govuk-one-login · whi-tw · Dec 9, 2024 · Dec 9, 2024 · Dec 9, 2024 · Dec 9, 2024
@@ -12,7 +12,7 @@ resource "aws_cloudwatch_metric_alarm" "sqs_deadletter_cloudwatch_alarm" {
     QueueName = aws_sqs_queue.email_dead_letter_queue.name
   }
   alarm_description = "${var.dlq_alarm_threshold} or more messages have appeared on the ${aws_sqs_queue.email_dead_letter_queue.name}"
-  alarm_actions     = [data.aws_sns_topic.slack_events.arn]
+  alarm_actions     = [local.slack_event_sns_topic_arn]
 }
 moved {
   from = aws_cloudwatch_metric_alarm.sqs_deadletter_cloudwatch_alarm[0]
@@ -37,9 +37,5 @@ moved {
 #  }
 #
 #  alarm_description = "${var.waf_alarm_blocked_reqeuest_threshold} or more blocked requests have been received by the ${aws_wafv2_web_acl.wafregional_web_acl_am_api[count.index].name} in the last 5 minutes"
-#  alarm_actions     = [data.aws_sns_topic.slack_events.arn]
+#  alarm_actions     = [local.slack_event_sns_topic_arn]
 #}
-
-data "aws_sns_topic" "slack_events" {
-  name = "${var.environment}-slack-events"
-}
@@ -57,8 +57,8 @@ module "authenticate" {
   cloudwatch_log_retention               = var.cloudwatch_log_retention
   lambda_env_vars_encryption_kms_key_arn = data.terraform_remote_state.shared.outputs.lambda_env_vars_encryption_kms_key_arn
 
-  account_alias         = data.aws_iam_account_alias.current.account_alias
-  slack_event_topic_arn = data.aws_sns_topic.slack_events.arn
+  account_alias         = local.aws_account_alias
+  slack_event_topic_arn = local.slack_event_sns_topic_arn
   dynatrace_secret      = local.dynatrace_secret
 
 

@@ -135,16 +135,16 @@ resource "aws_cloudwatch_metric_alarm" "lambda_authorizer_error_cloudwatch_alarm
   period              = "3600"
   statistic           = "Sum"
   threshold           = local.alert_error_threshold
-  alarm_description   = "${local.alert_error_threshold} or more errors have occurred in the ${var.environment} ${aws_lambda_function.authorizer.function_name} lambda. ACCOUNT: ${data.aws_iam_account_alias.current.account_alias}"
-  alarm_actions       = [data.aws_sns_topic.slack_events.arn]
+  alarm_description   = "${local.alert_error_threshold} or more errors have occurred in the ${var.environment} ${aws_lambda_function.authorizer.function_name} lambda. ACCOUNT: ${local.aws_account_alias}"
+  alarm_actions       = [local.slack_event_sns_topic_arn]
 }
 
 resource "aws_cloudwatch_metric_alarm" "lambda_authorizer_error_rate_cloudwatch_alarm" {
   alarm_name          = replace("${var.environment}-${aws_lambda_function.authorizer.function_name}-error-rate-alarm", ".", "")
   comparison_operator = "GreaterThanOrEqualToThreshold"
   evaluation_periods  = "1"
   threshold           = local.alert_error_rate_threshold
-  alarm_description   = "Lambda error rate of ${local.alert_error_rate_threshold} has been reached in the ${var.environment} ${aws_lambda_function.authorizer.function_name} lambda.ACCOUNT: ${data.aws_iam_account_alias.current.account_alias}"
+  alarm_description   = "Lambda error rate of ${local.alert_error_rate_threshold} has been reached in the ${var.environment} ${aws_lambda_function.authorizer.function_name} lambda.ACCOUNT: ${local.aws_account_alias}"
 
   metric_query {
     id          = "e1"
@@ -181,5 +181,5 @@ resource "aws_cloudwatch_metric_alarm" "lambda_authorizer_error_rate_cloudwatch_
       }
     }
   }
-  alarm_actions = [data.aws_sns_topic.slack_events.arn]
+  alarm_actions = [local.slack_event_sns_topic_arn]
 }
@@ -60,8 +60,8 @@ module "delete_account" {
   cloudwatch_log_retention               = var.cloudwatch_log_retention
   lambda_env_vars_encryption_kms_key_arn = data.terraform_remote_state.shared.outputs.lambda_env_vars_encryption_kms_key_arn
 
