From 5c4b7dea0640661ecfd7629ddbc0ff1071962163 Mon Sep 17 00:00:00 2001
From: Rafael Romero Carmona <rafael.romero.carmona@fr.clara.net>
Date: Tue, 20 Aug 2019 11:31:54 +0100
Subject: [PATCH] MON-499: set of monitors using integrations http_check,
 dns_check and tls

---
 README.md                     |   4 +
 network/dns/README.md         |  24 ++++
 network/dns/inputs.tf         |  85 +++++++++++++
 network/dns/modules.tf        |   9 ++
 network/dns/monitors-dns.tf   |  34 +++++
 network/dns/outputs.tf        |   5 +
 network/http/README.md        |  26 ++++
 network/http/inputs.tf        | 181 +++++++++++++++++++++++++++
 network/http/modules.tf       |   9 ++
 network/http/monitors-http.tf | 107 ++++++++++++++++
 network/http/outputs.tf       |  15 +++
 network/tls/README.md         |  28 +++++
 network/tls/inputs.tf         | 226 ++++++++++++++++++++++++++++++++++
 network/tls/modules.tf        |   9 ++
 network/tls/monitors-tls.tf   | 143 +++++++++++++++++++++
 network/tls/outputs.tf        |  20 +++
 16 files changed, 925 insertions(+)
 create mode 100644 network/dns/README.md
 create mode 100644 network/dns/inputs.tf
 create mode 100644 network/dns/modules.tf
 create mode 100644 network/dns/monitors-dns.tf
 create mode 100644 network/dns/outputs.tf
 create mode 100644 network/http/README.md
 create mode 100644 network/http/inputs.tf
 create mode 100644 network/http/modules.tf
 create mode 100644 network/http/monitors-http.tf
 create mode 100644 network/http/outputs.tf
 create mode 100644 network/tls/README.md
 create mode 100644 network/tls/inputs.tf
 create mode 100644 network/tls/modules.tf
 create mode 100644 network/tls/monitors-tls.tf
 create mode 100644 network/tls/outputs.tf

diff --git a/README.md b/README.md
index ab56880..2c4f1f5 100644
--- a/README.md
+++ b/README.md
@@ -200,6 +200,10 @@ The `//` is very important, it's a terraform specific syntax used to separate gi
 	- [kong](https://git.fr.clara.net/claranet/pt-monitoring/projects/datadog/terraform/monitors/tree/master/middleware/kong/)
 	- [nginx](https://git.fr.clara.net/claranet/pt-monitoring/projects/datadog/terraform/monitors/tree/master/middleware/nginx/)
 	- [php-fpm](https://git.fr.clara.net/claranet/pt-monitoring/projects/datadog/terraform/monitors/tree/master/middleware/php-fpm/)
+- [network](https://git.fr.clara.net/claranet/pt-monitoring/projects/datadog/terraform/monitors/tree/master/network/)
+	- [dns](https://git.fr.clara.net/claranet/pt-monitoring/projects/datadog/terraform/monitors/tree/master/network/dns/)
+	- [http](https://git.fr.clara.net/claranet/pt-monitoring/projects/datadog/terraform/monitors/tree/master/network/http/)
+	- [tls](https://git.fr.clara.net/claranet/pt-monitoring/projects/datadog/terraform/monitors/tree/master/network/tls/)
 - [saas](https://git.fr.clara.net/claranet/pt-monitoring/projects/datadog/terraform/monitors/tree/master/saas/)
 	- [new-relic](https://git.fr.clara.net/claranet/pt-monitoring/projects/datadog/terraform/monitors/tree/master/saas/new-relic/)
 - [system](https://git.fr.clara.net/claranet/pt-monitoring/projects/datadog/terraform/monitors/tree/master/system/)
diff --git a/network/dns/README.md b/network/dns/README.md
new file mode 100644
index 0000000..8d459a7
--- /dev/null
+++ b/network/dns/README.md
@@ -0,0 +1,24 @@
+# NETWORK DNS DataDog monitors
+
+## How to use this module
+
+```
+module "datadog-monitors-network-dns" {
+  source = "git::ssh://git@git.fr.clara.net/claranet/pt-monitoring/projects/datadog/terraform/monitors.git//network/dns?ref={revision}"
+
+  environment = var.environment
+  message     = module.datadog-message-alerting.alerting-message
+}
+
+```
+
+## Purpose
