Default Google API Alerts #2747
Conversation
joshw123
force-pushed
the
DefaultAPIAlerts
branch
from
2693d88 to
c5e5406
Compare
|
Just bringing this over to the new PR, The reason I originally put it within the project module, is because for Compliance to pass, every project created needs to have these API Alerts configured, including the projects created in Bootrap, Resman etc... by putting this into Project Factory would mean projects created outside of |
As mentioned in the README.md, its generally best to default to true on the module itself to ensure that every project receives. |
|
|
||
| Although you may not use the services listed above, such as SQL, it is still important to monitor these events for compliance purposes | ||
|
|
||
| To enable these alerts by default on all projects created, it is recommended to default the variable `api_slerts` within `variables.tf` to true, along with adding a default email address. |
I agree with @ludoo that the project module might not be the most suitable place for these metrics. If we go with the metrics in this PR, where do we draw the line? Why would we want these metrics but not, for example, GCE, GKE, or BigQuery metrics? Beyond that, this PR is introducing log-based metrics, custom metrics, and alert policies. What if the user wants to customize or exclude some of these resources? I'm also concerned about potential permission issues around the creation of these new resources. In another message you said that your goal is to enable these metrics within FAST projects. However, this approach forces all projects to have all these metrics, even if they just need some of them. I'd suggest implementing a more targeted approach by implementing these metrics within the specific projects where they are directly relevant—for instance, incorporating VPC-related metrics solely into networking projects. An alternative approach could involve creating an 'observability factory' to manage these resources. Within FAST, you could have data folders to store the observability configuration specific to each project. @ludoo @sruffilli wdyt? |
|
@juliocc you probably dropped off the call before we got to this point yesterday, but the original requirement slightly change how I see this. What I got from the call (rough recap): customers who need ISO compliance / use SCC need to have specific API alerts at the project level for every project, even for disabled APIs. It sounds dumb, but yep that's how compliance works in my experience. So while I agree the actual metric+alert recipes should not be in the project module, I might see a benefit of having an additional factory in the module that allows configuring metric+alert pairs from YAML files in a folder. This means that in FAST, you can point every stage creating projects to the same folder and get the same API alert policy applied everywhere. A couple alternatives:
So all in all, I'm supportive of adding factory support in the project module, and then keeping the configurations outside of it. WDYT? |
Indeed. I missed that part of the discussion. I'll reserve my opinion on the value of checkbox compliance for myself ;)
What do you mean with "logging module"? Currently logging is embedded within the CRM modules (project, folder, organization).
Agreed. This sounds like a more sensible approach. We could even start curating a nice set of observability recipes like the ones proposed in this PR. |
😁
This, refactoring it to encompass more logging-related functionality.
Sounds like we have a plan. :) |
|
Josh I'm closing this, we should rework this as described above. I can give it a shot this week, or let me know if you prefer to try your hand at this. |
Checklist
I applicable, I acknowledge that I have:
terraform fmton all modified filestools/tfdoc.py