Merge branch 'MON-499-networks' into 'master'

MON-499: set of monitors using integrations http_check, dns_check and tls

See merge request claranet/pt-monitoring/projects/datadog/terraform/monitors!99

README.md

@@ -200,6 +200,12 @@ The `//` is very important, it's a terraform specific syntax used to separate gi
 	- [kong](https://git.fr.clara.net/claranet/pt-monitoring/projects/datadog/terraform/monitors/tree/master/middleware/kong/)
 	- [nginx](https://git.fr.clara.net/claranet/pt-monitoring/projects/datadog/terraform/monitors/tree/master/middleware/nginx/)
 	- [php-fpm](https://git.fr.clara.net/claranet/pt-monitoring/projects/datadog/terraform/monitors/tree/master/middleware/php-fpm/)
+- [network](https://git.fr.clara.net/claranet/pt-monitoring/projects/datadog/terraform/monitors/tree/master/network/)
+	- [dns](https://git.fr.clara.net/claranet/pt-monitoring/projects/datadog/terraform/monitors/tree/master/network/dns/)
+	- [http](https://git.fr.clara.net/claranet/pt-monitoring/projects/datadog/terraform/monitors/tree/master/network/http/)
+		- [ssl](https://git.fr.clara.net/claranet/pt-monitoring/projects/datadog/terraform/monitors/tree/master/network/http/ssl/)
+		- [webcheck](https://git.fr.clara.net/claranet/pt-monitoring/projects/datadog/terraform/monitors/tree/master/network/http/webcheck/)
+	- [tls](https://git.fr.clara.net/claranet/pt-monitoring/projects/datadog/terraform/monitors/tree/master/network/tls/)
 - [saas](https://git.fr.clara.net/claranet/pt-monitoring/projects/datadog/terraform/monitors/tree/master/saas/)
 	- [new-relic](https://git.fr.clara.net/claranet/pt-monitoring/projects/datadog/terraform/monitors/tree/master/saas/new-relic/)
 - [system](https://git.fr.clara.net/claranet/pt-monitoring/projects/datadog/terraform/monitors/tree/master/system/)

network/dns/README.md

@@ -0,0 +1,47 @@
+# NETWORK DNS DataDog monitors
+
+## How to use this module
+
+```
+module "datadog-monitors-network-dns" {
+  source = "git::ssh://git@git.fr.clara.net/claranet/pt-monitoring/projects/datadog/terraform/monitors.git//network/dns?ref={revision}"
+
+  environment = var.environment
+  message     = module.datadog-message-alerting.alerting-message
+}
+
+```
+
+## Purpose
+
+Creates DataDog monitors with the following checks:
+
+- DNS cannot resolve
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|:----:|:-----:|:-----:|
+| cannot\_resolve\_enabled | Flag to enable DNS cannot resolve monitor | string | `"true"` | no |
+| cannot\_resolve\_extra\_tags | Extra tags for DNS cannot resolve monitor | list(string) | `[]` | no |
+| cannot\_resolve\_message | Custom message for DNS cannot resolve monitor | string | `""` | no |
+| cannot\_resolve\_no\_data\_timeframe | DNS cannot resolve monitor no data timeframe | string | `"10"` | no |
+| cannot\_resolve\_threshold\_warning | DNS cannot resolve monitor (warning threshold) | string | `"3"` | no |
+| environment | Architecture Environment | string | n/a | yes |
+| evaluation\_delay | Delay in seconds for the metric evaluation | string | `"15"` | no |
+| filter\_tags\_custom | Tags used for custom filtering when filter_tags_use_defaults is false | string | `"*"` | no |
+| filter\_tags\_custom\_excluded | Tags excluded for custom filtering when filter_tags_use_defaults is false | string | `""` | no |
+| filter\_tags\_use\_defaults | Use default filter tags convention | string | `"true"` | no |
+| message | Message sent when an alert is triggered | string | n/a | yes |
+| new\_host\_delay | Delay in seconds before monitor new resource | string | `"300"` | no |
+| prefix\_slug | Prefix string to prepend between brackets on every monitors names | string | `""` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| cannot\_resolve\_id | id for monitor cannot_resolve |
+
+## Related documentation
+
+- [Datadog DNS integration](https://docs.datadoghq.com/integrations/dns_check/)

