CCM-14044 Adding Event Alarms (#229)

aidenvaines-cgi · gareth-allan · web-flow · commit 121c58924c19 · 2026-03-05T09:55:45.000Z
* CCM-14044 Adding Event Alarms

* Update infrastructure/terraform/components/dl/cloudwatch_metric_alarm_core_notifier_subscriber_anomaly.tf

Co-authored-by: Gareth Allan &lt;157592212+gareth-allan@users.noreply.github.com&gt;

---------

Co-authored-by: Gareth Allan &lt;157592212+gareth-allan@users.noreply.github.com&gt;
diff --git a/infrastructure/terraform/components/dl/README.md b/infrastructure/terraform/components/dl/README.md
@@ -20,9 +20,15 @@ No requirements.
 | <a name="input_default_cloudwatch_event_bus_name"></a> [default\_cloudwatch\_event\_bus\_name](#input\_default\_cloudwatch\_event\_bus\_name) | The name of the default cloudwatch event bus. This is needed as GuardDuty Scan Result events are sent to the default bus | `string` | `"default"` | no |
 | <a name="input_default_tags"></a> [default\_tags](#input\_default\_tags) | A map of default tags to apply to all taggable resources within the component | `map(string)` | `{}` | no |
 | <a name="input_enable_dynamodb_delete_protection"></a> [enable\_dynamodb\_delete\_protection](#input\_enable\_dynamodb\_delete\_protection) | Enable DynamoDB Delete Protection on all Tables | `bool` | `true` | no |
+| <a name="input_enable_event_anomaly_detection"></a> [enable\_event\_anomaly\_detection](#input\_enable\_event\_anomaly\_detection) | Enable CloudWatch anomaly detection alarm for core notifier queue message reception | `bool` | `true` | no |
+| <a name="input_enable_event_cache"></a> [enable\_event\_cache](#input\_enable\_event\_cache) | Enable caching of events to an S3 bucket | `bool` | `true` | no |
 | <a name="input_enable_mock_mesh"></a> [enable\_mock\_mesh](#input\_enable\_mock\_mesh) | Enable mock mesh access (dev only). Grants lambda permission to read mock-mesh prefix in non-pii bucket. | `bool` | `false` | no |
 | <a name="input_enable_pdm_mock"></a> [enable\_pdm\_mock](#input\_enable\_pdm\_mock) | Flag indicating whether to deploy PDM mock API (should be false in production environments) | `bool` | `true` | no |
+| <a name="input_enable_sns_delivery_logging"></a> [enable\_sns\_delivery\_logging](#input\_enable\_sns\_delivery\_logging) | Enable SNS Delivery Failure Notifications | `bool` | `true` | no |
 | <a name="input_environment"></a> [environment](#input\_environment) | The name of the tfscaffold environment | `string` | n/a | yes |
+| <a name="input_event_anomaly_band_width"></a> [event\_anomaly\_band\_width](#input\_event\_anomaly\_band\_width) | The width of the anomaly detection band. Higher values (e.g. 4-6) reduce sensitivity and noise, lower values (e.g. 2-3) increase sensitivity. Recommended: 2-4. | `number` | `3` | no |
+| <a name="input_event_anomaly_evaluation_periods"></a> [event\_anomaly\_evaluation\_periods](#input\_event\_anomaly\_evaluation\_periods) | Number of evaluation periods for the anomaly alarm. Each period is defined by event\_anomaly\_period. | `number` | `2` | no |
+| <a name="input_event_anomaly_period"></a> [event\_anomaly\_period](#input\_event\_anomaly\_period) | The period in seconds over which the specified statistic is applied for anomaly detection. Minimum 300 seconds (5 minutes). Recommended: 300-600. | `number` | `300` | no |
 | <a name="input_eventpub_control_plane_bus_arn"></a> [eventpub\_control\_plane\_bus\_arn](#input\_eventpub\_control\_plane\_bus\_arn) | Event publisher control plane | `string` | n/a | yes |
 | <a name="input_eventpub_data_plane_bus_arn"></a> [eventpub\_data\_plane\_bus\_arn](#input\_eventpub\_data\_plane\_bus\_arn) | Event publisher data plane | `string` | n/a | yes |
 | <a name="input_force_destroy"></a> [force\_destroy](#input\_force\_destroy) | Flag to force deletion of S3 buckets | `bool` | `false` | no |
@@ -43,14 +49,15 @@ No requirements.
 | <a name="input_region"></a> [region](#input\_region) | The AWS Region | `string` | n/a | yes |
 | <a name="input_report_scheduler_schedule"></a> [report\_scheduler\_schedule](#input\_report\_scheduler\_schedule) | Schedule to trigger sender reports | `string` | `"cron(30 4 * * ? *)"` | no |
 | <a name="input_shared_infra_account_id"></a> [shared\_infra\_account\_id](#input\_shared\_infra\_account\_id) | The AWS Shared Infra Account ID (numeric) | `string` | n/a | yes |
+| <a name="input_sns_success_logging_sample_percent"></a> [sns\_success\_logging\_sample\_percent](#input\_sns\_success\_logging\_sample\_percent) | Enable SNS Delivery Successful Sample Percentage | `number` | `0` | no |
 | <a name="input_sqs_max_receive_count"></a> [sqs\_max\_receive\_count](#input\_sqs\_max\_receive\_count) | Maximum number of times a message can be received before being sent to the DLQ | `string` | `"3"` | no |
 | <a name="input_ttl_poll_schedule"></a> [ttl\_poll\_schedule](#input\_ttl\_poll\_schedule) | Schedule to poll for any overdue TTL records | `string` | `"rate(10 minutes)"` | no |
 ## Modules
 
