feat: setup client error rate alarm (#609)

* feat: add client status history table and related configurations * feat: remove lambda function for updating IDP status in DynamoDB and S3 * terraform-docs: automated action * feat: rename workflow for deploying lambda update status --------- Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
pagopa · Jan 31, 2025 · 02926a4 · 02926a4
1 parent a51b6bf
commit 02926a4
Show file tree

Hide file tree

Showing 22 changed files with 452 additions and 157 deletions.
diff --git a/...flows/deploy-lambda-update-idp-status.yml → ...workflows/deploy-lambda-update-status.yml b/...flows/deploy-lambda-update-idp-status.yml → ...workflows/deploy-lambda-update-status.yml
@@ -1,11 +1,11 @@
-name: Deploy Lambda update idp status
+name: Deploy Lambda update status
 
 on:
   push:
     branches:
       - "main"
     paths:
-      - "**/src/oneid/oneid-lambda-update-idp-status/**"
+      - "**/src/oneid/oneid-lambda-update-status/**"
   workflow_dispatch:
     inputs:
       environment:
@@ -49,18 +49,18 @@ jobs:
         uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332
 
       - name: Zip Lambda
-        working-directory: src/oneid/oneid-lambda-update-idp-status
+        working-directory: src/oneid/oneid-lambda-update-status
         run: |
-          mkdir -p ./target && zip -r target/oneid-lambda-update-idp-status.zip . -x "*.dist-info/*" -x "target/*"
+          mkdir -p ./target && zip -r target/oneid-lambda-update-status.zip . -x "*.dist-info/*" -x "target/*"
 
       - name: Archive build artifacts
         uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808
         with:
-          name: update-idp-status-lambda
-          path: ./src/oneid/oneid-lambda-update-idp-status/target/oneid-lambda-update-idp-status.zip
+          name: update-status-lambda
+          path: ./src/oneid/oneid-lambda-update-status/target/oneid-lambda-update-status.zip
 
   deploy:
-    name: Deploy lambda update idp status ${{ matrix.environment }}-${{ matrix.region }}
+    name: Deploy lambda update status ${{ matrix.environment }}-${{ matrix.region }}
     if: ${{ needs.setup.outputs.matrix != '' }}
     runs-on: ubuntu-22.04
     needs: [ setup, build ]
@@ -80,8 +80,8 @@ jobs:
       - name: Download build artifacts
         uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e
         with:
-          name: update-idp-status-lambda
-          path: ./src/oneid/oneid-lambda-update-idp-status/target
+          name: update-status-lambda
+          path: ./src/oneid/oneid-lambda-update-status/target
 
       - name: Configure AWS Credentials
         uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502
@@ -91,10 +91,10 @@ jobs:
 
       - name: Update Lambda function (${{ matrix.environment }})
         run: |
-          aws s3 cp src/oneid/oneid-lambda-update-idp-status/target/oneid-lambda-update-idp-status.zip s3://${{vars.LAMBDA_CODE_BUCKET_NAME}}/${{vars.LAMBDA_UPDATE_IDP_STATUS_KEY}}
+          aws s3 cp src/oneid/oneid-lambda-update-status/target/oneid-lambda-update-status.zip s3://${{vars.LAMBDA_CODE_BUCKET_NAME}}/${{vars.LAMBDA_UPDATE_STATUS_KEY}}
 