+
+Creates DataDog monitors with the following checks:
+
+- DNS cannot resolve
+
+
+## Related documentation
+
+- Datadog Documentation https://docs.datadoghq.com/integrations/dns_check/
diff --git a/network/dns/inputs.tf b/network/dns/inputs.tf
new file mode 100644
index 0000000..dfd4a03
--- /dev/null
+++ b/network/dns/inputs.tf
@@ -0,0 +1,85 @@
+# Global Terraform
+variable "environment" {
+  description = "Architecture Environment"
+  type        = string
+}
+
+# Global DataDog
+variable "evaluation_delay" {
+  description = "Delay in seconds for the metric evaluation"
+  default     = 15
+}
+
+variable "new_host_delay" {
+  description = "Delay in seconds before monitor new resource"
+  default     = 300
+}
+
+variable "prefix_slug" {
+  description = "Prefix string to prepend between brackets on every monitors names"
+  default     = ""
+}
+
+variable "message" {
+  description = "Message sent when an alert is triggered"
+}
+
+variable "filter_tags_use_defaults" {
+  description = "Use default filter tags convention"
+  default     = "true"
+}
+
+variable "filter_tags_custom" {
+  description = "Tags used for custom filtering when filter_tags_use_defaults is false"
+  default     = "*"
+}
+
+variable "filter_tags_custom_excluded" {
+  description = "Tags excluded for custom filtering when filter_tags_use_defaults is false"
+  default     = ""
+}
+
+#
+# Cannot Resolve
+#
+variable "cannot_resolve_enabled" {
+  description = "Flag to enable DNS cannot resolve monitor"
+  type        = string
+  default     = "true"
+}
+
+variable "cannot_resolve_message" {
+  description = "Custom message for DNS cannot resolve monitor"
+  type        = string
+  default     = ""
+}
+
+variable "cannot_resolve_last" {
+  description = "Parameter 'last' for the service check"
+  type        = string
+  default     = 6
+}
+
+variable "cannot_resolve_threshold_warning" {
+  description = "DNS cannot resolve monitor (warning threshold)"
+  type        = string
+  default     = 3
+}
+
+variable "cannot_resolve_threshold_critical" {
+  description = "DNS cannot resolve monitor (warning threshold)"
+  type        = string
+  default     = 5
+}
+
+variable "cannot_resolve_no_data_timeframe" {
+  description = "DNS cannot resolve monitor no data timeframe"
+  type        = string
+  default     = 10
+}
+
+variable "cannot_resolve_extra_tags" {
+  description = "Extra tags for DNS cannot resolve monitor"
+  type        = list(string)
+  default     = []
+}
\ No newline at end of file
diff --git a/network/dns/modules.tf b/network/dns/modules.tf
new file mode 100644
index 0000000..03747be
--- /dev/null
+++ b/network/dns/modules.tf
@@ -0,0 +1,9 @@
+module "filter-tags" {
+  source = "../../common/filter-tags"
+
+  environment                 = var.environment
+  resource                    = "dns"
+  filter_tags_use_defaults    = var.filter_tags_use_defaults
+  filter_tags_custom          = var.filter_tags_custom
+  filter_tags_custom_excluded = var.filter_tags_custom_excluded
+}
diff --git a/network/dns/monitors-dns.tf b/network/dns/monitors-dns.tf
new file mode 100644
index 0000000..48f1c8c
--- /dev/null
+++ b/network/dns/monitors-dns.tf
@@ -0,0 +1,34 @@
+#
+# Service Check
+#
+resource "datadog_monitor" "cannot_resolve" {
+  count   = var.cannot_resolve_enabled == "true" ? 1 : 0
+  name    = "${var.prefix_slug == "" ? "" : "[${var.prefix_slug}]"}[${var.environment}] DNS cannot resolve"
+  message = coalesce(var.cannot_resolve_message, var.message)
+  type    = "service check"
+
+  query = <<EOQ
+    "dns.can_resolve"${module.filter-tags.service_check}.by("nameserver","resolved_hostname").last(${var.cannot_resolve_last}).count_by_status()