network/dns/inputs.tf

@@ -0,0 +1,73 @@
+# Global Terraform
+variable "environment" {
+  description = "Architecture Environment"
+  type        = string
+}
+
+# Global DataDog
+variable "evaluation_delay" {
+  description = "Delay in seconds for the metric evaluation"
+  default     = 15
+}
+
+variable "new_host_delay" {
+  description = "Delay in seconds before monitor new resource"
+  default     = 300
+}
+
+variable "prefix_slug" {
+  description = "Prefix string to prepend between brackets on every monitors names"
+  default     = ""
+}
+
+variable "message" {
+  description = "Message sent when an alert is triggered"
+}
+
+variable "filter_tags_use_defaults" {
+  description = "Use default filter tags convention"
+  default     = "true"
+}
+
+variable "filter_tags_custom" {
+  description = "Tags used for custom filtering when filter_tags_use_defaults is false"
+  default     = "*"
+}
+
+variable "filter_tags_custom_excluded" {
+  description = "Tags excluded for custom filtering when filter_tags_use_defaults is false"
+  default     = ""
+}
+
+#
+# Cannot Resolve
+#
+variable "cannot_resolve_enabled" {
+  description = "Flag to enable DNS cannot resolve monitor"
+  type        = string
+  default     = "true"
+}
+
+variable "cannot_resolve_message" {
+  description = "Custom message for DNS cannot resolve monitor"
+  type        = string
+  default     = ""
+}
+
+variable "cannot_resolve_threshold_warning" {
+  description = "DNS cannot resolve monitor (warning threshold)"
+  type        = string
+  default     = 3
+}
+
+variable "cannot_resolve_no_data_timeframe" {
+  description = "DNS cannot resolve monitor no data timeframe"
+  type        = string
+  default     = 10
+}
+
+variable "cannot_resolve_extra_tags" {
+  description = "Extra tags for DNS cannot resolve monitor"
+  type        = list(string)
+  default     = []
+}

network/dns/modules.tf

@@ -0,0 +1,9 @@
+module "filter-tags" {
+  source = "../../common/filter-tags"
+
+  environment                 = var.environment
+  resource                    = "dns"
+  filter_tags_use_defaults    = var.filter_tags_use_defaults
+  filter_tags_custom          = var.filter_tags_custom
+  filter_tags_custom_excluded = var.filter_tags_custom_excluded
+}

network/dns/monitors-dns.tf

@@ -0,0 +1,34 @@
+#
+# Service Check
+#
+resource "datadog_monitor" "cannot_resolve" {
+  count   = var.cannot_resolve_enabled == "true" ? 1 : 0
+  name    = "${var.prefix_slug == "" ? "" : "[${var.prefix_slug}]"}[${var.environment}] DNS cannot resolve"
+  message = coalesce(var.cannot_resolve_message, var.message)
+  type    = "service check"
+
+  query = <<EOQ
+    "dns.can_resolve"${module.filter-tags.service_check}.by("nameserver","resolved_hostname").last(6).count_by_status()
+EOQ
+
+  thresholds = {
+    warning  = var.cannot_resolve_threshold_warning
+    critical = 5
+  }
+
+  new_host_delay      = var.new_host_delay
+  no_data_timeframe   = var.cannot_resolve_no_data_timeframe
+  notify_no_data      = true
+  notify_audit        = false
+  locked              = false
+  timeout_h           = 0
+  include_tags        = true
+  require_full_window = true
+  renotify_interval   = 0
+
+  tags = concat(["env:${var.environment}", "type:network", "provider:dns_check", "resource:dns", "team:claranet", "created-by:terraform"], var.cannot_resolve_extra_tags)
+
+  lifecycle {
+    ignore_changes = ["silenced"]
+  }
+}

network/dns/outputs.tf

@@ -0,0 +1,5 @@
+output "cannot_resolve_id" {
+  description = "id for monitor cannot_resolve"
+  value       = datadog_monitor.cannot_resolve.*.id
+}
+

network/http/ssl/README.md

@@ -0,0 +1,55 @@
+# NETWORK HTTP SSL DataDog monitors
+
+## How to use this module
+
+```
+module "datadog-monitors-network-http-ssl" {
+  source = "git::ssh://git@git.fr.clara.net/claranet/pt-monitoring/projects/datadog/terraform/monitors.git//network/http/ssl?ref={revision}"
+
+  environment = var.environment
+  message     = module.datadog-message-alerting.alerting-message
+}
+
+```
+
+## Purpose
+
+Creates DataDog monitors with the following checks:
+
+- SSL certificate expiration (disabled by default)
+- SSL invalid certificate
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|:----:|:-----:|:-----:|
+| certificate\_expiration\_date\_enabled | Flag to enable Certificate Expiration Date monitor | string | `"false"` | no |
+| certificate\_expiration\_date\_extra\_tags | Extra tags for Certificate Expiration Date monitor | list(string) | `[]` | no |
+| certificate\_expiration\_date\_message | Custom message for the Certificate Expiration Date monitor | string | `""` | no |
+| certificate\_expiration\_date\_threshold\_critical | Certificate Expiration Date critical threshold | string | `"15"` | no |
+| certificate\_expiration\_date\_threshold\_warning | Certificate Expiration Date warning threshold | string | `"30"` | no |
+| certificate\_expiration\_date\_time\_aggregator | Time aggregator for the Certificate Expiration Date monitor | string | `"max"` | no |
+| certificate\_expiration\_date\_timeframe | Timeframe for the Certificate Expiration Date monitor | string | `"last_5m"` | no |
+| environment | Architecture Environment | string | n/a | yes |
+| evaluation\_delay | Delay in seconds for the metric evaluation | string | `"15"` | no |
+| filter\_tags\_custom | Tags used for custom filtering when filter_tags_use_defaults is false | string | `"*"` | no |
+| filter\_tags\_custom\_excluded | Tags excluded for custom filtering when filter_tags_use_defaults is false | string | `""` | no |
+| filter\_tags\_use\_defaults | Use default filter tags convention | string | `"true"` | no |
+| invalid\_ssl\_certificate\_enabled | Flag to enable SSL invalid certificate monitor | string | `"true"` | no |
+| invalid\_ssl\_certificate\_extra\_tags | Extra tags for SSL invalid certificate monitor | list(string) | `[]` | no |
+| invalid\_ssl\_certificate\_message | Custom message for SSL invalid certificate monitor | string | `""` | no |
+| invalid\_ssl\_certificate\_no\_data\_timeframe | SSL invalid certificate monitor no data timeframe | string | `"10"` | no |
+| invalid\_ssl\_certificate\_threshold\_warning | SSL invalid certificate monitor (warning threshold) | string | `"3"` | no |
+| message | Message sent when an alert is triggered | string | n/a | yes |
+| new\_host\_delay | Delay in seconds before monitor new resource | string | `"300"` | no |
+| prefix\_slug | Prefix string to prepend between brackets on every monitors names | string | `""` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| certificate\_expiration\_date\_id | id for monitor certificate_expiration_date |
+| invalid\_ssl\_certificate\_id | id for monitor invalid_ssl_certificate |
+
+## Related documentation
+

