feat: provision lambda job with elasticache-slowlog-to-datadog v1.0.0

Author: jim80net

data_sources.tf

@@ -0,0 +1,3 @@
+data "aws_caller_identity" "current" {}
+data "aws_canonical_user_id" "current_user" {}
+data "aws_region" "current" {}

main.tf

@@ -0,0 +1,150 @@
+resource aws_cloudwatch_event_rule slowlog_check {
+  name_prefix         = "slowlog_check_every_minute"
+  description         = "Check for slowlogs every five minutes"
+  schedule_expression = "cron(0/5 * * * ? *)" # every 5 minute
+  tags                = var.tags
+}
+
+resource aws_cloudwatch_event_target slowlog_check {
+  rule = aws_cloudwatch_event_rule.slowlog_check.name
+  arn  = aws_lambda_function.slowlog_check.arn
+}
+
+resource aws_lambda_permission slowlog_check {
+  statement_id  = "AllowExecutionFromCloudWatch"
+  action        = "lambda:InvokeFunction"
+  function_name = aws_lambda_function.slowlog_check.function_name
+  principal     = "events.amazonaws.com"
+  source_arn    = aws_cloudwatch_event_rule.slowlog_check.arn
+}
+
+
+resource aws_iam_role slowlog_check {
+  name = "slowlog_check"
+
+  assume_role_policy = <<EOF
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Action": "sts:AssumeRole",
+      "Principal": {
+        "Service": "lambda.amazonaws.com"
+      },
+      "Effect": "Allow",
+      "Sid": ""
+    }
+  ]
+}
+EOF
+}
+
+resource aws_iam_policy slowlog_check {
+  name        = "slowlog_check"
+  path        = "/"
+  description = "This IAM policy allows the slowlog_check to run"
+
+  policy = <<EOF
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+          "Action": [
+            "ssm:GetParameter",
+            "ssm:GetParametersByPath"
+          ],
+          "Resource": [
+            "arn:aws:ssm:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:parameter/${var.ssm_path}",
+            "arn:aws:ssm:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:parameter/${var.ssm_path}/*"
+            ],
+          "Effect": "Allow"
+        }
+    ]
+}
+EOF
+}
+
+resource aws_iam_role_policy_attachment "lambda_vpc_0" {
+  role       = aws_iam_role.slowlog_check.name
+  policy_arn = "arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole"
+}
+
+resource aws_iam_role_policy_attachment "lambda_vpc_1" {
+  role       = aws_iam_role.slowlog_check.name
+  policy_arn = aws_iam_policy.slowlog_check.arn
+}
+
+resource aws_security_group egress {
+  name_prefix = "egress-https"
+  description = "Allow outbound https calls"
+  vpc_id      = var.vpc_id
+
+  # https://github.com/hashicorp/terraform/issues/8617#issuecomment-343973544-permalink
+  lifecycle {
+    create_before_destroy = true
+  }
+
+  egress {
+    description = "outbound https"
+    from_port   = 443
+    to_port     = 443
+    protocol    = "tcp"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+  tags = var.tags
+}
+
+resource null_resource get_slowlog_archive {
+  provisioner local-exec {
+    command = "wget https://github.com/scribd/elasticache-slowlog-to-datadog/releases/download/v1.0.0/slowlog_check.1.0.0.zip"
+  }
+}
+
+resource aws_ssm_parameter datadog_api_key {
+  name        = "/${var.ssm_path}/DATADOG_API_KEY"
+  description = "Datadog API Key"
+  tags        = var.tags
+  type        = "SecureString"
+  value       = var.datadog_api_key
+}
+
+resource aws_ssm_parameter datadog_app_key {
+  name        = "/${var.ssm_path}/DATADOG_APP_KEY"
+  description = "Datadog App Key"
+  tags        = var.tags
+  type        = "SecureString"
+  value       = var.datadog_app_key
+}
+
+
+resource "aws_lambda_function" "slowlog_check" {
+  function_name    = "slowlog_check"
+  filename         = "${path.module}/slowlog_check.1.0.0.zip"
+  source_code_hash = "MDgxYjVkZmMyNDkzODg1ZDJiMzBiY2FmYWI5NWNkMTQ1MjQ0Y2ViNDkzZTFhM2I3OGFhMmU3MzZiOWFhZTJiMw=="
+  role             = aws_iam_role.slowlog_check.arn
+  handler          = "lambda_function.lambda_handler"
+  runtime          = "ruby2.5"
+  vpc_config {
+    subnet_ids         = var.subnet_ids
+    security_group_ids = concat([aws_security_group.egress.id], var.elasticache_security_groups)
+  }
+  timeout = 600
+
+  environment {
+    variables = {
+      REDIS_HOST = var.elasticache_endpoint
+      SSM_PATH   = "/${var.ssm_path}/"
+      NAMESPACE  = var.namespace
+      ENV        = var.env
+      METRICNAME = var.metric_name
+    }
+  }
+
+  tags       = var.tags
+  depends_on = [null_resource.get_slowlog_archive]
+}
+
+resource aws_lambda_function_event_invoke_config slowlog_check {
+  function_name          = aws_lambda_function.slowlog_check.function_name
+  maximum_retry_attempts = 0
+}

vars.tf

@@ -0,0 +1,49 @@
+variable elasticache_endpoint {
+  description = "AWS Elasticache endpoint to get slowqueries from"
+}
+
+variable elasticache_security_groups {
+  description = "AWS Elasticache Security groups to bind to"
+  type        = list(string)
+  default     = []
+}
+
+variable subnet_ids {
+  description = "Subnets to associate with VPC lambda job"
+  type        = list(string)
+}
+
+variable vpc_id {
+  description = "VPC to associate with VPC lambda job"
+}
+
+variable datadog_api_key {
+  description = "Datadog API key"
+}
+
+variable datadog_app_key {
+  description = "Datadog App key"
+}
+
+variable namespace {
+  description = "Namespace tag to pass to datadog"
+}
+
+variable env {
+  description = "Env tag to pass to datadog"
+}
+
+variable metric_name {
+  description = "Custom metric name to pass to datadog"
+  default     = "elasticache.slowlog"
+}
+
+variable ssm_path {
+  description = "Custom SSM path to provision Datadog access ID's in. Leading slash ommitted."
+  default     = "slowlog_check"
+}
+
+variable tags {
+  description = "Additional tags to create resources with and to send to datadog"
+  default     = {}
+}