UPD: Added Cwl-firehose-s3 module and pulled a couple updates from upstream repo.

2024-01-13 00:25:30 +08:00 · 2024-01-13 00:25:30 +08:00 · b0e174bcfa
commit b0e174bcfa
parent 4dadbd69b5
11 changed files with 493 additions and 88 deletions
--- a/modules/ManagementGovernance/Cwl-firehose-s3/README.md
+++ b/modules/ManagementGovernance/Cwl-firehose-s3/README.md
@ -0,0 +1,57 @@
+<!-- This readme file is generated with terraform-docs -->
+
+This module configure CloudwatchLog and stream logs to s3 bucket via Kinesis Firehose
+
+## Requirements
+
+| Name | Version |
+|------|---------|
+| terraform | ~> 1.3.0 |
+| aws | >= 5.0 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| aws | >= 5.0 |
+| random | n/a |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_cloudwatch_log_group.firehose-log](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | resource |
+| [aws_cloudwatch_log_subscription_filter.cwl-sub-filter](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_subscription_filter) | resource |
+| [aws_iam_policy.cwlog-role-policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
+| [aws_iam_policy.firehose-role-policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
+| [aws_iam_role.cwlog-stream-role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
+| [aws_iam_role.firehose-stream-iam-role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
+| [aws_iam_role_policy_attachment.cwlog-role-policy-attachment](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
+| [aws_iam_role_policy_attachment.firehose-role-policy-attachment](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
+| [aws_kinesis_firehose_delivery_stream.cwl-s3-firehose-stream](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kinesis_firehose_delivery_stream) | resource |
+| [random_id.rid](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/id) | resource |
+| [aws_caller_identity.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| cwl-region | AWS region where Cloudwatch LogGroup resides. Needed for setting up cwlog-stream-role | `string` | n/a | yes |
+| dest-bucket-arn | Destination S3 bucket ARN | `string` | n/a | yes |
+| dest-bucket-kmskey-arn | KMS key ARN for destination bucket | `string` | n/a | yes |
+| dest-bucket-prefix | S3 object prefix for this stream | `string` | n/a | yes |
+| firehose-kmskey-arn | KMS Key arn for Firehose | `string` | n/a | yes |
+| source-cwlgroup-name | Name of source CloudwatchLog group | `string` | n/a | yes |
+| stream-name | Name of Kinesis Data Firehose delivery stream | `string` | n/a | yes |
+
+## Outputs
+
+No outputs.
+ 
+---
+## Authorship
+This module was developed by Rackspace.
--- a/modules/ManagementGovernance/Cwl-firehose-s3/main.tf
+++ b/modules/ManagementGovernance/Cwl-firehose-s3/main.tf
@ -0,0 +1,161 @@
+resource "aws_kinesis_firehose_delivery_stream" "cwl-s3-firehose-stream" {
+  name        = var.stream-name
+  destination = "extended_s3"
+
+  extended_s3_configuration {
+    role_arn            = aws_iam_role.firehose-stream-iam-role.arn
+    bucket_arn          = var.dest-bucket-arn
+    prefix              = trimprefix(var.dest-bucket-prefix, "/")
+    error_output_prefix = "FirehoseErrors/"
+    kms_key_arn         = var.dest-bucket-kmskey-arn
+    cloudwatch_logging_options {
+      enabled         = var.enable-firehose-errorlog
+      log_group_name  = try(aws_cloudwatch_log_group.firehose-log[0].name, null)
+      log_stream_name = "DestinationDelivery"
+    }
+  }
+  server_side_encryption {
+    enabled  = true
+    key_type = "CUSTOMER_MANAGED_CMK"
+    key_arn  = var.firehose-kmskey-arn
+  }
+}
+
+resource "aws_cloudwatch_log_group" "firehose-log" {
+  count             = var.enable-firehose-errorlog ? 1 : 0
+  name              = "/aws/kinesisfirehose/${var.stream-name}"
+  retention_in_days = 365
+}
+
+resource "aws_cloudwatch_log_subscription_filter" "cwl-sub-filter" {
+  log_group_name  = var.source-cwlgroup-name
+  name            = "stream-to-s3"
+  role_arn        = aws_iam_role.cwlog-stream-role.arn
+  filter_pattern  = ""
+  destination_arn = aws_kinesis_firehose_delivery_stream.cwl-s3-firehose-stream.arn
+}
+
+resource "random_id" "rid" {
+  byte_length = 4
+}
+
+resource "aws_iam_role" "firehose-stream-iam-role" {
+  name        = "firehose-stream-role-${var.stream-name}-${random_id.rid.dec}"
+  description = "Kinesis Firehose IAM role for streaming logs from CloudwatchLog to S3"
+  assume_role_policy = jsonencode(
+    {
+      "Version" : "2012-10-17",
+      "Statement" : [
+        {
+          "Sid" : "FirehoseStreaming",
+          "Effect" : "Allow",
+          "Principal" : {
+            "Service" : "firehose.amazonaws.com"