network/http/ssl/inputs.tf

@@ -0,0 +1,118 @@
+# Global Terraform
+variable "environment" {
+  description = "Architecture Environment"
+  type        = string
+}
+
+# Global DataDog
+variable "evaluation_delay" {
+  description = "Delay in seconds for the metric evaluation"
+  default     = 15
+}
+
+variable "new_host_delay" {
+  description = "Delay in seconds before monitor new resource"
+  default     = 300
+}
+
+variable "prefix_slug" {
+  description = "Prefix string to prepend between brackets on every monitors names"
+  default     = ""
+}
+
+variable "message" {
+  description = "Message sent when an alert is triggered"
+}
+
+variable "filter_tags_use_defaults" {
+  description = "Use default filter tags convention"
+  default     = "true"
+}
+
+variable "filter_tags_custom" {
+  description = "Tags used for custom filtering when filter_tags_use_defaults is false"
+  default     = "*"
+}
+
+variable "filter_tags_custom_excluded" {
+  description = "Tags excluded for custom filtering when filter_tags_use_defaults is false"
+  default     = ""
+}
+
+#
+# SSL invalid certificate
+#
+variable "invalid_ssl_certificate_enabled" {
+  description = "Flag to enable SSL invalid certificate monitor"
+  type        = string
+  default     = "true"
+}
+
+variable "invalid_ssl_certificate_message" {
+  description = "Custom message for SSL invalid certificate monitor"
+  type        = string
+  default     = ""
+}
+
+variable "invalid_ssl_certificate_threshold_warning" {
+  description = "SSL invalid certificate monitor (warning threshold)"
+  type        = string
+  default     = 3
+}
+
+variable "invalid_ssl_certificate_no_data_timeframe" {
+  description = "SSL invalid certificate monitor no data timeframe"
+  type        = string
+  default     = 10
+}
+
+variable "invalid_ssl_certificate_extra_tags" {
+  description = "Extra tags for SSL invalid certificate monitor"
+  type        = list(string)
+  default     = []
+}
+
+#
+# Certificate Expiration Date
+#
+variable "certificate_expiration_date_enabled" {
+  description = "Flag to enable Certificate Expiration Date monitor"
+  type        = string
+  default     = "false"
+}
+
+variable "certificate_expiration_date_message" {
+  description = "Custom message for the Certificate Expiration Date monitor"
+  type        = string
+  default     = ""
+}
+
+variable "certificate_expiration_date_time_aggregator" {
+  description = "Time aggregator for the Certificate Expiration Date monitor"
+  type        = string
+  default     = "max"
+}
+
+variable "certificate_expiration_date_timeframe" {
+  description = "Timeframe for the Certificate Expiration Date monitor"
+  type        = string
+  default     = "last_5m"
+}
+
+variable "certificate_expiration_date_threshold_warning" {
+  description = "Certificate Expiration Date warning threshold"
+  type        = string
+  default     = 30
+}
+
+variable "certificate_expiration_date_threshold_critical" {
+  description = "Certificate Expiration Date critical threshold"
+  type        = string
+  default     = 15
+}
+
+variable "certificate_expiration_date_extra_tags" {
+  description = "Extra tags for Certificate Expiration Date monitor"
+  type        = list(string)
+  default     = []
+}

network/http/ssl/modules.tf

@@ -0,0 +1,9 @@
+module "filter-tags" {
+  source = "../../common/filter-tags"
+
+  environment                 = var.environment
+  resource                    = "http"
+  filter_tags_use_defaults    = var.filter_tags_use_defaults
+  filter_tags_custom          = var.filter_tags_custom
+  filter_tags_custom_excluded = var.filter_tags_custom_excluded
+}