-  account_alias         = data.aws_iam_account_alias.current.account_alias
-  slack_event_topic_arn = data.aws_sns_topic.slack_events.arn
+  account_alias         = local.aws_account_alias
+  slack_event_topic_arn = local.slack_event_sns_topic_arn
   dynatrace_secret      = local.dynatrace_secret
 
   depends_on = [module.account_management_api_remove_account_role]

@@ -0,0 +1 @@
+../dynatrace.tf
@@ -30,7 +30,7 @@ resource "aws_elasticache_replication_group" "account_management_sessions_store"
   parameter_group_name        = "default.redis6.x"
   port                        = local.redis_port_number
   maintenance_window          = "tue:22:00-tue:23:00"
-  notification_topic_arn      = data.aws_sns_topic.slack_events.arn
+  notification_topic_arn      = local.slack_event_sns_topic_arn
 
   multi_az_enabled = true
 

@@ -73,8 +73,8 @@ module "send_otp_notification" {
   lambda_env_vars_encryption_kms_key_arn = data.terraform_remote_state.shared.outputs.lambda_env_vars_encryption_kms_key_arn
   authorizer_id                          = aws_api_gateway_authorizer.di_account_management_api.id
 
-  account_alias         = data.aws_iam_account_alias.current.account_alias
-  slack_event_topic_arn = data.aws_sns_topic.slack_events.arn
+  account_alias         = local.aws_account_alias
+  slack_event_topic_arn = local.slack_event_sns_topic_arn
   dynatrace_secret      = local.dynatrace_secret
 
   depends_on = [

@@ -19,4 +19,7 @@ locals {
   client_registry_encryption_key_arn          = data.terraform_remote_state.shared.outputs.client_registry_encryption_key_arn
   user_profile_kms_key_arn                    = data.terraform_remote_state.shared.outputs.user_profile_kms_key_arn
   email_check_results_encryption_policy_arn   = data.terraform_remote_state.shared.outputs.email_check_results_encryption_policy_arn
+
+  slack_event_sns_topic_arn = data.terraform_remote_state.shared.outputs.slack_event_sns_topic_arn
+  aws_account_alias         = data.terraform_remote_state.shared.outputs.aws_account_alias
 }
@@ -64,8 +64,8 @@ module "update_email" {
   cloudwatch_log_retention               = var.cloudwatch_log_retention
   lambda_env_vars_encryption_kms_key_arn = data.terraform_remote_state.shared.outputs.lambda_env_vars_encryption_kms_key_arn
 
-  account_alias         = data.aws_iam_account_alias.current.account_alias
-  slack_event_topic_arn = data.aws_sns_topic.slack_events.arn
+  account_alias         = local.aws_account_alias
+  slack_event_topic_arn = local.slack_event_sns_topic_arn
   dynatrace_secret      = local.dynatrace_secret
 
   depends_on = [module.account_management_api_update_email_role]

@@ -60,8 +60,8 @@ module "update_password" {
   cloudwatch_log_retention               = var.cloudwatch_log_retention
   lambda_env_vars_encryption_kms_key_arn = data.terraform_remote_state.shared.outputs.lambda_env_vars_encryption_kms_key_arn
 
