feat(connectivity_check): add automated monitoring with CloudWatch metrics and alarms #79
Conversation
…trics and alarms - Add monitoring.tf with EventBridge scheduling and CloudWatch alarms - Extend Lambda handler to publish EndpointConnectivity and EndpointLatency metrics - Add @aws-sdk/client-cloudwatch dependency to package.json - Add monitoring configuration variables (enable_monitoring, monitoring_schedule, monitoring_targets, alarm_sns_topic_arns) - Create per-critical-endpoint alarms, aggregate alarm, and Lambda error alarm - All monitoring features are optional and backward compatible Task: Enable proactive monitoring for Janus external dependencies after identity service outage incident
| } | ||
|
|
||
| // Include critical flag in result | ||
| result.critical = target.critical; |
There was a problem hiding this comment.
Since critical is included in target, and testTcp() and testHttp() already copy fields from target into their result, they could also include critical in their results and avoid having to add it after the fact.
| variable "monitoring_schedule" { | ||
| description = "EventBridge schedule expression for monitoring (e.g., 'rate(5 minutes)')" | ||
| type = string | ||
| default = "rate(5 minutes)" |
There was a problem hiding this comment.
More granularity might be a good idea. As configured it'll take 10 minutes for the alarm to fire. Running it every minute and requiring 3 or 4 evaluation periods would invoke an alarm much sooner and have a smaller false positive rate.
| variable "cloudwatch_namespace" { | ||
| description = "CloudWatch namespace for custom metrics" | ||
| type = string | ||
| default = "janus/connectivity" |
There was a problem hiding this comment.
| default = "janus/connectivity" | |
| default = "connectivity" |
Or make the default empty string and it can be the switch to turn metrics on/off
There was a problem hiding this comment.
Another option is hard-coding it so that all consumers have the same namespace, so when they get exported to datadog they'll all be consistent which might be useful for making cross-account/cross-team dashboards, since the metrics at that point will also (I think) be tagged with the account number, environment, etc.
| description = "Number of periods to evaluate for alarms" | ||
| type = number | ||
| default = 2 | ||
| } |
There was a problem hiding this comment.
The variables in this file can be removed
| targets = var.monitoring_targets | ||
| publishMetrics = true | ||
| cloudwatchNamespace = var.cloudwatch_namespace | ||
| failOnConnectivityLoss = false # Don't fail Lambda, just publish metrics |
There was a problem hiding this comment.
If this is always false we don't need the code for it. For now I think it makes sense to just remove it, if it's not being used. We're generally going to be using datadog for monitoring the metrics anyway, since those will be available.
| arn = module.lambda.lambda_function_arn | ||
| input = jsonencode({ | ||
| targets = var.monitoring_targets | ||
| publishMetrics = true |
There was a problem hiding this comment.
This should be configurable, or it should depend on if cloudwatch_namespace is empty.
|
|
||
| # CloudWatch alarms for critical endpoint failures | ||
| # Creates one alarm per critical target | ||
| resource "aws_cloudwatch_metric_alarm" "critical_endpoint_failure" { |
There was a problem hiding this comment.
Might be good to try out what it'd look like to consume these in datadog as a PoC. I think we'd probably want monitors on all the hosts, but have different severities based on if the host is critical or not. Inevitably we may end up making a dashboard that aggregates all of these across all accounts.
Also might be worth looking into if these are necessary at all. We export metrics to datadog, so we could use that do the alerting on that side. Maybe skip making the cloudwatch alarms if var.alarm_sns_topic_arns is empty? That gives consumers a choice if they want to put datadog into the equation. Without datadog, I guess you'd put a SNS topic that hits alertops or something here.
JIRA: PLATEXP-11106
Add Monitoring Features to connectivity_check Module
Problem
The
connectivity_checkmodule currently supports on-demand connectivity testing via script invocation. We need automated scheduled monitoring with CloudWatch metrics and alarms for proactive alerting.Solution
Extend the module with optional monitoring capabilities while maintaining backward compatibility.
Changes
monitoring.tf(new):lambda/handler.ts:EndpointConnectivity(1=up, 0=down),EndpointLatency(ms)FunctionName,Endpoint,Criticallambda/package.json:@aws-sdk/client-cloudwatchdependencyvariables.tf:enable_monitoring,monitoring_schedule,monitoring_targets,alarm_sns_topic_arns,alarm_evaluation_periodsUsage Example
Backward Compatibility
All monitoring features are optional. Existing module usage continues to work unchanged.