network/http/ssl/monitors-ssl.tf

@@ -0,0 +1,71 @@
+#
+# Invalid SSL Certificate
+#
+resource "datadog_monitor" "invalid_ssl_certificate" {
+  count   = var.invalid_ssl_certificate_enabled == "true" ? 1 : 0
+  name    = "${var.prefix_slug == "" ? "" : "[${var.prefix_slug}]"}[${var.environment}] SSL invalid certificate"
+  message = coalesce(var.invalid_ssl_certificate_message, var.message)
+  type    = "service check"
+
+  query = <<EOQ
+    "http.ssl_cert"${module.filter-tags.service_check}.by("instance","url").last(6).count_by_status()
+EOQ
+
+  thresholds = {
+    warning  = var.invalid_ssl_certificate_threshold_warning
+    critical = 5
+  }
+
+  new_host_delay      = var.new_host_delay
+  no_data_timeframe   = var.invalid_ssl_certificate_no_data_timeframe
+  notify_no_data      = false
+  notify_audit        = false
+  locked              = false
+  timeout_h           = 0
+  include_tags        = true
+  require_full_window = true
+  renotify_interval   = 0
+
+  tags = concat(["env:${var.environment}", "type:network", "provider:http_check", "resource:ssl-certificate", "team:claranet", "created-by:terraform"], var.invalid_ssl_certificate_extra_tags)
+
+  lifecycle {
+    ignore_changes = ["silenced"]
+  }
+}
+
+#
+# Certificate Expiration Date
+#
+resource "datadog_monitor" "certificate_expiration_date" {
+  count   = var.certificate_expiration_date_enabled == "true" ? 1 : 0
+  name    = "${var.prefix_slug == "" ? "" : "[${var.prefix_slug}]"}[${var.environment}] SSL certificate expiration {{#is_alert}}{{{comparator}}} {{threshold}} ({{value}} days){{/is_alert}}{{#is_warning}}{{{comparator}}} {{warn_threshold}} ({{value}} days){{/is_warning}}"
+  message = coalesce(var.certificate_expiration_date_message, var.message)
+  type    = "query alert"
+
+  query = <<EOQ
+    ${var.certificate_expiration_date_time_aggregator}(${var.certificate_expiration_date_timeframe}):
+      avg:http.ssl.days_left${module.filter-tags.query_alert} by {url}
+    < ${var.certificate_expiration_date_threshold_critical}
+EOQ
+
+  thresholds = {
+    warning  = var.certificate_expiration_date_threshold_warning
+    critical = var.certificate_expiration_date_threshold_critical
+  }
+
+  evaluation_delay    = var.evaluation_delay
+  new_host_delay      = var.new_host_delay
+  notify_no_data      = false
+  renotify_interval   = 0
+  notify_audit        = false
+  timeout_h           = 0
+  include_tags        = true
+  locked              = false
+  require_full_window = true
+
+  tags = concat(["env:${var.environment}", "type:network", "provider:http_check", "resource:ssl-certificate", "team:claranet", "created-by:terraform"], var.certificate_expiration_date_extra_tags)
+
+  lifecycle {
+    ignore_changes = ["silenced"]
+  }
+}

network/http/ssl/outputs.tf

@@ -0,0 +1,10 @@
+output "certificate_expiration_date_id" {
+  description = "id for monitor certificate_expiration_date"
+  value       = datadog_monitor.certificate_expiration_date.*.id
+}
+
+output "invalid_ssl_certificate_id" {
+  description = "id for monitor invalid_ssl_certificate"
+  value       = datadog_monitor.invalid_ssl_certificate.*.id
+}
+

network/http/webcheck/README.md

@@ -0,0 +1,46 @@
+# NETWORK HTTP WEBCHECK DataDog monitors
+
+## How to use this module
+
+```
+module "datadog-monitors-network-http-webcheck" {
+  source = "git::ssh://git@git.fr.clara.net/claranet/pt-monitoring/projects/datadog/terraform/monitors.git//network/http/webcheck?ref={revision}"
+
+  environment = var.environment
+  message     = module.datadog-message-alerting.alerting-message
+}
+
+```
+
+## Purpose
+
+Creates DataDog monitors with the following checks:
+
+- HTTP cannot connect
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|:----:|:-----:|:-----:|
+| cannot\_connect\_enabled | Flag to enable HTTP cannot connect monitor | string | `"true"` | no |
+| cannot\_connect\_extra\_tags | Extra tags for HTTP cannot connect monitor | list(string) | `[]` | no |
+| cannot\_connect\_message | Custom message for HTTP cannot connect monitor | string | `""` | no |
+| cannot\_connect\_no\_data\_timeframe | HTTP cannot connect monitor no data timeframe | string | `"10"` | no |
+| cannot\_connect\_threshold\_warning | HTTP cannot connect monitor (warning threshold) | string | `"3"` | no |
+| environment | Architecture Environment | string | n/a | yes |
+| evaluation\_delay | Delay in seconds for the metric evaluation | string | `"15"` | no |
+| filter\_tags\_custom | Tags used for custom filtering when filter_tags_use_defaults is false | string | `"*"` | no |
+| filter\_tags\_custom\_excluded | Tags excluded for custom filtering when filter_tags_use_defaults is false | string | `""` | no |
+| filter\_tags\_use\_defaults | Use default filter tags convention | string | `"true"` | no |
+| message | Message sent when an alert is triggered | string | n/a | yes |
+| new\_host\_delay | Delay in seconds before monitor new resource | string | `"300"` | no |
+| prefix\_slug | Prefix string to prepend between brackets on every monitors names | string | `""` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| cannot\_connect\_id | id for monitor cannot_connect |
+
+## Related documentation
+

