Add monitoring

iaac/boostrap.md

@@ -86,4 +86,4 @@ role_arn = <arn of the role you have created, e.g. "arn:aws:iam::000000000000:ro
 ```
 Terraform has been successfully initialized!
 ```
-10. Run `make t-apply` to create the required resources.
+1.  Run `make t-apply` to create the required resources. Note that you will be asked for an email address to send notifications to. You would get an email to Confirm subscription once it is created.

iaac/iam.tf

@@ -11,21 +11,24 @@ data "aws_iam_policy_document" "lambda_assume_role" {
   }
 }
 
-resource "aws_iam_role" "iam_for_lambda" {
+resource "aws_iam_role" "lambda" {
   name               = "${local.prefix}-lambda"
   assume_role_policy = data.aws_iam_policy_document.lambda_assume_role.json
 }
 
-data "aws_iam_policy" "lambda_logging" {
-  arn = "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
-}
+data "aws_iam_policy_document" "lambda" {
+  statement {
+    effect = "Allow"
 
-resource "aws_iam_role_policy_attachment" "lambda_logs" {
-  role       = aws_iam_role.iam_for_lambda.name
-  policy_arn = data.aws_iam_policy.lambda_logging.arn
-}
+    actions = [
+      "logs:CreateLogGroup",
+      "logs:CreateLogStream",
+      "logs:PutLogEvents"
+    ]
+
+    resources = ["*"]
+  }
 
-data "aws_iam_policy_document" "bucket_access" {
   statement {
     effect = "Allow"
 
@@ -36,16 +39,24 @@ data "aws_iam_policy_document" "bucket_access" {
 
     resources = ["${aws_s3_bucket.photos.arn}/*"]
   }
+
+  statement {
+    effect = "Allow"
+
+    actions = ["sns:Publish"]
+
+    resources = [aws_sns_topic.dead_letter_queue.arn]
+  }
 }
 
-resource "aws_iam_policy" "bucket_access" {
-  name        = "photos-bucket-access"
-  path        = "/year-on-facade/"
-  description = "IAM policy for getting access to year-on-facade photos bucket"
-  policy      = data.aws_iam_policy_document.bucket_access.json
+resource "aws_iam_policy" "lambda" {
+  name        = "lambda"
+  path        = "/${local.prefix}/"
+  description = "IAM policy for year on facade lambda function"
+  policy      = data.aws_iam_policy_document.lambda.json
 }
 
-resource "aws_iam_role_policy_attachment" "bucket_access" {
-  role       = aws_iam_role.iam_for_lambda.name
-  policy_arn = aws_iam_policy.bucket_access.arn
+resource "aws_iam_role_policy_attachment" "lambda" {
+  role       = aws_iam_role.lambda.name
+  policy_arn = aws_iam_policy.lambda.arn
 }

iaac/lambda-monitoring.tf

@@ -0,0 +1,9 @@
+resource "aws_sns_topic" "dead_letter_queue" {
+  name = local.prefix
+}
+
+resource "aws_sns_topic_subscription" "email" {
+  topic_arn = aws_sns_topic.dead_letter_queue.arn
+  protocol  = "email"
+  endpoint  = var.email_for_notifications
+}

iaac/lambda-resize.tf

@@ -34,25 +34,28 @@ data "archive_file" "resize" {
 resource "aws_lambda_function" "resize" {
   filename      = data.archive_file.resize.output_path
   function_name = local.resize_lambda_name
-  role          = aws_iam_role.iam_for_lambda.arn
+  role          = aws_iam_role.lambda.arn
   handler       = "resize.lambda_handler"
   architectures = [local.architecture.aws_arch]
   runtime       = "python${local.python_version}"
 
   source_code_hash = data.archive_file.resize.output_base64sha256
 
   timeout = 30
+  dead_letter_config {
+    target_arn = aws_sns_topic.dead_letter_queue.arn
+  }
 
   depends_on = [
-    aws_iam_role_policy_attachment.lambda_logs,
+    aws_iam_role_policy_attachment.lambda,
     aws_cloudwatch_log_group.resize,
   ]
 }
 
 resource "aws_lambda_function_event_invoke_config" "resize" {
   function_name                = aws_lambda_function.resize.function_name
   maximum_event_age_in_seconds = 300
-  maximum_retry_attempts       = 0
+  maximum_retry_attempts       = 1
 }
 
 resource "aws_lambda_permission" "allow_bucket" {

iaac/variables.tf

@@ -0,0 +1,4 @@
+variable "email_for_notifications" {
+  type = string
+  description = "Email address for notifications about processing errors"
+}

photos/upload.sh

@@ -9,4 +9,4 @@ photos_dir="./photos/original"
 s3_bucket="$(grep '^bucket' config.properties | cut -d'=' -f2 | cut -d'#' -f1 | cut -d'"' -f2)-photos"
 s3_folder="s3://$s3_bucket/original"
 
-aws-vault exec $aws_profile -- aws s3 sync --dryrun $photos_dir $s3_folder --exclude "*" --include "*.jpg"
+aws-vault exec $aws_profile -- aws s3 sync $photos_dir $s3_folder --exclude "*" --include "*.jpg"