Add Cloudwatch Metric Healthchecks to R53 Records.

Also add terraform version to .tool-versions file
ably · Jul 6, 2022 · 85ed12e · 85ed12e
1 parent 0944ce6
commit 85ed12e
Show file tree

Hide file tree

Showing 4 changed files with 44 additions and 4 deletions.
diff --git a/.tool-versions b/.tool-versions
@@ -1 +1,2 @@
 terraform-docs 0.16.0
+terraform 1.1.4
diff --git a/README.md b/README.md
@@ -125,6 +125,8 @@ No modules.
 
 | Name | Type |
 |------|------|
+| [aws_cloudwatch_metric_alarm.privatelink_disabled_status](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_metric_alarm) | resource |
+| [aws_route53_health_check.privatelink_disabled_status](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_health_check) | resource |
 | [aws_route53_record.ably-global](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_record) | resource |
 | [aws_route53_record.ably-regional](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_record) | resource |
 | [aws_route53_record.ably-zonal](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_record) | resource |
@@ -135,6 +137,7 @@ No modules.
 |------|-------------|------|---------|:--------:|
 | <a name="input_ably_vpc_endpoint_dns_entry"></a> [ably\_vpc\_endpoint\_dns\_entry](#input\_ably\_vpc\_endpoint\_dns\_entry) | The top level DNS entry exposed by your VPC Endpoint (Non-AZ version) | `string` | n/a | yes |
 | <a name="input_ably_vpc_endpoint_dns_hosted_zone_id"></a> [ably\_vpc\_endpoint\_dns\_hosted\_zone\_id](#input\_ably\_vpc\_endpoint\_dns\_hosted\_zone\_id) | Hosted Zone ID for your VPC Endpoint | `string` | n/a | yes |
+| <a name="input_ably_vpc_service_endpoint_name"></a> [ably\_vpc\_service\_endpoint\_name](#input\_ably\_vpc\_service\_endpoint\_name) | VPC Service endpoint to use for Cloudwatch Alarms. This will be provided by Ably. | `string` | n/a | yes |
 | <a name="input_azs"></a> [azs](#input\_azs) | A list of AWS Availability Zones that you have created VPC endpoints in. Used to create zonal DNS entries for PrivateLink Connections. e.g. eu-west-1a.example.com and eu-west-1b.example.com | `list(string)` | n/a | yes |
 | <a name="input_dns_global_record"></a> [dns\_global\_record](#input\_dns\_global\_record) | The global DNS CNAME record that you wish to use in a Private DNS Hosted Zone. This should be discussed with Ably. | `string` | n/a | yes |
 | <a name="input_dns_global_record_ttl"></a> [dns\_global\_record\_ttl](#input\_dns\_global\_record\_ttl) | TTL Value in seconds for the global DNS CNAME record that you wish to use in a Private DNS Hosted Zone. | `string` | `60` | no |

diff --git a/dns.tf b/dns.tf
@@ -1,7 +1,8 @@
 resource "aws_route53_record" "ably-global" {
-  for_each = toset(var.regions)
-  zone_id  = var.route53_private_zone_id
-  name     = var.dns_global_record
+  for_each        = toset(var.regions)
+  zone_id         = var.route53_private_zone_id
+  name            = var.dns_global_record
+  health_check_id = aws_route53_health_check.privatelink_disabled_status[each.key].id
 
   latency_routing_policy {
     region = each.key
@@ -14,7 +15,7 @@ resource "aws_route53_record" "ably-global" {
   alias {
     name                   = var.ably_vpc_endpoint_dns_entry
     zone_id                = var.ably_vpc_endpoint_dns_hosted_zone_id
-    evaluate_target_health = true
+    evaluate_target_health = false
   }
 }
 
@@ -35,3 +36,33 @@ resource "aws_route53_record" "ably-zonal" {
   ttl      = var.dns_zonal_record_ttl
   records  = [replace(var.ably_vpc_endpoint_dns_entry, "/^([\\w-]+).(.*)$/", "$1-${each.key}.$2")]
 }
+
+resource "aws_cloudwatch_metric_alarm" "privatelink_disabled_status" {
+  for_each            = toset(var.regions)
+  alarm_name          = "ably-privatelink-region-status-${each.key}"
+  comparison_operator = "GreaterThanOrEqualToThreshold"
+  evaluation_periods  = "1"
+  metric_name         = "Health"
+  namespace           = "Ably/VPCEndpoint"
+  dimensions = {
+    ServiceName = var.ably_vpc_service_endpoint_name
+  }
+  period            = "60"
+  statistic         = "Maximum"
+  threshold         = "1"
+  alarm_description = "This metric indicates whether an Ably region has been disabled by the Ably Incident Response team"
+}
+
+resource "aws_route53_health_check" "privatelink_disabled_status" {
+  for_each                        = toset(var.regions)
+  type                            = "CLOUDWATCH_METRIC"
+  cloudwatch_alarm_name           = aws_cloudwatch_metric_alarm.privatelink_disabled_status[each.key].alarm_name
+  cloudwatch_alarm_region         = each.key
+  insufficient_data_health_status = "Healthy"
+  invert_healthcheck              = false
+  measure_latency                 = false
+
+  tags = {
+    "Name" = "ably-privatelink-region-status-${each.key}"
+  }
+}
diff --git a/variables.tf b/variables.tf
@@ -45,3 +45,8 @@ variable "dns_zonal_record_ttl" {
   type        = string
   default     = 60
 }
+
+variable "ably_vpc_service_endpoint_name" {
+  type        = string
+  description = "VPC Service endpoint to use for Cloudwatch Alarms. This will be provided by Ably."
+}