+          },
+          "Action" : "sts:AssumeRole"
+        }
+      ]
+    }
+  )
+}
+
+resource "aws_iam_role_policy_attachment" "firehose-role-policy-attachment" {
+  role       = aws_iam_role.firehose-stream-iam-role.name
+  policy_arn = aws_iam_policy.firehose-role-policy.arn
+}
+
+resource "aws_iam_policy" "firehose-role-policy" {
+  name        = "kinesis-firehose-log-stream-${var.stream-name}-${random_id.rid.dec}"
+  description = "Policy for Kinesis Firehose streaming logs to s3"
+  policy = jsonencode(
+    {
+      "Version" : "2012-10-17",
+      "Statement" : [
+        {
+          "Effect" : "Allow",
+          "Action" : [
+            "s3:AbortMultipartUpload",
+            "s3:GetBucketLocation",
+            "s3:GetObject",
+            "s3:ListBucket",
+            "s3:ListBucketMultipartUploads",
+            "s3:PutObject"
+          ],
+          "Resource" : [
+            var.dest-bucket-arn,
+            "${var.dest-bucket-arn}/*"
+          ]
+        },
+        {
+          "Effect" : "Allow",
+          "Action" : [
+            "kms:Decrypt",
+            "kms:GenerateDataKey"
+          ],
+          "Resource" : [
+            var.dest-bucket-kmskey-arn
+          ]
+        },
+        {
+          "Effect" : "Allow",
+          "Action" : [
+            "logs:PutLogEvents",
+            "logs:PutLogEventsBatch",
+            "logs:CreateLogStream"
+          ],
+          "Resource" : [
+            "arn:aws:logs:*:*:log-group:/aws/kinesisfirehose/${var.stream-name}/*"
+          ]
+        }
+      ]
+    }
+  )
+}
+
+
+resource "aws_iam_role" "cwlog-stream-role" {
+  name        = "cloudwatchlog-stream-role-${var.stream-name}-${random_id.rid.dec}"
+  description = "CloudwatchLog role for streaming to firehose"
+  assume_role_policy = jsonencode(
+    {
+      "Version" : "2012-10-17",
+      "Statement" : [
+        {
+          "Sid" : "CloudwatchLogStreaming",
+          "Effect" : "Allow",
+          "Principal" : {
+            "Service" : "logs.${var.cwl-region}.amazonaws.com"
+          },
+          "Action" : "sts:AssumeRole"
+        }
+      ]
+    }
+  )
+}
+
+
+resource "aws_iam_role_policy_attachment" "cwlog-role-policy-attachment" {
+  role       = aws_iam_role.cwlog-stream-role.name
+  policy_arn = aws_iam_policy.cwlog-role-policy.arn
+}
+
+resource "aws_iam_policy" "cwlog-role-policy" {
+  name        = "cloudwatchlog-stream-${var.stream-name}-${random_id.rid.dec}"
+  description = "Policy for CloudWatch Logs streaming to Kinesis Firehose"
+  policy = jsonencode(
+    {
+      "Version" : "2012-10-17",
+      "Statement" : [
+        {
+          "Effect" : "Allow",
+          "Action" : ["firehose:PutRecord"],
+          "Resource" : [
+            "arn:aws:firehose:${var.cwl-region}:${data.aws_caller_identity.this.account_id}:deliverystream/${var.stream-name}"
+          ]
+        }
+      ]
+    }
+  )
+}
+
+data "aws_caller_identity" "this" {}
--- a/modules/ManagementGovernance/Cwl-firehose-s3/variables.tf
+++ b/modules/ManagementGovernance/Cwl-firehose-s3/variables.tf
@ -0,0 +1,40 @@
+variable "stream-name" {
+  type        = string
+  description = "Name of Kinesis Data Firehose delivery stream"
+}
+
+variable "firehose-kmskey-arn" {
+  type        = string
+  description = "KMS Key arn for Firehose"
+}
+
+variable "dest-bucket-arn" {
+  type        = string
+  description = "Destination S3 bucket ARN"
+}
+
+variable "dest-bucket-prefix" {
+  type        = string
+  description = "S3 object prefix for this stream. Please do not start with / end with a /. For example, r53-log/acme.local/"
+}
+
+variable "dest-bucket-kmskey-arn" {
+  type        = string
+  description = "KMS key ARN for destination bucket"
+}
+
+variable "source-cwlgroup-name" {
+  type        = string
+  description = "Name of source CloudwatchLog group"
+}
+
+variable "cwl-region" {
+  type        = string
+  description = "AWS region where Cloudwatch LogGroup resides. Needed for setting up cwlog-stream-role"
+}
+
+variable "enable-firehose-errorlog" {
+  type        = bool
+  description = "Enable firehose errorlog"
+  default     = false
+}
--- a/modules/ManagementGovernance/Cwl-firehose-s3/versions.tf
+++ b/modules/ManagementGovernance/Cwl-firehose-s3/versions.tf
@ -0,0 +1,9 @@
+terraform {
+  required_version = "~> 1.3.0"
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = ">= 5.0"
+    }
+  }
+}
--- a/modules/ManagementGovernance/Monitoring.EC2/get-cwagent-dimensions.sh
+++ b/modules/ManagementGovernance/Monitoring.EC2/get-cwagent-dimensions.sh
@ -15,6 +15,11 @@ export AWS_ACCESS_KEY_ID=$access_key
 export AWS_SECRET_ACCESS_KEY=$secret_key
 export AWS_SESSION_TOKEN=$session_token

