def add_insufficient_data_action(self, alarm):
alarm.add_insufficient_data_action(
cloudwatch_actions.SnsAction(self.topic))
def add_alarm_action(self, alarm):
alarm.add_alarm_action(cloudwatch_actions.SnsAction(self.topic))
def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
super().__init__(scope, id, **kwargs)
CLUSTER_NAME = self.node.try_get_context("cluster_name")
NOTIFY_EMAIL = self.node.try_get_context("notify_email")
SLACK_WEBHOOK_URL = self.node.try_get_context("webhook_url")
if not CLUSTER_NAME or not NOTIFY_EMAIL or not SLACK_WEBHOOK_URL:
logger.error(
f"Required context variables for {id} were not provided!")
else:
# Get the log group of our postgres instance
log_group = logs.LogGroup.from_log_group_name(
self,
"InAur01DetectionLogGroup",
f"/aws/rds/cluster/{CLUSTER_NAME}/postgresql",
)
# Create new metric
metric = cloudwatch.Metric(
namespace="LogMetrics",
metric_name="InAur01DetectionFailedDbLoginAttempts",
)
# Apply metric filter
# Filter all metrics of failed login attempts in log
logs.MetricFilter(
self,
"InAur01DetectionMetricFilter",
log_group=log_group,
metric_namespace=metric.namespace,
metric_name=metric.metric_name,
filter_pattern=logs.FilterPattern.all_terms(
"FATAL: password authentication failed for user"),
metric_value="1",
)
# Create new SNS topic
topic = sns.Topic(self, "InAur01DetectionTopic")
# Add email subscription
topic.add_subscription(subs.EmailSubscription(NOTIFY_EMAIL))
# Create new alarm for metric
# Alarm will trigger if there is >= 10 failed login attempts
# over a period of 30 seconds.
alarm = cloudwatch.Alarm(
self,
"InAur01DetectionAlarm",
metric=metric,
threshold=10,
evaluation_periods=1,
period=core.Duration.seconds(30),
datapoints_to_alarm=1,
statistic="sum",
)
# Add SNS action to alarm
alarm.add_alarm_action(cw_actions.SnsAction(topic))
# Create unban lambda
lambda_dir_path = os.path.join(os.getcwd(), "ir_cdk_stacks",
"in_aur_01")
unban_lambda = _lambda.Function(
self,
"InAur01ResponseUnbanFunction",
runtime=_lambda.Runtime.PYTHON_3_8,
handler="unban_lambda.lambda_handler",
code=_lambda.Code.from_asset(lambda_dir_path),
)
# Assign EC2 permissions to lambda
unban_lambda.add_to_role_policy(
iam.PolicyStatement(
actions=["ec2:DeleteNetworkAclEntry"],
effect=iam.Effect.ALLOW,
resources=["*"],
))
# Create stepfunction
# Define a second state machine to unban the blacklisted IP after 1 hour
wait_step = sfn.Wait(
self,
"InAur01ResponseStepWait",
time=sfn.WaitTime.duration(core.Duration.hours(1)),
)
unban_step = sfn.Task(
self,
"InAur01ResponseStepUnban",
task=tasks.RunLambdaTask(
unban_lambda,
integration_pattern=sfn.ServiceIntegrationPattern.
FIRE_AND_FORGET,
),
parameters={"Payload.$": "$"},
)
statemachine = sfn.StateMachine(
self,
"InAur01ResponseUnbanStateMachine",
definition=wait_step.next(unban_step),
timeout=core.Duration.hours(1.5),
)
# Create lambda function
lambda_func = _lambda.Function(
self,
"InAur01ResponseFunction",
runtime=_lambda.Runtime.PYTHON_3_8,
handler="response_lambda.lambda_handler",
code=_lambda.Code.from_asset(lambda_dir_path),
environment={
"webhook_url": SLACK_WEBHOOK_URL,
"unban_sm_arn": statemachine.state_machine_arn,
"cluster_name": CLUSTER_NAME,
},
)
