feat: add cert-manager missing issuer log alert configuration and monitoring resource

filippolmt · filippolmt · commit 792e4acff9e1 · 2025-10-10T15:00:28.000+02:00
diff --git a/README.md b/README.md
@@ -33,6 +33,7 @@ Supported services:
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
+| <a name="input_certificate"></a> [certificate](#input\_certificate) | Configuration for cert-manager missing issuer log alert. Allows customization of project, cluster, namespace, notification channels, alert documentation, enablement, extra filters, auto-close timing, and notification rate limiting. | <pre>object({<br/>    enabled                          = optional(bool, true)<br/>    cluster_name                     = string<br/>    project_id                       = optional(string, null)<br/>    namespace                        = optional(string, "cert-manager")<br/>    notification_enabled             = optional(bool, true)<br/>    notification_channels            = optional(list(string), [])<br/>    logmatch_notification_rate_limit = optional(string, "300s")<br/>    alert_documentation              = optional(string, null)<br/>    auto_close_seconds               = optional(number, 3600)<br/>    filter_extra                     = optional(string, "")<br/>  })</pre> | n/a | yes |
 | <a name="input_cloud_sql"></a> [cloud\_sql](#input\_cloud\_sql) | Configuration for Cloud SQL monitoring alerts. Supports customization of project, auto-close timing, notification channels, and per-instance alert thresholds for CPU, memory, and disk utilization. | <pre>object({<br/>    project_id            = optional(string, null)<br/>    auto_close            = optional(string, "86400s") # default 24h<br/>    notification_enabled  = optional(bool, true)<br/>    notification_channels = optional(list(string), [])<br/>    instances = optional(map(object({<br/>      cpu_utilization = optional(list(object({<br/>        severity         = optional(string, "WARNING"),<br/>        threshold        = optional(number, 0.90)<br/>        alignment_period = optional(string, "120s")<br/>        duration         = optional(string, "300s")<br/>        })), [<br/>        {<br/>          threshold = 0.85,<br/>          duration  = "1200s",<br/>        },<br/>        {<br/>          severity         = "CRITICAL",<br/>          threshold        = 1,<br/>          duration         = "300s",<br/>          alignment_period = "60s",<br/>        }<br/>      ])<br/>      memory_utilization = optional(list(object({<br/>        severity         = optional(string, "WARNING"),<br/>        threshold        = optional(number, 0.90)<br/>        alignment_period = optional(string, "300s")<br/>        duration         = optional(string, "300s")<br/>        })), [<br/>        {<br/>          severity = "WARNING",<br/>        },<br/>        {<br/>          severity  = "CRITICAL",<br/>          threshold = 0.95,<br/>        }<br/>      ])<br/>      disk_utilization = optional(list(object({<br/>        severity         = optional(string, "WARNING"),<br/>        threshold        = optional(number, 0.85)<br/>        alignment_period = optional(string, "300s")<br/>        duration         = optional(string, "600s")<br/>        })), [<br/>        {<br/>          severity = "WARNING",<br/>        },<br/>        {<br/>          severity  = "CRITICAL",<br/>          threshold = 0.95,<br/>        }<br/>      ])<br/>    })), {})<br/>  })</pre> | n/a | yes |
 | <a name="input_kyverno"></a> [kyverno](#input\_kyverno) | Configuration for Kyverno monitoring alerts. Allows customization of cluster name, project, notification channels, alert documentation, metric thresholds, auto-close timing, enablement, extra filters, and namespace. | <pre>object({<br/>    enabled               = optional(bool, true)<br/>    cluster_name          = string<br/>    project_id            = optional(string, null)<br/>    notification_enabled  = optional(bool, true)<br/>    notification_channels = optional(list(string), [])<br/>    # Rate limit for notifications, e.g. "300s" for 5 minutes, used only for log match alerts<br/>    logmatch_notification_rate_limit = optional(string, "300s")<br/>    alert_documentation              = optional(string, null)<br/>    auto_close_seconds               = optional(number, 3600)<br/>    filter_extra                     = optional(string, "")<br/>    namespace                        = optional(string, "kyverno")<br/>  })</pre> | n/a | yes |
 | <a name="input_notification_channels"></a> [notification\_channels](#input\_notification\_channels) | List of notification channel IDs to notify when an alert is triggered | `list(string)` | `[]` | no |
@@ -50,6 +51,7 @@ Supported services:
 
 | Name | Type |
 |------|------|
+| [google_monitoring_alert_policy.certificate_logmatch_alert](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/monitoring_alert_policy) | resource |
 | [google_monitoring_alert_policy.cloud_sql_cpu_utilization](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/monitoring_alert_policy) | resource |
 | [google_monitoring_alert_policy.cloud_sql_disk_utilization](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/monitoring_alert_policy) | resource |
 | [google_monitoring_alert_policy.cloud_sql_memory_utilization](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/monitoring_alert_policy) | resource |
diff --git a/certificate_log_alert.tf b/certificate_log_alert.tf
@@ -0,0 +1,69 @@
+locals {
+  certificate_project_id = var.certificate.project_id != null ? var.certificate.project_id : var.project_id
+  certificate_alert_documentation = (
+    var.certificate.alert_documentation != null
+    ? var.certificate.alert_documentation
+    : <<-EOT
+      cert-manager is reporting that an Issuer or ClusterIssuer resource referenced by a Certificate cannot be found. This may indicate that the Issuer/ClusterIssuer has been deleted or is otherwise unavailable.