+#aws cloudwatch list-metrics --namespace CWAgent --metric-name disk_inodes_free \
+#--dimensions Name=InstanceId,Value=$iid Name=path,Value=/ | \
+#jq '.Metrics[] | .Dimensions[] | {(.Name):(.Value)}' | jq -s 'add'
+
+# when there are multiple metrics with the same name...
 aws cloudwatch list-metrics --namespace CWAgent --metric-name disk_inodes_free \
--dimensions Name=InstanceId,Value=$iid Name=path,Value=/ | \
-jq '.Metrics[] | .Dimensions[] | {(.Name):(.Value)}' | jq -s 'add'
+--dimensions Name=InstanceId,Value=$iid Name=path,Value=/ --query Metrics[] | \
+jq '. | last | .Dimensions[] | {(.Name):(.Value)}' | jq -s 'add'
--- a/modules/ManagementGovernance/Monitoring.EC2/main.tf
+++ b/modules/ManagementGovernance/Monitoring.EC2/main.tf
@ -145,24 +145,41 @@ resource "aws_cloudwatch_metric_alarm" "ec2-swap_used_percent" {
  }
 }

-resource "aws_cloudwatch_metric_alarm" "ec2-disk_used_percent" {
+resource "aws_cloudwatch_metric_alarm" "ec2-disk_used_percent_warn" {
  count                     = module.ec2_os.awscliout[0] != "Windows" && data.external.cw-dimensions.result != null ? 1 : 0
-  alarm_name                = "${var.settings.disk_used_percent.ecccode}-EC2_${var.ec2-instance-id}-disk_used_percent"
-  comparison_operator       = var.settings.disk_used_percent.comparison_operator
-  evaluation_periods        = var.settings.disk_used_percent.evaluation_periods
+  alarm_name                = "${var.settings.disk_used_percent_warn.ecccode}-EC2_${var.ec2-instance-id}-disk_used_percent"
+  comparison_operator       = var.settings.disk_used_percent_warn.comparison_operator
+  evaluation_periods        = var.settings.disk_used_percent_warn.evaluation_periods
  metric_name               = "disk_used_percent"
-  period                    = var.settings.disk_used_percent.period
-  statistic                 = var.settings.disk_used_percent.statistic
-  threshold                 = var.settings.disk_used_percent.threshold
+  period                    = var.settings.disk_used_percent_warn.period
+  statistic                 = var.settings.disk_used_percent_warn.statistic
+  threshold                 = var.settings.disk_used_percent_warn.threshold
  alarm_description         = "EC2:disk_used_percent"
  namespace                 = "CWAgent"
  insufficient_data_actions = []
  actions_enabled           = var.actions-enabled
-  alarm_actions             = [var.settings.disk_used_percent.action]
-  ok_actions                = [var.settings.disk_used_percent.action]
+  alarm_actions             = [var.settings.disk_used_percent_warn.action]
+  ok_actions                = [var.settings.disk_used_percent_warn.action]
  dimensions                = data.external.cw-dimensions.result
 }

