Add Alerts, Logging, Channels Factories #2758
Conversation
There was a problem hiding this comment.
@joshw123 this is great stuff!
I left comments below, but besides that:
- We need to update project/README.md to include examples the new variables and factories
- FAST tests need to be updated
I have a few more things, but let's start with this batch.
Co-authored-by: Julio Castillo <[email protected]>
Co-authored-by: Julio Castillo <[email protected]>
Thank You, Ill look at the above, Im checking through all the fields too to ensure optional and required match the docs, and to include validation where necessary :) |
|
@ludoo @juliocc The only two tests that are still not passing are examples.test_plan.test_example[terraform:modules/project-factory:Example:1] examples.test_plan.test_example[terraform:modules/project-factory:Tests:1] I don't know if its just me, but I can't seem to see where it is getting them values, could you point me in the right direction please? :) Thank You. |
Look at the
Same thing here. Take a look at the contributing guide for more details. |
|
Can you sign the CLA from the |
That address is mine. Should be fixed now. |
|
@joshw123 I'll do my second pass today. Apologies for the delay. |
| @@ -102,6 +102,12 @@ variable "custom_roles" { | |||
| default = {} | |||
| } | |||
|
|
|||
| variable "default_alerts_email" { | |||
There was a problem hiding this comment.
should we use the existing essential_contacts email here?
There was a problem hiding this comment.
I had a similar thought either using an existing group, or building something with var.organization.domain
I actually prefer using essential_contacts
| @@ -23,7 +23,7 @@ locals { | |||
| # If users give a list of custom audiences we set by default the first element. | |||
| # If no audiences are given, we set https://iam.googleapis.com/{PROVIDER_NAME} | |||
| audiences = try( | |||
| local.cicd_providers[v["identity_provider"]].audiences, "" | |||
| local.cicd_providers[v["identity_provider"]].audiences, "e" | |||
| @@ -109,6 +109,7 @@ locals { | |||
| vpcsc = module.automation-tf-vpcsc-sa.email | |||
| vpcsc-r = module.automation-tf-vpcsc-r-sa.email | |||
| } | |||
| default_alerts_email = var.default_alerts_email | |||
There was a problem hiding this comment.
this should go in globals, but TBH I would not even pass this down as it's specific to stage 0
| @@ -109,6 +109,7 @@ locals { | |||
| vpcsc = module.automation-tf-vpcsc-sa.email | |||
| vpcsc-r = module.automation-tf-vpcsc-r-sa.email | |||
| } | |||
| default_alerts_email = var.default_alerts_email | |||
There was a problem hiding this comment.
should we export notification channels to the following stages?
| @@ -68,6 +68,12 @@ variable "custom_roles" { | |||
| default = null | |||
| } | |||
|
|
|||
| variable "default_alerts_email" { | |||
There was a problem hiding this comment.
this might be different for notifications set here, I would not include it in FAST variables
| @@ -37,6 +37,12 @@ variable "billing_account" { | |||
| } | |||
| } | |||
|
|
|||
| variable "default_alerts_email" { | |||
There was a problem hiding this comment.
same as for resman, this should be configurable at the stage level
|
|
||
| network-firewall-config-changes: | ||
| description: "Monitor VPC network firewall configuration changes inside GCP projects" | ||
| filter: "resource.type=\"gce_firewall_rule\" AND (protoPayload.methodName:\"compute.firewalls.delete\" OR protoPayload.methodName:\"compute.firewalls.insert\")" |
There was a problem hiding this comment.
please use "|" syntax for all filters in this file
There was a problem hiding this comment.
I've done this in the PR I sent
| sensitive = true | ||
| value = local.tfvars_globals | ||
| sensitive = false | ||
| value = jsonencode(local.tfvars_globals) |
There was a problem hiding this comment.
What's this about?
/cc @ludoo
There was a problem hiding this comment.
We mark large outputs as sensitive so as not to pollute the screen at every apply, as they still can be fetched explictly even when sensitive. So I would keep it.
As for jsonencode, we never do it for outputs and the globals file is JSON anyway, so I would also revert that.
| @@ -102,6 +102,12 @@ variable "custom_roles" { | |||
| default = {} | |||
| } | |||
|
|
|||
| variable "default_alerts_email" { | |||
There was a problem hiding this comment.
I had a similar thought either using an existing group, or building something with var.organization.domain
I actually prefer using essential_contacts
| alerts = var.factories_config.alerts | ||
| channels = var.factories_config.channels | ||
| logging_metrics = var.factories_config.logging_metrics | ||
| } |
There was a problem hiding this comment.
now that we are creating LBMs and alerts, do we need to enable the logging and monitoring APIs?
Same, applies to all projects
| notification_channels = [ | ||
| try(google_monitoring_notification_channel.this[each.value.notification_channels].id, | ||
| each.value.notification_channels), | ||
| try(google_monitoring_notification_channel.default[0].id, "") | ||
| ] |
There was a problem hiding this comment.
I'm not sure this works (you're indexing google_monitoring_notification_channel.this with each.value.notification_channels, which is a list). Please double check.
Also, I think the default shouldn't be used if there are notification channels defined by the alert. For me, the logic should be:
- Try to use the locally created channel first,
- If the specified channel id is not created by us, use it as as an id (i.e. the notification channel was created elsewhere)
- If there are no notification channels, use the default, if provided.
Checklist
I applicable, I acknowledge that I have:
terraform fmton all modified filestools/tfdoc.py