network/http/webcheck/inputs.tf

@@ -0,0 +1,73 @@
+# Global Terraform
+variable "environment" {
+  description = "Architecture Environment"
+  type        = string
+}
+
+# Global DataDog
+variable "evaluation_delay" {
+  description = "Delay in seconds for the metric evaluation"
+  default     = 15
+}
+
+variable "new_host_delay" {
+  description = "Delay in seconds before monitor new resource"
+  default     = 300
+}
+
+variable "prefix_slug" {
+  description = "Prefix string to prepend between brackets on every monitors names"
+  default     = ""
+}
+
+variable "message" {
+  description = "Message sent when an alert is triggered"
+}
+
+variable "filter_tags_use_defaults" {
+  description = "Use default filter tags convention"
+  default     = "true"
+}
+
+variable "filter_tags_custom" {
+  description = "Tags used for custom filtering when filter_tags_use_defaults is false"
+  default     = "*"
+}
+
+variable "filter_tags_custom_excluded" {
+  description = "Tags excluded for custom filtering when filter_tags_use_defaults is false"
+  default     = ""
+}
+
+#
+# HTTP Cannot Connect
+#
+variable "cannot_connect_enabled" {
+  description = "Flag to enable HTTP cannot connect monitor"
+  type        = string
+  default     = "true"
+}
+
+variable "cannot_connect_message" {
+  description = "Custom message for HTTP cannot connect monitor"
+  type        = string
+  default     = ""
+}
+
+variable "cannot_connect_threshold_warning" {
+  description = "HTTP cannot connect monitor (warning threshold)"
+  type        = string
+  default     = 3
+}
+
+variable "cannot_connect_no_data_timeframe" {
+  description = "HTTP cannot connect monitor no data timeframe"
+  type        = string
+  default     = 10
+}
+
+variable "cannot_connect_extra_tags" {
+  description = "Extra tags for HTTP cannot connect monitor"
+  type        = list(string)
+  default     = []
+}

network/http/webcheck/modules.tf

@@ -0,0 +1,9 @@
+module "filter-tags" {
+  source = "../../common/filter-tags"
+
+  environment                 = var.environment
+  resource                    = "http"
+  filter_tags_use_defaults    = var.filter_tags_use_defaults
+  filter_tags_custom          = var.filter_tags_custom
+  filter_tags_custom_excluded = var.filter_tags_custom_excluded
+}

network/http/webcheck/monitors-webcheck.tf

@@ -0,0 +1,34 @@
+#
+# HTTP Cannot Connect
+#
+resource "datadog_monitor" "cannot_connect" {
+  count   = var.cannot_connect_enabled == "true" ? 1 : 0
+  name    = "${var.prefix_slug == "" ? "" : "[${var.prefix_slug}]"}[${var.environment}] HTTP cannot connect"
+  message = coalesce(var.cannot_connect_message, var.message)
+  type    = "service check"
+
+  query = <<EOQ
+    "http.can_connect"${module.filter-tags.service_check}.by("instance","url").last(6).count_by_status()
+EOQ
+
+  thresholds = {
+    warning  = var.cannot_connect_threshold_warning
+    critical = 5
+  }
+
+  new_host_delay      = var.new_host_delay
+  no_data_timeframe   = var.cannot_connect_no_data_timeframe
+  notify_no_data      = true
+  notify_audit        = false
+  locked              = false
+  timeout_h           = 0
+  include_tags        = true
+  require_full_window = true
+  renotify_interval   = 0
+
+  tags = concat(["env:${var.environment}", "type:network", "provider:http_check", "resource:webcheck", "team:claranet", "created-by:terraform"], var.cannot_connect_extra_tags)
+
+  lifecycle {
+    ignore_changes = ["silenced"]
+  }
+}

network/http/webcheck/outputs.tf

@@ -0,0 +1,5 @@
+output "cannot_connect_id" {
+  description = "id for monitor cannot_connect"
+  value       = datadog_monitor.cannot_connect.*.id
+}
+