+resource "aws_cloudwatch_metric_alarm" "ec2-disk_used_percent_crit" {
+  count                     = module.ec2_os.awscliout[0] != "Windows" && data.external.cw-dimensions.result != null ? 1 : 0
+  alarm_name                = "${var.settings.disk_used_percent_crit.ecccode}-EC2_${var.ec2-instance-id}-disk_used_percent"
+  comparison_operator       = var.settings.disk_used_percent_crit.comparison_operator
+  evaluation_periods        = var.settings.disk_used_percent_crit.evaluation_periods
+  metric_name               = "disk_used_percent"
+  period                    = var.settings.disk_used_percent_crit.period
+  statistic                 = var.settings.disk_used_percent_crit.statistic
+  threshold                 = var.settings.disk_used_percent_crit.threshold
+  alarm_description         = "EC2:disk_used_percent"
+  namespace                 = "CWAgent"
+  insufficient_data_actions = []
+  actions_enabled           = var.actions-enabled
+  alarm_actions             = [var.settings.disk_used_percent_crit.action]
+  ok_actions                = [var.settings.disk_used_percent_crit.action]
+  dimensions                = data.external.cw-dimensions.result
+}

 resource "aws_cloudwatch_metric_alarm" "ec2-disk_inodes_free" {
  count                     = module.ec2_os.awscliout[0] != "Windows" && data.external.cw-dimensions.result != null ? 1 : 0
@ -205,49 +222,96 @@ resource "aws_cloudwatch_metric_alarm" "ec2-processes_total" {
  }
 }

-resource "aws_cloudwatch_metric_alarm" "ec2-net_err_in" {
+resource "aws_cloudwatch_metric_alarm" "ec2-net_err" {
  count                     = module.ec2_os.awscliout[0] != "Windows" && length(module.detect_cloudwatch_agent.awscliout) > 0 ? 1 : 0
-  alarm_name                = "${var.settings.net_err_in.ecccode}-EC2_${var.ec2-instance-id}-net_err_in"
-  comparison_operator       = var.settings.net_err_in.comparison_operator
+  alarm_name                = "${var.settings.net_err_in.ecccode}-EC2_${var.ec2-instance-id}-net_err"
+  comparison_operator       = "GreaterThanThreshold"
  evaluation_periods        = var.settings.net_err_in.evaluation_periods
-  metric_name               = "net_err_in"
-  period                    = var.settings.net_err_in.period
-  statistic                 = var.settings.net_err_in.statistic
-  threshold                 = var.settings.net_err_in.threshold
-  alarm_description         = "EC2:net_err_in"
-  namespace                 = "CWAgent"
+  threshold                 = 0
+  alarm_description         = "EC2:net_err_in or EC2:net_err_out exceeds threshold"
  insufficient_data_actions = []
-  actions_enabled           = var.actions-enabled
+  actions_enabled           = false
  alarm_actions             = [var.settings.net_err_in.action]
  ok_actions                = [var.settings.net_err_in.action]
-  dimensions = {
-    InstanceId   = var.ec2-instance-id
-    ImageId      = data.aws_instance.ec2-instance.ami
-    InstanceType = data.aws_instance.ec2-instance.instance_type
-    interface    = "eth0"
+  treat_missing_data        = "notBreaching"
+
+  metric_query {
+    id          = "e1"
+    expression  = "IF(m1 > ${var.settings.net_err_in.threshold} OR m2 > ${var.settings.net_err_out.threshold}, 1, 0)"
+    label       = "net_err_exceeds_threshold"
+    return_data = "true"
+  }
+
+  metric_query {
+    id = "m1"
+    metric {
+      metric_name = "net_err_in"
+      namespace   = "CWAgent"
+      period      = var.settings.net_err_in.period
+      stat        = var.settings.net_err_in.statistic
+      dimensions = {
+        InstanceId   = var.ec2-instance-id
+        ImageId      = data.aws_instance.ec2-instance.ami
+        InstanceType = data.aws_instance.ec2-instance.instance_type
+        interface    = "eth0"
+      }
+    }
+  }
+
+  metric_query {
+    id = "m2"
+    metric {
+      metric_name = "net_err_out"
+      namespace   = "CWAgent"
+      period      = var.settings.net_err_out.period
+      stat        = var.settings.net_err_out.statistic
+      dimensions = {
+        InstanceId   = var.ec2-instance-id
+        ImageId      = data.aws_instance.ec2-instance.ami
+        InstanceType = data.aws_instance.ec2-instance.instance_type
+        interface    = "eth0"
+      }
+    }
  }
 }