# AWS CDK has a bug where it would not add the correct permission
# to the lambda for Cloudwatch log subscription to invoke it.
# Hence, we need to manually add permission to lambda.
lambda_func.add_permission(
"InAur01ResponseFunctionInvokePermission",
principal=iam.ServicePrincipal("logs.amazonaws.com"),
action="lambda:InvokeFunction",
source_arn=log_group.log_group_arn + ":*",
)
# Assign permissions to response lambda
lambda_func.add_to_role_policy(
iam.PolicyStatement(
actions=[
"states:StartExecution",
],
effect=iam.Effect.ALLOW,
resources=[statemachine.state_machine_arn],
))
# Assign RDS Read-only permissions to lambda
lambda_func.add_to_role_policy(
iam.PolicyStatement(
actions=["rds:Describe*"],
effect=iam.Effect.ALLOW,
resources=["*"],
))
# Assign EC2 permissions to lambda
lambda_func.add_to_role_policy(
iam.PolicyStatement(
actions=[
"ec2:Describe*",
"ec2:CreateNetworkAclEntry",
"ec2:DeleteNetworkAclEntry",
],
effect=iam.Effect.ALLOW,
resources=["*"],
))
# Assign CloudWatch logs permissions to lambda
lambda_func.add_to_role_policy(
iam.PolicyStatement(
actions=[
"cloudwatch:Get*",
"cloudwatch:Describe*",
"logs:FilterLogEvents",
"logs:DescribeMetricFilters",
],
effect=iam.Effect.ALLOW,
resources=["*"],
))
sns_event_source = lambda_event_sources.SnsEventSource(topic)
lambda_func.add_event_source(sns_event_source)
def __init__(self, scope: core.Construct, construct_id: str,
**kwargs) -> None:
super().__init__(scope, construct_id, **kwargs)
#sns topic for monitor
snstopic_monitor01 = aws_sns.Topic(self,
"MonitorSnsTopic",
display_name="monitor webapp",
topic_name="EC2Monitor")
#add subcriptions to sns
snstopic_monitor01.add_subscription(
aws_sns_subc.EmailSubscription("*****@*****.**"))
## vpc block ##
prod_config = self.node.try_get_context('envs')['prod']
custom_vpc = aws_ec2.Vpc(
self,
"CustomVpcID",
cidr=prod_config['vpc_config']['vpc_cidr'],
max_azs=2,
nat_gateways=1,
subnet_configuration=[
aws_ec2.SubnetConfiguration(
name="PublicSubnet",
cidr_mask=prod_config['vpc_config']['cidr_mask'],
subnet_type=aws_ec2.SubnetType.PUBLIC),
aws_ec2.SubnetConfiguration(
name="PrivateSubnet",
cidr_mask=prod_config['vpc_config']['cidr_mask'],
subnet_type=aws_ec2.SubnetType.PRIVATE),
aws_ec2.SubnetConfiguration(
name="DbSubnet",
cidr_mask=prod_config['vpc_config']['cidr_mask'],
subnet_type=aws_ec2.SubnetType.ISOLATED)
])
## end vpc block ##
## ec2 block ##
#import user-data scripts
with open("userdata_scripts/setup.sh", mode="r") as file:
user_data = file.read()
#get latest ami from any region
aws_linux_ami = aws_ec2.MachineImage.latest_amazon_linux(
generation=aws_ec2.AmazonLinuxGeneration.AMAZON_LINUX_2,
edition=aws_ec2.AmazonLinuxEdition.STANDARD,
storage=aws_ec2.AmazonLinuxStorage.EBS,
virtualization=aws_ec2.AmazonLinuxVirt.HVM)
#ec2
test_server = aws_ec2.Instance(
self,
"ec2id",
instance_type=aws_ec2.InstanceType(
instance_type_identifier="t2.micro"),
instance_name="TestServer01",
machine_image=aws_linux_ami,
vpc=custom_vpc,
vpc_subnets=aws_ec2.SubnetSelection(
subnet_type=aws_ec2.SubnetType.PUBLIC),
key_name="SAA-C01",
user_data=aws_ec2.UserData.custom(user_data))
#allow web traffic
test_server.connections.allow_from_any_ipv4(
aws_ec2.Port.tcp(80), description="allow web traffic")
# add permission to instances profile
test_server.role.add_managed_policy(
