feat: Automatically run the exporter when the queue is empty. (#41)

Author: jamesiarmes

tofu/modules/ephemeral_service/outputs.tf

@@ -13,7 +13,17 @@ docker push ${module.ecr.repository_url}:latest
 EOT
 }
 
+output "execution_role_arn" {
+  description = "ARN of the ECS task execution role."
+  value       = aws_iam_role.execution.arn
+}
+
 output "task_definition_arn" {
   description = "ARN of the ECS task definition."
   value       = module.ecs_task.arn
 }
+
+output "task_role_arn" {
+  description = "ARN of the ECS task role."
+  value       = aws_iam_role.task.arn
+}

tofu/modules/system/alarms.tf

@@ -45,3 +45,43 @@ resource "aws_cloudwatch_metric_alarm" "queue_empty" {
 
   tags = var.tags
 }
+
+resource "aws_cloudwatch_event_rule" "export" {
+  name          = "${local.prefix}-queue-empty-export"
+  description   = "Run the exporter task when the ingestion queue is empty."
+  force_destroy = !var.deletion_protection
+
+  event_pattern = jsonencode({
+    source      = ["aws.cloudwatch"],
+    detail-type = ["CloudWatch Alarm State Change"],
+    resources   = [aws_cloudwatch_metric_alarm.queue_empty.arn],
+    detail = {
+      state         = { value = ["ALARM"] },
+      previousState = { value = ["OK", "INSUFFICIENT_DATA"] }
+    }
+  })
+
+  tags = var.tags
+}
+
+resource "aws_cloudwatch_event_target" "exporter" {
+  rule          = aws_cloudwatch_event_rule.export.name
+  arn           = module.ecs.arn
+  role_arn      = aws_iam_role.eventbridge.arn
+  force_destroy = !var.deletion_protection
+  target_id     = "export"
+
+  ecs_target {
+    task_definition_arn     = module.exporter.task_definition_arn
+    launch_type             = "FARGATE"
+    task_count              = 1
+    propagate_tags          = "TASK_DEFINITION"
+    enable_ecs_managed_tags = true
+
+    network_configuration {
+      subnets          = var.container_subnets
+      security_groups  = [module.task_security_group.security_group_id]
+      assign_public_ip = false
+    }
+  }
+}

tofu/modules/system/iam.tf

@@ -51,3 +51,28 @@ resource "aws_iam_policy" "secrets" {
     create_before_destroy = true
   }
 }
+
+resource "aws_iam_role" "eventbridge" {
+  name = "${local.prefix}-eventbridge-run-task"
+  assume_role_policy = jsonencode({
+    Version = "2012-10-17",
+    Statement = [{
+      Effect    = "Allow",
+      Principal = { Service = "events.amazonaws.com" },
+      Action    = "sts:AssumeRole"
+    }]
+  })
+
+  tags = var.tags
+}
+
+resource "aws_iam_role_policy" "eventbridge" {
+  name = "${local.prefix}-eventbridge-run-task"
+  role = aws_iam_role.eventbridge.id
+
+  policy = jsonencode(yamldecode(templatefile("${path.module}/templates/eventbridge-policy.yaml.tftpl", {
+    export_task_arn    = module.exporter.task_definition_arn
+    execution_role_arn = module.exporter.execution_role_arn
+    task_role_arn      = module.exporter.task_role_arn
+  })))
+}

tofu/modules/system/templates/aws-otel-config.yaml.tftpl

@@ -180,11 +180,11 @@ exporters:
   awsxray:
   awsemf/application:
     namespace: "${app_namespace}"
-    log_group_name: '/aws/ecs/application/metrics'
+    log_group_name: /aws/ecs/application/metrics
   awsemf/performance:
     namespace: ECS/ContainerInsights
-    log_group_name: '/aws/ecs/containerinsights/{ClusterName}/performance'
-    log_stream_name: '{TaskId}'
+    log_group_name: "/aws/ecs/containerinsights/{ClusterName}/performance"
+    log_stream_name: "{TaskId}"
     resource_to_telemetry_conversion:
       enabled: true
     dimension_rollup_option: NoDimensionRollup

tofu/modules/system/templates/container-key-policy.yaml.tftpl

@@ -1,4 +1,4 @@
-Version: '2012-10-17'
+Version: "2012-10-17"
 Id: Encryption key for Senzing containers.
 Statement:
 - Sid: Enable IAM User Permissions

tofu/modules/system/templates/eventbridge-policy.yaml.tftpl

@@ -0,0 +1,15 @@
+Version: "2012-10-17"
+Statement:
+  - Action:
+      - ecs:RunTask
+    Effect: Allow
+    Resource:
+      - ${export_task_arn}
+    Sid: RunTask
+  - Action:
+      - iam:PassRole
+    Effect: Allow
+    Resource:
+      - ${execution_role_arn}
+      - ${task_role_arn}
+    Sid: PassRoles

tofu/modules/system/templates/exports-access-policy.yaml.tftpl

@@ -1,4 +1,4 @@
-Version: '2012-10-17'
+Version: "2012-10-17"
 Statement:
   - Sid: KeyAccess
     Effect: Allow

tofu/modules/system/templates/queue-access-policy.yaml.tftpl

@@ -1,4 +1,4 @@
-Version: '2012-10-17'
+Version: "2012-10-17"
 Statement:
   - Sid: KeyAccess
     Effect: Allow

tofu/modules/system/templates/secrets-access-policy.yaml.tftpl

@@ -1,4 +1,4 @@
-Version: '2012-10-17'
+Version: "2012-10-17"
 Statement:
   - Sid: KeyAccess
     Effect: Allow