terraform-google-services-monitoring/cert_manager.tf at 12e25d31bd0724b6db83d447d654f0269689da1c · sparkfabrik/terraform-google-services-monitoring · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
locals {
  cert_manager_project_id = var.cert_manager.project_id != null ? var.cert_manager.project_id : var.project_id
  cert_manager_alert_documentation = (
    var.cert_manager.alert_documentation != null
    ? var.cert_manager.alert_documentation
    : <<-EOT
      cert-manager is reporting that an Issuer or ClusterIssuer resource referenced by a Certificate cannot be found. This may indicate that the Issuer/ClusterIssuer has been deleted or is otherwise unavailable.
    EOT
  )
  cert_manager_notification_channels = var.cert_manager.notification_enabled ? (length(var.cert_manager.notification_channels) > 0 ? var.cert_manager.notification_channels : var.notification_channels) : []

  cert_manager_log_filter = <<-EOT
    (
      (
        resource.type="k8s_container"
        AND resource.labels.project_id="${local.cert_manager_project_id}"
        AND resource.labels.cluster_name="${var.cert_manager.cluster_name}"
        AND resource.labels.namespace_name="${var.cert_manager.namespace}"
      )
      OR (
        log_id("events")
        AND resource.labels.project_id="${local.cert_manager_project_id}"
        AND resource.labels.cluster_name="${var.cert_manager.cluster_name}"
        AND (
          jsonPayload.involvedObject.namespace="${var.cert_manager.namespace}"
          OR jsonPayload.metadata.namespace="${var.cert_manager.namespace}"
        )
      )
    )
    AND (
      textPayload=~"Referenced \"(Issuer|ClusterIssuer)\" not found"
      OR jsonPayload.message=~"Referenced \"(Issuer|ClusterIssuer)\" not found"
      OR jsonPayload.note=~"Referenced \"(Issuer|ClusterIssuer)\" not found"
    )
    ${trimspace(var.cert_manager.filter_extra)}
  EOT
}

resource "google_monitoring_alert_policy" "cert_manager_logmatch_alert" {
  count = (
    var.cert_manager.enabled
    && trimspace(var.cert_manager.cluster_name) != ""
    && var.cert_manager.cluster_name != null
  ) ? 1 : 0

  display_name = "cert-manager missing Issuer/ClusterIssuer (cluster=${var.cert_manager.cluster_name}, namespace=${var.cert_manager.namespace})"
  combiner     = "OR"
  enabled      = var.cert_manager.enabled

  conditions {
    display_name = "Log match: cert-manager Issuer/ClusterIssuer not found"
    condition_matched_log {
      filter = local.cert_manager_log_filter
    }
  }

  documentation {
    content   = local.cert_manager_alert_documentation
    mime_type = "text/markdown"
  }

  notification_channels = local.cert_manager_notification_channels

  alert_strategy {
    auto_close = "${var.cert_manager.auto_close_seconds}s"
    notification_rate_limit {
      period = var.cert_manager.logmatch_notification_rate_limit
    }
  }
}