-resource "aws_cloudwatch_metric_alarm" "ec2-net_err_out" {
-  count                     = module.ec2_os.awscliout[0] != "Windows" && length(module.detect_cloudwatch_agent.awscliout) > 0 ? 1 : 0
-  alarm_name                = "${var.settings.net_err_out.ecccode}-EC2_${var.ec2-instance-id}-net_err_out"
-  comparison_operator       = var.settings.net_err_out.comparison_operator
-  evaluation_periods        = var.settings.net_err_out.evaluation_periods
-  metric_name               = "net_err_in"
-  period                    = var.settings.net_err_out.period
-  statistic                 = var.settings.net_err_out.statistic
-  threshold                 = var.settings.net_err_out.threshold
-  alarm_description         = "EC2:net_err_out"
-  namespace                 = "CWAgent"
+resource "aws_cloudwatch_metric_alarm" "ec2-NetworkIn" {
+  count                     = try(var.settings.NetworkIn.monitor,false) ? 1 : 0
+  alarm_name                = "${var.settings.NetworkIn.ecccode}-EC2_${var.ec2-instance-id}-NetworkIn"
+  comparison_operator       = var.settings.NetworkIn.comparison_operator
+  evaluation_periods        = var.settings.NetworkIn.evaluation_periods
+  metric_name               = "NetworkIn"
+  period                    = var.settings.NetworkIn.period
+  statistic                 = var.settings.NetworkIn.statistic
+  threshold                 = var.settings.NetworkIn.threshold
+  alarm_description         = "EC2:NetworkIn"
+  namespace                 = "AWS/EC2"
  insufficient_data_actions = []
  actions_enabled           = var.actions-enabled
-  alarm_actions             = [var.settings.net_err_out.action]
-  ok_actions                = [var.settings.net_err_out.action]
+  alarm_actions             = [var.settings.NetworkIn.action]
+  ok_actions                = [var.settings.NetworkIn.action]
  dimensions = {
-    InstanceId   = var.ec2-instance-id
-    ImageId      = data.aws_instance.ec2-instance.ami
-    InstanceType = data.aws_instance.ec2-instance.instance_type
-    interface    = "eth0"
+    InstanceId = var.ec2-instance-id
+  }
+}
+
+resource "aws_cloudwatch_metric_alarm" "ec2-NetworkOut" {
+  count                     = try(var.settings.NetworkIn.monitor,false) ? 1 : 0
+  alarm_name                = "${var.settings.NetworkOut.ecccode}-EC2_${var.ec2-instance-id}-NetworkOut"
+  comparison_operator       = var.settings.NetworkOut.comparison_operator
+  evaluation_periods        = var.settings.NetworkOut.evaluation_periods
+  metric_name               = "NetworkOut"
+  period                    = var.settings.NetworkOut.period
+  statistic                 = var.settings.NetworkOut.statistic
+  threshold                 = var.settings.NetworkOut.threshold
+  alarm_description         = "EC2:NetworkOut"
+  namespace                 = "AWS/EC2"
+  insufficient_data_actions = []
+  actions_enabled           = var.actions-enabled
+  alarm_actions             = [var.settings.NetworkOut.action]
+  ok_actions                = [var.settings.NetworkOut.action]
+  dimensions = {
+    InstanceId = var.ec2-instance-id
  }
 }