network/tls/README.md

@@ -0,0 +1,71 @@
+# NETWORK TLS DataDog monitors
+
+## How to use this module
+
+```
+module "datadog-monitors-network-tls" {
+  source = "git::ssh://git@git.fr.clara.net/claranet/pt-monitoring/projects/datadog/terraform/monitors.git//network/tls?ref={revision}"
+
+  environment = var.environment
+  message     = module.datadog-message-alerting.alerting-message
+}
+
+```
+
+## Purpose
+
+Creates DataDog monitors with the following checks:
+
+- TLS cannot connect
+- TLS certificate expiration (disabled by default)
+- TLS certificate expiring
+- TLS invalid certificate
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|:----:|:-----:|:-----:|
+| cannot\_connect\_enabled | Flag to enable TLS cannot connect monitor | string | `"true"` | no |
+| cannot\_connect\_extra\_tags | Extra tags for TLS cannot connect monitor | list(string) | `[]` | no |
+| cannot\_connect\_message | Custom message for TLS cannot connect monitor | string | `""` | no |
+| cannot\_connect\_no\_data\_timeframe | TLS cannot connect monitor no data timeframe | string | `"10"` | no |
+| cannot\_connect\_threshold\_warning | TLS cannot connect monitor (warning threshold) | string | `"3"` | no |
+| certificate\_expiration\_date\_enabled | Flag to enable Certificate Expiration Date monitor | string | `"false"` | no |
+| certificate\_expiration\_date\_extra\_tags | Extra tags for Certificate Expiration Date monitor | list(string) | `[]` | no |
+| certificate\_expiration\_date\_message | Custom message for the Certificate Expiration Date monitor | string | `""` | no |
+| certificate\_expiration\_date\_threshold\_critical | Container Memory Usage critical threshold | string | `"15"` | no |
+| certificate\_expiration\_date\_threshold\_warning | Container Memory Usage warning threshold | string | `"30"` | no |
+| certificate\_expiration\_date\_time\_aggregator | Time aggregator for the Certificate Expiration Date monitor | string | `"max"` | no |
+| certificate\_expiration\_date\_timeframe | Timeframe for the Certificate Expiration Date monitor | string | `"last_5m"` | no |
+| environment | Architecture Environment | string | n/a | yes |
+| evaluation\_delay | Delay in seconds for the metric evaluation | string | `"15"` | no |
+| filter\_tags\_custom | Tags used for custom filtering when filter_tags_use_defaults is false | string | `"*"` | no |
+| filter\_tags\_custom\_excluded | Tags excluded for custom filtering when filter_tags_use_defaults is false | string | `""` | no |
+| filter\_tags\_use\_defaults | Use default filter tags convention | string | `"true"` | no |
+| invalid\_tls\_certificate\_enabled | Flag to enable TLS certificate expiration monitor | string | `"true"` | no |
+| invalid\_tls\_certificate\_extra\_tags | Extra tags for TLS certificate expiration monitor | list(string) | `[]` | no |
+| invalid\_tls\_certificate\_message | Custom message for TLS certificate expiration monitor | string | `""` | no |
+| invalid\_tls\_certificate\_no\_data\_timeframe | TLS certificate expiration monitor no data timeframe | string | `"10"` | no |
+| invalid\_tls\_certificate\_threshold\_warning | TLS certificate expiration monitor (warning threshold) | string | `"3"` | no |
+| message | Message sent when an alert is triggered | string | n/a | yes |
+| new\_host\_delay | Delay in seconds before monitor new resource | string | `"300"` | no |
+| prefix\_slug | Prefix string to prepend between brackets on every monitors names | string | `""` | no |
+| tls\_certificate\_expiration\_enabled | Flag to enable TLS certificate expiration monitor | string | `"true"` | no |
+| tls\_certificate\_expiration\_extra\_tags | Extra tags for TLS certificate expiration monitor | list(string) | `[]` | no |
+| tls\_certificate\_expiration\_message | Custom message for TLS certificate expiration monitor | string | `""` | no |
+| tls\_certificate\_expiration\_no\_data\_timeframe | TLS certificate expiration monitor no data timeframe | string | `"10"` | no |
+| tls\_certificate\_expiration\_threshold\_warning | TLS certificate expiration monitor (warning threshold) | string | `"5"` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| cannot\_connect\_id | id for monitor cannot_connect |
+| certificate\_expiration\_date\_id | id for monitor certificate_expiration_date |
+| invalid\_tls\_certificate\_id | id for monitor invalid_tls_certificate |
+| tls\_certificate\_expiration\_id | id for monitor tls_certificate_expiration |
+
+## Related documentation
+
+- [Datadog TLS integration](https://docs.datadoghq.com/integrations/tls/)
+

