Pinpoint pools #1246

Merged
merged 31 commits into from
Apr 22, 2024
Merged
Changes from 10 commits
31 commits
92cfc1b
add script for now to create pinpoint pools
sastels Apr 10, 2024
620c7d4
add pinpoint logs and iam
sastels Apr 10, 2024
be982f1
mor copy-pasta
sastels Apr 10, 2024
2dc2d4f
Merge branch 'main' into pinpoint-pools
sastels Apr 10, 2024
e75ecde
tweak
sastels Apr 11, 2024
2abdc8e
fix arn
sastels Apr 11, 2024
80437f5
turn off pinpoint logging on dev
sastels Apr 11, 2024
1603e0b
failures working now
sastels Apr 12, 2024
7418845
add pinpoint_to_sqs_sms_callbacks lambda
sastels Apr 12, 2024
3356c7c
add ecr for pinpoint lambda
sastels Apr 12, 2024
fafbcc2
tweak
sastels Apr 15, 2024
2673807
Merge branch 'main' into pinpoint-pools
sastels Apr 15, 2024
2d2fdb4
and new lambda to staging workflows
sastels Apr 15, 2024
7c008a4
fix lambda files
sastels Apr 15, 2024
069937a
script only creates things that don't exist
sastels Apr 15, 2024
4014c52
Merge branch 'main' into pinpoint-pools
sastels Apr 15, 2024
7c3c352
Merge branch 'main' into pinpoint-pools
sastels Apr 16, 2024
755f96c
always create receipt log groups
sastels Apr 16, 2024
3884b71
put pinpoint_to_sqs_sms_callbacks code together
sastels Apr 16, 2024
1f797b1
fix sns_to_sqs_sms_callbacks bootstrap image
sastels Apr 16, 2024
e5a4c31
Merge branch 'main' into pinpoint-pools
sastels Apr 17, 2024
d56acf1
Merge branch 'main' into pinpoint-pools
sastels Apr 17, 2024
0f098a4
move ecr stuff mack to ecr module
sastels Apr 17, 2024
528fe73
Merge branch 'main' into pinpoint-pools
sastels Apr 17, 2024
2c0864e
fix
sastels Apr 17, 2024
bf6818f
Merge branch 'main' into pinpoint-pools
sastels Apr 22, 2024
bf7bd27
Merge branch 'main' into pinpoint-pools
sastels Apr 22, 2024
6628b60
Merge branch 'main' into pinpoint-pools
sastels Apr 22, 2024
5ce907c
run pool creation script
sastels Apr 22, 2024
9b27183
fix copypasta
sastels Apr 22, 2024
68cc48b
dont need bootstrap for script
sastels Apr 22, 2024
20 changes: 20 additions & 0 deletions aws/common/cloudwatch_log.tf
Expand Up @@ -44,6 +44,26 @@
}
}

# TODO fix the count line after it's working. Right now we want these in dev for testing
resource "aws_cloudwatch_log_group" "pinpoint_deliveries" {
count = var.cloudwatch_enabled ? 1 : 1
name = "sns/${var.region}/${var.account_id}/PinPointDirectPublishToPhoneNumber"
retention_in_days = var.sensitive_log_retention_period_days
tags = {
CostCenter = "notification-canada-ca-${var.env}"
}
}

# TODO fix the count line after it's working. Right now we want these in dev for testing
resource "aws_cloudwatch_log_group" "pinpoint_deliveries_failures" {
count = var.cloudwatch_enabled ? 1 : 1
name = "sns/${var.region}/${var.account_id}/PinPointDirectPublishToPhoneNumber/Failure"
retention_in_days = var.sensitive_log_retention_period_days
tags = {
CostCenter = "notification-canada-ca-${var.env}"
}
}

resource "aws_cloudwatch_log_group" "route53_resolver_query_log" {
count = var.cloudwatch_enabled ? 1 : 0
name = "route53/${var.region}/${var.account_id}/DNS/logs"
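Review bot: Both new log groups use `count = var.cloudwatch_enabled ? 1 : 1`, which can never evaluate to 0, so they are created even where CloudWatch logging is meant to be disabled; the TODO above each resource acknowledges this, but it is easy to lose on merge. Before merging, restore `count = var.cloudwatch_enabled ? 1 : 0` on both `pinpoint_deliveries` and `pinpoint_deliveries_failures`, or replace the TODO with a comment naming the environment that needs the override and why. The group names also start with `sns/` although these receive Pinpoint (sms-voice) delivery events, which will confuse anyone searching log groups by service; a `pinpoint/` or `sms-voice/` prefix matches the IAM trust policy added in aws/common/iam.tf. Using `sensitive_log_retention_period_days` is the right choice here, since delivery receipts presumably carry destination phone numbers.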
57 changes: 57 additions & 0 deletions aws/common/iam.tf
Expand Up @@ -189,3 +189,60 @@ data "aws_iam_policy_document" "firehose_waf_logs" {
resource "aws_iam_service_linked_role" "spotInstances" {
aws_service_name = "spot.amazonaws.com"
}

# Pinpoint IAM
# see https://docs.aws.amazon.com/sms-voice/latest/userguide/configuration-sets-cloud-watch.html

resource "aws_iam_role" "pinpoint_logs" {
name = "PinpointLogs"
assume_role_policy = data.aws_iam_policy_document.pinpoint_assume.json
}

resource "aws_iam_policy" "pinpoint_logs" {
name = "PinpointLogsPolicy"
path = "/"
policy = data.aws_iam_policy_document.pinpoint_logs.json
}

resource "aws_iam_role_policy_attachment" "pinpoint_logs" {
role = aws_iam_role.pinpoint_logs.name
policy_arn = aws_iam_policy.pinpoint_logs.arn
}

data "aws_iam_policy_document" "pinpoint_assume" {
statement {
actions = ["sts:AssumeRole"]
effect = "Allow"
principals {
type = "Service"
identifiers = ["sms-voice.amazonaws.com"]
}
condition {
test = "StringEquals"
variable = "aws:SourceAccount"
values = [var.account_id]
}
condition {
test = "ArnLike"
variable = "aws:SourceArn"
values = [
"arn:aws:sms-voice:${var.region}:${var.account_id}:configuration-set/pinpoint-configuration"
]
}
}
}

data "aws_iam_policy_document" "pinpoint_logs" {
statement {
effect = "Allow"
actions = [
"logs:CreateLogStream",
"logs:DescribeLogStreams",
"logs:PutLogEvents"
]
resources = [
"${aws_cloudwatch_log_group.pinpoint_deliveries[0].arn}:*",
"${aws_cloudwatch_log_group.pinpoint_failures[0].arn}:*"
]
}
}
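Review bot: `data.aws_iam_policy_document.pinpoint_logs` references `aws_cloudwatch_log_group.pinpoint_failures[0]`, but the resource added in aws/common/cloudwatch_log.tf in this PR is named `pinpoint_deliveries_failures`; unless one of the later commits not shown in this view (10 of 31) renames it, `terraform plan` fails with an undeclared resource. The fix is `"${aws_cloudwatch_log_group.pinpoint_deliveries_failures[0].arn}:*"`. The `[0]` index on both log groups also assumes their count is never 0, so once the `? 1 : 1` placeholder in cloudwatch_log.tf is corrected to `? 1 : 0`, this document needs the same `var.cloudwatch_enabled` guard as the outputs. The trust policy is good as written: the `aws:SourceAccount` and `aws:SourceArn` conditions pin `sms-voice.amazonaws.com` to one configuration set in this account, which is the standard mitigation for the cross-service confused-deputy case, and the permission policy is scoped to the two log groups rather than `*`.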
16 changes: 16 additions & 0 deletions aws/common/outputs.tf
Expand Up @@ -143,6 +143,22 @@ output "sns_deliveries_failures_us_west_2_name" {
value = var.cloudwatch_enabled ? aws_cloudwatch_log_group.sns_deliveries_failures_us_west_2[0].name : ""
}

output "pinpoint_deliveries_ca_central_arn" {
value = var.cloudwatch_enabled ? aws_cloudwatch_log_group.pinpoint_deliveries[0].arn : ""
}

output "pinpoint_deliveries_ca_central_name" {
value = var.cloudwatch_enabled ? aws_cloudwatch_log_group.pinpoint_deliveries[0].name : ""
}

output "pinpoint_deliveries_failures_ca_central_arn" {
value = var.cloudwatch_enabled ? aws_cloudwatch_log_group.pinpoint_deliveries_failures[0].arn : ""
}

output "pinpoint_deliveries_failures_ca_central_name" {
value = var.cloudwatch_enabled ? aws_cloudwatch_log_group.pinpoint_deliveries_failures[0].name : ""
}

output "sqs_notify_internal_tasks_arn" {
value = aws_sqs_queue.notify_internal_tasks_queue.arn
}
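Review bot: The four new outputs hard-code `ca_central` in their names while the log groups they expose are named from `${var.region}` and exist once per module instance; the sibling `sns_deliveries_failures_us_west_2_*` outputs carry a region suffix because there is a separate group per region, which is not the case here. Either drop the suffix (`pinpoint_deliveries_arn`, `pinpoint_deliveries_failures_name`, etc.) or include the region in the resource name so the two stay consistent. Guarding each value with `var.cloudwatch_enabled ? … : ""` matches the existing outputs and is correct once the log groups' count is fixed.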
12 changes: 12 additions & 0 deletions aws/ecr/ecr.tf
Expand Up @@ -97,6 +97,18 @@ resource "aws_ecr_repository" "sns_to_sqs_sms_callbacks" {
}
}

resource "aws_ecr_repository" "pinpoint_to_sqs_sms_callbacks" {
# The :latest tag is used in Staging

name = "notify/pinpoint_to_sqs_sms_callbacks"
image_tag_mutability = "MUTABLE" #tfsec:ignore:AWS078
force_delete = var.force_delete_ecr

image_scanning_configuration {
scan_on_push = true
}
}

resource "aws_ecr_repository" "system_status" {
# The :latest tag is used in Staging

25 changes: 25 additions & 0 deletions aws/ecr/images.tf
Expand Up @@ -192,6 +192,7 @@ resource "null_resource" "build_sns_to_sqs_sms_callbacks_docker_image" {
null_resource.lambda_repo_clone
]

# TODO: are we building the wrong image here?
provisioner "local-exec" {
command = "docker build -t ${aws_ecr_repository.sns_to_sqs_sms_callbacks.repository_url}:bootstrap -f /var/tmp/notification-lambdas/sesemailcallbacks/Dockerfile /var/tmp/notification-lambdas"
Contributor Author


Noticed this typo

}
Expand All @@ -208,6 +209,30 @@ resource "null_resource" "push_sns_to_sqs_sms_callbacks_docker_image" {

}

# Pinpoint to SQS Queue Build and Push

resource "null_resource" "build_pinpoint_to_sqs_sms_callbacks_docker_image" {
count = var.bootstrap ? 1 : 0
depends_on = [
null_resource.lambda_repo_clone
]

provisioner "local-exec" {
command = "docker build -t ${aws_ecr_repository.pinpoint_to_sqs_sms_callbacks.repository_url}:bootstrap -f /var/tmp/notification-lambdas/pinpointsmscallbacks/Dockerfile /var/tmp/notification-lambdas"
}

}

resource "null_resource" "push_pinpoint_to_sqs_sms_callbacks_docker_image" {
count = var.bootstrap ? 1 : 0
depends_on = [null_resource.build_pinpoint_to_sqs_sms_callbacks_docker_image]

provisioner "local-exec" {
command = "docker push ${aws_ecr_repository.pinpoint_to_sqs_sms_callbacks.repository_url}:bootstrap"
}

}

#System status Build and Push

resource "null_resource" "build_system_status_docker_image" {
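Review bot: In the `build_pinpoint_to_sqs_sms_callbacks_docker_image` hunk, the `:bootstrap` image is built from whatever `/var/tmp/notification-lambdas` contains when `null_resource.lambda_repo_clone` ran, and nothing in the hunk records which commit that was, so the image pushed to a MUTABLE repository cannot be traced back to a source revision from Terraform state alone. The clone resource is outside this hunk, so this may already be pinned there; if it is not, a comment naming the ref it checks out, or a `--build-arg` carrying the commit SHA into the image labels, would give the bootstrap image a provenance trail. The push resource correctly depends on the build resource and shares the `var.bootstrap` count, matching the sibling SNS resources.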
8 changes: 8 additions & 0 deletions aws/ecr/outputs.tf
Expand Up @@ -22,6 +22,14 @@ output "sns_to_sqs_sms_callbacks_ecr_repository_url" {
description = "Repository URL of sns_to_sqs_sms_callbacks ECR"
value = aws_ecr_repository.sns_to_sqs_sms_callbacks.repository_url
}
output "pinpoint_to_sqs_sms_callbacks_ecr_arn" {
description = "arn of pinpoint_to_sqs_sms_callbacks ECR"
value = aws_ecr_repository.pinpoint_to_sqs_sms_callbacks.arn
}
output "pinpoint_to_sqs_sms_callbacks_ecr_repository_url" {
description = "Repository URL of pinpoint_to_sqs_sms_callbacks ECR"
value = aws_ecr_repository.pinpoint_to_sqs_sms_callbacks.repository_url
}
output "heartbeat_ecr_arn" {
description = "arn of heartbeat ECR"
value = aws_ecr_repository.heartbeat.arn
9 changes: 9 additions & 0 deletions aws/ecr/secrets.tf
Expand Up @@ -26,6 +26,15 @@
secret_string = aws_ecr_repository.sns_to_sqs_sms_callbacks.repository_url
}

resource "aws_secretsmanager_secret" "pinpoint_to_sqs_sms_callbacks_repository_url" {
name = "PINPOINT_TO_SQS_SMS_CALLBACKS_REPOSITORY_URL"
}

resource "aws_secretsmanager_secret_version" "pinpoint_to_sqs_sms_callbacks_repository_url" {
secret_id = aws_secretsmanager_secret.pinpoint_to_sqs_sms_callbacks_repository_url.id
secret_string = aws_ecr_repository.pinpoint_to_sqs_sms_callbacks.repository_url
}

resource "aws_secretsmanager_secret" "heartbeat_repository_url" {
name = "HEARTBEAT_REPOSITORY_URL"
}
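Review bot: `aws_secretsmanager_secret.pinpoint_to_sqs_sms_callbacks_repository_url` sets no `kms_key_id`, so the secret is encrypted with the AWS-managed key, which is what the scanner finding on this resource presumably flags. The stored value is an ECR repository URL rather than a credential, so the managed key is arguably adequate, but that reasoning belongs in the file; a comment such as `# Holds a repository URL, not a credential; AWS-managed key is sufficient` above the resource would stop the finding from being re-raised on every PR that copies this pattern. The resource mirrors the existing `sns_to_sqs_sms_callbacks_repository_url` pair above it, so any decision here should be applied to the siblings too.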
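--- a/aws/pinpoint_to_sqs_sms_callbacks/cloudwatch_alarms.tf
+++ b/aws/pinpoint_to_sqs_sms_callbacks/cloudwatch_alarms.tf
@@ -0,0 +1,74 @@
+# Note to maintainers:
+# Updating alarms? Update the Google Sheet also!
+# https://docs.google.com/spreadsheets/d/1gkrL3Trxw0xEkX724C1bwpfeRsTlK2X60wtCjF6MFRA/edit
+#
+
+resource "aws_cloudwatch_metric_alarm" "logs-1-500-error-1-minute-warning-pinpoint_to_sqs_sms_callbacks-api" {
+count = var.cloudwatch_enabled ? 1 : 0
+alarm_name = "logs-1-500-error-1-minute-warning-pinpoint_to_sqs_sms_callbacks-api"
+alarm_description = "One 500 error in 1 minute for pinpoint_to_sqs_sms_callbacks api"
+comparison_operator = "GreaterThanOrEqualToThreshold"
+evaluation_periods = "1"
+metric_name = aws_cloudwatch_log_metric_filter.pinpoint_to_sqs_sms_callbacks-500-errors-api[0].metric_transformation[0].name
+namespace = aws_cloudwatch_log_metric_filter.pinpoint_to_sqs_sms_callbacks-500-errors-api[0].metric_transformation[0].namespace
+period = "60"
+statistic = "Sum"
+threshold = 1
+treat_missing_data = "notBreaching"
+alarm_actions = [var.sns_alert_warning_arn]
+ok_actions = [var.sns_alert_warning_arn]
+}
+
+resource "aws_cloudwatch_metric_alarm" "logs-10-500-error-5-minutes-critical-pinpoint_to_sqs_sms_callbacks-api" {
+count = var.cloudwatch_enabled ? 1 : 0
+alarm_name = "logs-10-500-error-5-minutes-critical-pinpoint_to_sqs_sms_callbacks-api"
+alarm_description = "Ten 500 errors in 5 minutes for pinpoint_to_sqs_sms_callbacks api"
+comparison_operator = "GreaterThanOrEqualToThreshold"
+evaluation_periods = "1"
+metric_name = aws_cloudwatch_log_metric_filter.pinpoint_to_sqs_sms_callbacks-500-errors-api[0].metric_transformation[0].name
+namespace = aws_cloudwatch_log_metric_filter.pinpoint_to_sqs_sms_callbacks-500-errors-api[0].metric_transformation[0].namespace
+period = "300"
+statistic = "Sum"
+threshold = 10
+treat_missing_data = "notBreaching"
+alarm_actions = [var.sns_alert_critical_arn]
+ok_actions = [var.sns_alert_ok_arn]
+}
+
+resource "aws_cloudwatch_metric_alarm" "lambda-image-pinpoint-delivery-receipts-errors-warning" {
+count = var.cloudwatch_enabled ? 1 : 0
+alarm_name = "lambda-image-pinpoint-delivery-receipts-errors-warning"
+alarm_description = "5 errors on Lambda pinpoint-to-sqs-sms-callbacks in 10 minutes"
+comparison_operator = "GreaterThanOrEqualToThreshold"
+evaluation_periods = "1"
+metric_name = "Errors"
+namespace = "AWS/Lambda"
+period = 60 * 10
+statistic = "Sum"
+threshold = 5
+treat_missing_data = "notBreaching"
+alarm_actions = [var.sns_alert_warning_arn]
+ok_actions = [var.sns_alert_ok_arn]
+dimensions = {
+FunctionName = module.pinpoint_to_sqs_sms_callbacks.function_name
+}
+}
+
+resource "aws_cloudwatch_metric_alarm" "lambda-image-pinpoint-delivery-receipts-errors-critical" {
+count = var.cloudwatch_enabled ? 1 : 0
+alarm_name = "lambda-image-pinpoint-delivery-receipts-errors-critical"
+alarm_description = "20 errors on Lambda pinpoint-to-sqs-sms-callbacks in 10 minutes"
+comparison_operator = "GreaterThanOrEqualToThreshold"
+evaluation_periods = "1"
+metric_name = "Errors"
+namespace = "AWS/Lambda"
+period = 60 * 10
+statistic = "Sum"
+threshold = 20
+treat_missing_data = "notBreaching"
+alarm_actions = [var.sns_alert_critical_arn]
+ok_actions = [var.sns_alert_ok_arn]
+dimensions = {
+FunctionName = module.pinpoint_to_sqs_sms_callbacks.function_name
+}
+}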
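Review bot: `ok_actions` on `logs-1-500-error-1-minute-warning-pinpoint_to_sqs_sms_callbacks-api` is `[var.sns_alert_warning_arn]`, while the other three alarms in this file send OK transitions to `var.sns_alert_ok_arn`; this looks like a copy-paste slip and would route every recovery of that alarm to the warning channel. Change it to `ok_actions = [var.sns_alert_ok_arn]`. The two "500 error" alarms are also driven by the metric filter in cloudwatch_logs.tf, which matches `"levelname": "ERROR"` log lines rather than HTTP 500 responses, so the alarm names and `alarm_description` strings overstate what is measured; wording such as "One ERROR-level log line in 1 minute" would keep on-call responders from looking for an HTTP failure that does not exist.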
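--- a/aws/pinpoint_to_sqs_sms_callbacks/cloudwatch_logs.tf
+++ b/aws/pinpoint_to_sqs_sms_callbacks/cloudwatch_logs.tf
@@ -0,0 +1,27 @@
+#
+# SNS Receiving SMS CloudWatch logging
+#
+
+resource "aws_cloudwatch_log_group" "pinpoint_to_sqs_sms_callbacks_log_group" {
+count = var.cloudwatch_enabled ? 1 : 0
+name = "pinpoint_to_sqs_sms_callbacks_log_group"
+retention_in_days = var.sensitive_log_retention_period_days
+tags = {
+CostCenter = "notification-canada-ca-${var.env}"
+Environment = var.env
+Application = "lambda"
+}
+}
+
+resource "aws_cloudwatch_log_metric_filter" "pinpoint_to_sqs_sms_callbacks-500-errors-api" {
+count = var.cloudwatch_enabled ? 1 : 0
+name = "pinpoint_to_sqs_sms_callbacks-500-errors-api"
+pattern = "\"\\\"levelname\\\": \\\"ERROR\\\"\""
+log_group_name = "/aws/lambda/${module.pinpoint_to_sqs_sms_callbacks.function_name}"
+
+metric_transformation {
+name = "500-errors-pinpoint_to_sqs_sms_callbacks-api"
+namespace = "LogMetrics"
+value = "1"
+}
+}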
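Review bot: `aws_cloudwatch_log_group.pinpoint_to_sqs_sms_callbacks_log_group` creates a group named `pinpoint_to_sqs_sms_callbacks_log_group` with `sensitive_log_retention_period_days`, but the metric filter right below reads from `/aws/lambda/${module.pinpoint_to_sqs_sms_callbacks.function_name}`, which is the group a Lambda function writes to by default. Unless the module points the function's `logging_config` at the custom group (the module is not in this PR, so I cannot tell), the retention limit lands on an empty group while the function's real logs, which may contain phone numbers from the callbacks, keep the default unlimited retention. Either name the group `/aws/lambda/${module.pinpoint_to_sqs_sms_callbacks.function_name}` so the retention applies where the logs actually go, or confirm the module targets this group. The header comment `# SNS Receiving SMS CloudWatch logging` is also stale for a Pinpoint file and should read `# Pinpoint SMS callback CloudWatch logging`.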