MLPAB-1993 - Delete the container insights log group when the PR environment is destroyed (#1106)

* add command to delete out-of-state resource for PR environment

* only create log groups for RUM on certain environments
andrewpearce-digital authored Mar 11, 2024
1 parent 1810d3d commit 03f9a5b
Showing 8 changed files with 26 additions and 8 deletions.
3 changes: 3 additions & 0 deletions .github/workflows/workflow_destroy_pr_environment.yml
Expand Up @@ -95,3 +95,6 @@ jobs:
- name: Remove protection for environment workspace
run: |
terraform-workspace-manager -register-workspace=${{ needs.generate_environment_workspace_name.outputs.environment_workspace_name }} -time-to-protect=0 -aws-account-id=653761790766 -aws-iam-role=modernising-lpa-ci
- name: Remove container insights log group
run: |
aws logs delete-log-group --log-group-name /aws/ecs/containerinsights/${{ needs.generate_environment_workspace_name.outputs.environment_workspace_name }}-eu-west-1/performance
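Review bot: the new `aws logs delete-log-group` step will fail the job whenever the log group is absent, because the call returns ResourceNotFoundException if Container Insights never wrote to the group or the workflow is re-run after a partial destroy. Consider checking for the group first with `aws logs describe-log-groups --log-group-name-prefix` or tolerating only that error. The command also carries no `--region` even though the name hard-codes `-eu-west-1`, so it depends on whatever default region the job has configured; passing `--region eu-west-1` makes that explicit. Separately, the `${{ needs.generate_environment_workspace_name.outputs.environment_workspace_name }}` expression is expanded straight into the shell line; passing it through `env:` and quoting the variable keeps the value from being interpreted by the shell.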
2 changes: 1 addition & 1 deletion terraform/environment/README.md
Expand Up @@ -173,7 +173,7 @@ For terraform_environment, this will be based on your PR and can be found in the
|------|-------------|------|---------|:--------:|
| <a name="input_container_version"></a> [container\_version](#input\_container\_version) | n/a | `string` | `"latest"` | no |
| <a name="input_default_role"></a> [default\_role](#input\_default\_role) | n/a | `string` | `"modernising-lpa-ci"` | no |
| <a name="input_environments"></a> [environments](#input\_environments) | n/a | <pre>map(<br> object({<br> account_id = string<br> account_name = string<br> is_production = bool<br> regions = list(string)<br> app = object({<br> env = object({<br> app_public_url = string<br> auth_redirect_base_url = string<br> notify_is_production = string<br> onelogin_url = string<br> })<br> autoscaling = object({<br> minimum = number<br> maximum = number<br> })<br> dependency_health_check_alarm_enabled = bool<br> service_health_check_alarm_enabled = bool<br> cloudwatch_application_insights_enabled = bool<br> fault_injection_experiments_enabled = bool<br> })<br> mock_onelogin_enabled = bool<br> uid_service = object({<br> base_url = string<br> api_arns = list(string)<br> })<br> lpa_store_service = object({<br> base_url = string<br> api_arns = list(string)<br> })<br> backups = object({<br> backup_plan_enabled = bool<br> copy_action_enabled = bool<br> })<br> dynamodb = object({<br> region_replica_enabled = bool<br> stream_enabled = bool<br> })<br> ecs = object({<br> fargate_spot_capacity_provider_enabled = bool<br><br> })<br> cloudwatch_log_groups = object({<br> application_log_retention_days = number<br> })<br> application_load_balancer = object({<br> deletion_protection_enabled = bool<br> })<br> cloudwatch_application_insights_enabled = bool<br> pagerduty_service_name = string<br> event_bus = object({<br> target_event_bus_arn = string<br> receive_account_ids = list(string)<br> })<br> reduced_fees = object({<br> enabled = bool<br> s3_object_replication_enabled = bool<br> target_environment = string<br> destination_account_id = string<br> enable_s3_batch_job_replication_scheduler = bool<br> })<br> s3_antivirus_provisioned_concurrency = number<br> })<br> )</pre> | n/a | yes |
| <a name="input_environments"></a> [environments](#input\_environments) | n/a | <pre>map(<br> object({<br> account_id = string<br> account_name = string<br> is_production = bool<br> regions = list(string)<br> app = object({<br> env = object({<br> app_public_url = string<br> auth_redirect_base_url = string<br> notify_is_production = string<br> onelogin_url = string<br> })<br> autoscaling = object({<br> minimum = number<br> maximum = number<br> })<br> dependency_health_check_alarm_enabled = bool<br> service_health_check_alarm_enabled = bool<br> cloudwatch_application_insights_enabled = bool<br> fault_injection_experiments_enabled = bool<br> real_user_monitoring_cw_logs_enabled = bool<br> })<br> mock_onelogin_enabled = bool<br> uid_service = object({<br> base_url = string<br> api_arns = list(string)<br> })<br> lpa_store_service = object({<br> base_url = string<br> api_arns = list(string)<br> })<br> backups = object({<br> backup_plan_enabled = bool<br> copy_action_enabled = bool<br> })<br> dynamodb = object({<br> region_replica_enabled = bool<br> stream_enabled = bool<br> })<br> ecs = object({<br> fargate_spot_capacity_provider_enabled = bool<br><br> })<br> cloudwatch_log_groups = object({<br> application_log_retention_days = number<br> })<br> application_load_balancer = object({<br> deletion_protection_enabled = bool<br> })<br> cloudwatch_application_insights_enabled = bool<br> pagerduty_service_name = string<br> event_bus = object({<br> target_event_bus_arn = string<br> receive_account_ids = list(string)<br> })<br> reduced_fees = object({<br> enabled = bool<br> s3_object_replication_enabled = bool<br> target_environment = string<br> destination_account_id = string<br> enable_s3_batch_job_replication_scheduler = bool<br> })<br> s3_antivirus_provisioned_concurrency = number<br> })<br> )</pre> | n/a | yes |
| <a name="input_pagerduty_api_key"></a> [pagerduty\_api\_key](#input\_pagerduty\_api\_key) | n/a | `string` | n/a | yes |
| <a name="input_public_access_enabled"></a> [public\_access\_enabled](#input\_public\_access\_enabled) | n/a | `bool` | `false` | no |
1 change: 1 addition & 0 deletions terraform/environment/region/README.md
Expand Up @@ -121,6 +121,7 @@ This module creates the regional resources for an environment.
| <a name="input_mock_onelogin_service_repository_url"></a> [mock\_onelogin\_service\_repository\_url](#input\_mock\_onelogin\_service\_repository\_url) | Repository URL for the mock-onelogin service | `string` | n/a | yes |
| <a name="input_pagerduty_service_name"></a> [pagerduty\_service\_name](#input\_pagerduty\_service\_name) | Name of the PagerDuty service to use for alerts | `string` | n/a | yes |
| <a name="input_public_access_enabled"></a> [public\_access\_enabled](#input\_public\_access\_enabled) | Enable access to the Modernising LPA service from the public internet | `bool` | n/a | yes |
| <a name="input_real_user_monitoring_cw_logs_enabled"></a> [real\_user\_monitoring\_cw\_logs\_enabled](#input\_real\_user\_monitoring\_cw\_logs\_enabled) | Enable CloudWatch logging for Real User Monitoring | `bool` | n/a | yes |
| <a name="input_receive_account_ids"></a> [receive\_account\_ids](#input\_receive\_account\_ids) | IDs of accounts to receive messages from | `list(string)` | `[]` | no |
| <a name="input_reduced_fees"></a> [reduced\_fees](#input\_reduced\_fees) | n/a | <pre>object({<br> s3_object_replication_enabled = bool<br> target_environment = string<br> destination_account_id = string<br> enable_s3_batch_job_replication_scheduler = bool<br> })</pre> | n/a | yes |
| <a name="input_s3_antivirus_provisioned_concurrency"></a> [s3\_antivirus\_provisioned\_concurrency](#input\_s3\_antivirus\_provisioned\_concurrency) | Number of concurrent executions to provision for Lambda | `number` | `0` | no |
2 changes: 1 addition & 1 deletion terraform/environment/region/rum_monitoring.tf
Expand Up @@ -39,7 +39,7 @@ data "aws_secretsmanager_secret_version" "rum_monitor_identity_pool_id" {
resource "aws_rum_app_monitor" "main" {
name = data.aws_default_tags.current.tags.environment-name
domain = aws_route53_record.app.name
cw_log_enabled = true
cw_log_enabled = var.real_user_monitoring_cw_logs_enabled
app_monitor_configuration {
allow_cookies = true
enable_xray = true
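Review bot: replacing `cw_log_enabled = true` with the variable stops new RUM log delivery for environments that set it to `false`, but nothing in this hunk removes a log group that was already created for an existing app monitor while the value was `true`. Please confirm whether those groups are left behind after the next apply and, if so, note how they are cleaned up, since the workflow step added in this commit only targets the container insights group.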
5 changes: 5 additions & 0 deletions terraform/environment/region/variables.tf
Expand Up @@ -166,3 +166,8 @@ variable "search_collection_arn" {
description = "ARN of the OpenSearch collection to use"
nullable = true
}

variable "real_user_monitoring_cw_logs_enabled" {
type = bool
description = "Enable CloudWatch logging for Real User Monitoring"
}
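Review bot: the new `real_user_monitoring_cw_logs_enabled` variable accepts `null`, because it declares neither a default nor `nullable = false`, and a null would be passed through to `cw_log_enabled` and silently fall back to the provider default. Adding `nullable = false` makes the caller's intent explicit. The description could also say that this controls whether RUM telemetry is copied into CloudWatch Logs, so whoever enables it knows that session data will be retained there.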
2 changes: 2 additions & 0 deletions terraform/environment/regions.tf
Expand Up @@ -66,6 +66,7 @@ module "eu_west_1" {
fault_injection_experiments_enabled = local.environment.app.fault_injection_experiments_enabled
search_endpoint = aws_opensearchserverless_collection.lpas_collection.collection_endpoint
search_collection_arn = aws_opensearchserverless_collection.lpas_collection.arn
real_user_monitoring_cw_logs_enabled = local.environment.app.real_user_monitoring_cw_logs_enabled
providers = {
aws.region = aws.eu_west_1
aws.global = aws.global
Expand Down Expand Up @@ -128,6 +129,7 @@ module "eu_west_2" {
fault_injection_experiments_enabled = local.environment.app.fault_injection_experiments_enabled
search_endpoint = null
search_collection_arn = null
real_user_monitoring_cw_logs_enabled = local.environment.app.real_user_monitoring_cw_logs_enabled
providers = {
aws.region = aws.eu_west_2
aws.global = aws.global
18 changes: 12 additions & 6 deletions terraform/environment/terraform.tfvars.json
Expand Up @@ -21,7 +21,8 @@
"dependency_health_check_alarm_enabled": false,
"service_health_check_alarm_enabled": false,
"cloudwatch_application_insights_enabled": false,
"fault_injection_experiments_enabled": false
"fault_injection_experiments_enabled": false,
"real_user_monitoring_cw_logs_enabled": false
},
"mock_onelogin_enabled": false,
"uid_service": {
Expand Down Expand Up @@ -97,7 +98,8 @@
"dependency_health_check_alarm_enabled": true,
"service_health_check_alarm_enabled": true,
"cloudwatch_application_insights_enabled": true,
"fault_injection_experiments_enabled": false
"fault_injection_experiments_enabled": false,
"real_user_monitoring_cw_logs_enabled": true
},
"mock_onelogin_enabled": true,
"uid_service": {
Expand Down Expand Up @@ -173,7 +175,8 @@
"dependency_health_check_alarm_enabled": false,
"service_health_check_alarm_enabled": false,
"cloudwatch_application_insights_enabled": false,
"fault_injection_experiments_enabled": false
"fault_injection_experiments_enabled": false,
"real_user_monitoring_cw_logs_enabled": false
},
"mock_onelogin_enabled": true,
"uid_service": {
Expand Down Expand Up @@ -249,7 +252,8 @@
"dependency_health_check_alarm_enabled": false,
"service_health_check_alarm_enabled": false,
"cloudwatch_application_insights_enabled": true,
"fault_injection_experiments_enabled": false
"fault_injection_experiments_enabled": false,
"real_user_monitoring_cw_logs_enabled": true
},
"mock_onelogin_enabled": true,
"uid_service": {
Expand Down Expand Up @@ -325,7 +329,8 @@
"dependency_health_check_alarm_enabled": false,
"service_health_check_alarm_enabled": false,
"cloudwatch_application_insights_enabled": true,
"fault_injection_experiments_enabled": false
"fault_injection_experiments_enabled": false,
"real_user_monitoring_cw_logs_enabled": true
},
"mock_onelogin_enabled": false,
"uid_service": {
Expand Down Expand Up @@ -401,7 +406,8 @@
"dependency_health_check_alarm_enabled": true,
"service_health_check_alarm_enabled": true,
"cloudwatch_application_insights_enabled": true,
"fault_injection_experiments_enabled": false
"fault_injection_experiments_enabled": false,
"real_user_monitoring_cw_logs_enabled": true
},
"mock_onelogin_enabled": false,
"uid_service": {
1 change: 1 addition & 0 deletions terraform/environment/variables.tf
Expand Up @@ -47,6 +47,7 @@ variable "environments" {
service_health_check_alarm_enabled = bool
cloudwatch_application_insights_enabled = bool
fault_injection_experiments_enabled = bool
real_user_monitoring_cw_logs_enabled = bool
})
mock_onelogin_enabled = bool
uid_service = object({
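Review bot: `real_user_monitoring_cw_logs_enabled = bool` is added to the `app` object as a required attribute, so any environment entry that omits it fails type checking at plan time. If the intent is for logging to be off unless explicitly enabled, declaring it as `optional(bool, false)` (Terraform 1.3 or later) gives new environments the quieter default and avoids having to touch every entry in `terraform.tfvars.json`.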