extend example to create a policy alert (#9)

chainguard-dev · Dec 12, 2022 · dbe1003 · dbe1003
1 parent f4996ed
commit dbe1003
Show file tree

Hide file tree

Showing 7 changed files with 92 additions and 19 deletions.
diff --git a/.gitignore b/.gitignore
@@ -1,2 +1,3 @@
 .terraform*
 terraform.tfstate*
+plan.out*
diff --git a/README.md b/README.md
@@ -116,15 +116,15 @@ No modules.
 | [google_cloud_run_service.probers](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/cloud_run_service) | resource |
 | [google_cloud_run_service_iam_policy.noauths](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/cloud_run_service_iam_policy) | resource |
 | [google_compute_backend_service.probers](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_backend_service) | resource |
-| [google_compute_global_address.static-ip](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_global_address) | resource |
-| [google_compute_global_forwarding_rule.forwarding-rule](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_global_forwarding_rule) | resource |
-| [google_compute_managed_ssl_certificate.prober-cert](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_managed_ssl_certificate) | resource |
+| [google_compute_global_address.static_ip](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_global_address) | resource |
+| [google_compute_global_forwarding_rule.forwarding_rule](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_global_forwarding_rule) | resource |
+| [google_compute_managed_ssl_certificate.prober_cert](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_managed_ssl_certificate) | resource |
 | [google_compute_region_network_endpoint_group.neg](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_region_network_endpoint_group) | resource |
 | [google_compute_target_https_proxy.prober](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_target_https_proxy) | resource |
 | [google_compute_url_map.probers](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_url_map) | resource |
-| [google_dns_record_set.prober-dns](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/dns_record_set) | resource |
-| [google_monitoring_uptime_check_config.global-uptime-check](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/monitoring_uptime_check_config) | resource |
-| [google_monitoring_uptime_check_config.regional-uptime-check](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/monitoring_uptime_check_config) | resource |
+| [google_dns_record_set.prober_dns](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/dns_record_set) | resource |
+| [google_monitoring_uptime_check_config.global_uptime_check](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/monitoring_uptime_check_config) | resource |
+| [google_monitoring_uptime_check_config.regional_uptime_check](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/monitoring_uptime_check_config) | resource |
 | [google_service_account.prober](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/service_account) | resource |
 | [ko_image.image](https://registry.terraform.io/providers/chainguard-dev/ko/latest/docs/resources/image) | resource |
 | [random_password.secret](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/password) | resource |
@@ -147,5 +147,6 @@ No modules.
 
 | Name | Description |
 |------|-------------|
-| <a name="output_uptime-check"></a> [uptime-check](#output\_uptime-check) | n/a |
+| <a name="output_uptime_check"></a> [uptime\_check](#output\_uptime\_check) | n/a |
+| <a name="output_uptime_check_name"></a> [uptime\_check\_name](#output\_uptime\_check\_name) | n/a |
 <!-- END_TF_DOCS -->
diff --git a/examples/basic/example.tf b/examples/basic/example.tf
@@ -31,3 +31,50 @@ module "prober" {
     EXAMPLE_ENV = "honk"
   }
 }
+
+// Create an alert policy based on the uptime check above.
+resource "google_monitoring_alert_policy" "prober_uptime" {
+  project = var.project_id
+  # In the absence of data, incident will auto-close in 7 days
+  alert_strategy {
+    auto_close = "604800s"
+  }
+  combiner = "OR"
+
+  conditions {
+    condition_threshold {
+      aggregations {
+        alignment_period     = "300s"
+        cross_series_reducer = "REDUCE_COUNT_FALSE"
+        group_by_fields      = ["resource.*"]
+        per_series_aligner   = "ALIGN_NEXT_OLDER"
+      }
+
+      comparison = "COMPARISON_GT"
+      duration   = "60s"
+      filter     = format("metric.type=\"monitoring.googleapis.com/uptime_check/check_passed\" resource.type=\"uptime_url\" metric.label.\"check_id\"=\"%s\"", module.prober.uptime_check)
+
+      threshold_value = "1"
+
+      trigger {
+        count   = "1"
+        percent = "0"
+      }
+    }
+
+    display_name = "${module.prober.uptime_check_name} probe failure"
+  }
+
+  display_name = "${module.prober.uptime_check_name} prober failed alert"
+  enabled      = "true"
+
+  documentation {
+    content = <<-EOT
+    < Add your documentation or link to a playbook here >
+    EOT
+  }
+
+  depends_on = [
+    module.prober
+  ]
+}
diff --git a/gclb.tf b/gclb.tf
@@ -1,29 +1,34 @@
+/*
+Copyright 2022 Chainguard, Inc.
+SPDX-License-Identifier: Apache-2.0
+*/
+
 locals {
   # GCLB is expensive, so we only provision one when we have to put multiple
   # Cloud Run locations behind one.
   use_gclb = length(var.locations) > 1
 }
 
