Skip to content

ministryofjustice/cloud-platform-terraform-monitoring

Repository files navigation

cloud-platform-terraform-monitoring

Terraform module that deploy cloud-platform monitoring solution. It has support for components like: proxy, thanos, cloudwatch datasource for grafana, side-car, etc

Usage

module "monitoring" {
  source = "github.com/ministryofjustice/cloud-platform-terraform-monitoring?ref=0.1.3"

  alertmanager_slack_receivers               = var.alertmanager_slack_receivers
  pagerduty_config                           = var.pagerduty_config
  enable_ecr_exporter                        = terraform.workspace == local.live_workspace ? true : false
  enable_cloudwatch_exporter                 = terraform.workspace == local.live_workspace ? true : false
  enable_thanos_helm_chart                   = terraform.workspace == local.live_workspace ? true : false
  enable_prometheus_affinity_and_tolerations = terraform.workspace == local.live_workspace ? true : false
  
  cluster_domain_name           = data.terraform_remote_state.cluster.outputs.cluster_domain_name
  oidc_components_client_id     = data.terraform_remote_state.cluster.outputs.oidc_components_client_id
  oidc_components_client_secret = data.terraform_remote_state.cluster.outputs.oidc_components_client_secret
  oidc_issuer_url               = data.terraform_remote_state.cluster.outputs.oidc_issuer_url

  dependence_opa    = module.opa.helm_opa_status
}

Requirements

Name Version
terraform >= 1.2.5
aws >=4.24.0
helm >=2.6.0
http >=3.2.1
kubectl 2.0.4
kubernetes >=2.12.1
random >=3.4.3

Providers

Name Version
aws >=4.24.0
helm >=2.6.0
kubectl 2.0.4
kubernetes >=2.12.1
random >=3.4.3

Modules

Name Source Version
iam_assumable_role_monitoring terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc 3.13.0
iam_assumable_role_yace_cloudwatch_exporter terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc 4.24.1
irsa github.com/ministryofjustice/cloud-platform-terraform-irsa 2.0.0
rds_exporter_irsa github.com/ministryofjustice/cloud-platform-terraform-irsa 2.0.0
subnet_exporter_irsa github.com/ministryofjustice/cloud-platform-terraform-irsa 2.0.0

Resources

Name Type
aws_iam_policy.ecr_exporter resource
aws_iam_policy.grafana_datasource resource
aws_iam_policy.monitoring resource
aws_iam_policy.rds_exporter resource
aws_iam_policy.subnet_exporter resource
aws_iam_policy.yace_cloudwatch_exporter resource
aws_iam_role.grafana_role resource
aws_iam_role_policy_attachment.custom resource
helm_release.alertmanager_proxy resource
helm_release.ecr_exporter resource
helm_release.metrics_server resource
helm_release.prometheus_operator_eks resource
helm_release.prometheus_proxy resource
helm_release.rds_exporter resource
helm_release.subnet_exporter resource
helm_release.thanos resource
helm_release.thanos_proxy resource
helm_release.yace_cloudwatch_exporter resource
kubectl_manifest.manager_only_alerts resource
kubectl_manifest.prometheusrule_alerts resource
kubernetes_ingress_v1.ingress_redirect_grafana resource
kubernetes_limit_range.monitoring resource
kubernetes_namespace.monitoring resource
kubernetes_network_policy.allow-monitoring-alerts resource
kubernetes_network_policy.allow_ingress_controllers resource
kubernetes_network_policy.allow_kube_api resource
kubernetes_network_policy.default resource
kubernetes_resource_quota.monitoring resource
kubernetes_secret.dockerhub_credentials resource
kubernetes_secret.grafana_secret resource
kubernetes_secret.thanos_config resource
random_id.password resource
random_id.session_secret resource
random_id.username resource
aws_caller_identity.current data source
aws_iam_policy_document.assume_role_with_oidc data source
aws_iam_policy_document.ecr_exporter data source
aws_iam_policy_document.grafana_datasource_irsa data source
aws_iam_policy_document.monitoring data source
aws_iam_policy_document.rds_exporter data source
aws_iam_policy_document.subnet_exporter data source
aws_iam_policy_document.yace_cloudwatch_exporter data source

Inputs

Name Description Type Default Required
alertmanager_slack_receivers A list of configuration values for Slack receivers list(any) n/a yes
application n/a string "Monitoring" no
aws_subnet_exporter_image_tag Tag of the subnet exporter image to use string "" no
business_unit n/a string "Platforms" no
cluster_domain_name The cluster domain - used by externalDNS and certmanager to create URLs any n/a yes
dockerhub_password DockerHub password - required to avoid hitting Dockerhub API limits in EKS clusters string "" no
dockerhub_username DockerHub username - required to avoid hitting Dockerhub API limits in EKS clusters string "" no
eks_cluster_name n/a string "live" no
eks_cluster_oidc_issuer_url This is going to be used when we create the IAM OIDC role string "" no
enable_cloudwatch_exporter Enable or not Cloudwatch exporter bool false no
enable_ecr_exporter Enable or not ECR exporter bool false no
enable_large_nodesgroup Due to Prometheus resource consumption, enabling this will set k8s Prometheus resources to higher values bool false no
enable_prometheus_affinity_and_tolerations Enable or not Prometheus node affinity (check helm values for the expressions) bool false no
enable_rds_exporter Whether or not to enable the RDS exporter bool false no
enable_subnet_exporter Whether or not to enable the Subnet exporter bool false no
enable_thanos_compact Enable or not Thanos Compact - not semantically concurrency safe and must be deployed as a singleton against a bucket bool false no
enable_thanos_helm_chart Enable or not Thanos Helm Chart - (do NOT confuse this with thanos sidecar within prometheus-operator) bool false no
enable_thanos_sidecar Enable or not Thanos sidecar. Basically defines if we want to send cluster metrics to thanos's S3 bucket bool false no
environment n/a string "production" no
infrastructure_support n/a string "Cloud Platform" no
is_production n/a string "true" no
large_nodesgroup_cpu_requests CPU requests for large nodesgroup string "1300m" no
large_nodesgroup_memory_requests Memory requests for large nodesgroup string "14000Mi" no
oidc_components_client_id OIDC ClientID used to authenticate to Grafana, AlertManager and Prometheus (oauth2-proxy) any n/a yes
oidc_components_client_secret OIDC ClientSecret used to authenticate to Grafana, AlertManager and Prometheus (oauth2-proxy) any n/a yes
oidc_issuer_url Issuer URL used to authenticate to Grafana, AlertManager and Prometheus (oauth2-proxy) any n/a yes
pagerduty_config Add PagerDuty key to allow integration with a PD service. any n/a yes
team_name n/a string "webops" no

Outputs

Name Description
helm_prometheus_operator_eks_status n/a