-  account_alias         = data.aws_iam_account_alias.current.account_alias
-  slack_event_topic_arn = data.aws_sns_topic.slack_events.arn
+  account_alias         = local.aws_account_alias
+  slack_event_topic_arn = local.slack_event_sns_topic_arn
   dynatrace_secret      = local.dynatrace_secret
 
   depends_on = [module.account_management_api_update_password_role]

@@ -60,8 +60,8 @@ module "update_phone_number" {
   cloudwatch_log_retention               = var.cloudwatch_log_retention
   lambda_env_vars_encryption_kms_key_arn = data.terraform_remote_state.shared.outputs.lambda_env_vars_encryption_kms_key_arn
 
-  account_alias         = data.aws_iam_account_alias.current.account_alias
-  slack_event_topic_arn = data.aws_sns_topic.slack_events.arn
+  account_alias         = local.aws_account_alias
+  slack_event_topic_arn = local.slack_event_sns_topic_arn
   dynatrace_secret      = local.dynatrace_secret
 
   depends_on = [module.account_management_api_update_phone_number_role]

@@ -0,0 +1 @@
+../dynatrace.tf
@@ -32,4 +32,7 @@ locals {
   redis_ssm_parameter_policy                  = data.terraform_remote_state.shared.outputs.redis_ssm_parameter_policy
   authentication_oidc_redis_security_group_id = data.terraform_remote_state.shared.outputs.authentication_oidc_redis_security_group_id
   redis_key                                   = "session"
+
+  slack_event_sns_topic_arn = data.terraform_remote_state.shared.outputs.slack_event_sns_topic_arn
+  aws_account_alias         = data.terraform_remote_state.shared.outputs.aws_account_alias
 }
@@ -22,7 +22,7 @@ module "auth_token_role" {
 }
 
 module "auth_token" {
-  source = "../modules/endpoint-module"
+  source = "../modules/endpoint-module-v2"
 
   endpoint_name   = "auth-token"
   path_part       = "token"
@@ -68,6 +68,10 @@ module "auth_token" {
   cloudwatch_log_retention               = var.cloudwatch_log_retention
   lambda_env_vars_encryption_kms_key_arn = local.lambda_env_vars_encryption_kms_key_arn
 
+  dynatrace_secret      = local.dynatrace_secret
+  slack_event_topic_arn = local.slack_event_sns_topic_arn
+  account_alias         = local.aws_account_alias
+
   depends_on = [
     aws_api_gateway_rest_api.di_auth_ext_api,
   ]

@@ -23,7 +23,7 @@ module "auth_userinfo_role" {
 }
 
 module "auth_userinfo" {
-  source = "../modules/endpoint-module"
+  source = "../modules/endpoint-module-v2"
 
   endpoint_name   = "auth-userinfo"
   path_part       = "userinfo"
@@ -65,6 +65,10 @@ module "auth_userinfo" {
   cloudwatch_log_retention               = var.cloudwatch_log_retention
   lambda_env_vars_encryption_kms_key_arn = local.lambda_env_vars_encryption_kms_key_arn
 
+  dynatrace_secret      = local.dynatrace_secret
+  slack_event_topic_arn = local.slack_event_sns_topic_arn
+  account_alias         = local.aws_account_alias
+
   depends_on = [
     aws_api_gateway_rest_api.di_auth_ext_api,
   ]

@@ -0,0 +1 @@
+../dynatrace.tf
@@ -15,7 +15,7 @@ module "delivery_receipts_api_notify_callback_role" {
 }
 
 module "notify_callback" {
-  source = "../modules/endpoint-module"
+  source = "../modules/endpoint-module-v2"
 
   endpoint_name   = "notify-callback"
   path_part       = "notify-callback"
@@ -50,6 +50,10 @@ module "notify_callback" {
   lambda_env_vars_encryption_kms_key_arn = data.terraform_remote_state.shared.outputs.lambda_env_vars_encryption_kms_key_arn
   api_key_required                       = false
 
