chore: grafana dash (#471)

* chore: grafana dash

add grafana dashboard for otp server

* chore: grafana switch

add switch to make grafana optional

* chore: tf config

keep config flexible

Author: jlangy

.github/workflows/publish-otp-provider-image.yml

@@ -28,6 +28,7 @@ jobs:
           CORS_ORIGINS=https://dev.sandbox.loginproxy.gov.bc.ca,https://test.sandbox.loginproxy.gov.bc.ca,https://sandbox.loginproxy.gov.bc.ca,https://sso-playground.apps.gold.devops.gov.bc.ca
           NODE_ENV=production
           HASH_SALT=${{ secrets.DEV_HASH_SALT }}
+          GRAFANA_ADMIN_PASS=${{secrets.DEV_GRAFANA_ADMIN_PASS}}
 
           EOF
       - name: Checkout repository
@@ -83,6 +84,8 @@ jobs:
           otp_attempts_allowed="5"
           otp_resends_allowed_per_day="4"
           otp_resend_interval_minutes="[1,2,5,60]"
+          grafana_admin_password="${{env.GRAFANA_ADMIN_PASS}}"
+          enable_grafana=true
           EOF
 
         working-directory: ./docker/otp-provider/terraform

docker/otp-provider/.gitignore

@@ -6,3 +6,7 @@ node_modules/
 /playwright-report/
 /blob-report/
 /playwright/.cache/
+
+# terraform
+.terraform
+**/*.tfvars

docker/otp-provider/terraform/alb.tf

@@ -41,3 +41,40 @@ resource "aws_alb_target_group" "this" {
   }
   tags = var.app_tags
 }
+
+# Grafana
+
+resource "aws_lb_target_group" "grafana" {
+  count       = var.enable_grafana ? 1 : 0
+  name        = "${var.app_name}-grafana"
+  port        = 3000
+  protocol    = "HTTP"
+  vpc_id      = data.aws_vpc.selected.id
+  target_type = "ip"
+
+  health_check {
+    path                = "/"
+    matcher             = "200-399"
+    interval            = 30
+    timeout             = 5
+    healthy_threshold   = 2
+    unhealthy_threshold = 2
+  }
+}
+
+resource "aws_alb_listener_rule" "grafana" {
+  count        = var.enable_grafana ? 1 : 0
+  listener_arn = aws_alb_listener.this.arn
+  priority     = 100
+
+  action {
+    type             = "forward"
+    target_group_arn = aws_lb_target_group.grafana[0].arn
+  }
+
+  condition {
+    path_pattern {
+      values = ["/grafana/*"]
+    }
+  }
+}

docker/otp-provider/terraform/api-gateway.tf

@@ -49,3 +49,22 @@ resource "aws_apigatewayv2_api_mapping" "this" {
   domain_name = aws_apigatewayv2_domain_name.this.id
   stage       = "$default"
 }
+
+# Grafana
+
+resource "aws_apigatewayv2_integration" "grafana" {
+  count              = var.enable_grafana ? 1 : 0
+  api_id             = aws_apigatewayv2_api.this.id
+  integration_type   = "HTTP_PROXY"
+  connection_id      = aws_apigatewayv2_vpc_link.this.id
+  connection_type    = "VPC_LINK"
+  integration_method = "ANY"
+  integration_uri    = aws_alb_listener.this.arn
+}
+
+resource "aws_apigatewayv2_route" "grafana" {
+  count     = var.enable_grafana ? 1 : 0
+  api_id    = aws_apigatewayv2_api.this.id
+  route_key = "ANY /grafana/{proxy+}"
+  target    = "integrations/${aws_apigatewayv2_integration.grafana[0].id}"
+}

docker/otp-provider/terraform/ecs.tf

@@ -213,3 +213,95 @@ resource "aws_ecs_service" "this" {
 data "aws_secretsmanager_secret_version" "this" {
   secret_id = aws_secretsmanager_secret.this.id
 }
+
+# Grafana
+
+resource "aws_ecs_cluster" "grafana" {
+  count = var.enable_grafana ? 1 : 0
+  name  = "grafana-cluster"
+}
+
+resource "aws_iam_role" "ecs_task_execution" {
+  count = var.enable_grafana ? 1 : 0
+  name  = "ecsTaskExecutionRole-grafana"
+
+  assume_role_policy = jsonencode({
+    Version = "2012-10-17",
+    Statement = [{
+      Action = "sts:AssumeRole",
+      Effect = "Allow",
+      Principal = {
+        Service = "ecs-tasks.amazonaws.com"
+      }
+    }]
+  })
+}
+
+resource "aws_iam_role_policy_attachment" "ecs_task_execution_attach" {
+  count      = var.enable_grafana ? 1 : 0
+  role       = aws_iam_role.ecs_task_execution[0].name
+  policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy"
+}
+
+resource "aws_ecs_task_definition" "grafana" {
+  count                    = var.enable_grafana ? 1 : 0
+  family                   = "grafana-task"
+  network_mode             = "awsvpc"
+  requires_compatibilities = ["FARGATE"]
+  # This is a lightweight image so running the minimum allowed fargate container
+  cpu    = "256"
+  memory = "512"
+
+  execution_role_arn = aws_iam_role.ecs_task_execution[0].arn
+
+  container_definitions = jsonencode([
+    {
+      name      = "grafana"
+      image     = "grafana/grafana:latest"
+      essential = true
+      portMappings = [
+        {
+          containerPort = 3000
+          protocol      = "tcp"
+        }
+      ]
+      environment = [
+        {
+          name  = "GF_SECURITY_ADMIN_PASSWORD"
+          value = var.grafana_admin_password
+        },
+        {
+          name  = "GF_SERVER_ROOT_URL"
+          value = "https://${var.custom_domain_name}/grafana/"
+        },
+        {
+          name  = "GF_SERVER_SERVE_FROM_SUB_PATH"
+          value = "true"
+        }
+      ]
+    }
+  ])
+}
+
+resource "aws_ecs_service" "grafana" {
+  count           = var.enable_grafana ? 1 : 0
+  name            = "grafana-service"
+  cluster         = aws_ecs_cluster.grafana[0].id
+  task_definition = aws_ecs_task_definition.grafana[0].arn
+  desired_count   = 1
+  launch_type     = "FARGATE"
+
+  network_configuration {
+    security_groups  = [data.aws_security_group.app.id]
+    subnets          = [data.aws_subnet.a.id, data.aws_subnet.b.id]
+    assign_public_ip = false
+  }
+
+  load_balancer {
+    target_group_arn = aws_lb_target_group.grafana[0].arn
+    container_name   = "grafana"
+    container_port   = 3000
+  }
+
+  depends_on = [aws_alb_listener_rule.grafana]
+}

docker/otp-provider/terraform/variables.tf

@@ -185,3 +185,13 @@ variable "otp_resend_interval_minutes" {
   type        = string
   default     = ""
 }
+
+variable "grafana_admin_password" {
+  sensitive = true
+  type      = string
+}
+
+variable "enable_grafana" {
+  type    = bool
+  default = true
+}