Wardship: add cloudwatch alerts & WAF (#3971)

* add cloudwatch alert config

* add WAF config

terraform/environments/wardship/ecs.tf

@@ -276,3 +276,81 @@ resource "aws_cloudwatch_log_resource_policy" "ecs_logging_policy" {
   })
   policy_name = "TrustEventsToStoreLogEvents"
 }
+
+resource "aws_cloudwatch_metric_alarm" "ecs_cpu_alarm" {
+  count               = local.is-development ? 0 : 1
+  alarm_name          = "ecs-cpu-utilization-alarm"
+  comparison_operator = "GreaterThanOrEqualToThreshold"
+  evaluation_periods  = "2"
+  metric_name         = "CpuUtilized"
+  namespace           = "ECS/ContainerInsights"
+  period              = "120"
+  statistic           = "Average"
+  threshold           = "80"
+  alarm_description   = "This metric checks if CPU utilization is high - threshold set to 80%"
+  alarm_actions       = [aws_sns_topic.wardship_utilisation_alarm[0].arn]
+  dimensions = {
+    ClusterName = aws_ecs_cluster.wardship_cluster.name
+  }
+}
+
+resource "aws_cloudwatch_metric_alarm" "ecs_memory_alarm" {
+  count               = local.is-development ? 0 : 1
+  alarm_name          = "ecs-memory-utilization-alarm"
+  comparison_operator = "GreaterThanOrEqualToThreshold"
+  evaluation_periods  = "2"
+  metric_name         = "MemoryUtilized"
+  namespace           = "ECS/ContainerInsights"
+  period              = "120"
+  statistic           = "Average"
+  threshold           = "1600"
+  alarm_description   = "This metric checks if memory utilization is high - threshold set to 1600MB"
+  alarm_actions       = [aws_sns_topic.wardship_utilisation_alarm[0].arn]
+  dimensions = {
+    ClusterName = aws_ecs_cluster.wardship_cluster.name
+  }
+}
+
+resource "aws_sns_topic" "wardship_utilisation_alarm" {
+  count = local.is-development ? 0 : 1
+  name  = "wardship_utilisation_alarm"
+}
+
+# Pager duty integration
+
+# Get the map of pagerduty integration keys from the modernisation platform account
+data "aws_secretsmanager_secret" "pagerduty_integration_keys" {
+  provider = aws.modernisation-platform
+  name     = "pagerduty_integration_keys"
+}
+data "aws_secretsmanager_secret_version" "pagerduty_integration_keys" {
+  provider  = aws.modernisation-platform
+  secret_id = data.aws_secretsmanager_secret.pagerduty_integration_keys.id
+}
+
+# Add a local to get the keys
+locals {
+  pagerduty_integration_keys = jsondecode(data.aws_secretsmanager_secret_version.pagerduty_integration_keys.secret_string)
+}
+
+# link the sns topic to the service - preprod
+module "pagerduty_core_alerts_non_prod" {
+  count = local.is-preproduction ? 1 : 0
+  depends_on = [
+    aws_sns_topic.wardship_utilisation_alarm
+  ]
+  source                    = "github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0"
+  sns_topics                = [aws_sns_topic.wardship_utilisation_alarm[0].name]
+  pagerduty_integration_key = local.pagerduty_integration_keys["wardship_non_prod_alarms"]
+}
+
+# link the sns topic to the service - prod
+module "pagerduty_core_alerts_prod" {
+  count = local.is-production ? 1 : 0
+  depends_on = [
+    aws_sns_topic.wardship_utilisation_alarm
+  ]
+  source                    = "github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0"
+  sns_topics                = [aws_sns_topic.wardship_utilisation_alarm[0].name]
+  pagerduty_integration_key = local.pagerduty_integration_keys["wardship_prod_alarms"]
+}

terraform/environments/wardship/load_balancer.tf

@@ -155,3 +155,8 @@ resource "aws_lb_listener" "wardship_lb" {
     target_group_arn = aws_lb_target_group.wardship_target_group.arn
   }
 }
+
+resource "aws_wafv2_web_acl_association" "web_acl_association_my_lb" {
+  resource_arn = aws_lb.wardship_lb.arn
+  web_acl_arn  = aws_wafv2_web_acl.wardship_web_acl.arn
+}

terraform/environments/wardship/waf.tf

@@ -0,0 +1,36 @@
+resource "aws_wafv2_web_acl" "wardship_web_acl" {
+  name  = "wardship-web-acl"
+  scope = "REGIONAL"
+
+  default_action {
+    allow {}
+  }
+
+  rule {
+    name     = "common-rule-set"
+    priority = 1
+
+    override_action {
+      none {}
+    }
+
+    statement {
+      managed_rule_group_statement {
+        name        = "AWSManagedRulesCommonRuleSet"
+        vendor_name = "AWS"
+      }
+    }
+
+    visibility_config {
+      cloudwatch_metrics_enabled = true
+      metric_name                = "AWSManagedRulesCommonRuleSetMetrics"
+      sampled_requests_enabled   = true
+    }
+  }
+
+  visibility_config {
+    cloudwatch_metrics_enabled = true
+    metric_name                = "wardship-web-acl"
+    sampled_requests_enabled   = true
+  }
+}