+  dynatrace_secret      = local.dynatrace_secret
+  slack_event_topic_arn = local.slack_event_sns_topic_arn
+  account_alias         = local.aws_account_alias
+
   depends_on = [
     aws_api_gateway_rest_api.di_authentication_delivery_receipts_api,
   ]

@@ -14,4 +14,7 @@ locals {
   bulk_user_email_table_encryption_key_arn = data.terraform_remote_state.shared.outputs.bulk_user_email_table_encryption_key_arn
   user_profile_encryption_policy_arn       = data.terraform_remote_state.shared.outputs.user_profile_encryption_policy_arn
   user_profile_kms_key_arn                 = data.terraform_remote_state.shared.outputs.user_profile_kms_key_arn
+
+  slack_event_sns_topic_arn = data.terraform_remote_state.shared.outputs.slack_event_sns_topic_arn
+  aws_account_alias         = data.terraform_remote_state.shared.outputs.aws_account_alias
 }
@@ -1,26 +1,13 @@
-data "aws_secretsmanager_secret" "dynatrace_secret" {
-  arn = var.environment == "production" ? local.dynatrace_production_secret : local.dynatrace_nonproduction_secret
-}
-data "aws_secretsmanager_secret_version" "dynatrace_secret" {
-  secret_id = data.aws_secretsmanager_secret.dynatrace_secret.id
-}
-
 locals {
-  dynatrace_layer_arn = local.dynatrace_secret["JAVA_LAYER"]
-  dynatrace_environment_variables = {
-    AWS_LAMBDA_EXEC_WRAPPER = "/opt/dynatrace"
-
-    DT_CONNECTION_AUTH_TOKEN     = local.dynatrace_secret["DT_CONNECTION_AUTH_TOKEN"]
-    DT_CONNECTION_BASE_URL       = local.dynatrace_secret["DT_CONNECTION_BASE_URL"]
-    DT_CLUSTER_ID                = local.dynatrace_secret["DT_CLUSTER_ID"]
-    DT_TENANT                    = local.dynatrace_secret["DT_TENANT"]
-    DT_LOG_COLLECTION_AUTH_TOKEN = local.dynatrace_secret["DT_LOG_COLLECTION_AUTH_TOKEN"]
-
-    DT_OPEN_TELEMETRY_ENABLE_INTEGRATION = "true"
-  }
-
   dynatrace_production_secret    = "arn:aws:secretsmanager:eu-west-2:216552277552:secret:DynatraceProductionVariables"
   dynatrace_nonproduction_secret = "arn:aws:secretsmanager:eu-west-2:216552277552:secret:DynatraceNonProductionVariables"
 