aws_iam.ManagedPolicy.from_aws_managed_policy_name(
"AmazonSSMManagedInstanceCore"))
test_server.role.add_managed_policy(
aws_iam.ManagedPolicy.from_aws_managed_policy_name(
"AmazonS3ReadOnlyAccess"))
## end ec2 block ##
## lambda block ##
#import function code
try:
with open("serverless_stack/functions/function.py",
mode="r") as file:
function_body = file.read()
except OSError:
print('File can not read')
#function
function_01 = aws_lambda.Function(
self,
"lambdafunction01",
function_name="LambdaTestCDK",
runtime=aws_lambda.Runtime.PYTHON_3_6,
handler="index.lambda_handler",
code=aws_lambda.InlineCode(function_body),
timeout=core.Duration.seconds(5),
reserved_concurrent_executions=1,
environment={
'LOG_LEVEL': 'INFO',
'AUTOMATION': 'SKON'
})
## end lambda block ##
## monitor block ##
#ec2 metric for cpu usage
ec2_metric_01 = aws_cw.Metric(
namespace="AWS/EC2",
metric_name="CPUUtilization",
dimensions={"InstanceID": test_server.instance_id},
period=core.Duration.minutes(5))
#under utilize alram ec2
low_cpu_ec2 = aws_cw.Alarm(
self,
"lowcpualram",
alarm_description="low cpu utilization",
alarm_name="Low-CPU-Alarm",
actions_enabled=True,
metric=ec2_metric_01,
threshold=10,
comparison_operator=aws_cw.ComparisonOperator.
LESS_THAN_OR_EQUAL_TO_THRESHOLD,
evaluation_periods=1,
datapoints_to_alarm=1,
period=core.Duration.minutes(5),
treat_missing_data=aws_cw.TreatMissingData.NOT_BREACHING)
#sns on ec2 alram
low_cpu_ec2.add_alarm_action(aws_cw_ats.SnsAction(snstopic_monitor01))
#Lambda alram
function_01_alarm = aws_cw.Alarm(self,
"LambdaAlarm",
metric=function_01.metric_errors(),
threshold=2,
evaluation_periods=1,
datapoints_to_alarm=1,
period=core.Duration.minutes(5))
#sns on lambda alarm
function_01_alarm.add_alarm_action(
aws_cw_ats.SnsAction(snstopic_monitor01))
def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
super().__init__(scope, id, **kwargs)
queue = sqs.Queue(self,
"StartProwlerScan",
receive_message_wait_time=core.Duration.seconds(20),
visibility_timeout=core.Duration.seconds(7200))
push_all_active_accounts_onto_queue_lambda_function = lambda_.Function(
self,
"PushAllActiveAccountsOntoQueue",
runtime=lambda_.Runtime.PYTHON_3_8,
code=lambda_.Code.asset("lambda/pushAllActiveActivesOntoQueue"),
handler="lambda_function.lambda_handler",
environment={"SQS_QUEUE_URL": queue.queue_url})
event_lambda_target = events_targets.LambdaFunction(
handler=push_all_active_accounts_onto_queue_lambda_function)
queue.grant_send_messages(
push_all_active_accounts_onto_queue_lambda_function)
schedule = events.Schedule.rate(core.Duration.days(1))
events.Rule(self,
"DailyTrigger",
schedule=schedule,
targets=[event_lambda_target])
vpc = ec2.Vpc(self, "Vpc")
cluster = ecs.Cluster(self, "Cluster", vpc=vpc)
logging = ecs.AwsLogDriver(stream_prefix="ProwlerTask",
log_retention=logs.RetentionDays.ONE_DAY)
results_bucket = s3.Bucket(self, "ResultsBucket")
dockerfile_directory = path.join(path.dirname(path.realpath(__file__)),
"docker")
image = ecr_assets.DockerImageAsset(self,
"ProwlerImageBuild",
directory=dockerfile_directory)
prowler_task = ecs.FargateTaskDefinition(self,
"ProwlerTaskDefinition",
cpu=256,
memory_limit_mib=512)
prowler_task.add_container(
"Prowler_image",
image=ecs.ContainerImage.from_docker_image_asset(image),
logging=logging,
environment={
"RESULTS_BUCKET": results_bucket.bucket_name,
