Merge pull request #5430 from nhsuk/prometheus_exports_to_cloudwatch_metrics

MAV-2918: Prometheus exporter setup with cloudwatch

Author: TheOneFromNorway

Gemfile

@@ -52,6 +52,7 @@ gem "omniauth_openid_connect"
 gem "omniauth-rails_csrf_protection"
 gem "pagy"
 gem "phonelib"
+gem "prometheus_exporter"
 gem "pstore"
 gem "pundit"
 gem "rails_semantic_logger"

Gemfile.lock

@@ -463,6 +463,8 @@ GEM
     prettier_print (1.2.1)
     prettyprint (0.2.0)
     prism (1.8.0)
+    prometheus_exporter (2.3.1)
+      webrick
     propshaft (1.3.1)
       actionpack (>= 7.0.0)
       activesupport (>= 7.0.0)
@@ -852,6 +854,7 @@ DEPENDENCIES
   pg
   phonelib
   prettier_print
+  prometheus_exporter
   propshaft
   pry-rails
   pstore

bin/docker-start

@@ -4,9 +4,13 @@ BIN_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
 
 if [ "$SERVER_TYPE" == "web" ]; then
   echo "Starting web server..."
+  "$BIN_DIR"/prometheus_exporter &
+  sleep 5
   exec "$BIN_DIR"/thrust "$BIN_DIR"/rails server
 elif [ "$SERVER_TYPE" == "sidekiq" ]; then
   echo "Starting sidekiq server..."
+  "$BIN_DIR"/prometheus_exporter &
+  sleep 5
   exec "$BIN_DIR"/sidekiq
 elif [ "$SERVER_TYPE" == "none" ]; then
   echo "No server started"

bin/prometheus_exporter

@@ -0,0 +1,30 @@
+#!/usr/bin/env bash
+
+TASK_DETAILS=$(curl ${ECS_CONTAINER_METADATA_URI_V4})
+TASK_ID=$(echo "$TASK_DETAILS" | jq -r '.Labels["com.amazonaws.ecs.task-arn"] | split("/") | last')
+
+task_details() {
+  curl -sSf ${ECS_CONTAINER_METADATA_URI_V4}
+}
+
+MAX_RETRIES=12
+RETRY_DELAY=10
+TASK_DETAILS=""
+
+for ((i=1; i<=MAX_RETRIES; i++)); do
+    if TASK_DETAILS=$(task_details); then
+        break
+    fi
+    if [[ $i -eq $MAX_RETRIES ]]; then
+        echo "Failed to fetch task details after $MAX_RETRIES attempts" >&2
+        exit 1
+    fi
+    sleep $RETRY_DELAY
+done
+
+TASK_ID=$(echo "$TASK_DETAILS" | jq '.Labels["com.amazonaws.ecs.task-arn"] | split("/") | last')
+
+bundle exec prometheus_exporter \
+  --port 9394 \
+  --bind 0.0.0.0 \
+  --label "{\"TaskId\": ${TASK_ID}, \"ServiceName\": \"${SERVICE_NAME}\"}"

config/initializers/sidekiq.rb

@@ -9,7 +9,25 @@
   redis_config[:timeout] = 10
 end
 
-Sidekiq.configure_server { |config| config.redis = redis_config }
+Sidekiq.configure_server do |config|
+  config.redis = redis_config
+  if ENV["EXPORT_SIDEKIQ_METRICS"] == "true"
+    require "prometheus_exporter/instrumentation"
+    config.server_middleware do |chain|
+      chain.add PrometheusExporter::Instrumentation::Sidekiq
+    end
+    config.death_handlers << PrometheusExporter::Instrumentation::Sidekiq.death_handler
+    config.on :startup do
+      PrometheusExporter::Instrumentation::Process.start type: "sidekiq"
+      PrometheusExporter::Instrumentation::SidekiqProcess.start
+      PrometheusExporter::Instrumentation::SidekiqQueue.start
+      PrometheusExporter::Instrumentation::SidekiqStats.start
+    end
+    at_exit do
+      PrometheusExporter::Client.default.stop(wait_timeout_seconds: 10)
+    end
+  end
+end
 
 Sidekiq.configure_client { |config| config.redis = redis_config }
 

config/puma.rb

@@ -60,3 +60,14 @@
 
 # Re-open appenders after forking the process; needed for Semantic Logger
 before_worker_boot { SemanticLogger.reopen }
+
+# Export puma metrics
+if ENV["EXPORT_PUMA_METRICS"] == "true"
+  after_worker_boot do
+    require "prometheus_exporter/instrumentation"
+    # optional check, avoids spinning up and down threads per worker
+    unless PrometheusExporter::Instrumentation::Puma.started?
+      PrometheusExporter::Instrumentation::Puma.start
+    end
+  end
+end

script/shell.sh

@@ -24,9 +24,9 @@ describe_tasks() {
     aws ecs describe-tasks --region "$region" --cluster "$cluster_name" --tasks $task_arns
 }
 