 | Name | Source | Version |
 |------|--------|---------|
 | <a name="module_core_notifier"></a> [core\_notifier](#module\_core\_notifier) | https://github.com/NHSDigital/nhs-notify-shared-modules/releases/download/v2.0.29/terraform-lambda.zip | n/a |
-| <a name="module_eventpub"></a> [eventpub](#module\_eventpub) | https://github.com/NHSDigital/nhs-notify-shared-modules/releases/download/v2.0.30/terraform-eventpub.zip | n/a |
+| <a name="module_eventpub"></a> [eventpub](#module\_eventpub) | https://github.com/NHSDigital/nhs-notify-shared-modules/releases/download/3.0.6/terraform-eventpub.zip | n/a |
 | <a name="module_file_scanner"></a> [file\_scanner](#module\_file\_scanner) | https://github.com/NHSDigital/nhs-notify-shared-modules/releases/download/v2.0.29/terraform-lambda.zip | n/a |
 | <a name="module_kms"></a> [kms](#module\_kms) | https://github.com/NHSDigital/nhs-notify-shared-modules/releases/download/v2.0.24/terraform-kms.zip | n/a |
 | <a name="module_lambda_apim_key_generation"></a> [lambda\_apim\_key\_generation](#module\_lambda\_apim\_key\_generation) | https://github.com/NHSDigital/nhs-notify-shared-modules/releases/download/v2.0.29/terraform-lambda.zip | n/a |
diff --git a/infrastructure/terraform/components/dl/cloudwatch_metric_alarm_core_notifier_subscriber_anomaly.tf b/infrastructure/terraform/components/dl/cloudwatch_metric_alarm_core_notifier_subscriber_anomaly.tf
@@ -0,0 +1,40 @@
+resource "aws_cloudwatch_metric_alarm" "core_notifier_subscriber_anomaly" {
+  count = var.enable_event_anomaly_detection ? 1 : 0
+
+  alarm_name          = "${local.csi}-core-notifier-subscriber-anomaly"
+  alarm_description   = "ANOMALY: Detects anomalous patterns in messages received from the core notifier queue"
+  comparison_operator = "LessThanLowerOrGreaterThanUpperThreshold"
+  evaluation_periods  = var.event_anomaly_evaluation_periods
+  threshold_metric_id = "ad1"
+  treat_missing_data  = "notBreaching"
+
+  metric_query {
+    id          = "m1"
+    return_data = true
+
+    metric {
+      metric_name = "NumberOfMessagesReceived"
+      namespace   = "AWS/SQS"
+      period      = var.event_anomaly_period
+      stat        = "Sum"
+
+      dimensions = {
+        QueueName = module.sqs_print_status_handler.sqs_queue_name
+      }
+    }
+  }
+
+  metric_query {
+    id          = "ad1"
+    expression  = "ANOMALY_DETECTION_BAND(m1, ${var.event_anomaly_band_width})"
+    label       = "NumberOfMessagesReceived (expected)"
+    return_data = true
+  }
+
+  tags = merge(
+    var.default_tags,
+    {
+      Name = "${local.csi}-core-notifier-subscriber-anomaly"
+    }
+  )
+}
diff --git a/infrastructure/terraform/components/dl/modules_eventpub.tf b/infrastructure/terraform/components/dl/modules_eventpub.tf
@@ -1,5 +1,5 @@
 module "eventpub" {
-  source = "https://github.com/NHSDigital/nhs-notify-shared-modules/releases/download/v2.0.30/terraform-eventpub.zip"
+  source = "https://github.com/NHSDigital/nhs-notify-shared-modules/releases/download/3.0.6/terraform-eventpub.zip"
 
