chanciturnervgt2

Monitor AWS Resources Created by Terraform in Amazon DevOps Guru Using tfdevops

by

VGT2 Las Vegas
in

Monitor AWS Resources Created by Terraform in Amazon DevOps Guru Using tfdevopsMore Info

Amazon DevOps Guru is a machine learning (ML) based service that assists developers and operators in automatically identifying anomalies and enhancing application availability. By leveraging machine learning models derived from years of operational excellence at Amazon.com and AWS, DevOps Guru detects unusual application behaviors such as increased latency, error rates, and resource constraints, effectively surfacing critical issues that could lead to potential outages or service disruptions. Its anomaly detection capabilities can even proactively identify anomalous behavior before it occurs, allowing you to address issues ahead of time. The insights provided also offer actionable recommendations to mitigate these anomalies.

When enabling DevOps Guru, you can configure its coverage to specify which AWS resources you wish to analyze. As an option, you may define the coverage boundary by selecting specific AWS CloudFormation stacks. For every selected stack, DevOps Guru analyzes operational data from the supported resources to detect unusual behavior. For further information, refer to the section on Working with AWS CloudFormation stacks in DevOps Guru.

For those using Terraform, Stacklet has developed an open-source tool named tfdevops that converts Terraform state into an importable CloudFormation stack, thereby allowing DevOps Guru to monitor the encapsulated AWS resources. It’s important to clarify that tfdevops does not convert Terraform into CloudFormation; it simply generates a CloudFormation stack containing the imported resources specified in the Terraform module, enabling monitoring through DevOps Guru.

In this article, we will detail how to configure and utilize tfdevops to seamlessly enable DevOps Guru for your existing AWS resources created through Terraform.

Solution Overview

The tfdevops tool operates through the following steps to import resources into Amazon DevOps Guru:

  1. It translates the Terraform state into an AWS CloudFormation template with a retain deletion policy.
  2. It creates an AWS CloudFormation stack with the imported resources.
  3. It enrolls the stack into Amazon DevOps Guru.

To illustrate, we will use a sample serverless application that includes components supported by both DevOps Guru and tfdevops. This application consists of an Amazon Simple Queue Service (SQS) queue, an AWS Lambda function for processing messages, an Amazon DynamoDB table for data persistence, and an Amazon Simple Notification Service (SNS) topic for publishing processing results. Below is a diagram to represent our sample application.

Prerequisites

Before you begin, ensure you have the following prerequisites:

  • The AWS CLI installed and authenticated, using either an AWS Identity and Access Management (IAM) user or an AWS Security Token Service (AWS STS) token.
  • Terraform installed.
  • pip installed.

Walkthrough

Follow these steps to monitor your AWS resources created with Terraform templates using tfdevops:

  1. Install tfdevops by following the instructions on GitHub.
  2. Create a Terraform module with the resources supported by tfdevops.
  3. Deploy the Terraform module to your AWS account to provision the resources.

Here’s a sample Terraform module that creates an AWS Lambda function, a DynamoDB table, an SNS topic, and an SQS queue:

# IAM role for the lambda function
resource "aws_iam_role" "lambda_role" {
 name = "iam_role_lambda_function"
 assume_role_policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Principal": {
        "Service": "lambda.amazonaws.com"
      },
      "Effect": "Allow"
    }
  ]
}
EOF
}

# IAM policy for logging from the lambda function
resource "aws_iam_policy" "lambda_logging" {
  name        = "iam_policy_lambda_logging_function"
  path        = "/"
  description = "IAM policy for logging from a lambda"
  policy      = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "logs:CreateLogGroup",
        "logs:CreateLogStream",
        "logs:PutLogEvents"
      ],
      "Resource": "arn:aws:logs:*:*:*",
      "Effect": "Allow"
    }
  ]
}
EOF
}

# Policy attachment for the role
resource "aws_iam_role_policy_attachment" "policy_attach" {
  role       = aws_iam_role.lambda_role.name
  policy_arn = aws_iam_policy.lambda_logging.arn
}

# Generate an archive from the source
data "archive_file" "default" {
  type        = "zip"
  source_dir  = "${path.module}/src/"
  output_path = "${path.module}/myzip/python.zip"
}

# Create a lambda function
resource "aws_lambda_function" "basic_lambda_function" {
  filename      = "${path.module}/myzip/python.zip"
  function_name = "basic_lambda_function"
  role          = aws_iam_role.lambda_role.arn
  handler       = "index.lambda_handler"
  runtime       = "python3.8"
  depends_on    = [aws_iam_role_policy_attachment.policy_attach]
}

# Create a DynamoDB table
resource "aws_dynamodb_table" "sample_dynamodb_table" {
  name        = "sample_dynamodb_table"
  hash_key    = "sampleHashKey"
  billing_mode = "PAY_PER_REQUEST"

  attribute {
    name = "sampleHashKey"
    type = "S"
  }
}

# Create an SQS queue
resource "aws_sqs_queue" "sample_sqs_queue" {
  name = "sample_sqs_queue"
}

# Create an SNS topic
resource "aws_sns_topic" "sample_sns_topic" {
  name = "sample_sns_topic"
}

Run tfdevops to convert to the CloudFormation template, deploy the stack, and enable DevOps Guru.

The following command generates a CloudFormation template locally from a Terraform state file:

tfdevops cfn -d ~/path/to/terraform/module --template mycfn.json --resources importable-ids.json

The next command deploys the CloudFormation template, creates a CloudFormation stack, imports resources, and activates DevOps Guru on the stack:

tfdevops deploy --template mycfn.json --resources importable-ids.json

Once tfdevops completes the deployment, you will find the stack listed in the CloudFormation dashboard.

tfdevops imports the existing resources from the Terraform module into AWS CloudFormation. These are not new resources, so there are no additional cost implications for them. For more information, see the article on Bringing existing resources into CloudFormation management.

Your stack will also appear on the DevOps Guru dashboard, indicating that it is monitoring your resources and will alert you if it detects anomalous behavior. Insights are correlated sequences of events and trails, grouped together to provide prescriptive guidance and recommendations for quickly resolving issues. For more details, refer to the section on Working with insights in DevOps Guru.

Note that when using the tfdevops tool, it automatically enables DevOps Guru on the imported stack.

Clean Up – Delete the Stack

Conclusion

This article showcased how to activate DevOps Guru to monitor your AWS resources created via Terraform. By using Stacklet’s tfdevops tool, you can efficiently integrate monitoring capabilities into your existing infrastructure.

Related Topics:

Comments

Leave a Reply

Your email address will not be published. Required fields are marked *