"SQS_QUEUE_URL": queue.queue_url
})
task_role = prowler_task.task_role
task_role.add_managed_policy(
iam.ManagedPolicy.from_aws_managed_policy_name("ReadOnlyAccess"))
queue.grant(task_role, "sqs:DeleteMessage")
results_bucket.grant_put(task_role)
task_role.attach_inline_policy(
iam.Policy(self,
"AssumeRolePermissions",
statements=[
iam.PolicyStatement(actions=["sts:AssumeRole"],
effect=iam.Effect.ALLOW,
resources=["*"])
]))
run_fargate_task_lambda_function = lambda_.Function(
self,
"RunFargateTask",
runtime=lambda_.Runtime.PYTHON_3_8,
code=lambda_.Code.asset("lambda/runFargateTask"),
handler="lambda_function.lambda_handler",
environment={
"CLUSTER_ARN":
cluster.cluster_arn,
"SUBNET_IDS":
json.dumps(
[subnet.subnet_id for subnet in vpc.private_subnets]),
"QUEUE_URL":
queue.queue_url,
"TASK_DEFINITION_ARN":
prowler_task.task_definition_arn
})
queue.grant(run_fargate_task_lambda_function, "sqs:GetQueueAttributes")
sqs_alarm_topic = sns.Topic(self, "SqsAlarmTopic")
sqs_alarm_topic.grant_publish(run_fargate_task_lambda_function)
sqs_alarm_queue = sqs.Queue(
self,
"SqsAlarmQueue",
retention_period=core.Duration.days(14),
visibility_timeout=core.Duration.minutes(3))
sqs_alarm_topic.add_subscription(
sns_subscriptions.SqsSubscription(sqs_alarm_queue))
run_fargate_task_lambda_function.add_event_source(
lambda_event_sources.SqsEventSource(sqs_alarm_queue))
run_fargate_task_lambda_function.add_to_role_policy(
iam.PolicyStatement(actions=["ecs:RunTask"],
effect=iam.Effect.ALLOW,
resources=[prowler_task.task_definition_arn]))
run_fargate_task_lambda_function.add_to_role_policy(
iam.PolicyStatement(actions=["iam:PassRole"],
effect=iam.Effect.ALLOW,
resources=[
prowler_task.execution_role.role_arn,
prowler_task.task_role.role_arn
]))
sqs_ok_topic = sns.Topic(self, "SqsOkTopic")
clear_alarm_queue = lambda_.Function(
self,
"ClearAlarmQueue",
runtime=lambda_.Runtime.PYTHON_3_8,
code=lambda_.Code.asset("lambda/clearAlarmQueue"),
handler="lambda_function.lambda_handler",
environment={"QUEUE_URL": sqs_alarm_queue.queue_url})
clear_alarm_queue.add_event_source(
lambda_event_sources.SnsEventSource(sqs_ok_topic))
sqs_alarm_queue.grant(clear_alarm_queue, "sqs:DeleteMessage")
alarm = cloudwatch.Alarm(
self,
"FargateTaskTrigger",
metric=queue.metric_approximate_number_of_messages_visible(
period=core.Duration.seconds(60), statistic="max"),
evaluation_periods=1,
threshold=1,
alarm_description="Run a fargate task when there "
"are messages in the queue",
treat_missing_data=cloudwatch.TreatMissingData.IGNORE)
alarm.add_alarm_action(cloudwatch_actions.SnsAction(sqs_alarm_topic))
alarm.add_ok_action(cloudwatch_actions.SnsAction(sqs_ok_topic))
def __init__(self, scope: core.Construct, _id: str, **kwargs) -> None:
super().__init__(scope, _id, **kwargs)
# Setup SSM parameter of credentials, bucket_para, ignore_list
ssm_credential_para = ssm.StringParameter.from_secure_string_parameter_attributes(
self,
"ssm_parameter_credentials",
parameter_name=ssm_parameter_credentials,
version=1)
ssm_bucket_para = ssm.StringParameter(self,
"s3bucket_serverless",
string_value=json.dumps(
bucket_para, indent=4))
ssm_parameter_ignore_list = ssm.StringParameter(
self, "s3_migrate_ignore_list", string_value=ignore_list)
# Setup DynamoDB
ddb_file_list = ddb.Table(self,
"s3migrate_serverless",
partition_key=ddb.Attribute(
name="Key",
