feat(observability): adds support for monitoring lambda

enverus-cts · Nov 16, 2022 · 19498f1 · 19498f1
1 parent 96381b4
commit 19498f1
Show file tree

Hide file tree

Showing 6 changed files with 148 additions and 0 deletions.
diff --git a/main.tf b/main.tf
@@ -211,6 +211,7 @@ module "runners" {
   lambda_runtime                   = var.lambda_runtime
   lambda_architecture              = var.lambda_architecture
   lambda_zip                       = var.runners_lambda_zip
+  monitor_lambda_zip               = var.monitor_lambda_zip
   lambda_timeout_scale_up          = var.runners_scale_up_lambda_timeout
   lambda_timeout_scale_down        = var.runners_scale_down_lambda_timeout
   lambda_subnet_ids                = var.lambda_subnet_ids

diff --git a/modules/runners/main.tf b/modules/runners/main.tf
@@ -11,6 +11,7 @@ locals {
   role_path                       = var.role_path == null ? "/${var.prefix}/" : var.role_path
   instance_profile_path           = var.instance_profile_path == null ? "/${var.prefix}/" : var.instance_profile_path
   lambda_zip                      = var.lambda_zip == null ? "${path.module}/lambdas/runners/runners.zip" : var.lambda_zip
+  monitor_lambda_zip              = var.monitor_lambda_zip
   userdata_template               = var.userdata_template == null ? local.default_userdata_template[var.runner_os] : var.userdata_template
   kms_key_arn                     = var.kms_key_arn != null ? var.kms_key_arn : ""
   s3_location_runner_distribution = var.enable_runner_binaries_syncer ? "s3://${var.s3_runner_binaries.id}/${var.s3_runner_binaries.key}" : ""