--- a/modules/ManagementGovernance/Monitoring.EventBridge/main.tf
+++ b/modules/ManagementGovernance/Monitoring.EventBridge/main.tf
@ -1,9 +1,12 @@
 resource "aws_cloudwatch_event_rule" "EventRule" {
-  name = "${var.cw-alarm-prefix}-health-events"
-  description = "A CloudWatch Event Rule that triggers on changes in the status of AWS Personal Health Dashboard (AWS Health) and forwards the events to an SNS topic."
-  is_enabled = var.actions-enabled
+  name          = "${var.cw-alarm-prefix}-health-events"
+  description   = "A CloudWatch Event Rule that triggers on changes in the status of AWS Personal Health Dashboard (AWS Health) and forwards the events to an SNS topic."
+  state         = var.actions-enabled
  event_pattern = <<PATTERN
 {
+  "detail": {
+    "service": ["DIRECTCONNECT", "VPN", "LAMBDA", "EC2", "RDS"]
+  },
  "detail-type": [
    "AWS Health Event"
  ],
@ -12,14 +15,32 @@ resource "aws_cloudwatch_event_rule" "EventRule" {
  ]
 }
 PATTERN
-  tags = var.default-tags
  lifecycle {
    ignore_changes = [tags["LastModified"]]
  }
 }

 resource "aws_cloudwatch_event_target" "TargetForEventRule" {
-  rule      = aws_cloudwatch_event_rule.EventRule.name
-  target_id = "health-event-notification-sns"
-  arn       = var.settings.healthEvents.action
+  rule = aws_cloudwatch_event_rule.EventRule.name
+  # target_id = "health-event-notification-sns"
+  arn = var.settings.healthEvents.action
+  input_transformer {
+    input_paths = {
+      "account" : "$.account",
+      "endTime" : "$.detail.endTime",
+      "message" : "$.detail.eventDescription[0].latestDescription",
+      "resources" : "$.resources",
+      "service" : "$.detail.service",
+      "startTime" : "$.detail.startTime"
+    }
+    input_template = <<EOF
+"A maintenance has been scheduled for <service> on AWS account <account>."
+
+"Resources: <resources>"
+"Start time: <startTime>"
+"End time: <endTime>"
+
+"Detail: <message>"
+EOF
+  }
 }
--- a/modules/ManagementGovernance/Monitoring.NLB/main.tf
+++ b/modules/ManagementGovernance/Monitoring.NLB/main.tf
@ -80,3 +80,26 @@ resource "aws_cloudwatch_metric_alarm" "nlb-HealthyHostCount" {
    LoadBalancer = "net/${split("/", var.load-balancer)[2]}/${split("/", var.load-balancer)[3]}"
  }
 }
+
+
+resource "aws_cloudwatch_metric_alarm" "nlb-UnHealthyHostCount" {
+  # for_each = module.nlb-targetgroups.result-set
+  for_each                  = toset(module.nlb_tgs.awscliout)
+  alarm_name                = "${var.settings.UnHealthyHostCount.ecccode}-NLBTG_${split(":", each.value)[5]}-UnHealthyHostCount"
+  comparison_operator       = var.settings.UnHealthyHostCount.comparison_operator
+  evaluation_periods        = var.settings.UnHealthyHostCount.evaluation_periods
+  metric_name               = "UnHealthyHostCount"
+  period                    = var.settings.UnHealthyHostCount.period
+  statistic                 = var.settings.UnHealthyHostCount.statistic
+  threshold                 = var.settings.UnHealthyHostCount.threshold
+  alarm_description         = "NLBTG:UnHealthyHostCount"
+  namespace                 = "AWS/NetworkELB"
+  insufficient_data_actions = []
+  actions_enabled           = var.actions-enabled
+  alarm_actions             = [var.settings.UnHealthyHostCount.action]
+  ok_actions                = [var.settings.UnHealthyHostCount.action]
+  dimensions = {
+    TargetGroup  = split(":", each.value)[5]
+    LoadBalancer = "net/${split("/", var.load-balancer)[2]}/${split("/", var.load-balancer)[3]}"
+  }
+}
--- a/modules/ManagementGovernance/Monitoring.Redis/main.tf
+++ b/modules/ManagementGovernance/Monitoring.Redis/main.tf
@ -7,13 +7,15 @@ resource "aws_cloudwatch_metric_alarm" "redis-alarms" {
  period                    = each.value["period"]
  statistic                 = each.value["statistic"]
  threshold                 = each.value["threshold"]
-  alarm_description         = "NGW:${each.value["metric"]}"
+  alarm_description         = "ElastiCache:${each.value["metric"]}"
  namespace                 = "AWS/ElastiCache"
  insufficient_data_actions = []
  actions_enabled           = var.actions-enabled
  alarm_actions             = [each.value["action"]]
  ok_actions                = [each.value["action"]]
+  treat_missing_data        = "notBreaching"
  dimensions = {
    CacheClusterId = var.redis-cluster-id
  }
+
 }
--- a/modules/storage/s3_bucket_2023/outputs.tf
+++ b/modules/storage/s3_bucket_2023/outputs.tf
@ -1,3 +1,7 @@
 output bucket_name {
  value = aws_s3_bucket.this.id
+}
+
+output bucket_arn {
+  value = aws_s3_bucket.this.arn
 }
--- a/modules/storage/s3_bucket_2023/variables.tf
+++ b/modules/storage/s3_bucket_2023/variables.tf
@ -1,60 +1,79 @@
-variable bucket_name {}
-variable bucket_policy_json {}
-variable current_version_expiration_days {
-  type = number
-  default = 2560
+variable "bucket_name" {
+  type        = string
+  description = "Name of bucket"
+}
+
+variable "bucket_policy_json" {
+  type        = string
+  default     = "{}"
+  description = "Json-encoded bucket policy. The AllowSSLRequestsOnly policy is merged with this input."
+}
+
+variable "current_version_expiration_days" {
+  type        = number
+  default     = 2560
  description = "731 for flowlogs"
 }