       - name: Deploy Lambda function (${{ matrix.environment }})
         run: |
           aws lambda update-function-code \
-          --function-name oneid-${{ env.REGION_SHORT }}-${{ env.ENV_SHORT }}-update-idp-status \
-          --s3-bucket ${{vars.LAMBDA_CODE_BUCKET_NAME}} --s3-key ${{vars.LAMBDA_UPDATE_IDP_STATUS_KEY}}
+          --function-name oneid-${{ env.REGION_SHORT }}-${{ env.ENV_SHORT }}-update-status \
+          --s3-bucket ${{vars.LAMBDA_CODE_BUCKET_NAME}} --s3-key ${{vars.LAMBDA_UPDATE_STATUS_KEY}}
diff --git a/src/infra/dev/eu-south-1/README.md b/src/infra/dev/eu-south-1/README.md
@@ -147,7 +147,9 @@
 | <a name="input_aws_region"></a> [aws\_region](#input\_aws\_region) | AWS region to create resources. Default Milan | `string` | `"eu-south-1"` | no |
 | <a name="input_aws_region_short"></a> [aws\_region\_short](#input\_aws\_region\_short) | AWS region short format. | `string` | `"es-1"` | no |
 | <a name="input_cie_entity_id"></a> [cie\_entity\_id](#input\_cie\_entity\_id) | n/a | `string` | `"https://preproduzione.idserver.servizicie.interno.gov.it/idp/profile/SAML2/POST/SSO"` | no |
+| <a name="input_client_ids"></a> [client\_ids](#input\_client\_ids) | n/a | `list(string)` | <pre>[<br>  "bxMiPVktuZ5lBNbZYJ3ODosXL57ltrLp7BgyOkw-0v4"<br>]</pre> | no |
 | <a name="input_client_registrations_table"></a> [client\_registrations\_table](#input\_client\_registrations\_table) | Client configurations table. | <pre>object({<br>    point_in_time_recovery_enabled = optional(bool, false)<br>  })</pre> | <pre>{<br>  "point_in_time_recovery_enabled": false<br>}</pre> | no |
+| <a name="input_client_status_history_table"></a> [client\_status\_history\_table](#input\_client\_status\_history\_table) | Client Status History configurations table. | <pre>object({<br>    point_in_time_recovery_enabled = optional(bool, false)<br>  })</pre> | <pre>{<br>  "point_in_time_recovery_enabled": false<br>}</pre> | no |
 | <a name="input_dlq_alarms"></a> [dlq\_alarms](#input\_dlq\_alarms) | n/a | <pre>object({<br>    metric_name         = string<br>    namespace           = string<br>    threshold           = optional(number)<br>    evaluation_periods  = optional(number)<br>    period              = optional(number)<br>    statistic           = optional(string)<br>    comparison_operator = optional(string)<br>    sns_topic_alarm_arn = optional(list(string))<br>  })</pre> | <pre>{<br>  "comparison_operator": "GreaterThanThreshold",<br>  "evaluation_periods": 2,<br>  "metric_name": "ApproximateNumberOfMessagesVisible",<br>  "namespace": "AWS/SQS",<br>  "period": 300,<br>  "statistic": "Sum",<br>  "threshold": 0<br>}</pre> | no |
 | <a name="input_dlq_assertion_setting"></a> [dlq\_assertion\_setting](#input\_dlq\_assertion\_setting) | n/a | <pre>object({<br>    maximum_retry_attempts        = number<br>    maximum_record_age_in_seconds = number<br>  })</pre> | <pre>{<br>  "maximum_record_age_in_seconds": 259200,<br>  "maximum_retry_attempts": 3<br>}</pre> | no |
 | <a name="input_dns_record_ttl"></a> [dns\_record\_ttl](#input\_dns\_record\_ttl) | Dns record ttl (in sec) | `number` | `3600` | no |

diff --git a/src/infra/dev/eu-south-1/main.tf b/src/infra/dev/eu-south-1/main.tf
@@ -303,6 +303,11 @@ module "backend" {
     table_arn       = module.database.table_idp_status_history_arn
   }
 
+  dynamodb_table_clientStatus = {
+    gsi_pointer_arn = module.database.table_client_status_gsi_pointer_arn
+    table_arn       = module.database.table_client_status_history_arn
+  }
+
   is_gh_integration_lambda = {
     name                              = format("%s-is-gh-integration-lambda", local.project)
     filename                          = "${path.module}/../../hello-java/build/libs/hello-java-1.0-SNAPSHOT.jar"
@@ -311,8 +316,8 @@ module "backend" {
     environment_variables             = { LOG_LEVEL = var.app_log_level }
   }
 
