[PLT-1361] Create a lambda to deliver cost anomaly alerts to Slack #340
Draft: juliareynolds-nava wants to merge 32 commits into main from plt-1361_ca_lambda
## 🎫 Ticket
https://jira.cms.gov/browse/PLT-1390
## 🛠 Changes
This PR removes TF data references to the now deleted DPC SNS topic key, which was removed from the dpc-ops repo in a related PR.
## ℹ️ Context
As part of the alarm-to-slack service work the DPC CloudWatch alarm topic was updated to use the shared dpc-\<env\> KMS key instead of the custom DPC SNS topic key, and that custom key was destroyed. This PR cleans up references to that custom key that continued to exist in the github-actions-role service.
## 🧪 Validation
<details>
<summary>Tofu plan output (DPC-DEV)</summary>

```
OpenTofu will perform the following actions:

  # aws_iam_role_policy.github_actions_role_policy will be updated in-place
  ~ resource "aws_iam_role_policy" "github_actions_role_policy" {
        id     = "dpc-dev-github-actions:terraform-2025xxxxxxxxxxxxxxxxxxxxxx"
        name   = "terraform-2025xxxxxxxxxxxxxxxxxxxxxx"
      ~ policy = jsonencode(
          ~ {
              ~ Statement = [
                    # (12 unchanged elements hidden)
                    {
                        Action   = [
                            "kms:ListAliases",
                            "kms:GetKeyRotationStatus",
                            "kms:GetKeyPolicy",
                            "kms:EnableKeyRotation",
                            "kms:CreateKey",
                            "kms:CreateAlias",
                        ]
                        Effect   = "Allow"
                        Resource = "*"
                        Sid      = "KmsUsage"
                    },
                  ~ {
                      ~ Resource = [
                            # (3 unchanged elements hidden)
                            "arn:aws:kms:us-east-1:xxxxxxxxxxxx:alias/dpc-dev-web-admin-cloudwatch-key",
                          - "arn:aws:kms:us-east-1:xxxxxxxxxxxx:alias/dpc-dev-sns-topic-key",
                            "arn:aws:kms:us-east-1:xxxxxxxxxxxx:alias/dpc-dev-master-key",
                            # (4 unchanged elements hidden)
                        ]
                        # (3 unchanged attributes hidden)
                    },
                    {
                        Action   = [
                            "firehose:StartDeliveryStreamEncryption",
                            "firehose:DescribeDeliveryStream",
                            "firehose:CreateDeliveryStream",
                        ]
                        Effect   = "Allow"
                        Resource = "*"
                    },
                    # (12 unchanged elements hidden)
                ]
                # (1 unchanged attribute hidden)
            }
        )
        # (2 unchanged attributes hidden)
    }

Plan: 0 to add, 1 to change, 0 to destroy.
```

</details>
## 🎫 Ticket
https://jira.cms.gov/browse/PLT-1482
## 🛠 Changes
Adds environment and app config keys to lambda permissions passed through to function module.
## ℹ️ Context
The DPC WAF sync lambdas have been very error heavy and the source is invalid key configuration in the terraform service. This change aims to add the necessary permissions to stop the lambdas from erroring out.
## 🧪 Validation
<details>
<summary>Tofu Plan Output (DPC/DEV)</summary>

```
OpenTofu will perform the following actions:

  # module.api_waf_sync_function.aws_iam_role_policy.default_function will be updated in-place
  ~ resource "aws_iam_role_policy" "default_function" {
        id     = "dpc-dev-api-waf-sync-function:default-function"
        name   = "default-function"
      ~ policy = jsonencode(
          ~ {
              ~ Statement = [
                    {
                        Action   = [
                            "ssm:GetParameters",
                            "ssm:GetParameter",
                            "sqs:ReceiveMessage",
                            "sqs:GetQueueAttributes",
                            "sqs:DeleteMessage",
                            "logs:PutLogEvents",
                            "logs:CreateLogStream",
                            "logs:CreateLogGroup",
                            "ec2:DescribeNetworkInterfaces",
                            "ec2:DescribeAccountAttributes",
                            "ec2:DeleteNetworkInterface",
                            "ec2:CreateNetworkInterface",
                        ]
                        Effect   = "Allow"
                        Resource = "*"
                    },
                  ~ {
                      ~ Resource = [
                          + "arn:aws:kms:us-east-1::key/69fc1eca-71e6-43e6-acd1-53f0b80a7ef6",
                            "arn:aws:kms:us-east-1::key/601028a8-2ef7-4bec-9e39-af26d91e07b9",
                            # (1 unchanged element hidden)
                        ]
                        # (2 unchanged attributes hidden)
                    },
                ]
                # (1 unchanged attribute hidden)
            }
        )
        # (1 unchanged attribute hidden)
    }

Plan: 0 to add, 1 to change, 0 to destroy.
```

</details>
## 🛠 Changes
Added contract name
## ℹ️ Context
Doug requested to add contract name for the existing dataset: https://cmsgov.slack.com/archives/CNHDC8HCZ/p1765474837300259
## 🧪 Validation
Ran in QuickSight and it displays contract names and no duplicates:

<img width="331" height="648" alt="image" src="https://github.com/user-attachments/assets/add06df2-c7a7-40f0-9618-18a9b42ee314" />
## 🎫 Ticket
https://jira.cms.gov/browse/BCDA-9633
Related tickets: [bcda-ops](CMSgov/bcda-ops#1303) [bcda-app](CMSgov/bcda-app#1276)
## 🛠 Changes
- added an optional health check variable for the ecs service module
## ℹ️ Context
The BCDA worker service runs containers that don't have a target group or a load balancer. It would be helpful to have a container health check that can monitor unhealthy containers.
## 🧪 Validation
Tested with bcda ecs services in dev environment.
…led workflow (#352)
## 🎫 Ticket
https://jira.cms.gov/browse/PLT-1425
## 🛠 Changes
Granted codebuild-runner access to decrypt the bcda-prod or bcda-test keys as they are used to encrypt cdap sops values.
## ℹ️ Context
Added the kms key to correct this permissions error:

```
Error: User: arn:aws:sts::{$account}:assumed-role/codebuild-runner/AWSCodeBuild-axxxxxxx-7272-421e-8d25-d4f58468c162 is not authorized to perform: kms:Decrypt on resource: arn:aws:kms:us-east-1:{$account}:key/37584589-3eb7-437a-9f20-b00000000b3 because no identity-based policy allows the kms:Decrypt action (Service: AWSKMS; Status Code: 400; Error Code: AccessDeniedException; roxy: null)
```

## 🧪 Validation
https://github.com/CMSgov/cdap/actions/runs/20241886420/job/58111901612?pr=352

---------

Co-authored-by: Sean Fern <[email protected]>
… cloudfront logging; (#358)
## 🎫 Ticket
jira.cms.gov/browse/PLT-1418
## 🛠 Changes
This PR configures:
1) The 'web' module to configure an existing cloudfront deployment that supports STS headers, has a regional domain name ("domain_name_overwrite").
2) The platform module to accommodate bucket logging in regional paths for Cloudfront logs passed into S3. This enables the passing of logs, by administrative AWS configuration, to an external provider.
3) Simplifies some variables into strings instead of objects.
## ℹ️ Context
These changes were made to support oversight and standardization of static site management through the centralization of terraform.
## 🧪 Validation
These changes require validation in the sandbox environment. The module source will be updated to point to this github commit hash as ref. Once the sandbox site is determined mostly unchanged, the module ref can be updated for the production site.
## 🎫 Ticket
https://jira.cms.gov/browse/PLT-1456
## 🛠 Changes
- Adds backends for cdap-prod and cdap-test.
- Adds standards module to github_actions_role service. _**(Will update all roles in-place.)**_
- Adds permissions for KMS key management and s3 usage.
- Adds cdap-test and cdap-prod to plan and apply workflows.
## ℹ️ Context
We want to move away from the current configuration of all CDAP resources living in the singular cdap-mgmt VPC which exists in the prod account, or overloading `bcda-prod` and `bcda-test` in each account. This way we can test changes and not have to bother with peering requests and ingress rules from the management VPC in the lower environments. Also, resources we manage will more clearly be owned by CDAP.
## 🧪 Validation
See plans
This reverts commit 4fd15ac.
```
# Conflicts:
#	terraform/services/github-actions-role/data.tf
#	terraform/services/github-actions-role/main.tf
```
## 🎫 Ticket
https://jira.cms.gov/browse/PLT-1361
## 🛠 Changes
Added lambda python source code and tofu configurations.
## ℹ️ Context
Parse cost anomaly events from the cost anomaly monitor SNS subscription. Format as a Slack message in the #dasg_metrics_and_insights channel.
## 🧪 Validation
See plan below.
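The handler sketched below is an added example of the parse-and-format step the PR description refers to; it is not the Lambda source from this PR or from the cdap repository. It assumes the Cost Anomaly Detection alert arrives as the `Message` string of a standard Lambda SNS record, that the alert is JSON with fields such as `accountId`, `monitorName`, `impact`, `anomalyScore`, `rootCauses` and `anomalyDetailsLink` (an assumption about the notification format, to be checked against a real event), and that `SLACK_WEBHOOK_URL` and `COST_ANOMALY_TOPIC_ARN` are environment variables the deployment provides. The sample event is constructed. The part worth copying is the handling of untrusted text: service, usage-type and linked-account names come from the AWS account, not the function, so they are escaped before they reach Slack mrkdwn, and the console link is only emitted when it really points at the AWS console.

```python
"""Parse a Cost Anomaly Detection alert from an SNS-triggered Lambda event and render
it as a Slack message. Added example, not the cdap repository's code; the alert field
names are an assumption drawn from the Cost Anomaly Detection notification format."""
import json
import os
import urllib.request

# Constructed sample: account ID, ARNs and figures are made up. The "<!channel>" in
# the linked-account name stands in for untrusted text that Slack would act on.
SAMPLE_EVENT = {"Records": [{
    "EventSource": "aws:sns",
    "Sns": {
        "TopicArn": "arn:aws:sns:us-east-1:111122223333:cost-anomaly-alerts",
        "Message": json.dumps({
            "accountId": "111122223333",
            "anomalyStartDate": "2025-01-06T00:00:00Z",
            "anomalyEndDate": "2025-01-06T00:00:00Z",
            "anomalyScore": {"currentScore": 0.91, "maxScore": 0.93},
            "impact": {"totalActualSpend": 1530.12, "totalExpectedSpend": 410.0,
                       "totalImpact": 1120.12, "totalImpactPercentage": 273.2},
            "monitorName": "cdap-services",
            "rootCauses": [{"service": "Amazon Elastic Compute Cloud - Compute",
                            "region": "us-east-1", "linkedAccount": "111122223333",
                            "linkedAccountName": "dpc-dev <!channel>"}],
            "anomalyDetailsLink": "https://console.aws.amazon.com/cost-management/"
                                  "home#/anomaly-detection/monitors/example-anomaly-id",
        }),
    },
}]}

_MRKDWN_ESCAPES = {"&": "&amp;", "<": "&lt;", ">": "&gt;"}


def escape_mrkdwn(text):
    """Escape Slack mrkdwn markup so that "<!channel>" or "<https://evil|aws>" inside
    an AWS-supplied name renders as text instead of a broadcast or disguised link."""
    return "".join(_MRKDWN_ESCAPES.get(ch, ch) for ch in str(text))


def parse_anomaly(event, expected_topic_arn=None):
    """Return the alert payload from a Lambda SNS event, failing closed on bad input.
    expected_topic_arn is defence in depth on top of the function's resource policy."""
    records = event.get("Records") or []
    if len(records) != 1 or records[0].get("EventSource") != "aws:sns":
        raise ValueError("expected exactly one aws:sns record")
    sns = records[0].get("Sns") or {}
    if expected_topic_arn and sns.get("TopicArn") != expected_topic_arn:
        raise ValueError("record did not come from the cost anomaly topic")
    try:
        payload = json.loads(sns["Message"])
    except (KeyError, TypeError, ValueError) as exc:
        raise ValueError(f"SNS Message is not JSON: {exc}") from exc
    required = ("accountId", "monitorName", "impact", "anomalyScore")
    if not isinstance(payload, dict) or any(k not in payload for k in required):
        raise ValueError(f"alert is not an object with {required}")
    return payload


def format_slack_message(payload):
    """Render the alert as Block Kit for an incoming webhook. The header block is
    plain_text, which Slack never parses as mrkdwn; every mrkdwn field is escaped."""
    impact, score = payload["impact"], payload["anomalyScore"]
    headline = (f"Cost anomaly in account {payload['accountId']} "
                f"(monitor {payload['monitorName']})")
    details = (
        f"*Total impact:* ${float(impact.get('totalImpact', 0)):,.2f} "
        f"({float(impact.get('totalImpactPercentage', 0)):.1f}% over expected)\n"
        f"*Actual / expected spend:* ${float(impact.get('totalActualSpend', 0)):,.2f}"
        f" / ${float(impact.get('totalExpectedSpend', 0)):,.2f}\n"
        f"*Anomaly score:* {float(score.get('currentScore', 0)):.2f}\n"
        f"*Period:* {escape_mrkdwn(payload.get('anomalyStartDate', '?'))} to "
        f"{escape_mrkdwn(payload.get('anomalyEndDate', '?'))}")
    causes = ["• " + " / ".join(escape_mrkdwn(c[k]) for k in
              ("service", "region", "linkedAccountName", "usageType") if k in c)
              for c in payload.get("rootCauses") or []] or ["• (no root cause reported)"]
    blocks = [
        {"type": "header", "text": {"type": "plain_text", "text": headline}},
        {"type": "section", "text": {"type": "mrkdwn", "text": details}},
        {"type": "section", "text": {"type": "mrkdwn",
                                     "text": "*Root causes:*\n" + "\n".join(causes)}},
    ]
    link = str(payload.get("anomalyDetailsLink", ""))
    # Only link into the AWS console, and never let a crafted URL close the <url|label> syntax.
    if link.startswith("https://console.aws.amazon.com/") and not set("<>|") & set(link):
        blocks.append({"type": "section", "text": {
            "type": "mrkdwn", "text": f"<{link}|Open in Cost Anomaly Detection>"}})
    return {"text": escape_mrkdwn(headline), "blocks": blocks}  # fallback text is mrkdwn


def handler(event, context):
    """Lambda entry point. SLACK_WEBHOOK_URL and COST_ANOMALY_TOPIC_ARN are assumed
    environment variables; fetch the webhook URL from SSM or Secrets Manager, not code."""
    payload = parse_anomaly(event, os.environ.get("COST_ANOMALY_TOPIC_ARN"))
    body = json.dumps(format_slack_message(payload)).encode()
    req = urllib.request.Request(os.environ["SLACK_WEBHOOK_URL"], data=body,
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return {"status": resp.status}
```

Two deployment details pair with this code. The topic check inside `parse_anomaly` is only a backstop: the function's resource policy should restrict `lambda:InvokeFunction` to the cost anomaly topic ARN, and if that topic is encrypted with a customer-managed KMS key (as the DPC alarm topic in the commits above is), the function role needs `kms:Decrypt` on that key or deliveries fail with the same AccessDeniedException shown earlier on this page.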