint_to_sqs_sms_callbacks_repository_url"]
WARN - plan.json - main - Missing Common Tags: ["aws_secretsmanager_secret.ses_receiving_emails_repository_url"]
WARN - plan.json - main - Missing Common Tags: ["aws_secretsmanager_secret.ses_to_sqs_email_callbacks_repository_url"]
WARN - plan.json - main - Missing Common Tags: ["aws_secretsmanager_secret.sns_to_sqs_sms_callbacks_repository_url"]
WARN - plan.json - main - Missing Common Tags: ["aws_secretsmanager_secret.system_status_repository_url"]

39 tests, 19 passed, 20 warnings, 0...


Staging: pinpoint_to_sqs_sms_callbacks

✅   Terraform Init: success
✅   Terraform Validate: success
✅   Terraform Format: success
✅   Terraform Plan: success
✅   Conftest: success

Plan: 25 to add, 0 to change, 0 to destroy
CHANGE  NAME
add     aws_cloudwatch_log_group.pinpoint_deliveries
add     aws_cloudwatch_log_group.pinpoint_deliveries_failures
add     aws_cloudwatch_log_group.pinpoint_to_sqs_sms_callbacks_log_group[0]
add     aws_cloudwatch_log_metric_filter.pinpoint_to_sqs_sms_callbacks-500-errors-api[0]
add     aws_cloudwatch_log_subscription_filter.pinpoint_deliveries_ca_central_to_lambda[0]
add     aws_cloudwatch_log_subscription_filter.pinpoint_deliveries_failures_ca_central_to_lambda[0]
add     aws_cloudwatch_metric_alarm.lambda-image-pinpoint-delivery-receipts-errors-critical[0]
add     aws_cloudwatch_metric_alarm.lambda-image-pinpoint-delivery-receipts-errors-warning[0]
add     aws_cloudwatch_metric_alarm.logs-1-500-error-1-minute-warning-pinpoint_to_sqs_sms_callbacks-api[0]
add     aws_cloudwatch_metric_alarm.logs-10-500-error-5-minutes-critical-pinpoint_to_sqs_sms_callbacks-api[0]
add     aws_iam_policy.pinpoint_logs
add     aws_iam_role.pinpoint_logs
add     aws_iam_role_policy_attachment.pinpoint_logs
add     aws_lambda_permission.allow_cloudwatch_logs_pinpoint_failures[0]
add     aws_lambda_permission.allow_cloudwatch_logs_pinpoint_successes[0]
add     null_resource.create_pools
add     module.pinpoint_to_sqs_sms_callbacks.aws_cloudwatch_log_group.this
add     module.pinpoint_to_sqs_sms_callbacks.aws_cloudwatch_query_definition.lambda_statistics
add     module.pinpoint_to_sqs_sms_callbacks.aws_iam_policy.non_vpc_policies[0]
add     module.pinpoint_to_sqs_sms_callbacks.aws_iam_policy.policies[0]
add     module.pinpoint_to_sqs_sms_callbacks.aws_iam_role.this
add     module.pinpoint_to_sqs_sms_callbacks.aws_iam_role_policy_attachment.attachments[0]
add     module.pinpoint_to_sqs_sms_callbacks.aws_iam_role_policy_attachment.lambda_insights[0]
add     module.pinpoint_to_sqs_sms_callbacks.aws_iam_role_policy_attachment.non_vpc_policies[0]
add     module.pinpoint_to_sqs_sms_callbacks.aws_lambda_function.this

Plan:
Resource actions are indicated with the following symbols:
  + create
 <= read (data resources)

Terraform will perform the following actions:

  # data.aws_iam_policy_document.pinpoint_logs will be read during apply
  # (config refers to values not yet known)
 <= data "aws_iam_policy_document" "pinpoint_logs" {
      + id   = (known after apply)
      + json = (known after apply)

      + statement {
          + actions   = [
              + "logs:CreateLogStream",
              + "logs:DescribeLogStreams",
              + "logs:PutLogEvents",
            ]
          + effect    = "Allow"
          + resources = [
              + (known after apply),
              + (known after apply),
            ]
        }
    }

  # aws_cloudwatch_log_group.pinpoint_deliveries will be created
  + resource "aws_cloudwatch_log_group" "pinpoint_deliveries" {
      + arn               = (known after apply)
      + id                = (known after apply)
      + log_group_class   = (known after apply)
      + name              = "sns/ca-central-1/239043911459/PinPointDirectPublishToPhoneNumber"
      + name_prefix       = (known after apply)
      + retention_in_days = 14
      + skip_destroy      = false
      + tags              = {
          + "CostCenter" = "notification-canada-ca-staging"
        }
      + tags_all          = {
          + "CostCenter" = "notification-canada-ca-staging"
        }
    }

  # aws_cloudwatch_log_group.pinpoint_deliveries_failures will be created
  + resource "aws_cloudwatch_log_group" "pinpoint_deliveries_failures" {
      + arn               = (known after apply)
      + id                = (known after apply)
      + log_group_class   = (known after apply)
      + name              = "sns/ca-central-1/239043911459/PinPointDirectPublishToPhoneNumber/Failure"
      + name_prefix       = (known after apply)
      + retention_in_days = 14
      + skip_destroy      = false
      + tags              = {
          + "CostCenter" = "notification-canada-ca-staging"
        }
      + tags_all          = {
          + "CostCenter" = "notification-canada-ca-staging"
        }
    }

  # aws_cloudwatch_log_group.pinpoint_to_sqs_sms_callbacks_log_group[0] will be created
  + resource "aws_cloudwatch_log_group" "pinpoint_to_sqs_sms_callbacks_log_group" {
      + arn               = (known after apply)
      + id                = (known after apply)
      + log_group_class   = (known after apply)
      + name              = "pinpoint_to_sqs_sms_callbacks_log_group"
      + name_prefix       = (known after apply)
      + retention_in_days = 14
      + skip_destroy      = false
      + tags              = {
          + "Application" = "lambda"
          + "CostCenter"  = "notification-canada-ca-staging"
          + "Environment" = "staging"
        }
      + tags_all          = {
          + "Application" = "lambda"
          + "CostCenter"  = "notification-canada-ca-staging"
          + "Environment" = "staging"
        }
    }

  # aws_cloudwatch_log_metric_filter.pinpoint_to_sqs_sms_callbacks-500-errors-api[0] will be created
  + resource "aws_cloudwatch_log_metric_filter" "pinpoint_to_sqs_sms_callbacks-500-errors-api" {
      + id             = (known after apply)
      + log_group_name = "/aws/lambda/pinpoint_to_sqs_sms_callbacks"
      + name           = "pinpoint_to_sqs_sms_callbacks-500-errors-api"
      + pattern        = "\"\\\"levelname\\\": \\\"ERROR\\\"\""

      + metric_transformation {
          + name      = "500-errors-pinpoint_to_sqs_sms_callbacks-api"
          + namespace = "LogMetrics"
          + unit      = "None"
          + value     = "1"
        }
    }

  # aws_cloudwatch_log_subscription_filter.pinpoint_deliveries_ca_central_to_lambda[0] will be created
  + resource "aws_cloudwatch_log_subscription_filter" "pinpoint_deliveries_ca_central_to_lambda" {
      + destination_arn = (known after apply)
      + distribution    = "ByLogStream"
      + id              = (known after apply)
      + log_group_name  = "sns/ca-central-1/239043911459/PinPointDirectPublishToPhoneNumber"
      + name            = "pinpoint_deliveries_ca_central"
      + role_arn        = (known after apply)
    }

  # aws_cloudwatch_log_subscription_filter.pinpoint_deliveries_failures_ca_central_to_lambda[0] will be created
  + resource "aws_cloudwatch_log_subscription_filter" "pinpoint_deliveries_failures_ca_central_to_lambda" {
      + destination_arn = (known after apply)
      + distribution    = "ByLogStream"
      + id              = (known after apply)
      + log_group_name  = "sns/ca-central-1/239043911459/PinPointDirectPublishToPhoneNumber/Failure"
      + name            = "pinpoint_deliveries_failures_ca_central"
      + role_arn        = (known after apply)
    }

  # aws_cloudwatch_metric_alarm.lambda-image-pinpoint-delivery-receipts-errors-critical[0] will be created
  + resource "aws_cloudwatch_metric_alarm" "lambda-image-pinpoint-delivery-receipts-errors-critical" {
      + actions_enabled                       = true
      + alarm_actions                         = [
          + "arn:aws:sns:ca-central-1:239043911459:alert-critical",
        ]
      + alarm_description                     = "20 errors on Lambda pinpoint-to-sqs-sms-callbacks in 10 minutes"
      + alarm_name                            = "lambda-image-pinpoint-delivery-receipts-errors-critical"
      + arn                                   = (known after apply)
      + comparison_operator                   = "GreaterThanOrEqualToThreshold"
      + dimensions                            = {
          + "FunctionName" = "pinpoint_to_sqs_sms_callbacks"
        }
      + evaluate_low_sample_count_percentiles = (known after apply)
      + evaluation_periods                    = 1
      + id                                    = (known after apply)
      + metric_name                           = "Errors"
      + namespace                             = "AWS/Lambda"
      + ok_actions                            = [
          + "arn:aws:sns:ca-central-1:239043911459:alert-ok",
        ]
      + period                                = 600
      + statistic                             = "Sum"
      + tags_all                              = (known after apply)
      + threshold                             = 20
      + treat_missing_data                    = "notBreaching"
    }

  # aws_cloudwatch_metric_alarm.lambda-image-pinpoint-delivery-receipts-errors-warning[0] will be created
  + resource "aws_cloudwatch_metric_alarm" "lambda-image-pinpoint-delivery-receipts-errors-warning" {
      + actions_enabled                       = true
      + alarm_actions                         = [
          + "arn:aws:sns:ca-central-1:239043911459:alert-warning",
        ]
      + alarm_description                     = "5 errors on Lambda pinpoint-to-sqs-sms-callbacks in 10 minutes"
      + alarm_name                            = "lambda-image-pinpoint-delivery-receipts-errors-warning"
      + arn                                   = (known after apply)
      + comparison_operator                   = "GreaterThanOrEqualToThreshold"
      + dimensions                            = {
          + "FunctionName" = "pinpoint_to_sqs_sms_callbacks"
        }
      + evaluate_low_sample_count_percentiles = (known after apply)
      + evaluation_periods                    = 1
      + id                                    = (known after apply)
      + metric_name                           = "Errors"
      + namespace                             = "AWS/Lambda"
      + ok_actions                            = [
          + "arn:aws:sns:ca-central-1:239043911459:alert-ok",
        ]
      + period                                = 600
      + statistic                             = "Sum"
      + tags_all                              = (known after apply)
      + threshold                             = 5
      + treat_missing_data                    = "notBreaching"
    }

  # aws_cloudwatch_metric_alarm.logs-1-500-error-1-minute-warning-pinpoint_to_sqs_sms_callbacks-api[0] will be created
  + resource "aws_cloudwatch_metric_alarm" "logs-1-500-error-1-minute-warning-pinpoint_to_sqs_sms_callbacks-api" {
      + actions_enabled                       = true
      + alarm_actions                         = [
          + "arn:aws:sns:ca-central-1:239043911459:alert-warning",
        ]
      + alarm_description                     = "One 500 error in 1 minute for pinpoint_to_sqs_sms_callbacks api"
      + alarm_name                            = "logs-1-500-error-1-minute-warning-pinpoint_to_sqs_sms_callbacks-api"
      + arn                                   = (known after apply)
      + comparison_operator                   = "GreaterThanOrEqualToThreshold"
      + evaluate_low_sample_count_percentiles = (known after apply)
      + evaluation_periods                    = 1
      + id                                    = (known after apply)
      + metric_name                           = "500-errors-pinpoint_to_sqs_sms_callbacks-api"
      + namespace                             = "LogMetrics"
      + ok_actions                            = [
          + "arn:aws:sns:ca-central-1:239043911459:alert-warning",
        ]
      + period                                = 60
      + statistic                             = "Sum"
      + tags_all                              = (known after apply)
      + threshold                             = 1
      + treat_missing_data                    = "notBreaching"
    }

  # aws_cloudwatch_metric_alarm.logs-10-500-error-5-minutes-critical-pinpoint_to_sqs_sms_callbacks-api[0] will be created
  + resource "aws_cloudwatch_metric_alarm" "logs-10-500-error-5-minutes-critical-pinpoint_to_sqs_sms_callbacks-api" {
      + actions_enabled                       = true
      + alarm_actions                         = [
          + "arn:aws:sns:ca-central-1:239043911459:alert-critical",
        ]
      + alarm_description                     = "Ten 500 errors in 5 minutes for pinpoint_to_sqs_sms_callbacks api"
      + alarm_name                            = "logs-10-500-error-5-minutes-critical-pinpoint_to_sqs_sms_callbacks-api"
      + arn                                   = (known after apply)
      + comparison_operator                   = "GreaterThanOrEqualToThreshold"
      + evaluate_low_sample_count_percentiles = (known after apply)
      + evaluation_periods                    = 1
      + id                                    = (known after apply)
      + metric_name                           = "500-errors-pinpoint_to_sqs_sms_callbacks-api"
      + namespace                             = "LogMetrics"
      + ok_actions                            = [
          + "arn:aws:sns:ca-central-1:239043911459:alert-ok",
        ]
      + period                                = 300
      + statistic                             = "Sum"
      + tags_all                              = (known after apply)
      + threshold                             = 10
      + treat_missing_data                    = "notBreaching"
    }

  # aws_iam_policy.pinpoint_logs will be created
  + resource "aws_iam_policy" "pinpoint_logs" {
      + arn              = (known after apply)
      + attachment_count = (known after apply)
      + id               = (known after apply)
      + name             = "PinpointLogsPolicy"
      + name_prefix      = (known after apply)
      + path             = "/"
      + policy           = (known after apply)
      + policy_id        = (known after apply)
      + tags_all         = (known after apply)
    }

  # aws_iam_role.pinpoint_logs will be created
  + resource "aws_iam_role" "pinpoint_logs" {
      + arn                   = (known after apply)
      + assume_role_policy    = jsonencode(
            {
              + Statement = [
                  + {
                      + Action    = "sts:AssumeRole"
                      + Condition = {
                          + ArnLike      = {
                              + "aws:SourceArn" = "arn:aws:sms-voice:ca-central-1:239043911459:configuration-set/pinpoint-configuration"
                            }
                          + StringEquals = {
                              + "aws:SourceAccount" = "239043911459"
                            }
                        }
                      + Effect    = "Allow"
                      + Principal = {
                          + Service = "sms-voice.amazonaws.com"
                        }
                    },
                ]
              + Version   = "2012-10-17"
            }
        )
      + create_date           = (known after apply)
      + force_detach_policies = false
      + id                    = (known after apply)
      + managed_policy_arns   = (known after apply)
      + max_session_duration  = 3600
      + name                  = "PinpointLogs"
      + name_prefix           = (known after apply)
      + path                  = "/"
      + tags_all              = (known after apply)
      + unique_id             = (known after apply)
    }

  # aws_iam_role_policy_attachment.pinpoint_logs will be created
  + resource "aws_iam_role_policy_attachment" "pinpoint_logs" {
      + id         = (known after apply)
      + policy_arn = (known after apply)
      + role       = "PinpointLogs"
    }

  # aws_lambda_permission.allow_cloudwatch_logs_pinpoint_failures[0] will be created
  + resource "aws_lambda_permission" "allow_cloudwatch_logs_pinpoint_failures" {
      + action              = "lambda:InvokeFunction"
      + function_name       = "pinpoint_to_sqs_sms_callbacks"
      + id                  = (known after apply)
      + principal           = "logs.ca-central-1.amazonaws.com"
      + source_arn          = (known after apply)
      + statement_id        = (known after apply)
      + statement_id_prefix = (known after apply)
    }

  # aws_lambda_permission.allow_cloudwatch_logs_pinpoint_successes[0] will be created
  + resource "aws_lambda_permission" "allow_cloudwatch_logs_pinpoint_successes" {
      + action              = "lambda:InvokeFunction"
      + function_name       = "pinpoint_to_sqs_sms_callbacks"
      + id                  = (known after apply)
      + principal           = "logs.ca-central-1.amazonaws.com"
      + source_arn          = (known after apply)
      + statement_id        = (known after apply)
      + statement_id_prefix = (known after apply)
    }

  # null_resource.create_pools will be created
  + resource "null_resource" "create_pools" {
      + id = (known after apply)
    }

  # module.pinpoint_to_sqs_sms_callbacks.aws_cloudwatch_log_group.this will be created
  + resource "aws_cloudwatch_log_group" "this" {
      + arn               = (known after apply)
      + id                = (known after apply)
      + log_group_class   = (known after apply)
      + name              = "/aws/lambda/pinpoint_to_sqs_sms_callbacks"
      + name_prefix       = (known after apply)
      + retention_in_days = 14
      + skip_destroy      = false
      + tags              = {
          + "CostCentre" = "notification-canada-ca-staging"
          + "Terraform"  = "true"
        }
      + tags_all          = {
          + "CostCentre" = "notification-canada-ca-staging"
          + "Terraform"  = "true"
        }
    }

  # module.pinpoint_to_sqs_sms_callbacks.aws_cloudwatch_query_definition.lambda_statistics will be created
  + resource "aws_cloudwatch_query_definition" "lambda_statistics" {
      + id                  = (known after apply)
      + log_group_names     = [
          + "aws_cloudwatch_log_group.this",
        ]
      + name                = "Lambda Statistics - pinpoint_to_sqs_sms_callbacks"
      + query_definition_id = (known after apply)
      + query_string        = <<-EOT
            filter @type = “REPORT”
            | stats
            count(@type) as countInvocations,
            count(@initDuration) as countColdStarts, (count(@initDuration)/count(@type))*100 as percentageColdStarts,
            max(@initDuration) as maxColdStartTime,
            avg(@duration) as averageDuration,
            max(@duration) as maxDuration,
            min(@duration) as minDuration,
            avg(@maxMemoryUsed) as averageMemoryUsed,
            max(@memorySize) as memoryAllocated, (avg(@maxMemoryUsed)/max(@memorySize))*100 as percentageMemoryUsed
            by bin(1h) as timeFrame
        EOT
    }

  # module.pinpoint_to_sqs_sms_callbacks.aws_iam_policy.non_vpc_policies[0] will be created
  + resource "aws_iam_policy" "non_vpc_policies" {
      + arn              = (known after apply)
      + attachment_count = (known after apply)
      + id               = (known after apply)
      + name             = "pinpoint_to_sqs_sms_callbacks_non_vpc"
      + name_prefix      = (known after apply)
      + path             = "/"
      + policy           = jsonencode(
            {
              + Statement = [
                  + {
                      + Action   = [
                          + "logs:PutLogEvents",
                          + "logs:CreateLogStream",
                          + "logs:CreateLogGroup",
                        ]
                      + Effect   = "Allow"
                      + Resource = "*"
                      + Sid      = "CloudWatchAccess"
                    },
                  + {
                      + Action   = [
                          + "ecr:GetDownloadUrlForlayer",
                          + "ecr:BatchGetImage",
                        ]
                      + Effect   = "Allow"
                      + Resource = ""
                      + Sid      = "ECRImageAccess"
                    },
                ]
              + Version   = "2012-10-17"
            }
        )
      + policy_id        = (known after apply)
      + tags             = {
          + "CostCentre" = "notification-canada-ca-staging"
          + "Terraform"  = "true"
        }
      + tags_all         = {
          + "CostCentre" = "notification-canada-ca-staging"
          + "Terraform"  = "true"
        }
    }

  # module.pinpoint_to_sqs_sms_callbacks.aws_iam_policy.policies[0] will be created
  + resource "aws_iam_policy" "policies" {
      + arn              = (known after apply)
      + attachment_count = (known after apply)
      + id               = (known after apply)
      + name             = "pinpoint_to_sqs_sms_callbacks-0"
      + name_prefix      = (known after apply)
      + path             = "/"
      + policy           = jsonencode(
            {
              + Statement = [
                  + {
                      + Action   = [
                          + "sqs:SendMessage",
                          + "sqs:Get*",
                        ]
                      + Effect   = "Allow"
                      + Resource = ""
                    },
                ]
              + Version   = "2012-10-17"
            }
        )
      + policy_id        = (known after apply)
      + tags             = {
          + "CostCentre" = "notification-canada-ca-staging"
          + "Terraform"  = "true"
        }
      + tags_all         = {
          + "CostCentre" = "notification-canada-ca-staging"
          + "Terraform"  = "true"
        }
    }

  # module.pinpoint_to_sqs_sms_callbacks.aws_iam_role.this will be created
  + resource "aws_iam_role" "this" {
      + arn                   = (known after apply)
      + assume_role_policy    = jsonencode(
            {
              + Statement = [
                  + {
                      + Action    = "sts:AssumeRole"
                      + Effect    = "Allow"
                      + Principal = {
                          + Service = "lambda.amazonaws.com"
                        }
                    },
                ]
              + Version   = "2012-10-17"
            }
        )
      + create_date           = (known after apply)
      + force_detach_policies = false
      + id                    = (known after apply)
      + managed_policy_arns   = (known after apply)
      + max_session_duration  = 3600
      + name                  = "pinpoint_to_sqs_sms_callbacks"
      + name_prefix           = (known after apply)
      + path                  = "/"
      + tags                  = {
          + "CostCentre" = "notification-canada-ca-staging"
          + "Terraform"  = "true"
        }
      + tags_all              = {
          + "CostCentre" = "notification-canada-ca-staging"
          + "Terraform"  = "true"
        }
      + unique_id             = (known after apply)
    }

  # module.pinpoint_to_sqs_sms_callbacks.aws_iam_role_policy_attachment.attachments[0] will be created
  + resource "aws_iam_role_policy_attachment" "attachments" {
      + id         = (known after apply)
      + policy_arn = (known after apply)
      + role       = "pinpoint_to_sqs_sms_callbacks"
    }

  # module.pinpoint_to_sqs_sms_callbacks.aws_iam_role_policy_attachment.lambda_insights[0] will be created
  + resource "aws_iam_role_policy_attachment" "lambda_insights" {
      + id         = (known after apply)
      + policy_arn = "arn:aws:iam::aws:policy/CloudWatchLambdaInsightsExecutionRolePolicy"
      + role       = "pinpoint_to_sqs_sms_callbacks"
    }

  # module.pinpoint_to_sqs_sms_callbacks.aws_iam_role_policy_attachment.non_vpc_policies[0] will be created
  + resource "aws_iam_role_policy_attachment" "non_vpc_policies" {
      + id         = (known after apply)
      + policy_arn = (known after apply)
      + role       = "pinpoint_to_sqs_sms_callbacks"
    }

  # module.pinpoint_to_sqs_sms_callbacks.aws_lambda_function.this will be created
  + resource "aws_lambda_function" "this" {
      + architectures                  = [
          + "x86_64",
        ]
      + arn                            = (known after apply)
      + function_name                  = "pinpoint_to_sqs_sms_callbacks"
      + id                             = (known after apply)
      + image_uri                      = ":bootstrap"
      + invoke_arn                     = (known after apply)
      + last_modified                  = (known after apply)
      + memory_size                    = 1024
      + package_type                   = "Image"
      + publish                        = false
      + qualified_arn                  = (known after apply)
      + qualified_invoke_arn           = (known after apply)
      + reserved_concurrent_executions = -1
      + role                           = (known after apply)
      + signing_job_arn                = (known after apply)
      + signing_profile_version_arn    = (known after apply)
      + skip_destroy                   = false
      + source_code_hash               = (known after apply)
      + source_code_size               = (known after apply)
      + tags                           = {
          + "CostCentre" = "notification-canada-ca-staging"
          + "Terraform"  = "true"
        }
      + tags_all                       = {
          + "CostCentre" = "notification-canada-ca-staging"
          + "Terraform"  = "true"
        }
      + timeout                        = 60
      + version                        = (known after apply)

      + ephemeral_storage {
          + size = 512
        }

      + tracing_config {
          + mode = "PassThrough"
        }

      + vpc_config {
          + ipv6_allowed_for_dual_stack = false
          + vpc_id                      = (known after apply)
        }
    }

Plan: 25 to add, 0 to change, 0 to destroy.

─────────────────────────────────────────────────────────────────────────────

Saved the plan to: plan.tfplan

To perform exactly these actions, run the following command to apply:
    terraform apply "plan.tfplan"
Conftest results:
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_log_group.pinpoint_deliveries"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_log_group.pinpoint_deliveries_failures"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_log_group.pinpoint_to_sqs_sms_callbacks_log_group[0]"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_metric_alarm.lambda-image-pinpoint-delivery-receipts-errors-critical[0]"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_metric_alarm.lambda-image-pinpoint-delivery-receipts-errors-warning[0]"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_metric_alarm.logs-1-500-error-1-minute-warning-pinpoint_to_sqs_sms_callbacks-api[0]"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_metric_alarm.logs-10-500-error-5-minutes-critical-pinpoint_to_sqs_sms_callbacks-api[0]"]
WARN - plan.json - main - Missing Common Tags: ["aws_iam_policy.pinpoint_logs"]
WARN - plan.json - main - Missing Common Tags: ["aws_iam_role.pinpoint_logs"]

28 tests, 19 passed, 9 warnings, 0 failures, 0 exceptions
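The Conftest run above only warns about missing common tags. The plan itself shows two further things a reviewer would want a check for: the lambda's CloudWatchAccess statement grants logs:* actions on Resource "*", and the ECRImageAccess and SQS statements have an empty Resource (like image_uri = ":bootstrap", most likely a variable that was unset when the staging plan ran). The plan also shows the Logs Insights query definition pointing at the literal string "aws_cloudwatch_log_group.this" rather than the log group name, and filtering on “REPORT” with curly quotes, both worth a look before these metrics go on the dashboards. As an added example, not code from this repository or its CI, the following Python runs a tag check and an IAM resource check over a hand-constructed plan.json fragment (terraform show -json shape) that mirrors the resources in the plan output; the common-tag key set and the WARN line format are assumptions modelled on the warnings above.

```python
"""Plan checks in the spirit of the Conftest run above.

Added example; not code from the notification-terraform repository or its CI.
The plan fragment is constructed by hand to mirror resources in the plan output
(terraform show -json shape, trimmed to the fields the checks read). The
common-tag key set and the WARN format are assumptions modelled on the warnings.
"""
import json

# Assumed to be the tag keys the repo's "Common Tags" rule expects.
COMMON_TAGS = {"CostCentre", "Terraform"}

STAGING_TAGS = {"CostCentre": "notification-canada-ca-staging", "Terraform": "true"}

# Constructed plan.json fragment mirroring three resources shown in the plan above.
PLAN_JSON = json.dumps({
    "resource_changes": [
        {
            "address": "module.pinpoint_to_sqs_sms_callbacks.aws_iam_policy.non_vpc_policies[0]",
            "type": "aws_iam_policy",
            "change": {"actions": ["create"], "after": {
                "name": "pinpoint_to_sqs_sms_callbacks_non_vpc",
                "tags": STAGING_TAGS,
                # aws_iam_policy.policy is a JSON string nested inside the plan JSON
                "policy": json.dumps({"Version": "2012-10-17", "Statement": [
                    {"Sid": "CloudWatchAccess", "Effect": "Allow", "Resource": "*",
                     "Action": ["logs:PutLogEvents", "logs:CreateLogStream", "logs:CreateLogGroup"]},
                    {"Sid": "ECRImageAccess", "Effect": "Allow", "Resource": "",
                     "Action": ["ecr:GetDownloadUrlForlayer", "ecr:BatchGetImage"]},
                ]}),
            }},
        },
        {
            "address": "module.pinpoint_to_sqs_sms_callbacks.aws_iam_policy.policies[0]",
            "type": "aws_iam_policy",
            "change": {"actions": ["create"], "after": {
                "name": "pinpoint_to_sqs_sms_callbacks-0",
                "tags": STAGING_TAGS,
                "policy": json.dumps({"Version": "2012-10-17", "Statement": [
                    {"Effect": "Allow", "Action": ["sqs:SendMessage", "sqs:Get*"], "Resource": ""},
                ]}),
            }},
        },
        {
            # No tags at all, which is what the Conftest warning above implies
            "address": "aws_cloudwatch_log_group.pinpoint_deliveries",
            "type": "aws_cloudwatch_log_group",
            "change": {"actions": ["create"], "after": {"retention_in_days": 14, "tags": {}}},
        },
    ],
})


def load_plan(plan_json: str) -> dict:
    return json.loads(plan_json)


def _as_list(value) -> list:
    return value if isinstance(value, list) else [value]


def _planned_resources(plan: dict):
    """Yield (address, type, after) for every resource the plan creates or updates."""
    for rc in plan.get("resource_changes", []):
        change = rc.get("change", {})
        if {"create", "update"} & set(change.get("actions", [])):
            yield rc["address"], rc["type"], change.get("after") or {}


def missing_common_tags(plan: dict) -> list:
    """Addresses whose planned tags lack any COMMON_TAGS key (what the Conftest rule warns on)."""
    return [addr for addr, _, after in _planned_resources(plan)
            if not COMMON_TAGS <= set(after.get("tags") or {})]


def risky_iam_statements(plan: dict) -> list:
    """(address, Sid, reason) for Allow statements whose Resource is '*' or empty.

    A wildcard lets the function write to every log group in the account rather
    than its own; an empty string is not a valid ARN, so IAM will not accept the
    policy, and in a plan it usually means a variable was unset at plan time.
    """
    findings = []
    for addr, rtype, after in _planned_resources(plan):
        if rtype not in ("aws_iam_policy", "aws_iam_role_policy"):
            continue
        policy = after.get("policy")
        if not isinstance(policy, str):  # "(known after apply)" appears as null
            continue
        for stmt in _as_list(json.loads(policy).get("Statement", [])):
            if stmt.get("Effect") != "Allow":
                continue
            sid = stmt.get("Sid", "<no Sid>")
            for resource in _as_list(stmt.get("Resource", [])):
                if resource == "*":
                    findings.append((addr, sid, "wildcard Resource"))
                elif resource == "":
                    findings.append((addr, sid, "empty Resource"))
    return findings


def run_checks(plan_json: str) -> list:
    """WARN lines in the style of the Conftest output above (the format is assumed)."""
    plan = load_plan(plan_json)
    lines = [f'WARN - plan.json - Missing Common Tags: ["{a}"]' for a in missing_common_tags(plan)]
    lines += [f"WARN - plan.json - {reason} in statement {sid} of {addr}"
              for addr, sid, reason in risky_iam_statements(plan)]
    return lines


if __name__ == "__main__":
    print("\n".join(run_checks(PLAN_JSON)))
```

On a real plan, run `terraform show -json plan.tfplan > plan.json` and pass the file contents to run_checks; the IAM check deliberately skips policies whose document is still "(known after apply)", since those can only be judged after apply or by a second plan.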

@sastels sastels merged commit 132155b into main Apr 22, 2024
3 checks passed
@sastels sastels deleted the pinpoint-pools branch April 22, 2024 17:12
@andrewleith andrewleith mentioned this pull request Apr 23, 2024
@sastels sastels mentioned this pull request Apr 24, 2024