+    EOT
+  )
+  certificate_notification_channels = var.certificate.notification_enabled ? (length(var.certificate.notification_channels) > 0 ? var.certificate.notification_channels : var.notification_channels) : []
+
+  certificate_log_filter = <<-EOT
+    (
+      (
+        resource.type="k8s_container"
+        AND resource.labels.project_id="${local.certificate_project_id}"
+        AND resource.labels.cluster_name="${var.certificate.cluster_name}"
+        AND resource.labels.namespace_name="${var.certificate.namespace}"
+      )
+      OR (
+        log_id("events")
+        AND resource.labels.project_id="${local.certificate_project_id}"
+        AND resource.labels.cluster_name="${var.certificate.cluster_name}"
+        AND (
+          jsonPayload.involvedObject.namespace="${var.certificate.namespace}"
+          OR jsonPayload.metadata.namespace="${var.certificate.namespace}"
+        )
+      )
+    )
+    AND (
+      textPayload=~"Referenced \\"(Issuer|ClusterIssuer)\\" not found"
+      OR jsonPayload.message=~"Referenced \\"(Issuer|ClusterIssuer)\\" not found"
+      OR jsonPayload.note=~"Referenced \\"(Issuer|ClusterIssuer)\\" not found"
+    )
+    ${trimspace(var.certificate.filter_extra)}
+  EOT
+}
+
+resource "google_monitoring_alert_policy" "certificate_logmatch_alert" {
+  count = (
+    var.certificate.enabled
+    && trimspace(var.certificate.cluster_name) != ""
+  ) ? 1 : 0
+
+  display_name = "cert-manager missing Issuer/ClusterIssuer (cluster=${var.certificate.cluster_name}, namespace=${var.certificate.namespace})"
+  combiner     = "OR"
+  enabled      = var.certificate.enabled
+
+  conditions {
+    display_name = "Log match: cert-manager Issuer/ClusterIssuer not found"
+    condition_matched_log {
+      filter = local.certificate_log_filter
+    }
+  }
+
+  documentation {
+    content   = local.certificate_alert_documentation
+    mime_type = "text/markdown"
+  }
+
+  notification_channels = local.certificate_notification_channels
+
+  alert_strategy {
+    auto_close = "${var.certificate.auto_close_seconds}s"
+    notification_rate_limit {
+      period = var.certificate.logmatch_notification_rate_limit
+    }
+  }
+}
diff --git a/variables.tf b/variables.tf
@@ -82,3 +82,19 @@ variable "kyverno" {
     namespace                        = optional(string, "kyverno")
   })
 }
+
+variable "certificate" {
+  description = "Configuration for cert-manager missing issuer log alert. Allows customization of project, cluster, namespace, notification channels, alert documentation, enablement, extra filters, auto-close timing, and notification rate limiting."
+  type = object({
+    enabled                          = optional(bool, true)
+    cluster_name                     = string
+    project_id                       = optional(string, null)
+    namespace                        = optional(string, "cert-manager")
+    notification_enabled             = optional(bool, true)
+    notification_channels            = optional(list(string), [])
+    logmatch_notification_rate_limit = optional(string, "300s")
+    alert_documentation              = optional(string, null)
+    auto_close_seconds               = optional(number, 3600)
+    filter_extra                     = optional(string, "")
+  })
+}