-  update_idp_status_lambda = {
-    name                              = format("%s-update-idp-status", local.project)
+  update_status_lambda = {
+    name                              = format("%s-update-status", local.project)
     filename                          = "${path.module}/../../hello-python/lambda.zip"
     assets_bucket_arn                 = module.storage.assets_bucket_arn
     vpc_id                            = module.network.vpc_id
@@ -321,18 +326,26 @@ module "backend" {
     vpc_endpoint_dynamodb_prefix_id   = module.network.vpc_endpoints["dynamodb"]["prefix_list_id"]
     cloudwatch_logs_retention_in_days = var.lambda_cloudwatch_logs_retention_in_days
     environment_variables = {
-      LOG_LEVEL                 = var.app_log_level
-      IDP_STATUS_DYNAMODB_TABLE = module.database.table_idp_status_history_name
-      IDP_STATUS_DYNAMODB_IDX   = module.database.table_idp_status_history_idx_name
-      ASSETS_S3_BUCKET          = module.storage.assets_bucket_name
-      IDP_STATUS_S3_FILE_NAME   = "idp_status_history.json"
+      LOG_LEVEL                    = var.app_log_level
+      IDP_STATUS_DYNAMODB_TABLE    = module.database.table_idp_status_history_name
+      IDP_STATUS_DYNAMODB_IDX      = module.database.table_idp_status_history_idx_name
+      CLIENT_STATUS_DYNAMODB_TABLE = module.database.table_client_status_history_name
+      CLIENT_STATUS_DYNAMODB_IDX   = module.database.table_client_status_history_idx_name
+      ASSETS_S3_BUCKET             = module.storage.assets_bucket_name
+      IDP_STATUS_S3_FILE_NAME      = "idp_status_history.json"
+      CLIENT_STATUS_S3_FILE_NAME   = "client_status_history.json"
     }
   }
 
   idp_alarm = {
     entity_id = var.entity_id
     namespace = "${local.project}-core/ApplicationMetrics"
   }
+
+  client_alarm = {
+    client_id = var.client_ids
+    namespace = "${local.project}-core/ApplicationMetrics"
+  }
   ssm_cert_key = {}
 }
 
@@ -386,14 +399,18 @@ module "spid_validator" {
 }
 
 module "database" {
-  source                     = "../../modules/database"
-  sessions_table             = var.sessions_table
-  client_registrations_table = var.client_registrations_table
-  idp_metadata_table         = var.idp_metadata_table
-  idp_status_history_table   = var.idp_status_history_table
+  source                      = "../../modules/database"
+  sessions_table              = var.sessions_table
+  client_registrations_table  = var.client_registrations_table
+  idp_metadata_table          = var.idp_metadata_table
+  idp_status_history_table    = var.idp_status_history_table
+  client_status_history_table = var.client_status_history_table
   idp_entity_ids = {
     entity_id = var.entity_id
   }
+  client_ids = {
+    client_id = var.client_ids
+  }
 }
 
 

diff --git a/src/infra/dev/eu-south-1/variables.tf b/src/infra/dev/eu-south-1/variables.tf
@@ -226,6 +226,16 @@ variable "idp_status_history_table" {
   }
 }
 
+variable "client_status_history_table" {
+  type = object({
+    point_in_time_recovery_enabled = optional(bool, false)
+  })
+  description = "Client Status History configurations table."
+  default = {
+    point_in_time_recovery_enabled = false
+  }
+}
+
 variable "cie_entity_id" {
   type    = string
   default = "https://preproduzione.idserver.servizicie.interno.gov.it/idp/profile/SAML2/POST/SSO"
@@ -660,4 +670,9 @@ variable "entity_id" {
     "https://validator.dev.oneid.pagopa.it/demo",
     "https://koz3yhpkscymaqgp4m7ceguu6m0tffuz.lambda-url.eu-south-1.on.aws",
   ]
+}
+
+variable "client_ids" {
+  type    = list(string)
+  default = ["bxMiPVktuZ5lBNbZYJ3ODosXL57ltrLp7BgyOkw-0v4"]
 }
diff --git a/src/infra/modules/backend/README.md b/src/infra/modules/backend/README.md
@@ -153,8 +153,8 @@
 | <a name="module_security_group_lambda_client_registration"></a> [security\_group\_lambda\_client\_registration](#module\_security\_group\_lambda\_client\_registration) | terraform-aws-modules/security-group/aws | 4.17.2 |
 | <a name="module_security_group_lambda_idp_metadata"></a> [security\_group\_lambda\_idp\_metadata](#module\_security\_group\_lambda\_idp\_metadata) | terraform-aws-modules/security-group/aws | 4.17.2 |
 | <a name="module_security_group_lambda_metadata"></a> [security\_group\_lambda\_metadata](#module\_security\_group\_lambda\_metadata) | terraform-aws-modules/security-group/aws | 4.17.2 |
-| <a name="module_security_group_update_idp_status_lambda"></a> [security\_group\_update\_idp\_status\_lambda](#module\_security\_group\_update\_idp\_status\_lambda) | terraform-aws-modules/security-group/aws | 4.17.2 |
-| <a name="module_update_idp_status_lambda"></a> [update\_idp\_status\_lambda](#module\_update\_idp\_status\_lambda) | terraform-aws-modules/lambda/aws | 7.4.0 |
+| <a name="module_security_group_update_status_lambda"></a> [security\_group\_update\_status\_lambda](#module\_security\_group\_update\_status\_lambda) | terraform-aws-modules/security-group/aws | 4.17.2 |
+| <a name="module_update_status_lambda"></a> [update\_status\_lambda](#module\_update\_status\_lambda) | terraform-aws-modules/lambda/aws | 7.4.0 |
 
