From efaae921aaf8225e87836dbfc7261698ec69b071 Mon Sep 17 00:00:00 2001
From: ariagraham-nhs
Date: Fri, 1 May 2026 16:47:03 +0100
Subject: [PATCH 1/3] VED-1170: CloudWatch Alarm without actions
---
 .../fhir_api_perf_errors_slack_chatbot.tf | 24 +++++++++++++++++++
 .../account/fhir_api_perf_errors_sns_topic.tf | 22 +++++++++++++++++
 infrastructure/account/kms.tf | 6 +++++
 3 files changed, 52 insertions(+)
 create mode 100644 infrastructure/account/fhir_api_perf_errors_slack_chatbot.tf
 create mode 100644 infrastructure/account/fhir_api_perf_errors_sns_topic.tf
diff --git a/infrastructure/account/fhir_api_perf_errors_slack_chatbot.tf b/infrastructure/account/fhir_api_perf_errors_slack_chatbot.tf
new file mode 100644
index 0000000000..88fe488df1
--- /dev/null
+++ b/infrastructure/account/fhir_api_perf_errors_slack_chatbot.tf
@@ -0,0 +1,24 @@
+resource "aws_chatbot_slack_channel_configuration" "fhir_api_perf_alerts" {
+ configuration_name = "${var.environment}-fhir-api-perf-alerts-slack-channel-config"
+ iam_role_arn = aws_iam_role.fhir_api_perf_alerts_chatbot.arn
+ slack_channel_id = var.environment == "prod" ? "C0B11MJPQ6A" : "C0B1GKZ5S4R"
+ slack_team_id = "TJ00QR03U"
+ sns_topic_arns = [aws_sns_topic.fhir_api_perf_alerts.arn]
+}
+
+resource "aws_iam_role" "fhir_api_perf_alerts_chatbot" {
+ name = "${var.environment}-fhir-api-perf-alerts-chatbot-channel-role"
+ assume_role_policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Action = "sts:AssumeRole"
+ Effect = "Allow"
+ Sid = "AssumeChatbotRole"
+ Principal = {
+ Service = "chatbot.amazonaws.com"
+ }
+ },
+ ]
+ })
+}
diff --git a/infrastructure/account/fhir_api_perf_errors_sns_topic.tf b/infrastructure/account/fhir_api_perf_errors_sns_topic.tf
new file mode 100644
index 0000000000..00fcda4576
--- /dev/null
+++ b/infrastructure/account/fhir_api_perf_errors_sns_topic.tf
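Review bot: The trust policy on `aws_iam_role.fhir_api_perf_alerts_chatbot` lets `chatbot.amazonaws.com` assume the role with no `aws:SourceAccount` / `aws:SourceArn` condition, so it is not pinned to this account's Chatbot configurations; add `Condition = { StringEquals = { "aws:SourceAccount" = "<this account id>" } }` to the statement (the id can come from an `aws_caller_identity` data source rather than a literal). `guardrail_policy_arns` is also left unset on `aws_chatbot_slack_channel_configuration.fhir_api_perf_alerts`, which means the AdministratorAccess guardrail applies; the role carries no permissions policy today so nothing is granted yet, but `guardrail_policy_arns = ["arn:aws:iam::aws:policy/ReadOnlyAccess"]` keeps that bounded if a policy is attached later. The prod/non-prod Slack channel IDs and the team ID are hard-coded literals; a comment naming the channels they map to, or variables for them, would let a reviewer check the split without opening Slack.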
@@ -0,0 +1,22 @@
+resource "aws_sns_topic" "fhir_api_perf_alerts" {
+ name = "${var.environment}-fhir-api-perf-alerts"
+ kms_master_key_id = aws_kms_key.error_alerts_sns_encryption_key.arn
+}
+
+resource "aws_sns_topic_policy" "fhir_api_perf_alerts_topic_policy" {
+ arn = aws_sns_topic.fhir_api_perf_alerts.arn
+ policy = jsonencode({
+ Version = "2012-10-17",
+ Statement = [
+ {
+ Sid = "AllowCloudWatchToPublish",
+ Effect = "Allow",
+ Principal = {
+ Service = "cloudwatch.amazonaws.com"
+ },
+ Action = "SNS:Publish",
+ Resource = aws_sns_topic.fhir_api_perf_alerts.arn
+ }
+ ]
+ })
+}
diff --git a/infrastructure/account/kms.tf b/infrastructure/account/kms.tf
index 21e5e2a78e..563c7bdc72 100644
--- a/infrastructure/account/kms.tf
+++ b/infrastructure/account/kms.tf
@@ -225,3 +225,9 @@ resource "aws_kms_alias" "fhir_api_errors_sns_encryption_key" {
 name = "alias/${var.environment}-fhir-api-errors-imms-sns-encryption"
 target_key_id = aws_kms_key.error_alerts_sns_encryption_key.key_id
 }
+
+resource "aws_kms_alias" "fhir_api_perf_alerts_sns_encryption_key" {
+ name = "alias/${var.environment}-fhir-api-perf-alerts-imms-sns-encryption"
+ target_key_id = aws_kms_key.error_alerts_sns_encryption_key.key_id
+}
+
From 70ac3c1b8f94bed160101249489af0028220cb5f Mon Sep 17 00:00:00 2001
From: ariagraham-nhs
Date: Tue, 5 May 2026 11:59:43 +0100
Subject: [PATCH 2/3] Add action to existing alarm
---
 ...lack_chatbot.tf => fhir_api_perf_alerts_slack_chatbot.tf} | 0
 ...errors_sns_topic.tf => fhir_api_perf_alerts_sns_topic.tf} | 0
 infrastructure/instance/modules/lambda/lambda.tf | 5 +++++
 3 files changed, 5 insertions(+)
 rename infrastructure/account/{fhir_api_perf_errors_slack_chatbot.tf => fhir_api_perf_alerts_slack_chatbot.tf} (100%)
 rename infrastructure/account/{fhir_api_perf_errors_sns_topic.tf => fhir_api_perf_alerts_sns_topic.tf} (100%)
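Review bot: The statement in `aws_sns_topic_policy.fhir_api_perf_alerts_topic_policy` grants `SNS:Publish` to the `cloudwatch.amazonaws.com` principal with no condition, which is the cross-account confused-deputy shape AWS warns about for service principals; add `Condition = { StringEquals = { "aws:SourceAccount" = "<this account id>" } }` (or an `ArnLike` on `aws:SourceArn` covering this account's alarm ARNs) so only alarms in this account can publish. The topic reuses `aws_kms_key.error_alerts_sns_encryption_key`; CloudWatch deliveries will fail, visible only in the alarm history, unless that key's policy already lets `cloudwatch.amazonaws.com` call `kms:GenerateDataKey*` and `kms:Decrypt`, which is presumably already true because the existing errors topic uses the same key, but is worth confirming in kms.tf.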
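Review bot: `aws_kms_alias.fhir_api_perf_alerts_sns_encryption_key` is a second alias for the same `error_alerts_sns_encryption_key`, and nothing in this series references it (the new topic uses the key ARN directly), so it adds a name suggesting a dedicated perf-alerts key without creating one. If the shared key is intended, a comment above the alias such as `# Alias only: the perf-alerts topic shares error_alerts_sns_encryption_key with the errors topic` makes that explicit; if a dedicated key was intended, the topic's `kms_master_key_id` needs to change with it.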
diff --git a/infrastructure/account/fhir_api_perf_errors_slack_chatbot.tf b/infrastructure/account/fhir_api_perf_alerts_slack_chatbot.tf
similarity index 100%
rename from infrastructure/account/fhir_api_perf_errors_slack_chatbot.tf
rename to infrastructure/account/fhir_api_perf_alerts_slack_chatbot.tf
diff --git a/infrastructure/account/fhir_api_perf_errors_sns_topic.tf b/infrastructure/account/fhir_api_perf_alerts_sns_topic.tf
similarity index 100%
rename from infrastructure/account/fhir_api_perf_errors_sns_topic.tf
rename to infrastructure/account/fhir_api_perf_alerts_sns_topic.tf
diff --git a/infrastructure/instance/modules/lambda/lambda.tf b/infrastructure/instance/modules/lambda/lambda.tf
index 9714614c04..87e38808d3 100644
--- a/infrastructure/instance/modules/lambda/lambda.tf
+++ b/infrastructure/instance/modules/lambda/lambda.tf
@@ -24,6 +24,10 @@ module "lambda_function_container_image" {
 image_config_command = ["${var.function_name}_handler.${var.function_name}_handler"]
 }
 
+data "aws_sns_topic" "fhir_api_perf_alerts" {
+ name = "${var.environment}-fhir-api-perf-alerts"
+}
+
 resource "aws_cloudwatch_metric_alarm" "memory_alarm" {
 alarm_name = "${var.short_prefix}_${var.function_name} memory alarm"
 comparison_operator = "GreaterThanOrEqualToThreshold"
@@ -34,6 +38,7 @@ resource "aws_cloudwatch_metric_alarm" "memory_alarm" {
 statistic = "Maximum"
 threshold = 256
 alarm_description = "This metric monitors Lambda memory usage"
+ alarm_actions = [data.aws_sns_topic.fhir_api_perf_alerts.arn]
 insufficient_data_actions = []
 }
 
From b2bf711da84e5131b9e172befe6ad2dab0fd1ac2 Mon Sep 17 00:00:00 2001
From: ariagraham-nhs
Date: Wed, 6 May 2026 11:32:20 +0100
Subject: [PATCH 3/3] Add action to DDoS alarm
---
 infrastructure/account/shield_protection.tf | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/infrastructure/account/shield_protection.tf b/infrastructure/account/shield_protection.tf
index 0809c97d08..a7a6770830 100644
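Review bot: `data "aws_sns_topic" "fhir_api_perf_alerts"` is resolved by name inside the shared lambda module, so each module instance performs its own lookup and the module gains a hidden dependency on the account stack having been applied first; if the topic is absent the lookup fails at plan time with no pointer to where it is supposed to come from. Passing the ARN in through a module variable from the instance root (e.g. a `variable "alarm_topic_arn"`) keeps that dependency visible at the call site and removes the per-instance lookup. If the data source stays, a comment above it such as `# Created in infrastructure/account (fhir_api_perf_alerts_sns_topic.tf); that stack must be applied first` would help the next reader. The `module "lambda_function_container_image"` block that opens this hunk's context begins before the hunk.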
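Review bot: `alarm_actions` on `aws_cloudwatch_metric_alarm.memory_alarm` now routes ALARM transitions to the topic, but `ok_actions` is not set, so the Slack channel is told when memory crosses the threshold and never that it recovered; add `ok_actions = [data.aws_sns_topic.fhir_api_perf_alerts.arn]` alongside it. `insufficient_data_actions = []` is already spelled out explicitly, so leaving `ok_actions` implicit reads as an omission rather than a decision. The resource block starts above this hunk.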
--- a/infrastructure/account/shield_protection.tf
+++ b/infrastructure/account/shield_protection.tf
@@ -34,6 +34,10 @@ locals {
 }
 }
 
+# Topic to publish alerts to when alarm is triggered
+data "aws_sns_topic" "fhir_api_perf_alerts" {
+ name = "${var.environment}-fhir-api-perf-alerts"
+}
 
 # Create Metric Alarms for each of those resources
 resource "aws_cloudwatch_metric_alarm" "ddos_protection_regional" {
@@ -41,6 +45,7 @@ resource "aws_cloudwatch_metric_alarm" "ddos_protection_regional" {
 
 alarm_name = "imms-${var.environment}-shield_ddos_${each.key}"
 alarm_description = "Alarm when Shield detects DDoS on ${each.key}"
+ alarm_actions = [data.aws_sns_topic.fhir_api_perf_alerts.arn]
 namespace = "AWS/DDoSProtection"
 metric_name = "DDoSDetected"
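Review bot: The new `data "aws_sns_topic" "fhir_api_perf_alerts"` sits in infrastructure/account, which appears to be the same root module that declares `resource "aws_sns_topic" "fhir_api_perf_alerts"` in fhir_api_perf_alerts_sns_topic.tf, so it looks up by name a topic Terraform already manages in this state; on a fresh environment the read should run before the topic exists and fail the plan, and in an existing one it is a redundant API call. Drop the data block and have the `alarm_actions` line in the following hunk reference the resource directly: `alarm_actions = [aws_sns_topic.fhir_api_perf_alerts.arn]`. As in lambda.tf, `ok_actions` is not set, so the channel hears that Shield detected a DDoS but not when the alarm clears. The `aws_cloudwatch_metric_alarm.ddos_protection_regional` resource continues past the end of this patch excerpt.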