+EOQ
+
+  thresholds = {
+    warning  = var.cannot_resolve_threshold_warning
+    critical = var.cannot_resolve_threshold_critical
+  }
+
+  new_host_delay      = var.new_host_delay
+  no_data_timeframe   = var.cannot_resolve_no_data_timeframe
+  notify_no_data      = true
+  notify_audit        = false
+  locked              = false
+  timeout_h           = 0
+  include_tags        = true
+  require_full_window = true
+  renotify_interval   = 0
+
+  tags = concat(["env:${var.environment}", "type:network", "provider:dns_check", "resource:dns", "team:claranet", "created-by:terraform"], var.cannot_resolve_extra_tags)
+
+  lifecycle {
+    ignore_changes = ["silenced"]
+  }
+}
\ No newline at end of file
diff --git a/network/dns/outputs.tf b/network/dns/outputs.tf
new file mode 100644
index 0000000..b834803
--- /dev/null
+++ b/network/dns/outputs.tf
@@ -0,0 +1,5 @@
+output "cannot_resolve_id" {
+  description = "id for monitor cannot_resolve"
+  value       = datadog_monitor.cannot_resolve.*.id
+}
+
diff --git a/network/http/README.md b/network/http/README.md
new file mode 100644
index 0000000..d9a0003
--- /dev/null
+++ b/network/http/README.md
@@ -0,0 +1,26 @@
+# NETWORK HTTP DataDog monitors
+
+## How to use this module
+
+```
+module "datadog-monitors-network-http" {
+  source = "git::ssh://git@git.fr.clara.net/claranet/pt-monitoring/projects/datadog/terraform/monitors.git//network/http?ref={revision}"
+
+  environment = var.environment
+  message     = module.datadog-message-alerting.alerting-message
+}
+
+```
+
+## Purpose
+
+Creates DataDog monitors with the following checks:
+
+- HTTP cannot connect
+- SSL certificate expiration
+- SSL invalid certificate
+
+
+## Related documentation
+
+- Datadog Documentation https://docs.datadoghq.com/integrations/http_check/
\ No newline at end of file
diff --git a/network/http/inputs.tf b/network/http/inputs.tf
new file mode 100644
index 0000000..3b50be0
--- /dev/null
+++ b/network/http/inputs.tf
@@ -0,0 +1,181 @@
+# Global Terraform
+variable "environment" {
+  description = "Architecture Environment"
+  type        = string
+}
+
+# Global DataDog
+variable "evaluation_delay" {
+  description = "Delay in seconds for the metric evaluation"
+  default     = 15
+}
+
+variable "new_host_delay" {
+  description = "Delay in seconds before monitor new resource"
+  default     = 300
+}
+
+variable "prefix_slug" {
+  description = "Prefix string to prepend between brackets on every monitors names"
+  default     = ""
+}
+
+variable "message" {
+  description = "Message sent when an alert is triggered"
+}
+
+variable "filter_tags_use_defaults" {
+  description = "Use default filter tags convention"
+  default     = "true"
+}
+
+variable "filter_tags_custom" {
+  description = "Tags used for custom filtering when filter_tags_use_defaults is false"
+  default     = "*"
+}
+
+variable "filter_tags_custom_excluded" {
+  description = "Tags excluded for custom filtering when filter_tags_use_defaults is false"
+  default     = ""
+}
+
+#
+# HTTP Cannot Connect
+#
+variable "cannot_connect_enabled" {
+  description = "Flag to enable HTTP cannot connect monitor"
+  type        = string
+  default     = "true"
+}
+
+variable "cannot_connect_message" {
+  description = "Custom message for HTTP cannot connect monitor"
+  type        = string
+  default     = ""
+}
+
+variable "cannot_connect_last" {
+  description = "Parameter 'last' for the service check"
+  type        = string
+  default     = 6
+}
+
+variable "cannot_connect_threshold_warning" {
+  description = "HTTP cannot connect monitor (warning threshold)"
+  type        = string
+  default     = 2
+}
+