-variable noncurrent_version_expiration_days {
-  type = number
-  default = 2560
+variable "noncurrent_version_expiration_days" {
+  type        = number
+  default     = 2560
  description = "731 for flowlogs"
 }

-variable enable_bucket_logging {
-  type = bool
+variable "enable_bucket_logging" {
+  type        = bool
+  description = "Enable bucket logging"
 }
-variable logging_bucket_id {
-  type = string
-  default = null
+variable "logging_bucket_id" {
+  type        = string
+  default     = null
+  description = "Logging bucket id"
 }
-variable enable_encryption {
-  type = bool
+variable "enable_encryption" {
+  type        = bool
+  description = "Enable encryption for s3 bucket"
 }
-variable encryption_key_arn {
-  type = string
-  default = ""
+variable "encryption_key_arn" {
+  type        = string
+  default     = ""
  description = "Leave blank to use AES256"
 }
-variable enable_versioning {
-  type = bool
+variable "enable_versioning" {
+  type        = bool
+  description = "Enable s3 bucket versioning"
 }
-variable enable_bucket_lifecycle {
-  type = bool
+variable "enable_bucket_lifecycle" {
+  type        = bool
+  description = "Enable s3 bucket lifecycle"
 }

-variable enable_replication {
-  type = bool
-  default = false
+variable "enable_replication" {
+  type        = bool
+  default     = false
+  description = "Enable s3 bucket replication"
 }

-variable replication_role_arn {
-  type = string
-  default = null
+variable "replication_role_arn" {
+  type        = string
+  default     = null
+  description = "IAM role of s3 bucket replication"
 }

-variable replication_dest_bucket_name {
-  type = string
-  default = null
+variable "replication_dest_bucket_name" {
+  type        = string
+  default     = null
+  description = "Replica bucket name"
 }

-variable replication_destination_aws_account_id {
-  type = number
-  default = null
+variable "replication_destination_aws_account_id" {
+  type        = number
+  default     = null
+  description = "AWS account id of replica bucket"
 }

-variable replication_destination_kms_key_arn {
-  type = string
-  default = null
+variable "replication_destination_kms_key_arn" {
+  type        = string
+  default     = null
+  description = "KMS key ARN of destination bucket"
 }