-resource "google_compute_global_address" "static-ip" {
+resource "google_compute_global_address" "static_ip" {
   count = local.use_gclb ? 1 : 0
 
   project = var.project_id
   name    = "${var.name}-prober"
 }
 
-resource "google_compute_global_forwarding_rule" "forwarding-rule" {
+resource "google_compute_global_forwarding_rule" "forwarding_rule" {
   count = local.use_gclb ? 1 : 0
 
   project               = var.project_id
   name                  = "${var.name}-prober"
   ip_protocol           = "TCP"
   load_balancing_scheme = "EXTERNAL"
   port_range            = 443
-  ip_address            = google_compute_global_address.static-ip[0].id
+  ip_address            = google_compute_global_address.static_ip[0].id
   target                = google_compute_target_https_proxy.prober[0].id
 }
 
-resource "google_dns_record_set" "prober-dns" {
+resource "google_dns_record_set" "prober_dns" {
   count = local.use_gclb ? 1 : 0
 
   project      = var.project_id
@@ -33,17 +38,17 @@ resource "google_dns_record_set" "prober-dns" {
   ttl          = 60
 
   rrdatas = [
-    google_compute_global_address.static-ip[0].address
+    google_compute_global_address.static_ip[0].address
   ]
 }
 
-resource "google_compute_managed_ssl_certificate" "prober-cert" {
+resource "google_compute_managed_ssl_certificate" "prober_cert" {
   count = local.use_gclb ? 1 : 0
 
   name = "${var.name}-prober"
 
   managed {
-    domains = [google_dns_record_set.prober-dns[0].name]
+    domains = [google_dns_record_set.prober_dns[0].name]
   }
 }
 
@@ -54,7 +59,7 @@ resource "google_compute_target_https_proxy" "prober" {
   name    = "${var.name}-prober"
   url_map = google_compute_url_map.probers[0].id
 
-  ssl_certificates = [google_compute_managed_ssl_certificate.prober-cert[0].id]
+  ssl_certificates = [google_compute_managed_ssl_certificate.prober_cert[0].id]
 }
 
 resource "google_compute_url_map" "probers" {

diff --git a/main.tf b/main.tf
@@ -1,3 +1,8 @@
+/*
+Copyright 2022 Chainguard, Inc.
+SPDX-License-Identifier: Apache-2.0
+*/
+
 terraform {
   required_providers {
     ko = {
@@ -88,7 +93,7 @@ resource "google_cloud_run_service_iam_policy" "noauths" {
 // This is the uptime check, which will send traffic to the Cloud Run
 // application every few minutes (from several locations) to ensure
 // things are operating as expected.
-resource "google_monitoring_uptime_check_config" "regional-uptime-check" {
+resource "google_monitoring_uptime_check_config" "regional_uptime_check" {
   count = local.use_gclb ? 0 : 1
 
   display_name = "${var.name}-uptime-regional"
@@ -127,7 +132,7 @@ resource "google_monitoring_uptime_check_config" "regional-uptime-check" {
 // This is the uptime check, which will send traffic to the GCLB
 // address every few minutes (from several locations) to ensure
 // things are operating as expected.
-resource "google_monitoring_uptime_check_config" "global-uptime-check" {
+resource "google_monitoring_uptime_check_config" "global_uptime_check" {
   count = local.use_gclb ? 1 : 0
 
   display_name = "${var.name}-uptime-global"

diff --git a/outputs.tf b/outputs.tf
@@ -1,3 +1,12 @@
-output "uptime-check" {
-  value = local.use_gclb ? google_monitoring_uptime_check_config.global-uptime-check[0].uptime_check_id : google_monitoring_uptime_check_config.regional-uptime-check[0].uptime_check_id
+/*
+Copyright 2022 Chainguard, Inc.
+SPDX-License-Identifier: Apache-2.0
+*/
+
+output "uptime_check" {
+  value = local.use_gclb ? google_monitoring_uptime_check_config.global_uptime_check[0].uptime_check_id : google_monitoring_uptime_check_config.regional_uptime_check[0].uptime_check_id
+}
+
+output "uptime_check_name" {
+  value = local.use_gclb ? google_monitoring_uptime_check_config.global_uptime_check[0].display_name : google_monitoring_uptime_check_config.regional_uptime_check[0].display_name
 }
diff --git a/variables.tf b/variables.tf
@@ -1,3 +1,8 @@
+/*
+Copyright 2022 Chainguard, Inc.
+SPDX-License-Identifier: Apache-2.0
+*/
+
 variable "name" {
   description = "Name to prefix to created resources."
 }