+variable "cannot_connect_threshold_critical" {
+  description = "HTTP cannot connect monitor (warning threshold)"
+  type        = string
+  default     = 3
+}
+
+variable "cannot_connect_threshold_ok" {
+  description = "HTTP cannot connect monitor (ok threshold)"
+  type        = string
+  default     = 3
+}
+
+variable "cannot_connect_no_data_timeframe" {
+  description = "HTTP cannot connect monitor no data timeframe"
+  type        = string
+  default     = 10
+}
+
+variable "cannot_connect_extra_tags" {
+  description = "Extra tags for HTTP cannot connect monitor"
+  type        = list(string)
+  default     = []
+}
+
+#
+# SSL invalid certificate
+#
+variable "invalid_ssl_certificate_enabled" {
+  description = "Flag to enable SSL invalid certificate monitor"
+  type        = string
+  default     = "true"
+}
+
+variable "invalid_ssl_certificate_message" {
+  description = "Custom message for SSL invalid certificate monitor"
+  type        = string
+  default     = ""
+}
+
+variable "invalid_ssl_certificate_last" {
+  description = "Parameter 'last' for the service check"
+  type        = string
+  default     = 6
+}
+
+variable "invalid_ssl_certificate_threshold_warning" {
+  description = "SSL invalid certificate monitor (warning threshold)"
+  type        = string
+  default     = 5
+}
+
+variable "invalid_ssl_certificate_threshold_critical" {
+  description = "SSL invalid certificate monitor (warning threshold)"
+  type        = string
+  default     = 5
+}
+
+variable "invalid_ssl_certificate_no_data_timeframe" {
+  description = "SSL invalid certificate monitor no data timeframe"
+  type        = string
+  default     = 10
+}
+
+variable "invalid_ssl_certificate_extra_tags" {
+  description = "Extra tags for SSL invalid certificate monitor"
+  type        = list(string)
+  default     = []
+}
+
+#
+# Certificate Expiration Date
+#
+variable "certificate_expiration_date_enabled" {
+  description = "Flag to enable Certificate Expiration Date monitor"
+  type        = string
+  default     = "true"
+}
+
+variable "certificate_expiration_date_message" {
+  description = "Custom message for the Certificate Expiration Date monitor"
+  type        = string
+  default     = ""
+}
+
+variable "certificate_expiration_date_time_aggregator" {
+  description = "Time aggregator for the Certificate Expiration Date monitor"
+  type        = string
+  default     = "max"
+}
+
+variable "certificate_expiration_date_timeframe" {
+  description = "Timeframe for the Certificate Expiration Date monitor"
+  type        = string
+  default     = "last_5m"
+}
+
+variable "certificate_expiration_date_threshold_warning" {
+  description = "Certificate Expiration Date warning threshold"
+  type        = string
+  default     = 30
+}
+
+variable "certificate_expiration_date_threshold_critical" {
+  description = "Certificate Expiration Date critical threshold"
+  type        = string
+  default     = 8
+}
+
+variable "certificate_expiration_date_extra_tags" {
+  description = "Extra tags for Certificate Expiration Date monitor"
+  type        = list(string)
+  default     = []
+}
diff --git a/network/http/modules.tf b/network/http/modules.tf
new file mode 100644
index 0000000..e96052c
--- /dev/null
+++ b/network/http/modules.tf
@@ -0,0 +1,9 @@
+module "filter-tags" {
+  source = "../../common/filter-tags"
+
+  environment                 = var.environment
+  resource                    = "http"
+  filter_tags_use_defaults    = var.filter_tags_use_defaults
+  filter_tags_custom          = var.filter_tags_custom
+  filter_tags_custom_excluded = var.filter_tags_custom_excluded
+}
diff --git a/network/http/monitors-http.tf b/network/http/monitors-http.tf