network/tls/inputs.tf

@@ -0,0 +1,184 @@
+# Global Terraform
+variable "environment" {
+  description = "Architecture Environment"
+  type        = string
+}
+
+# Global DataDog
+variable "evaluation_delay" {
+  description = "Delay in seconds for the metric evaluation"
+  default     = 15
+}
+
+variable "new_host_delay" {
+  description = "Delay in seconds before monitor new resource"
+  default     = 300
+}
+
+variable "prefix_slug" {
+  description = "Prefix string to prepend between brackets on every monitors names"
+  default     = ""
+}
+
+variable "message" {
+  description = "Message sent when an alert is triggered"
+}
+
+variable "filter_tags_use_defaults" {
+  description = "Use default filter tags convention"
+  default     = "true"
+}
+
+variable "filter_tags_custom" {
+  description = "Tags used for custom filtering when filter_tags_use_defaults is false"
+  default     = "*"
+}
+
+variable "filter_tags_custom_excluded" {
+  description = "Tags excluded for custom filtering when filter_tags_use_defaults is false"
+  default     = ""
+}
+
+#
+# TLS Cannot Connect
+#
+variable "cannot_connect_enabled" {
+  description = "Flag to enable TLS cannot connect monitor"
+  type        = string
+  default     = "true"
+}
+
+variable "cannot_connect_message" {
+  description = "Custom message for TLS cannot connect monitor"
+  type        = string
+  default     = ""
+}
+
+variable "cannot_connect_threshold_warning" {
+  description = "TLS cannot connect monitor (warning threshold)"
+  type        = string
+  default     = 3
+}
+
+variable "cannot_connect_no_data_timeframe" {
+  description = "TLS cannot connect monitor no data timeframe"
+  type        = string
+  default     = 10
+}
+
+variable "cannot_connect_extra_tags" {
+  description = "Extra tags for TLS cannot connect monitor"
+  type        = list(string)
+  default     = []
+}
+
+#
+# TLS invalid certificate
+#
+variable "invalid_tls_certificate_enabled" {
+  description = "Flag to enable TLS certificate expiration monitor"
+  type        = string
+  default     = "true"
+}
+
+variable "invalid_tls_certificate_message" {
+  description = "Custom message for TLS certificate expiration monitor"
+  type        = string
+  default     = ""
+}
+
+variable "invalid_tls_certificate_threshold_warning" {
+  description = "TLS certificate expiration monitor (warning threshold)"
+  type        = string
+  default     = 3
+}
+
+variable "invalid_tls_certificate_no_data_timeframe" {
+  description = "TLS certificate expiration monitor no data timeframe"
+  type        = string
+  default     = 10
+}
+
+variable "invalid_tls_certificate_extra_tags" {
+  description = "Extra tags for TLS certificate expiration monitor"
+  type        = list(string)
+  default     = []
+}
+
+#
+# TLS Certificate Expiration
+#
+variable "tls_certificate_expiration_enabled" {
+  description = "Flag to enable TLS certificate expiration monitor"
+  type        = string
+  default     = "true"
+}
+
+variable "tls_certificate_expiration_message" {
+  description = "Custom message for TLS certificate expiration monitor"
+  type        = string
+  default     = ""
+}
+
+variable "tls_certificate_expiration_threshold_warning" {
+  description = "TLS certificate expiration monitor (warning threshold)"
+  type        = string
+  default     = 5
+}
+
+variable "tls_certificate_expiration_no_data_timeframe" {
+  description = "TLS certificate expiration monitor no data timeframe"
+  type        = string
+  default     = 10
+}
+
+variable "tls_certificate_expiration_extra_tags" {
+  description = "Extra tags for TLS certificate expiration monitor"
+  type        = list(string)
+  default     = []
+}
+
+#
+# Certificate Expiration Date
+#
+variable "certificate_expiration_date_enabled" {
+  description = "Flag to enable Certificate Expiration Date monitor"
+  type        = string
+  default     = "false"
+}
+
+variable "certificate_expiration_date_message" {
+  description = "Custom message for the Certificate Expiration Date monitor"
+  type        = string
+  default     = ""
+}
+
+variable "certificate_expiration_date_time_aggregator" {
+  description = "Time aggregator for the Certificate Expiration Date monitor"
+  type        = string
+  default     = "max"
+}
+
+variable "certificate_expiration_date_timeframe" {
+  description = "Timeframe for the Certificate Expiration Date monitor"
+  type        = string
+  default     = "last_5m"
+}
+
+variable "certificate_expiration_date_threshold_warning" {
+  description = "Container Memory Usage warning threshold"
+  type        = string
+  default     = 30
+}
+
+variable "certificate_expiration_date_threshold_critical" {
+  description = "Container Memory Usage critical threshold"
+  type        = string
+  default     = 15
+}
+
+variable "certificate_expiration_date_extra_tags" {
+  description = "Extra tags for Certificate Expiration Date monitor"
+  type        = list(string)
+  default     = []
+}

network/tls/modules.tf

@@ -0,0 +1,9 @@
+module "filter-tags" {
+  source = "../../common/filter-tags"
+
+  environment                 = var.environment
+  resource                    = "tls"
+  filter_tags_use_defaults    = var.filter_tags_use_defaults
+  filter_tags_custom          = var.filter_tags_custom
+  filter_tags_custom_excluded = var.filter_tags_custom_excluded
+}