type=ddb.AttributeType.STRING),
billing_mode=ddb.BillingMode.PAY_PER_REQUEST)
ddb_file_list.add_global_secondary_index(
partition_key=ddb.Attribute(name="desBucket",
type=ddb.AttributeType.STRING),
index_name="desBucket-index",
projection_type=ddb.ProjectionType.INCLUDE,
non_key_attributes=["desKey", "versionId"])
# Setup SQS
sqs_queue_DLQ = sqs.Queue(self,
"s3migrate_serverless_Q_DLQ",
visibility_timeout=core.Duration.minutes(15),
retention_period=core.Duration.days(14))
sqs_queue = sqs.Queue(self,
"s3migrate_serverless_Q",
visibility_timeout=core.Duration.minutes(15),
retention_period=core.Duration.days(14),
dead_letter_queue=sqs.DeadLetterQueue(
max_receive_count=60, queue=sqs_queue_DLQ))
# Setup API for Lambda to get IP address (for debug networking routing purpose)
checkip = api.RestApi(
self,
"lambda-checkip-api",
cloud_watch_role=True,
deploy=True,
description="For Lambda get IP address",
default_integration=api.MockIntegration(
integration_responses=[
api.IntegrationResponse(status_code="200",
response_templates={
"application/json":
"$context.identity.sourceIp"
})
],
request_templates={"application/json": '{"statusCode": 200}'}),
endpoint_types=[api.EndpointType.REGIONAL])
checkip.root.add_method("GET",
method_responses=[
api.MethodResponse(
status_code="200",
response_models={
"application/json":
api.Model.EMPTY_MODEL
})
])
# Setup Lambda functions
handler = lam.Function(self,
"s3-migrate-worker",
code=lam.Code.asset("./lambda"),
handler="lambda_function_worker.lambda_handler",
runtime=lam.Runtime.PYTHON_3_8,
memory_size=1024,
timeout=core.Duration.minutes(15),
tracing=lam.Tracing.ACTIVE,
environment={
'table_queue_name':
ddb_file_list.table_name,
'Des_bucket_default': Des_bucket_default,
'Des_prefix_default': Des_prefix_default,
'StorageClass': StorageClass,
'checkip_url': checkip.url,
'ssm_parameter_credentials':
ssm_parameter_credentials,
'JobType': JobType,
'MaxRetry': MaxRetry,
'MaxThread': MaxThread,
'MaxParallelFile': MaxParallelFile,
'JobTimeout': JobTimeout,
'UpdateVersionId': UpdateVersionId,
'GetObjectWithVersionId':
GetObjectWithVersionId
})
handler_jobsender = lam.Function(
self,
"s3-migrate-jobsender",
code=lam.Code.asset("./lambda"),
handler="lambda_function_jobsender.lambda_handler",
runtime=lam.Runtime.PYTHON_3_8,
memory_size=1024,
timeout=core.Duration.minutes(15),
tracing=lam.Tracing.ACTIVE,
environment={
'table_queue_name': ddb_file_list.table_name,
'StorageClass': StorageClass,
'checkip_url': checkip.url,
'sqs_queue': sqs_queue.queue_name,
'ssm_parameter_credentials': ssm_parameter_credentials,
'ssm_parameter_ignore_list':
ssm_parameter_ignore_list.parameter_name,
'ssm_parameter_bucket': ssm_bucket_para.parameter_name,
'JobType': JobType,
'MaxRetry': MaxRetry,
'JobsenderCompareVersionId': JobsenderCompareVersionId
})
# Allow lambda read/write DDB, SQS
ddb_file_list.grant_read_write_data(handler)
ddb_file_list.grant_read_write_data(handler_jobsender)
sqs_queue.grant_send_messages(handler_jobsender)
# SQS trigger Lambda worker
handler.add_event_source(SqsEventSource(sqs_queue, batch_size=1))
# Option1: Create S3 Bucket, all new objects in this bucket will be transmitted by Lambda Worker
s3bucket = s3.Bucket(self, "s3_new_migrate")
s3bucket.grant_read(handler)
s3bucket.add_event_notification(s3.EventType.OBJECT_CREATED,
s3n.SqsDestination(sqs_queue))