 ## Resources
 
@@ -196,7 +196,7 @@
 | [aws_iam_policy_document.idp_metadata_lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.is_gh_integration_lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.metadata_lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
-| [aws_iam_policy_document.update_idp_status_lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.update_status_lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_ssm_parameter.certificate](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ssm_parameter) | data source |
 | [aws_ssm_parameter.is_gh_integration_lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ssm_parameter) | data source |
 | [aws_ssm_parameter.key](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ssm_parameter) | data source |
@@ -213,6 +213,7 @@
 | <a name="input_client_registration_lambda"></a> [client\_registration\_lambda](#input\_client\_registration\_lambda) | n/a | <pre>object({<br>    name                              = string<br>    filename                          = string<br>    table_client_registrations_arn    = string<br>    cloudwatch_logs_retention_in_days = number<br>    vpc_id                            = string<br>    vpc_endpoint_dynamodb_prefix_id   = string<br>    vpc_subnet_ids                    = list(string)<br>    environment_variables             = map(string)<br>  })</pre> | n/a | yes |
 | <a name="input_dlq_alarms"></a> [dlq\_alarms](#input\_dlq\_alarms) | n/a | <pre>object({<br>    metric_name         = string<br>    namespace           = string<br>    threshold           = number<br>    evaluation_periods  = number<br>    period              = number<br>    statistic           = string<br>    comparison_operator = string<br>    sns_topic_alarm_arn = string<br>  })</pre> | n/a | yes |
 | <a name="input_dynamodb_clients_table_stream_arn"></a> [dynamodb\_clients\_table\_stream\_arn](#input\_dynamodb\_clients\_table\_stream\_arn) | n/a | `string` | `null` | no |
+| <a name="input_dynamodb_table_clientStatus"></a> [dynamodb\_table\_clientStatus](#input\_dynamodb\_table\_clientStatus) | Dynamodb table clientStatus arns | <pre>object({<br>    table_arn       = string<br>    gsi_pointer_arn = string<br>  })</pre> | n/a | yes |
 | <a name="input_dynamodb_table_idpMetadata"></a> [dynamodb\_table\_idpMetadata](#input\_dynamodb\_table\_idpMetadata) | Dynamodb table idpMetadata anrs | <pre>object({<br>    table_arn       = string<br>    gsi_pointer_arn = string<br>  })</pre> | n/a | yes |
 | <a name="input_dynamodb_table_idpStatus"></a> [dynamodb\_table\_idpStatus](#input\_dynamodb\_table\_idpStatus) | Dynamodb table idpStatus arns | <pre>object({<br>    table_arn       = string<br>    gsi_pointer_arn = string<br>  })</pre> | n/a | yes |
 | <a name="input_dynamodb_table_sessions"></a> [dynamodb\_table\_sessions](#input\_dynamodb\_table\_sessions) | Dynamodb table sessions anrs | <pre>object({<br>    table_arn    = string<br>    gsi_code_arn = string<br>  })</pre> | n/a | yes |
@@ -229,7 +230,7 @@
 | <a name="input_idp_metadata_lambda"></a> [idp\_metadata\_lambda](#input\_idp\_metadata\_lambda) | n/a | <pre>object({<br>    name                              = string<br>    filename                          = string<br>    environment_variables             = map(string)<br>    s3_idp_metadata_bucket_arn        = string<br>    s3_idp_metadata_bucket_id         = string<br>    vpc_id                            = string<br>    vpc_subnet_ids                    = list(string)<br>    vpc_s3_prefix_id                  = string<br>    cloudwatch_logs_retention_in_days = number<br>  })</pre> | n/a | yes |
