diff --git a/terraform/shared/shared.tf.json.template.py b/terraform/shared/shared.tf.json.template.py
index 12d39e1f9f..8abb73d033 100644
--- a/terraform/shared/shared.tf.json.template.py
+++ b/terraform/shared/shared.tf.json.template.py
@@ -108,6 +108,13 @@ def conformance_pack(name: str) -> str:
        '$.eventType !="AwsServiceEvent"}')
 ]
 
+# The deployment and/or backup of the GitLab instance requires a reboot, which
+# can interrupt an ongoing ClamAV scan. Since scans are run twice a day, we set
+# the alarm period to 24 hours (maximum allowed by CloudWatch) to allow enough
+# time for the next scan to complete following an interrupted scan.
+#
+clam_alarm_period = 24 * 60 * 60
+
 tf_config = {
     'data': {
         'aws_iam_role': {
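Review bot: The comment above `clam_alarm_period` calls 24 hours the maximum allowed by CloudWatch without saying which limit applies; as far as I know CloudWatch rejects an alarm whose period multiplied by `evaluation_periods` exceeds 86400 seconds, so the ceiling holds only while every alarm using this constant keeps `evaluation_periods: 1`. Suggested wording for the third comment line: `# the alarm period to 24 hours (CloudWatch caps period x evaluation_periods at one day)`. The comment also justifies the value only in terms of interrupted scans, while the same constant now drives the `clamscan` and `freshclam` alarms in the third hunk; if, as the tuple table there suggests, those alarms fire on absent log output, a stalled scanner or stale signature update now takes up to 24 hours rather than 18 to surface, and one sentence stating that trade-off would make the choice explicit. The trailing bare `#` line at the end of the comment block can be dropped.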
@@ -524,26 +531,19 @@ def conformance_pack(name: str) -> str:
 
                 } for a in cis_alarms
             },
-            **{
-                resource_name: {
-                    'alarm_name': config.qualified_resource_name(resource_name, suffix='.alarm'),
-                    'comparison_operator': 'GreaterThanOrEqualToThreshold',
-                    'evaluation_periods': 1,
-                    'metric_name': '${aws_cloudwatch_log_metric_filter.'
-                                   '%s.metric_transformation[0].name}' % resource_name,
-                    'namespace': 'LogMetrics',
-                    'statistic': 'Sum',
-                    'treat_missing_data': 'notBreaching',
-                    'threshold': 1,
-                    'period': period,
-                    'alarm_actions': ['${aws_sns_topic.monitoring.arn}'],
-                    'ok_actions': ['${aws_sns_topic.monitoring.arn}']
-                } for resource_name, period in [
-                    # With ClamScan running twice a day we've got a 12h period,
-                    # plus 8h upper bound on running time, minus 2h lower bound
-                    # on running time, giving us an 18h evaluation period.
-                    ('clam_fail', 18 * 60 * 60)
-                ]
+            'clam_fail': {
+                'alarm_name': config.qualified_resource_name('clam_fail', suffix='.alarm'),
+                'comparison_operator': 'GreaterThanOrEqualToThreshold',
+                'evaluation_periods': 1,
+                'metric_name': '${aws_cloudwatch_log_metric_filter.'
+                               '%s.metric_transformation[0].name}' % 'clam_fail',
+                'namespace': 'LogMetrics',
+                'statistic': 'Sum',
+                'treat_missing_data': 'notBreaching',
+                'threshold': 1,
+                'period': clam_alarm_period,
+                'alarm_actions': ['${aws_sns_topic.monitoring.arn}'],
+                'ok_actions': ['${aws_sns_topic.monitoring.arn}']
             },
             **{
                 resource_name: {
@@ -580,8 +580,8 @@ def conformance_pack(name: str) -> str:
                     ]
                 } for resource_name, period in [
                     ('trail_logs', 10 * 60),
-                    ('clamscan', 18 * 60 * 60),
-                    ('freshclam', 18 * 60 * 60)
+                    ('clamscan', clam_alarm_period),
+                    ('freshclam', clam_alarm_period)
                 ]
             }
         },
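Review bot: The `'metric_name'` value in the new `'clam_fail'` entry still goes through `% 'clam_fail'` formatting, a leftover from the removed comprehension that now only obscures a constant string; `'metric_name': '${aws_cloudwatch_log_metric_filter.'` followed by `'clam_fail.metric_transformation[0].name}',` reads like the plain literals around it. The literal `'clam_fail'` then appears three times (dict key, `alarm_name` call, metric name) where the comprehension previously bound it once, so a one-line comment on why this alarm no longer shares a table with the other ClamAV alarms would help the next reader. The enclosing `tf_config` dict starts and ends outside the hunk.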
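Review bot: `freshclam` now takes its alarm period from `clam_alarm_period`, but the comment justifying that constant in the first hunk speaks only of the twice-daily scan being interrupted by a reboot; signature updates presumably run on their own schedule, and if that schedule is more frequent than the scan, the alarm inherits a 24-hour window that the stated reasoning does not cover. Either extend the constant's comment to say it is intentionally applied to the freshclam alarm as well, or give freshclam its own named value with its own justification. The surrounding dict comprehension starts outside the hunk, so what these alarms measure is inferred only from the `('trail_logs', 10 * 60)` entry beside them.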