Merge pull request #450 from wellcomecollection/rk/add-alert-slackbot

Add AWS Slack ChatBot for CloudWatch Alarms
wellcomecollection · Nov 1, 2024 · 5af2928 · 5af2928
2 parents 3ac8996 + 302d8fd
commit 5af2928
Show file tree

Hide file tree

Showing 9 changed files with 129 additions and 65 deletions.
diff --git a/monitoring/terraform/.terraform.lock.hcl b/monitoring/terraform/.terraform.lock.hcl
diff --git a/monitoring/terraform/modules/slack_chatbot/iam.tf b/monitoring/terraform/modules/slack_chatbot/iam.tf
@@ -0,0 +1,67 @@
+# Chatbot IAM roles and policies
+
+resource "aws_iam_role" "chatbot_role" {
+  name = "${var.configuration_name}-chatbot-role"
+  assume_role_policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Effect = "Allow"
+        Principal = {
+          Service = "chatbot.amazonaws.com"
+        }
+        Action = "sts:AssumeRole"
+      }
+    ]
+  })
+}
+
+data "aws_iam_policy_document" "cloudwatch_read" {
+  statement {
+    actions = [
+      "cloudwatch:Describe*",
+      "cloudwatch:Get*",
+      "cloudwatch:List*",
+    ]
+    effect    = "Allow"
+    resources = ["*"]
+  }
+}
+
+resource "aws_iam_policy" "cloudwatch_read" {
+  name        = "${var.configuration_name}-cloudwatch_read"
+  description = "Allow read access to CloudWatch"
+  policy      = data.aws_iam_policy_document.cloudwatch_read.json
+}
+
+resource "aws_iam_role_policy_attachment" "chatbot_role_policy" {
+  role       = aws_iam_role.chatbot_role.name
+  policy_arn = aws_iam_policy.cloudwatch_read.arn
+}
+
+# SNS Topic Policy
+
+data "aws_caller_identity" "current" {}
+
+data "aws_iam_policy_document" "sns_topic_policy" {
+  statement {
+    effect  = "Allow"
+    actions = ["SNS:Publish"]
+    principals {
+      type        = "Service"
+      identifiers = ["cloudwatch.amazonaws.com"]
+    }
+    condition {
+      test     = "StringEquals"
+      variable = "aws:SourceAccount"
+      values   = [data.aws_caller_identity.current.account_id]
+    }
+    resources = [aws_sns_topic.chatbot_events.arn]
+  }
+}
+
+resource "aws_sns_topic_policy" "default" {
+  arn    = aws_sns_topic.chatbot_events.arn
+  policy = data.aws_iam_policy_document.sns_topic_policy.json
+}
+
diff --git a/monitoring/terraform/modules/slack_chatbot/main.tf b/monitoring/terraform/modules/slack_chatbot/main.tf
@@ -0,0 +1,16 @@
+resource "aws_sns_topic" "chatbot_events" {
+  name = "${var.configuration_name}-chatbot-events"
+}
+
+resource "awscc_chatbot_slack_channel_configuration" "channel" {
+  configuration_name = var.configuration_name
+  iam_role_arn       = aws_iam_role.chatbot_role.arn
+  slack_channel_id   = var.slack_channel_id
+  slack_workspace_id = var.slack_workspace_id
+  sns_topic_arns     = [aws_sns_topic.chatbot_events.arn]
+  logging_level      = "INFO"
+
+  guardrail_policies = [
+    "arn:aws:iam::aws:policy/ReadOnlyAccess"
+  ]
+}
diff --git a/monitoring/terraform/modules/slack_chatbot/outputs.tf b/monitoring/terraform/modules/slack_chatbot/outputs.tf
@@ -0,0 +1,3 @@
+output "chatbot_topic_arn" {
+  value = aws_sns_topic.chatbot_events.arn
+}
diff --git a/monitoring/terraform/modules/slack_chatbot/variables.tf b/monitoring/terraform/modules/slack_chatbot/variables.tf
@@ -0,0 +1,11 @@
+variable "configuration_name" {
+  type = string
+}
+
+variable "slack_workspace_id" {
+  type = string
+}
+
+variable "slack_channel_id" {
+  type = string
+}
diff --git a/monitoring/terraform/outputs.tf b/monitoring/terraform/outputs.tf
@@ -0,0 +1,3 @@
+output "chatbot_topic_arn" {
+  value = module.slack_chatbot.chatbot_topic_arn
+}
diff --git a/monitoring/terraform/provider.tf b/monitoring/terraform/provider.tf
@@ -8,6 +8,12 @@ locals {
   }
 }
 
+provider "awscc" {
+  assume_role = {
+    role_arn = "arn:aws:iam::760097843905:role/platform-admin"
+  }
+}
+
 provider "aws" {
   region = var.aws_region
 

diff --git a/monitoring/terraform/slack_chatbot.tf b/monitoring/terraform/slack_chatbot.tf
@@ -0,0 +1,17 @@
+module "slack_chatbot" {
+  source = "./modules/slack_chatbot"
+
+  configuration_name = "alerting"
+  slack_workspace_id = data.aws_ssm_parameter.slack_workspace_id.value
+  slack_channel_id   = data.aws_ssm_parameter.slack_channel_id.value
+
+  alarm_match_string = "*slack_alarm*"
+}
+
+data "aws_ssm_parameter" "slack_workspace_id" {
+  name = "/platform/alert_chatbot/workspace_id"
+}
+
+data "aws_ssm_parameter" "slack_channel_id" {
+  name = "/platform/alert_chatbot/channel_id"
+}
diff --git a/monitoring/terraform/terraform.tf b/monitoring/terraform/terraform.tf
@@ -1,7 +1,12 @@
 # Terraform config
 
 terraform {
-  required_version = ">= 0.10"
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 5.6.1"
+    }
+  }
 
   backend "s3" {
     role_arn = "arn:aws:iam::760097843905:role/platform-developer"