# Option2: Allow Exist S3 Buckets to be read by Lambda functions.
# Lambda Jobsender will scan and compare the these buckets and trigger Lambda Workers to transmit
bucket_name = ''
for b in bucket_para:
if bucket_name != b['src_bucket']: # 如果列了多个相同的Bucket,就跳过
bucket_name = b['src_bucket']
s3exist_bucket = s3.Bucket.from_bucket_name(
self,
bucket_name, # 用这个做id
bucket_name=bucket_name)
s3exist_bucket.grant_read(handler_jobsender)
s3exist_bucket.grant_read(handler)
# Allow Lambda read ssm parameters
ssm_bucket_para.grant_read(handler_jobsender)
ssm_credential_para.grant_read(handler)
ssm_credential_para.grant_read(handler_jobsender)
ssm_parameter_ignore_list.grant_read(handler_jobsender)
# Schedule cron event to trigger Lambda Jobsender per hour:
event.Rule(self,
'cron_trigger_jobsender',
schedule=event.Schedule.rate(core.Duration.hours(1)),
targets=[target.LambdaFunction(handler_jobsender)])
# Create Lambda logs filter to create network traffic metric
handler.log_group.add_metric_filter(
"Complete-bytes",
metric_name="Complete-bytes",
metric_namespace="s3_migrate",
metric_value="$bytes",
filter_pattern=logs.FilterPattern.literal(
'[info, date, sn, p="--->Complete", bytes, key]'))
handler.log_group.add_metric_filter(
"Uploading-bytes",
metric_name="Uploading-bytes",
metric_namespace="s3_migrate",
metric_value="$bytes",
filter_pattern=logs.FilterPattern.literal(
'[info, date, sn, p="--->Uploading", bytes, key]'))
handler.log_group.add_metric_filter(
"Downloading-bytes",
metric_name="Downloading-bytes",
metric_namespace="s3_migrate",
metric_value="$bytes",
filter_pattern=logs.FilterPattern.literal(
'[info, date, sn, p="--->Downloading", bytes, key]'))
lambda_metric_Complete = cw.Metric(namespace="s3_migrate",
metric_name="Complete-bytes",
statistic="Sum",
period=core.Duration.minutes(1))
lambda_metric_Upload = cw.Metric(namespace="s3_migrate",
metric_name="Uploading-bytes",
statistic="Sum",
period=core.Duration.minutes(1))
lambda_metric_Download = cw.Metric(namespace="s3_migrate",
metric_name="Downloading-bytes",
statistic="Sum",
period=core.Duration.minutes(1))
handler.log_group.add_metric_filter(
"ERROR",
metric_name="ERROR-Logs",
metric_namespace="s3_migrate",
metric_value="1",
filter_pattern=logs.FilterPattern.literal('"ERROR"'))
handler.log_group.add_metric_filter(
"WARNING",
metric_name="WARNING-Logs",
metric_namespace="s3_migrate",
metric_value="1",
filter_pattern=logs.FilterPattern.literal('"WARNING"'))
# Task timed out
handler.log_group.add_metric_filter(
"TIMEOUT",
metric_name="TIMEOUT-Logs",
metric_namespace="s3_migrate",
metric_value="1",
filter_pattern=logs.FilterPattern.literal('"Task timed out"'))
log_metric_ERROR = cw.Metric(namespace="s3_migrate",
metric_name="ERROR-Logs",
statistic="Sum",
period=core.Duration.minutes(1))
