feat: [PAYMCLOUD-221] Update monitoring and AKS configs for non-prod …

…environments (#2786) Update monitoring and AKS configurations for non-prod environments Modified logic to enable monitoring and Prometheus metrics for non-prod environments. Disabled public network access for the Azure Monitor Workspace, updated API versions, and adjusted action group handling for production-specific settings. Also increased the minimum node count for UAT environments. Signed-off-by: Fabio Felici <[email protected]>
pagopa · Feb 12, 2025 · 5736ef3 · 5736ef3
1 parent 3a1201e
commit 5736ef3
Show file tree

Hide file tree

Showing 5 changed files with 30 additions and 16 deletions.
diff --git a/src/aks-platform/02_aks.tf b/src/aks-platform/02_aks.tf
@@ -21,8 +21,8 @@ module "aks" {
   oidc_issuer_enabled       = var.aks_enable_workload_identity
 
   ## Prometheus managed
-  # ff: enabled on DEV
-  enable_prometheus_monitor_metrics = var.env_short == "d" ? true : false
+  # ff: enabled on DEV/UAT
+  enable_prometheus_monitor_metrics = var.env_short != "p" ? true : false
 
   # ff: Enabled cost analysis on UAT/PROD
   cost_analysis_enabled = var.env_short != "d" ? true : false

diff --git a/src/aks-platform/05_monitoring.tf b/src/aks-platform/05_monitoring.tf
@@ -103,7 +103,7 @@ module "opencosts" {
 resource "kubernetes_manifest" "service_monitor" {
   count = var.env_short == "d" ? 1 : 0
   manifest = {
-    "apiVersion" : "monitoring.coreos.com/v1"
+    "apiVersion" : "azmonitoring.coreos.com/v1"
     "kind" : "ServiceMonitor"
     "metadata" : {
       "name" : "prometheus-opencosts"
@@ -136,20 +136,34 @@ resource "kubernetes_manifest" "service_monitor" {
 
 # Refer: Resource created on next-core 02_monitor.tf
 data "azurerm_monitor_workspace" "workspace" {
-  count               = var.env == "dev" ? 1 : 0
-  name                = "pagopa-${var.env_short}-${var.location}-monitor-workspace"
+  count               = var.env != "prod" ? 1 : 0
+  name                = "pagopa-${var.env_short}-monitor-workspace"
   resource_group_name = "pagopa-${var.env_short}-monitor-rg"
 }
 
 module "prometheus_managed_addon" {
-  count                  = var.env == "dev" ? 1 : 0
-  source                 = "git::https://github.com/pagopa/terraform-azurerm-v3.git//kubernetes_prometheus_managed?ref=v8.80.0"
+  count                  = var.env != "prod" ? 1 : 0
+  source                 = "git::https://github.com/pagopa/terraform-azurerm-v3.git//kubernetes_prometheus_managed?ref=v8.82.0"
   cluster_name           = module.aks.name
   resource_group_name    = module.aks.aks_resource_group_name
   location               = var.location
   monitor_workspace_name = data.azurerm_monitor_workspace.workspace.0.name
   monitor_workspace_rg   = data.azurerm_monitor_workspace.workspace.0.resource_group_name
   grafana_name           = "pagopa-${var.env_short}-${var.location_short}-grafana"
   grafana_resource_group = "pagopa-${var.env_short}-${var.location_short}-grafana-rg"
-  tags                   = var.tags
+
+  # takes a list and replaces any elements that are lists with a
+  # flattened sequence of the list contents.
+  # In this case, we enable OpsGenie only on prod env
+  action_groups_id = flatten([
+    [
+      data.azurerm_monitor_action_group.slack.id,
+      data.azurerm_monitor_action_group.email.id
+    ],
+    (var.env == "prod" ? [
+      data.azurerm_monitor_action_group.opsgenie.0.id
+    ] : [])
+  ])
+
+  tags = var.tags
 }
diff --git a/src/aks-platform/README.md b/src/aks-platform/README.md
@@ -22,7 +22,7 @@
 | <a name="module_monitoring_pod_identity"></a> [monitoring\_pod\_identity](#module\_monitoring\_pod\_identity) | git::https://github.com/pagopa/terraform-azurerm-v3.git//kubernetes_pod_identity | v8.53.0 |
 | <a name="module_nginx_ingress"></a> [nginx\_ingress](#module\_nginx\_ingress) | terraform-module/release/helm | 2.8.0 |
 | <a name="module_opencosts"></a> [opencosts](#module\_opencosts) | git::https://github.com/pagopa/terraform-azurerm-v3.git//kubernetes_opencosts | v8.71.0 |
-| <a name="module_prometheus_managed_addon"></a> [prometheus\_managed\_addon](#module\_prometheus\_managed\_addon) | git::https://github.com/pagopa/terraform-azurerm-v3.git//kubernetes_prometheus_managed | v8.80.0 |
+| <a name="module_prometheus_managed_addon"></a> [prometheus\_managed\_addon](#module\_prometheus\_managed\_addon) | git::https://github.com/pagopa/terraform-azurerm-v3.git//kubernetes_prometheus_managed | v8.82.0 |
 | <a name="module_tls_checker"></a> [tls\_checker](#module\_tls\_checker) | git::https://github.com/pagopa/terraform-azurerm-v3.git//tls_checker | v8.54.0 |
 | <a name="module_tls_checker_workload_identity_configuration"></a> [tls\_checker\_workload\_identity\_configuration](#module\_tls\_checker\_workload\_identity\_configuration) | git::https://github.com/pagopa/terraform-azurerm-v3.git//kubernetes_workload_identity_configuration | v8.54.0 |
 | <a name="module_tls_checker_workload_identity_init"></a> [tls\_checker\_workload\_identity\_init](#module\_tls\_checker\_workload\_identity\_init) | git::https://github.com/pagopa/terraform-azurerm-v3.git//kubernetes_workload_identity_init | v8.54.0 |

diff --git a/src/aks-platform/env/weu-uat/terraform.tfvars b/src/aks-platform/env/weu-uat/terraform.tfvars
@@ -35,7 +35,7 @@ aks_system_node_pool = {
   vm_size                      = "Standard_D2ds_v5"
   os_disk_type                 = "Ephemeral"
   os_disk_size_gb              = "75"
-  node_count_min               = "1" #TODO change to 2 or 3 in prod
+  node_count_min               = "2" #TODO change to 2 or 3 in prod
   node_count_max               = "3"
   only_critical_addons_enabled = true
   node_labels                  = { node_name : "aks-system-01", node_type : "system" },

diff --git a/src/next-core/02_monitor.tf b/src/next-core/02_monitor.tf
@@ -26,12 +26,12 @@ resource "azurerm_log_analytics_workspace" "log_analytics_workspace" {
 
 # Azure Monitor Workspace
 resource "azurerm_monitor_workspace" "monitor_workspace" {
-  count               = var.env == "dev" ? 1 : 0
-  name                = "pagopa-${var.env_short}-${var.location}-monitor-workspace"
-  resource_group_name = "pagopa-${var.env_short}-monitor-rg"
-  location            = var.location
-
-  tags = var.tags
+  count                         = var.env != "prod" ? 1 : 0
+  name                          = "pagopa-${var.env_short}-monitor-workspace"
+  resource_group_name           = "pagopa-${var.env_short}-monitor-rg"
+  location                      = var.location
+  public_network_access_enabled = false
+  tags                          = var.tags
 }
 
 # Application insights