 | <a name="input_is_gh_integration_lambda"></a> [is\_gh\_integration\_lambda](#input\_is\_gh\_integration\_lambda) | n/a | <pre>object({<br>    name                              = string<br>    filename                          = string<br>    sns_topic_arn                     = optional(string, null)<br>    cloudwatch_logs_retention_in_days = string<br>    ssm_parameter_name                = optional(string, "GH_PERSONAL_ACCESS_TOKEN")<br>    environment_variables             = map(string)<br>  })</pre> | n/a | yes |
 | <a name="input_kms_rotation_period_in_days"></a> [kms\_rotation\_period\_in\_days](#input\_kms\_rotation\_period\_in\_days) | n/a | `number` | `365` | no |
-| <a name="input_kms_sessions_table_alias_arn"></a> [kms\_sessions\_table\_alias\_arn](#input\_kms\_sessions\_table\_alias\_arn) | Kms key used to encrypt and dectypt session table. | `string` | n/a | yes |
+| <a name="input_kms_sessions_table_alias_arn"></a> [kms\_sessions\_table\_alias\_arn](#input\_kms\_sessions\_table\_alias\_arn) | Kms key used to encrypt and decrypt session table. | `string` | n/a | yes |
 | <a name="input_kms_ssm_enable_rotation"></a> [kms\_ssm\_enable\_rotation](#input\_kms\_ssm\_enable\_rotation) | n/a | `bool` | `true` | no |
 | <a name="input_lambda_alarms"></a> [lambda\_alarms](#input\_lambda\_alarms) | n/a | <pre>map(object({<br>    metric_name         = string<br>    namespace           = string<br>    threshold           = number<br>    evaluation_periods  = number<br>    period              = number<br>    statistic           = string<br>    comparison_operator = string<br>    sns_topic_alarm_arn = string<br>    treat_missing_data  = string<br>  }))</pre> | n/a | yes |
 | <a name="input_lambda_client_registration_trigger_enabled"></a> [lambda\_client\_registration\_trigger\_enabled](#input\_lambda\_client\_registration\_trigger\_enabled) | n/a | `bool` | `true` | no |
@@ -242,7 +243,7 @@
 | <a name="input_ssm_cert_key"></a> [ssm\_cert\_key](#input\_ssm\_cert\_key) | TODO fix name | <pre>object({<br>    cert_pem = optional(string, "cert.pem")<br>    key_pem  = optional(string, "key.pem")<br>  })</pre> | n/a | yes |
 | <a name="input_switch_region_enabled"></a> [switch\_region\_enabled](#input\_switch\_region\_enabled) | n/a | `bool` | `false` | no |
 | <a name="input_table_client_registrations_arn"></a> [table\_client\_registrations\_arn](#input\_table\_client\_registrations\_arn) | Dynamodb table client registrations arn. | `string` | n/a | yes |
-| <a name="input_update_idp_status_lambda"></a> [update\_idp\_status\_lambda](#input\_update\_idp\_status\_lambda) | n/a | <pre>object({<br>    name                              = string<br>    filename                          = string<br>    assets_bucket_arn                 = string<br>    cloudwatch_logs_retention_in_days = string<br>    environment_variables             = map(string)<br>    vpc_s3_prefix_id                  = string<br>    vpc_endpoint_dynamodb_prefix_id   = string<br>    vpc_subnet_ids                    = list(string)<br>    vpc_id                            = string<br>  })</pre> | n/a | yes |
+| <a name="input_update_status_lambda"></a> [update\_status\_lambda](#input\_update\_status\_lambda) | n/a | <pre>object({<br>    name                              = string<br>    filename                          = string<br>    assets_bucket_arn                 = string<br>    cloudwatch_logs_retention_in_days = string<br>    environment_variables             = map(string)<br>    vpc_s3_prefix_id                  = string<br>    vpc_endpoint_dynamodb_prefix_id   = string<br>    vpc_subnet_ids                    = list(string)<br>    vpc_id                            = string<br>  })</pre> | n/a | yes |
 | <a name="input_vpc_cidr_block"></a> [vpc\_cidr\_block](#input\_vpc\_cidr\_block) | VPC cidr block. | `string` | n/a | yes |
 | <a name="input_vpc_id"></a> [vpc\_id](#input\_vpc\_id) | VPC id | `string` | n/a | yes |