Add cloudwatch alarm metric for total vCPUs

.github/workflows/deploy-generate.yml

@@ -76,6 +76,7 @@ jobs:
           echo "TF_VAR_prefix=$PREFIX_ENV" >> $GITHUB_ENV
           echo "TF_VAR_cross_account_id=${{ secrets[format('CROSS_ACCOUNT_ID_{0}', env.TARGET_ENV)] }}" >> $GITHUB_ENV
           echo "TF_VAR_sns_topic_email=${{ secrets[format('SNS_TOPIC_EMAIL_{0}', env.TARGET_ENV)] }}" >> $GITHUB_ENV
+          echo "TF_VAR_sns_topic_email_alarms=${{ secrets[format('SNS_TOPIC_EMAIL_ALARMS{0}', env.TARGET_ENV)] }}" >> $GITHUB_ENV
           echo "AWS_ACCESS_KEY_ID=${{ secrets[format('AWS_ACCESS_KEY_ID_{0}', env.TARGET_ENV)] }}" >> $GITHUB_ENV
           echo "AWS_SECRET_ACCESS_KEY=${{ secrets[format('AWS_SECRET_ACCESS_KEY_{0}', env.TARGET_ENV)] }}" >> $GITHUB_ENV
           echo "AWS_DEFAULT_REGION=us-west-2" >> $GITHUB_ENV

terraform/generate-cw.tf

@@ -1,3 +1,34 @@
+# CloudWatch Alarm
+resource "aws_cloudwatch_metric_alarm" "aws_cloudwatch_ec2_vcpu_alarm" {
+  alarm_name          = "${var.prefix}-ec2-vcpu-alarm"
+  comparison_operator = "GreaterThanThreshold"
+  evaluation_periods  = "1"
+  threshold           = "85"
+  alarm_description   = "Alarm for when EC2 vCPU usage passes the 85% threshold for all available vCPUs in the account."
+  alarm_actions       = [aws_sns_topic.aws_sns_topic_cloudwatch_alarms.arn]
+  metric_query {
+    id          = "e1"
+    expression  = "m1/SERVICE_QUOTA(m1)*100"
+    label       = "Percentage"
+    return_data = "true"
+  }
+  metric_query {
+    id = "m1"
+    metric {
+      metric_name = "ResourceCount"
+      namespace   = "AWS/Usage"
+      period      = "180"
+      stat        = "Average"
+      dimensions = {
+        Type     = "Resource"
+        Service  = "EC2"
+        Resource = "vCPU"
+        Class    = "Standard/OnDemand"
+      }
+    }
+  }
+}
+
 # CloudWatch Logs
 
 # Downloader

terraform/generate-sns.tf

@@ -65,4 +65,40 @@ resource "aws_sns_topic_subscription" "aws_sns_topic_batch_job_failure_subscript
   endpoint  = var.sns_topic_email
   protocol  = "email"
   topic_arn = aws_sns_topic.aws_sns_topic_batch_job_failure.arn
+}
+
+# SNS Topic for CloudWatch alarms
+resource "aws_sns_topic" "aws_sns_topic_cloudwatch_alarms" {
+  name         = "${var.prefix}-cloudwatch-alarms"
+  display_name = "${var.prefix}-cloudwatch-alarms"
+}
+
+resource "aws_sns_topic_policy" "aws_sns_topic_cloudwatch_alarms_policy" {
+  arn = aws_sns_topic.aws_sns_topic_cloudwatch_alarms.arn
+  policy = jsonencode({
+    "Version" : "2008-10-17",
+    "Id" : "__default_policy_ID",
+    "Statement" : [
+      {
+        "Sid" : "AllowPublishAlarms",
+        "Effect" : "Allow",
+        "Principal" : {
+          "Service" : "cloudwatch.amazonaws.com"
+        },
+        "Action" : "sns:Publish",
+        "Resource" : "${aws_sns_topic.aws_sns_topic_cloudwatch_alarms.arn}",
+        "Condition" : {
+          "ArnLike" : {
+            "aws:SourceArn" : "arn:aws:cloudwatch:${var.aws_region}:${local.account_id}:alarm:*"
+          }
+        }
+      }
+    ]
+  })
+}
+
+resource "aws_sns_topic_subscription" "aws_sns_topic_cloudwatch_alarms_subscription" {
+  endpoint  = var.sns_topic_email_alarms
+  protocol  = "email"
+  topic_arn = aws_sns_topic.aws_sns_topic_cloudwatch_alarms.arn
 }

terraform/variables.tf

@@ -50,4 +50,9 @@ variable "prefix" {
 variable "sns_topic_email" {
   type        = string
   description = "Email to send SNS Topic messages to"
+}
+
+variable "sns_topic_email_alarms" {
+  type        = string
+  description = "Email to send CloudWatch alarms to"
 }