@7174Andy 7174Andy commented Nov 14, 2025

This pull request introduces enhanced monitoring and cost control features to the LabLink infrastructure, along with significant improvements to the documentation for deployment, configuration, and troubleshooting. The changes add AWS Budget and CloudTrail support for better cost tracking and auditing, and update the README.md to provide clearer instructions and references for users.

New Monitoring and Cost Control Features:

  • AWS Budget Resource:
    Adds a new aws_budgets_budget resource in budget.tf to enable monthly cost monitoring and alerting via email at configurable thresholds (50%, 80%, 100%, 150%), using values from the configuration file. This helps prevent unexpected AWS charges.

  • CloudTrail Logging and Auditing:
    Introduces a full CloudTrail setup in cloudtrail.tf, including an S3 bucket for log storage, encryption, bucket policies, a CloudWatch log group, IAM roles and policies for log streaming, and a multi-region CloudTrail resource. This enables detailed auditing and security monitoring for all AWS API activity.

Documentation and Usability Improvements:

  • Expanded Configuration Reference:
    Updates README.md to document the new monitoring section, including all monitoring, alerting, budget, and CloudTrail options. Also clarifies required fields and provides example configuration blocks.

These changes collectively improve the security, maintainability, and user experience of LabLink deployments.

@7174Andy 7174Andy requested a review from Copilot November 18, 2025 01:31
Copilot finished reviewing on behalf of 7174Andy November 18, 2025 01:33
Copilot AI left a comment

Pull Request Overview

This pull request introduces infrastructure monitoring and cost control capabilities to LabLink by adding AWS Budget tracking and CloudTrail audit logging. The changes include new Terraform resources for budget alerts, CloudTrail setup with S3 storage, CloudWatch alarms for security monitoring, and comprehensive documentation updates to guide users through the new monitoring features.

Key Changes:

  • AWS Budget resource with configurable thresholds (50%, 80%, 100%, 150%) and email notifications for cost tracking
  • Complete CloudTrail implementation with S3 bucket storage, CloudWatch log streaming, and IAM role configuration for audit logging
  • CloudWatch metric filters and alarms for monitoring instance launches, large instance types, and unauthorized API calls

Reviewed Changes

Copilot reviewed 10 out of 10 changed files in this pull request and generated 7 comments.

File | Description
lablink-infrastructure/budget.tf | Implements AWS Budgets with monthly cost limits and multi-threshold email notifications
lablink-infrastructure/cloudtrail.tf | Sets up CloudTrail with S3 storage, encryption, CloudWatch integration, and required IAM roles
lablink-infrastructure/cloudwatch_alarms.tf | Creates SNS topic, metric filters, and alarms for security monitoring of EC2 instances and API calls
lablink-infrastructure/README.md | Documents new monitoring configuration options, usage instructions, and adds formatting improvements
lablink-infrastructure/config/*.yaml | Adds monitoring configuration blocks to all environment config files with consistent structure

cost_filter {
name = "TagKeyValue"
values = [
"user:Environment$${var.resource_suffix}",

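Review bot: On the `values` entry, `$${` is Terraform's escape sequence for a literal `${`, so `var.resource_suffix` is never interpolated and the filter value is the literal text `user:Environment${var.resource_suffix}`, which will not match the intended `Environment` tag value. Build the string so the `$` delimiter and the variable reference stay separate, for example `format("user:Environment$%s", var.resource_suffix)` or `"user:Environment${"$"}${var.resource_suffix}"`, and confirm that `var.resource_suffix` holds exactly the value applied to the `Environment` tag.
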
Copilot AI Nov 18, 2025

The format for tag filters in AWS Budgets cost filters appears incorrect. The $ should be used as a delimiter between tag key and value, but in the current implementation it's being escaped with $$ and the format doesn't follow AWS convention.

According to AWS documentation, the tag filter should use format: user:TagKey$TagValue. The current line has:

  • user:Environment$${var.resource_suffix} - the $$ escaping is incorrect for this context

It should be:

"user:Environment$${var.resource_suffix}"

However, verify if this is intended for Terraform string interpolation. If the goal is to filter by Environment tag with a specific value, the format should be user:Environment$value where value is the actual environment name.

Suggested change
"user:Environment$${var.resource_suffix}",
"user:Environment${"$"}{var.resource_suffix}",

@7174Andy 7174Andy marked this pull request as ready for review November 18, 2025 05:28
@7174Andy 7174Andy linked an issue Nov 20, 2025 that may be closed by this pull request
27 tasks
@7174Andy 7174Andy requested a review from eberrigan November 21, 2025 19:48
Development

Successfully merging this pull request may close these issues.

Infrastructure Monitoring & Security Alerts for Allocator IAM Role
