Merge pull request #2821 from guardian/mm/new-alarms

Alarm Blindness | Add some alarms!

cloudformation.yaml

@@ -691,3 +691,135 @@ Resources:
         - !Ref 'TopicSendEmail'
       InsufficientDataActions:
         - !Ref 'TopicSendEmail'
+  OAuthAuthenticationCallbackInactivityAlarm:
+    Type: AWS::CloudWatch::Alarm
+    Condition: IsProd
+    Properties:
+      AlarmName: !Sub
+        - '${Priority} - ${App} ${Stage} has had no success OAuth Authorization code flow callbacks for Authentication in the last 20 minutes'
+        - Priority: !FindInMap [StageVariables, AlarmPriorities, P1]
+      AlarmDescription: No one has successfully completed OAuth Authorization code flow callbacks for Authentication in the last 20 minutes.
+      Metrics:
+        - Id: totalOAuthAuthenticationCallbackCount
+          Expression: oktaOAuthAuthenticationCallbackCount
+          Label: 'Total OAuth Authorization Callbacks for Authentication in Okta'
+        - Id: oktaOAuthAuthenticationCallbackCount
+          MetricStat:
+            Metric:
+              Namespace: Gateway
+              MetricName: 'OAuthAuthenticationCallback::Success'
+              Dimensions:
+                - Name: Stage
+                  Value: !Ref 'Stage'
+                - Name: ApiMode
+                  Value: identity-gateway
+            Period: 1200
+            Stat: Sum
+            Unit: Count
+          ReturnData: false
+      ComparisonOperator: LessThanThreshold
+      Threshold: 1
+      EvaluationPeriods: 1
+      AlarmActions:
+        - !Ref 'TopicSendEmail'
+      InsufficientDataActions:
+        - !Ref 'TopicSendEmail'
+  OAuthApplicationCallbackInactivityAlarm:
+    Type: AWS::CloudWatch::Alarm
+    Condition: IsProd
+    Properties:
+      AlarmName: !Sub
+        - '${Priority} - ${App} ${Stage} has had no success OAuth Authorization code flow callbacks for internal Gateway routes in the last 1 hour'
+        - Priority: !FindInMap [StageVariables, AlarmPriorities, P1]
+      AlarmDescription: No one has successfully completed OAuth Authorization code flow callbacks for internal Gateway routes in the last 1 hour.
+      Metrics:
+        - Id: totalOAuthApplicationCallbackCount
+          Expression: oktaOAuthApplicationCallbackCount
+          Label: 'Total OAuth Authorization Callbacks for internal Gateway routes in Okta'
+        - Id: oktaOAuthApplicationCallbackCount
+          MetricStat:
+            Metric:
+              Namespace: Gateway
+              MetricName: 'OAuthApplicationCallback::Success'
+              Dimensions:
+                - Name: Stage
+                  Value: !Ref 'Stage'
+                - Name: ApiMode
+                  Value: identity-gateway
+            Period: 3600
+            Stat: Sum
+            Unit: Count
+          ReturnData: false
+      ComparisonOperator: LessThanThreshold
+      Threshold: 1
+      EvaluationPeriods: 1
+      AlarmActions:
+        - !Ref 'TopicSendEmail'
+      InsufficientDataActions:
+        - !Ref 'TopicSendEmail'
+  DeletionInactivityAlarm:
+    Type: AWS::CloudWatch::Alarm
+    Condition: IsProd
+    Properties:
+      AlarmName: !Sub
+        - '${Priority} - ${App} ${Stage} has had no success self service user deletion in the last 6 hours'
+        - Priority: !FindInMap [StageVariables, AlarmPriorities, P2]
+      AlarmDescription: No one has successfully deleted their account in the last 6 hours.
+      Metrics:
+        - Id: totalDeletionCount
+          Expression: deleteAccountCount
+          Label: 'Total self service user deletions'
+        - Id: deleteAccountCount
+          MetricStat:
+            Metric:
+              Namespace: Gateway
+              MetricName: 'OAuthDeleteCallback::Success'
+              Dimensions:
+                - Name: Stage
+                  Value: !Ref 'Stage'
+                - Name: ApiMode
+                  Value: identity-gateway
+            Period: 21600
+            Stat: Sum
+            Unit: Count
+          ReturnData: false
+      ComparisonOperator: LessThanThreshold
+      Threshold: 1
+      EvaluationPeriods: 1
+      AlarmActions:
+        - !Ref 'TopicSendEmail'
+      InsufficientDataActions:
+        - !Ref 'TopicSendEmail'
+  UnsubscribeAllInactivityAlarm:
+    Type: AWS::CloudWatch::Alarm
+    Condition: IsProd
+    Properties:
+      AlarmName: !Sub
+        - '${Priority} - ${App} ${Stage} has had successful no unsubscribe all from email clients in the last hour'
+        - Priority: !FindInMap [StageVariables, AlarmPriorities, P2]
+      AlarmDescription: 'No one has successfully unsubscribed all from email clients in the last hour.'
+      Metrics:
+        - Id: totalUnsubscribeAllCount
+          Expression: unsubscribeAllCount
+          Label: 'Total unsubscribe all'
+        - Id: unsubscribeAllCount
+          MetricStat:
+            Metric:
+              Namespace: Gateway
+              MetricName: 'UnsubscribeAll::Success'
+              Dimensions:
+                - Name: Stage
+                  Value: !Ref 'Stage'
+                - Name: ApiMode
+                  Value: identity-gateway
+            Period: 3600
+            Stat: Sum
+            Unit: Count
+          ReturnData: false
+      ComparisonOperator: LessThanThreshold
+      Threshold: 1
+      EvaluationPeriods: 1
+      AlarmActions:
+        - !Ref 'TopicSendEmail'
+      InsufficientDataActions:
+        - !Ref 'TopicSendEmail'