cloud-platform-terraform-opensearch-alert


This Terraform module creates an OpenSearch alert for detecting specific conditions on user application logs and sends notifications to a Slack channel. It allows users to configure various aspects of the alert, including the query, triggers, and Slack channel settings.

It targets the Application Log OpenSearch Cluster by default.

For the ModSec OpenSearch cluster, set the variables below when calling the module (they are module arguments, not `var.` references):

aws_opensearch_domain = "cp-live-modsec-audit"
aws_iam_role          = "opensearch-access-role"
index                 = ["live_k8s_modsec*", "live_k8s_modsec_ingress*"]

Usage

Prerequisites

Before using this module, you need to use the cloud-platform-terraform-secrets-manager module to create a secret in AWS Secrets Manager that will hold the Slack webhook URL.

You will then need to log in to the AWS Console and manually set the secret key and secret value.

Set the secret key to your desired key (e.g. `url`) and the secret value to the actual Slack webhook URL. Treat the webhook URL as a credential: anyone who holds it can post to the channel, so it must not be committed to your Terraform code. Note that the module reads it through the `aws_secretsmanager_secret_version` data source, so the value will also be recorded in your Terraform state; protect the state file accordingly.

Once the Slack webhook URL is stored, reference it from the OpenSearch alert module through the `secret_name` and `secret_key` variables.

Example for creating alert in application log OpenSearch Cluster

module "opensearch_alert_app_log" {
  source = "github.com/ministryofjustice/cloud-platform-terraform-opensearch-alerts?ref=1.0.0" # use the latest module

  secret_name                    = "secret-name-created-by-secret-manager-module" 
  secret_key                     = "url"

  slack_channel_name             = "your-slack-channel-name" 
  slack_channel_name_description = "slack-channel-description"

  environment_name               = var.environment
  opensearch_alert_name          = "example-opensearch-alert-name" # To maintain uniqueness, the actual alert name will be in the format "${var.environment_name}-${var.opensearch_alert_name}-${local.identifier}"
  opensearch_alert_enabled       = true
  monitor_period_interval        = "1"
  monitor_period_unit            = "MINUTES"
  alert_query                    = jsonencode(
    {
      Your_alert_query : query
    }
  )
  trigger_name                   = "example-trigger-name"
  serverity                      = "1"
  query_source                   = "ctx.results[0].hits.total.value > 1"
  action_name                    = "trigger-action-name"
  slack_message_subject          = "slack-message-subject"
  slack_message_template         = "Monitor {{ctx.monitor.name}} just entered alert status. Please investigate the issue.\n- Trigger: {{ctx.trigger.name}}\n- Severity: {{ctx.trigger.severity}}" 
  alert_throttle_enabled         = true
  throttle_value                 = 60
  throttle_unit                  = "MINUTES"
}

Example for creating alert in modsec OpenSearch Cluster

module "opensearch_alert_mod_sec" {
  source = "github.com/ministryofjustice/cloud-platform-terraform-opensearch-alerts?ref=1.0.0" # use the latest module

  aws_opensearch_domain          = "cp-live-modsec-audit" #add this for modsec opensearch cluster
  aws_iam_role                   = "opensearch-access-role" #add this for modsec opensearch cluster
  index                          = ["live_k8s_modsec*", "live_k8s_modsec_ingress*"] #add this for modsec opensearch cluster

  secret_name                    = "secret-name-created-by-secret-manager-module" 
  secret_key                     = "url"

  slack_channel_name             = "your-slack-channel-name" 
  slack_channel_name_description = "slack-channel-description"

  environment_name               = var.environment
  opensearch_alert_name          = "example-opensearch-alert-name" # To maintain uniqueness, the actual alert name will be in the format "${var.environment_name}-${var.opensearch_alert_name}-${local.identifier}"
  opensearch_alert_enabled       = true
  monitor_period_interval        = "1"
  monitor_period_unit            = "MINUTES"
  alert_query                    = jsonencode(
    {
      Your_alert_query : query
    }
  )
  trigger_name                   = "example-trigger-name"
  serverity                      = "1"
  query_source                   = "ctx.results[0].hits.total.value > 1"
  action_name                    = "trigger-action-name"
  slack_message_subject          = "slack-message-subject"
  slack_message_template         = "Monitor {{ctx.monitor.name}} just entered alert status. Please investigate the issue.\n- Trigger: {{ctx.trigger.name}}\n- Severity: {{ctx.trigger.severity}}" 
  alert_throttle_enabled         = true
  throttle_value                 = 60
  throttle_unit                  = "MINUTES"
}
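The examples above leave the query itself as a placeholder. The following is a concrete instance for the application-log cluster, added here as an illustration; it is not taken from the module's examples/ folder. It assumes the query is passed as the monitor's search body (which is what the examples imply), and the index field names (`kubernetes.namespace_name`, `log`), the namespace and the log message text are assumptions about what your application writes, so adjust them to your own logs.

```hcl
module "opensearch_alert_failed_logins" {
  source = "github.com/ministryofjustice/cloud-platform-terraform-opensearch-alerts?ref=1.0.0" # use the latest module

  secret_name = "my-app-slack-webhook" # assumed: the name you gave the secrets-manager module
  secret_key  = "url"

  slack_channel_name             = "my-app-alerts"
  slack_channel_name_description = "Security alerts for my-app"

  environment_name         = var.environment
  opensearch_alert_name    = "failed-logins"
  opensearch_alert_enabled = true

  # Run the monitor every minute ...
  monitor_period_interval = "1"
  monitor_period_unit     = "MINUTES"

  # ... and only count documents from the last minute, so each run sees new
  # events rather than re-alerting on the same history. size = 0 returns only
  # the hit count, which is all the trigger condition below needs.
  alert_query = jsonencode({
    size = 0
    query = {
      bool = {
        filter = [
          { term         = { "kubernetes.namespace_name" = "my-app-dev" } },   # assumed field name
          { match_phrase = { log = "authentication failed" } },                # assumed field name and message
          { range        = { "@timestamp" = { gte = "now-1m", lte = "now" } } }
        ]
      }
    }
  })

  trigger_name = "failed-logins-over-threshold"
  serverity    = "2" # the module's input is spelled this way
  # Fire only when more than 10 matching documents were returned by the query.
  query_source = "ctx.results[0].hits.total.value > 10"

  action_name            = "notify-slack"
  slack_message_subject  = "Failed logins spike in my-app-dev"
  slack_message_template = "Monitor {{ctx.monitor.name}} saw {{ctx.results.0.hits.total.value}} failed logins in the last minute.\n- Trigger: {{ctx.trigger.name}}\n- Severity: {{ctx.trigger.severity}}"

  # Send at most one Slack message per 30 minutes for this trigger, so a
  # sustained brute-force attempt does not flood the channel.
  alert_throttle_enabled = true
  throttle_value         = 30
  throttle_unit          = "MINUTES"
}
```

Keep the `range` window in the query aligned with `monitor_period_interval` and `monitor_period_unit`; a window wider than the schedule makes the same events count towards several consecutive runs, and the throttle is then the only thing stopping repeated notifications.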

See the examples/ folder and Cloud Platform User Guide for more information.

Requirements

Name Version
terraform >= 1.2.5
aws >= 4.0.0
kubernetes >= 2.0.0
opensearch 2.2.1
random >= 2.0.0

Providers

Name Version
aws >= 4.0.0
opensearch.app_logs 2.2.1
random >= 2.0.0

Modules

No modules.

Resources

Name Type
opensearch_channel_configuration.slack_alarm resource
opensearch_monitor.opensearch_alert resource
random_id.id resource
aws_caller_identity.current data source
aws_iam_role.os_access_role_app_logs data source
aws_opensearch_domain.live_app_logs data source
aws_partition.current data source
aws_region.current data source
aws_secretsmanager_secret_version.slack_webhook_url data source

Inputs

Name Description Type Default Required
action_name Name of the action string n/a yes
alert_query The OpenSearch query in JSON format string n/a yes
alert_throttle_enabled Whether to throttle Slack notifications for the trigger (see throttle_value and throttle_unit) bool true no
aws_iam_role AWS IAM role used for alert creation. Defaults to the user application logs one. string "opensearch-access-role-app-logs" no
aws_opensearch_domain The OpenSearch cluster in which the alert is created. Defaults to the user application logs one. string "cp-live-app-logs" no
environment_name Environment name string n/a yes
index Indices to be monitored list(string) ["live_kubernetes_cluster*"] no
monitor_period_interval Interval for the monitor schedule period number 1 no
monitor_period_unit Unit for the monitor schedule period string "MINUTES" no
opensearch_alert_enabled Whether the OpenSearch alert (monitor) is enabled bool true no
opensearch_alert_name OpenSearch Alert Name string n/a yes
query_source Source script for the trigger condition string "ctx.results[0].hits.total.value > 1" no
secret_key Key within the Secrets Manager secret that holds the Slack webhook URL string n/a yes
secret_name Name of the secret created by the cloud-platform-terraform-secrets-manager module string n/a yes
serverity Alert severity (the input name is spelled as shown). Only allows values from 1 to 5, with 1 the highest and 5 the lowest number 1 no
slack_channel_name Slack Channel Name string n/a yes
slack_channel_name_description Slack Channel Description string "" no
slack_message_subject Subject for Slack Message string n/a yes
slack_message_template Message template for Slack notifications string "Monitor {{ctx.monitor.name}} just entered alert status. Please investigate the issue.\n- Trigger: {{ctx.trigger.name}}\n- Severity: {{ctx.trigger.severity}}\n" no
throttle_unit Unit for the throttle string "MINUTES" no
throttle_value Use throttling to limit the number of notifications you receive within a given time frame number 60 no
trigger_name Name of the trigger string n/a yes

Outputs

No outputs.

Tags

Some of the inputs for this module are tags. All infrastructure resources must be tagged to meet the MOJ Technical Guidance on Documenting owners of infrastructure.

You should use your namespace variables to populate these. See the Usage section for more information.

Reading Material