network/tls/monitors-tls.tf

@@ -0,0 +1,142 @@
+#
+# TLS Cannot Connect
+#
+resource "datadog_monitor" "cannot_connect" {
+  count   = var.cannot_connect_enabled == "true" ? 1 : 0
+  name    = "${var.prefix_slug == "" ? "" : "[${var.prefix_slug}]"}[${var.environment}] TLS cannot connect"
+  message = coalesce(var.cannot_connect_message, var.message)
+  type    = "service check"
+
+  query = <<EOQ
+    "tls.can_connect"${module.filter-tags.service_check}.by("name","server","port","server_hostname").last(6).count_by_status()
+EOQ
+
+  thresholds = {
+    warning  = var.cannot_connect_threshold_warning
+    critical = 5
+  }
+
+  new_host_delay      = var.new_host_delay
+  no_data_timeframe   = var.cannot_connect_no_data_timeframe
+  notify_no_data      = true
+  notify_audit        = false
+  locked              = false
+  timeout_h           = 0
+  include_tags        = true
+  require_full_window = true
+  renotify_interval   = 0
+
+  tags = concat(["env:${var.environment}", "type:network", "provider:tls", "resource:webcheck", "team:claranet", "created-by:terraform"], var.cannot_connect_extra_tags)
+
+  lifecycle {
+    ignore_changes = ["silenced"]
+  }
+}
+
+#
+# Invalid TLS Certificate
+#
+resource "datadog_monitor" "invalid_tls_certificate" {
+  count   = var.invalid_tls_certificate_enabled == "true" ? 1 : 0
+  name    = "${var.prefix_slug == "" ? "" : "[${var.prefix_slug}]"}[${var.environment}] TLS invalid certificate"
+  message = coalesce(var.invalid_tls_certificate_message, var.message)
+  type    = "service check"
+
+  query = <<EOQ
+    "tls.cert_validation"${module.filter-tags.service_check}.by("name","server","port","server_hostname").last(6).count_by_status()
+EOQ
+
+  thresholds = {
+    warning  = var.invalid_tls_certificate_threshold_warning
+    critical = 5
+  }
+
+  new_host_delay      = var.new_host_delay
+  no_data_timeframe   = var.invalid_tls_certificate_no_data_timeframe
+  notify_no_data      = false
+  notify_audit        = false
+  locked              = false
+  timeout_h           = 0
+  include_tags        = true
+  require_full_window = true
+  renotify_interval   = 0
+
+  tags = concat(["env:${var.environment}", "type:network", "provider:tls", "resource:tls-certificate", "team:claranet", "created-by:terraform"], var.invalid_tls_certificate_extra_tags)
+
+  lifecycle {
+    ignore_changes = ["silenced"]
+  }
+}
+
+#
+# TLS Certificate Expiration
+#
+resource "datadog_monitor" "tls_certificate_expiration" {
+  count   = var.tls_certificate_expiration_enabled == "true" ? 1 : 0
+  name    = "${var.prefix_slug == "" ? "" : "[${var.prefix_slug}]"}[${var.environment}] TLS certificate expiring"
+  message = coalesce(var.tls_certificate_expiration_message, var.message)
+  type    = "service check"
+
+  query = <<EOQ
+    "tls.cert_expiration"${module.filter-tags.service_check}.by("name","server","port","server_hostname").last(6).count_by_status()
+EOQ
+
+  thresholds = {
+    warning  = var.tls_certificate_expiration_threshold_warning
+    critical = 5
+  }
+
+  new_host_delay      = var.new_host_delay
+  no_data_timeframe   = var.tls_certificate_expiration_no_data_timeframe
+  notify_no_data      = false
+  notify_audit        = false
+  locked              = false
+  timeout_h           = 0
+  include_tags        = true
+  require_full_window = true
+  renotify_interval   = 0
+
+  tags = concat(["env:${var.environment}", "type:network", "provider:tls", "resource:tls-certificate", "team:claranet", "created-by:terraform"], var.tls_certificate_expiration_extra_tags)
+
+  lifecycle {
+    ignore_changes = ["silenced"]
+  }
+}
+
+#
+# Certificate Expiration Date
+#
+resource "datadog_monitor" "certificate_expiration_date" {
+  count   = var.certificate_expiration_date_enabled == "true" ? 1 : 0
+  name    = "${var.prefix_slug == "" ? "" : "[${var.prefix_slug}]"}[${var.environment}] TLS certificate expiration {{#is_alert}}{{{comparator}}} {{threshold}} ({{value}} days){{/is_alert}}{{#is_warning}}{{{comparator}}} {{warn_threshold}} ({{value}} days){{/is_warning}}"
+  message = var.certificate_expiration_date_message
+  type    = "query alert"
+
+  query = <<EOQ
+    ${var.certificate_expiration_date_time_aggregator}(${var.certificate_expiration_date_timeframe}):
+      avg:tls.days_left${module.filter-tags.query_alert} by {name,server,port,server_hostname}
+    < ${var.certificate_expiration_date_threshold_critical}
+EOQ
+
+
+  thresholds = {
+    warning  = var.certificate_expiration_date_threshold_warning
+    critical = var.certificate_expiration_date_threshold_critical
+  }
+
+  evaluation_delay    = var.evaluation_delay
+  new_host_delay      = var.new_host_delay
+  notify_no_data      = false
+  renotify_interval   = 0
+  notify_audit        = false
+  timeout_h           = 0
+  include_tags        = true
+  locked              = false
+  require_full_window = true
+
+  tags = concat(["env:${var.environment}", "type:network", "provider:tls", "resource:tls-certificate", "team:claranet", "created-by:terraform"], var.certificate_expiration_date_extra_tags)
+
+  lifecycle {
+    ignore_changes = ["silenced"]
+  }
+}

network/tls/outputs.tf

@@ -0,0 +1,20 @@
+output "cannot_connect_id" {
+  description = "id for monitor cannot_connect"
+  value       = datadog_monitor.cannot_connect.*.id
+}
+
+output "certificate_expiration_date_id" {
+  description = "id for monitor certificate_expiration_date"
+  value       = datadog_monitor.certificate_expiration_date.*.id
+}
+
+output "invalid_tls_certificate_id" {
+  description = "id for monitor invalid_tls_certificate"
+  value       = datadog_monitor.invalid_tls_certificate.*.id
+}
+
+output "tls_certificate_expiration_id" {
+  description = "id for monitor tls_certificate_expiration"
+  value       = datadog_monitor.tls_certificate_expiration.*.id
+}
+