log_metric_WARNING = cw.Metric(namespace="s3_migrate",
metric_name="WARNING-Logs",
statistic="Sum",
period=core.Duration.minutes(1))
log_metric_TIMEOUT = cw.Metric(namespace="s3_migrate",
metric_name="TIMEOUT-Logs",
statistic="Sum",
period=core.Duration.minutes(1))
# Dashboard to monitor SQS and Lambda
board = cw.Dashboard(self, "s3_migrate_serverless")
board.add_widgets(
cw.GraphWidget(title="Lambda-NETWORK",
left=[
lambda_metric_Download, lambda_metric_Upload,
lambda_metric_Complete
]),
# TODO: here monitor all lambda concurrency not just the working one. Limitation from CDK
# Lambda now supports monitor single lambda concurrency, will change this after CDK support
cw.GraphWidget(title="Lambda-all-concurrent",
left=[
handler.metric_all_concurrent_executions(
period=core.Duration.minutes(1))
]),
cw.GraphWidget(
title="Lambda-invocations/errors/throttles",
left=[
handler.metric_invocations(
period=core.Duration.minutes(1)),
handler.metric_errors(period=core.Duration.minutes(1)),
handler.metric_throttles(period=core.Duration.minutes(1))
]),
cw.GraphWidget(
title="Lambda-duration",
left=[
handler.metric_duration(period=core.Duration.minutes(1))
]),
)
board.add_widgets(
cw.GraphWidget(
title="SQS-Jobs",
left=[
sqs_queue.metric_approximate_number_of_messages_visible(
period=core.Duration.minutes(1)),
sqs_queue.
metric_approximate_number_of_messages_not_visible(
period=core.Duration.minutes(1))
]),
cw.GraphWidget(
title="SQS-DeadLetterQueue",
left=[
sqs_queue_DLQ.
metric_approximate_number_of_messages_visible(
period=core.Duration.minutes(1)),
sqs_queue_DLQ.
metric_approximate_number_of_messages_not_visible(
period=core.Duration.minutes(1))
]),
cw.GraphWidget(title="ERROR/WARNING Logs",
left=[log_metric_ERROR],
right=[log_metric_WARNING, log_metric_TIMEOUT]),
cw.SingleValueWidget(
title="Running/Waiting and Dead Jobs",
metrics=[
sqs_queue.
metric_approximate_number_of_messages_not_visible(
period=core.Duration.minutes(1)),
sqs_queue.metric_approximate_number_of_messages_visible(
period=core.Duration.minutes(1)),
sqs_queue_DLQ.
metric_approximate_number_of_messages_not_visible(
period=core.Duration.minutes(1)),
sqs_queue_DLQ.
metric_approximate_number_of_messages_visible(
period=core.Duration.minutes(1))
],
height=6))
# Alarm for queue - DLQ
alarm_DLQ = cw.Alarm(
self,
"SQS_DLQ",
metric=sqs_queue_DLQ.metric_approximate_number_of_messages_visible(
),
threshold=0,
comparison_operator=cw.ComparisonOperator.GREATER_THAN_THRESHOLD,
evaluation_periods=1,
datapoints_to_alarm=1)
alarm_topic = sns.Topic(self, "SQS queue-DLQ has dead letter")
alarm_topic.add_subscription(
subscription=sub.EmailSubscription(alarm_email))
alarm_DLQ.add_alarm_action(action.SnsAction(alarm_topic))
core.CfnOutput(self,
"Dashboard",
value="CloudWatch Dashboard name s3_migrate_serverless")