-select_running_container() {
+select_running_container() { 
     local task_data="$1"
-    echo "$task_data" | jq -r '.containers | map(select(.lastStatus == "RUNNING" and .runtimeId != null))[0].name'
+    echo "$task_data" | jq -r '.containers | map(select(.lastStatus == "RUNNING" and .name == "application"))[0].name'
 }
 
 if [ "$1" = "--help" ]; then

terraform/account/iam.tf

@@ -8,6 +8,12 @@ resource "aws_iam_role_policy_attachment" "ecs_task_fargate" {
   policy_arn = aws_iam_policy.session_manager_access.arn
 }
 
+resource "aws_iam_role_policy_attachment" "ecs_task_cloudwatch_agent" {
+  role       = aws_iam_role.ecs_task_role.name
+  policy_arn = "arn:aws:iam::aws:policy/CloudWatchAgentServerPolicy"
+}
+
+
 resource "aws_iam_role_policy_attachment" "get_s3_object" {
   role       = aws_iam_role.ecs_task_role.name
   policy_arn = aws_iam_policy.get_s3_object.arn
@@ -113,4 +119,4 @@ resource "aws_iam_policy" "get_s3_object" {
   lifecycle {
     ignore_changes = [description]
   }
-}
+}

terraform/app/ecs.tf

@@ -64,7 +64,7 @@ data "aws_iam_role" "ecs_task_role" {
 module "web_service" {
   source = "./modules/ecs_service"
   task_config = {
-    environment          = local.task_envs["CORE"]
+    environment          = local.web_envs
     secrets              = local.task_secrets["CORE"]
     cpu                  = 2048
     memory               = 4096
@@ -74,6 +74,17 @@ module "web_service" {
     region               = var.region
     health_check_command = ["CMD-SHELL", "./bin/internal_healthcheck http://localhost:${local.container_ports.web}/health/database"]
   }
+  export_prometheus_metrics = local.export_prometheus_metrics
+  cloudwatch_agent_secrets = [
+    {
+      "name" : "PROMETHEUS_CONFIG_CONTENT",
+      "valueFrom" : aws_ssm_parameter.prometheus_config.arn
+    },
+    {
+      "name" : "CW_CONFIG_CONTENT",
+      "valueFrom" : aws_ssm_parameter.cloudwatch_agent_config.arn
+    }
+  ]
   network_params = {
     subnets = [aws_subnet.private_subnet_a.id, aws_subnet.private_subnet_b.id]
     vpc_id  = aws_vpc.application_vpc.id
@@ -122,7 +133,7 @@ module "web_service" {
 module "sidekiq_service" {
   source = "./modules/ecs_service"
   task_config = {
-    environment          = local.task_envs["CORE"]
+    environment          = local.sidekiq_envs
     secrets              = local.task_secrets["CORE"]
     cpu                  = 1024
     memory               = 6144
@@ -132,6 +143,17 @@ module "sidekiq_service" {
     region               = var.region
     health_check_command = ["CMD-SHELL", "./bin/internal_healthcheck && grep -q '[s]idekiq' /proc/*/cmdline 2>/dev/null || exit 1"]
   }
+  export_prometheus_metrics = local.export_prometheus_metrics
+  cloudwatch_agent_secrets = [
+    {
+      "name" : "PROMETHEUS_CONFIG_CONTENT",
+      "valueFrom" : aws_ssm_parameter.prometheus_config.arn
+    },
+    {
+      "name" : "CW_CONFIG_CONTENT",
+      "valueFrom" : aws_ssm_parameter.cloudwatch_agent_config.arn
+    }
+  ]
   network_params = {
     subnets = [aws_subnet.private_subnet_a.id, aws_subnet.private_subnet_b.id]
     vpc_id  = aws_vpc.application_vpc.id

terraform/app/iam_policy_documents.tf

@@ -16,10 +16,13 @@ data "aws_iam_policy_document" "ecs_secrets_access" {
   dynamic "statement" {
     for_each = length(local.parameter_values[each.key]) == 0 ? [] : [1]
     content {
-      sid       = "ssmParameterStoreAccessSid"
-      actions   = ["ssm:GetParameters"]
-      resources = [for kv_pair in local.parameter_values[each.key] : kv_pair["valueFrom"]]
-      effect    = "Allow"
+      sid     = "ssmParameterStoreAccessSid"
+      actions = ["ssm:GetParameters"]
+      resources = concat(
+        [for kv_pair in local.parameter_values[each.key] : kv_pair["valueFrom"]],
+        [aws_ssm_parameter.prometheus_config.arn, aws_ssm_parameter.cloudwatch_agent_config.arn]
+      )
+      effect = "Allow"
     }
   }
   dynamic "statement" {