   dynatrace_secret = jsondecode(data.aws_secretsmanager_secret_version.dynatrace_secret.secret_string)
 }
+
+data "aws_secretsmanager_secret" "dynatrace_secret" {
+  arn = var.environment == "production" ? local.dynatrace_production_secret : local.dynatrace_nonproduction_secret
+}
+data "aws_secretsmanager_secret_version" "dynatrace_secret" {
+  secret_id = data.aws_secretsmanager_secret.dynatrace_secret.id
+}
@@ -0,0 +1 @@
+../dynatrace.tf
@@ -44,7 +44,8 @@ module "account_interventions_stub_lambda" {
   cloudwatch_key_arn                     = data.terraform_remote_state.shared.outputs.cloudwatch_encryption_key_arn
   cloudwatch_log_retention               = var.cloudwatch_log_retention
   lambda_env_vars_encryption_kms_key_arn = local.lambda_env_vars_encryption_kms_key_arn
-  account_alias                          = data.aws_iam_account_alias.current.account_alias
-  slack_event_topic_arn                  = data.aws_sns_topic.slack_events.arn
-  dynatrace_secret                       = local.dynatrace_secret
+
+  account_alias         = local.aws_account_alias
+  slack_event_topic_arn = local.slack_event_sns_topic_arn
+  dynatrace_secret      = local.dynatrace_secret
 }
@@ -21,4 +21,7 @@ locals {
   authentication_security_group_id       = data.terraform_remote_state.shared.outputs.authentication_security_group_id
   authentication_private_subnet_ids      = data.terraform_remote_state.shared.outputs.authentication_private_subnet_ids
   lambda_env_vars_encryption_kms_key_arn = data.terraform_remote_state.shared.outputs.lambda_env_vars_encryption_kms_key_arn
+
+  slack_event_sns_topic_arn = data.terraform_remote_state.shared.outputs.slack_event_sns_topic_arn
+  aws_account_alias         = data.terraform_remote_state.shared.outputs.aws_account_alias
 }
@@ -79,7 +79,7 @@ No modules.
 | <a name="input_logging_endpoint_enabled"></a> [logging\_endpoint\_enabled](#input\_logging\_endpoint\_enabled) | Whether the Lambda should ship its logs to the `logging_endpoint_arn` | `bool` | `false` | no |
 | <a name="input_max_provisioned_concurrency"></a> [max\_provisioned\_concurrency](#input\_max\_provisioned\_concurrency) | n/a | `number` | `5` | no |
 | <a name="input_provisioned_concurrency"></a> [provisioned\_concurrency](#input\_provisioned\_concurrency) | n/a | `number` | `0` | no |
-| <a name="input_runbook_link"></a> [runbook\_link](#input\_runbook\_link) | A link that is appended to alarm descriptions that should open a page describing how to triage and handle the alarm | `string` | `""` | no |
+| <a name="input_runbook_link"></a> [runbook\_link](#input\_runbook\_link) | A link that is appended to alarm descriptions that should open a page describing how to triage and handle the alarm | `string` | `null` | no |
 | <a name="input_scaling_trigger"></a> [scaling\_trigger](#input\_scaling\_trigger) | n/a | `number` | `0.7` | no |
 | <a name="input_snapstart"></a> [snapstart](#input\_snapstart) | n/a | `bool` | `false` | no |
 | <a name="input_wait_for_alias_timeout"></a> [wait\_for\_alias\_timeout](#input\_wait\_for\_alias\_timeout) | The number of seconds to wait for the alias to be created | `number` | `300` | no |

@@ -1,8 +1,8 @@
 locals {
   base_error_alarm_description      = "${var.lambda_log_alarm_threshold} or more errors have occurred in the ${var.environment} ${var.endpoint_name} lambda.ACCOUNT: ${var.account_alias}"
-  error_alarm_description           = var.runbook_link == "" ? local.base_error_alarm_description : "${local.base_error_alarm_description}. Runbook: ${var.runbook_link}"
+  error_alarm_description           = var.runbook_link == null ? local.base_error_alarm_description : "${local.base_error_alarm_description}. Runbook: ${var.runbook_link}"
   base_error_rate_alarm_description = "Lambda error rate of ${var.lambda_log_alarm_error_rate_threshold} has been reached in the ${var.environment} ${var.endpoint_name} lambda.ACCOUNT: ${var.account_alias}"
-  error_rate_alarm_description      = var.runbook_link == "" ? local.base_error_rate_alarm_description : "${local.base_error_rate_alarm_description}. Runbook: ${var.runbook_link}"
+  error_rate_alarm_description      = var.runbook_link == null ? local.base_error_rate_alarm_description : "${local.base_error_rate_alarm_description}. Runbook: ${var.runbook_link}"
 }
 
 resource "aws_cloudwatch_log_metric_filter" "lambda_error_metric_filter" {

@@ -175,7 +175,7 @@ variable "wait_for_alias_timeout" {
 }
 
 variable "runbook_link" {
-  type        = string
   description = "A link that is appended to alarm descriptions that should open a page describing how to triage and handle the alarm"
-  default     = ""
+  type        = string
+  default     = null
 }