diff --git a/modules/runners/policies/lambda-scale-runner-monitor.json b/modules/runners/policies/lambda-scale-runner-monitor.json
@@ -0,0 +1,33 @@
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Effect": "Allow",
+            "Action": [
+                "ssm:GetParameter"
+            ],
+            "Resource": [
+                "${github_app_key_base64_arn}",
+                "${github_app_id_arn}"
+            ]
+        },
+        {
+            "Effect": "Allow",
+            "Action": [
+                "sqs:ReceiveMessage",
+                "sqs:GetQueueAttributes",
+                "sqs:DeleteMessage"
+            ],
+            "Resource": "${sqs_arn}"
+%{ if kms_key_arn != "" ~}
+        },
+        {
+            "Effect": "Allow",
+            "Action": [
+                "kms:Decrypt"
+            ],
+            "Resource": "${kms_key_arn}"
+%{ endif ~}
+        }
+    ]
+}
diff --git a/modules/runners/runner-monitor.tf b/modules/runners/runner-monitor.tf
@@ -0,0 +1,97 @@
+resource "aws_lambda_function" "runner_monitor" {
+  s3_bucket                      = var.lambda_s3_bucket != null ? var.lambda_s3_bucket : null
+  s3_key                         = var.runners_lambda_s3_key != null ? var.runners_lambda_s3_key : null
+  s3_object_version              = var.runners_lambda_s3_object_version != null ? var.runners_lambda_s3_object_version : null
+  filename                       = var.lambda_s3_bucket == null ? local.monitor_lambda_zip : null
+  source_code_hash               = var.lambda_s3_bucket == null ? filebase64sha256(local.monitor_lambda_zip) : null
+  function_name                  = "${var.prefix}-scale-up"
+  role                           = aws_iam_role.runner_monitor.arn
+  handler                        = "lambda_function.lambda_handler"
+  runtime                        = var.lambda_runtime
+  timeout                        = 180
+  memory_size                    = 512
+  tags                           = local.tags
+  architectures                  = [var.lambda_architecture]
+
+  environment {
+    variables = {
+      PARAMETER_GITHUB_APP_ID_NAME         = var.github_app_parameters.id.name
+      PARAMETER_GITHUB_APP_KEY_BASE64_NAME = var.github_app_parameters.key_base64.name
+      SQS_QUEUE_NAME = var.var.sqs_workflow_job_queue.name
+    }
+  }
+
+  dynamic "vpc_config" {
+    for_each = var.lambda_subnet_ids != null && var.lambda_security_group_ids != null ? [true] : []
+    content {
+      security_group_ids = var.lambda_security_group_ids
+      subnet_ids         = var.lambda_subnet_ids
+    }
+  }
+}
+
+resource "aws_cloudwatch_log_group" "runner_monitor" {
+  name              = "/aws/lambda/${aws_lambda_function.runner_monitor.function_name}"
+  retention_in_days = var.logging_retention_in_days
+  kms_key_id        = var.logging_kms_key_id
+  tags              = var.tags
+}
+
+
+resource "aws_iam_role" "runner_monitor" {
+  name                 = "${var.prefix}-action-runner-monitor-role"
+  assume_role_policy   = data.aws_iam_policy_document.lambda_assume_role_policy.json
+  path                 = local.role_path
+  permissions_boundary = var.role_permissions_boundary
+  tags                 = local.tags
+}
+# working
+resource "aws_iam_role_policy" "runner_monitor" {
+  name = "${var.prefix}-lambda-runner-monitor-policy"
+  role = aws_iam_role.runner_monitor.name
+  policy = templatefile("${path.module}/policies/lambda-runner-monitor.json", {
+    arn_runner_instance_role  = aws_iam_role.runner.arn
+    sqs_arn                   = var.var.sqs_workflow_job_queue.arn
+    github_app_id_arn         = var.github_app_parameters.id.arn
+    github_app_key_base64_arn = var.github_app_parameters.key_base64.arn
+    kms_key_arn               = local.kms_key_arn
+  })
+}
+
+
+resource "aws_iam_role_policy" "runner_monitor_logging" {
+  name = "${var.prefix}-lambda-logging"
+  role = aws_iam_role.runner_monitor.name
+  policy = templatefile("${path.module}/policies/lambda-cloudwatch.json", {
+    log_group_arn = aws_cloudwatch_log_group.runner_monitor.arn
+  })
+}
+
+
+resource "aws_iam_role_policy_attachment" "runner_monitor_vpc_execution_role" {
+  count      = length(var.lambda_subnet_ids) > 0 ? 1 : 0
+  role       = aws_iam_role.runner_monitor.name
+  policy_arn = "arn:${var.aws_partition}:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole"
+}
+
+resource "aws_iam_role_policy" "ami_id_ssm_parameter_read" {
+  count  = var.ami_id_ssm_parameter_name != null ? 1 : 0
+  name   = "${var.prefix}-ami-id-ssm-parameter-read"
+  role   = aws_iam_role.runner_monitor.name
+  policy = <<-JSON
+    {
+      "Version": "2012-10-17",
+      "Statement": [
+        {
+          "Effect": "Allow",
+          "Action": [
+            "ssm:GetParameter"
+          ],
+          "Resource": [
+            "arn:aws:ssm:${var.aws_region}:${data.aws_caller_identity.current.account_id}:parameter/${trimprefix(var.ami_id_ssm_parameter_name, "/")}"
+          ]
+        }
+      ]
+    }
+  JSON
+}
diff --git a/modules/runners/variables.tf b/modules/runners/variables.tf
@@ -582,3 +582,11 @@ variable "enable_user_data_debug_logging" {
   type        = bool
   default     = false
 }
+
+
+###### Enverus Variables
+variable "monitor_lambda_zip" {
+  description = "File location of the lambda zip file."
+  type        = string
+  default     = null
+}
diff --git a/variables.tf b/variables.tf
@@ -758,3 +758,11 @@ variable "enable_user_data_debug_logging_runner" {
   type        = bool
   default     = false
 }
+
+##### Enverus Variables
+
+variable "monitor_lambda_zip" {
+  description = "File location of the lambda zip file for monitor runners."
+  type        = string
+  default     = null
+}