   name = "eventpub"
 
@@ -19,14 +19,19 @@ module "eventpub" {
   force_destroy = var.force_destroy
 
   event_cache_buffer_interval        = 500
-  enable_sns_delivery_logging        = true
-  sns_success_logging_sample_percent = 0
+  enable_sns_delivery_logging        = var.enable_sns_delivery_logging
+  sns_success_logging_sample_percent = var.sns_success_logging_sample_percent
+  access_logging_bucket              = local.acct.s3_buckets["access_logs"]["id"]
 
   event_cache_expiry_days = 30
-  enable_event_cache      = true
+  enable_event_cache      = var.enable_event_cache
+  data_plane_bus_arn      = var.eventpub_data_plane_bus_arn
+  control_plane_bus_arn   = var.eventpub_control_plane_bus_arn
 
-  data_plane_bus_arn    = var.eventpub_data_plane_bus_arn
-  control_plane_bus_arn = var.eventpub_control_plane_bus_arn
+  enable_event_anomaly_detection   = var.enable_event_anomaly_detection
+  event_anomaly_band_width         = var.event_anomaly_band_width
+  event_anomaly_evaluation_periods = var.event_anomaly_evaluation_periods
+  event_anomaly_period             = var.event_anomaly_period
 }
 
 resource "aws_sns_topic_policy" "eventbridge_publish" {
diff --git a/infrastructure/terraform/components/dl/variables.tf b/infrastructure/terraform/components/dl/variables.tf
@@ -225,3 +225,50 @@ variable "sqs_max_receive_count" {
   description = "Maximum number of times a message can be received before being sent to the DLQ"
   default     = "3"
 }
+
+variable "enable_event_cache" {
+  type        = bool
+  description = "Enable caching of events to an S3 bucket"
+  default     = true
+}
+
+variable "enable_sns_delivery_logging" {
+  type        = bool
+  description = "Enable SNS Delivery Failure Notifications"
+  default     = true
+}
+
+variable "sns_success_logging_sample_percent" {
+  type        = number
+  description = "Enable SNS Delivery Successful Sample Percentage"
+  default     = 0
+}
+
+variable "enable_event_anomaly_detection" {
+  type        = bool
+  description = "Enable CloudWatch anomaly detection alarm for core notifier queue message reception"
+  default     = true
+}
+
+variable "event_anomaly_evaluation_periods" {
+  type        = number
+  description = "Number of evaluation periods for the anomaly alarm. Each period is defined by event_anomaly_period."
+  default     = 2
+}
+
+variable "event_anomaly_period" {
+  type        = number
+  description = "The period in seconds over which the specified statistic is applied for anomaly detection. Minimum 300 seconds (5 minutes). Recommended: 300-600."
+  default     = 300
+}
+
+variable "event_anomaly_band_width" {
+  type        = number
+  description = "The width of the anomaly detection band. Higher values (e.g. 4-6) reduce sensitivity and noise, lower values (e.g. 2-3) increase sensitivity. Recommended: 2-4."
+  default     = 3
+
+  validation {
+    condition     = var.event_anomaly_band_width >= 2 && var.event_anomaly_band_width <= 10
+    error_message = "Band width must be between 2 and 10"
+  }
+}
diff --git a/scripts/config/pre-commit.yaml b/scripts/config/pre-commit.yaml
@@ -15,7 +15,8 @@ repos:
       - id: detect-private-key
         exclude: |
           (?x)^(
-            .*/validate-private-key\.test\.ts
+            .*/validate-private-key\.test\.ts |
+            utils/utils/src/__tests__/key-generation/get-private-key.test.ts
           )$
       - id: end-of-file-fixer
       - id: forbid-new-submodules