new file mode 100644
index 0000000..1d4b776
--- /dev/null
+++ b/network/http/monitors-http.tf
@@ -0,0 +1,107 @@
+#
+# HTTP Cannot Connect
+#
+resource "datadog_monitor" "cannot_connect" {
+  count   = var.cannot_connect_enabled == "true" ? 1 : 0
+  name    = "${var.prefix_slug == "" ? "" : "[${var.prefix_slug}]"}[${var.environment}] HTTP cannot connect"
+  message = coalesce(var.cannot_connect_message, var.message)
+  type    = "service check"
+
+  query = <<EOQ
+    "http.can_connect"${module.filter-tags.service_check}.by("instance","url").last(${var.cannot_connect_last}).count_by_status()
+EOQ
+
+  thresholds = {
+    warning  = var.cannot_connect_threshold_warning
+    critical = var.cannot_connect_threshold_critical
+    ok       = var.cannot_connect_threshold_ok
+  }
+
+  new_host_delay      = var.new_host_delay
+  no_data_timeframe   = var.cannot_connect_no_data_timeframe
+  notify_no_data      = true
+  notify_audit        = false
+  locked              = false
+  timeout_h           = 0
+  include_tags        = true
+  require_full_window = true
+  renotify_interval   = 0
+
+  tags = concat(["env:${var.environment}", "type:network", "provider:http_check", "resource:webcheck", "team:claranet", "created-by:terraform"], var.cannot_connect_extra_tags)
+
+  lifecycle {
+    ignore_changes = ["silenced"]
+  }
+}
+
+#
+# Invalid SSL Certificate
+#
+resource "datadog_monitor" "invalid_ssl_certificate" {
+  count   = var.invalid_ssl_certificate_enabled == "true" ? 1 : 0
+  name    = "${var.prefix_slug == "" ? "" : "[${var.prefix_slug}]"}[${var.environment}] SSL invalid certificate"
+  message = coalesce(var.invalid_ssl_certificate_message, var.message)
+  type    = "service check"
+
+  query = <<EOQ
+    "http.ssl_cert"${module.filter-tags.service_check}.by("instance","url").last(${var.invalid_ssl_certificate_last}).count_by_status()
+EOQ
+
+  thresholds = {
+    warning  = var.invalid_ssl_certificate_threshold_warning
+    critical = var.invalid_ssl_certificate_threshold_critical
+  }
+
+  new_host_delay      = var.new_host_delay
+  no_data_timeframe   = var.invalid_ssl_certificate_no_data_timeframe
+  notify_no_data      = true
+  notify_audit        = false
+  locked              = false
+  timeout_h           = 0
+  include_tags        = true
+  require_full_window = true
+  renotify_interval   = 0
+
+  tags = concat(["env:${var.environment}", "type:network", "provider:http_check", "resource:ssl-certificate", "team:claranet", "created-by:terraform"], var.invalid_ssl_certificate_extra_tags)
+
+  lifecycle {
+    ignore_changes = ["silenced"]
+  }
+}
+
+#
+# Certificate Expiration Date
+#
+resource "datadog_monitor" "certificate_expiration_date" {
+  count   = var.certificate_expiration_date_enabled == "true" ? 1 : 0
+  name    = "${var.prefix_slug == "" ? "" : "[${var.prefix_slug}]"}[${var.environment}] SSL certificate expiration {{#is_alert}}{{{comparator}}} {{threshold}} ({{value}} days){{/is_alert}}{{#is_warning}}{{{comparator}}} {{warn_threshold}} ({{value}} days){{/is_warning}}"
+  message = coalesce(var.certificate_expiration_date_message, var.message)
+  type    = "query alert"
+
+  query = <<EOQ
+    ${var.certificate_expiration_date_time_aggregator}(${var.certificate_expiration_date_timeframe}):
+      avg:http.ssl.days_left${module.filter-tags.query_alert} by {url}
+    < ${var.certificate_expiration_date_threshold_critical}
+EOQ
+
+  thresholds = {
+    warning  = var.certificate_expiration_date_threshold_warning
+    critical = var.certificate_expiration_date_threshold_critical
+  }
+
+  evaluation_delay    = var.evaluation_delay
+  new_host_delay      = var.new_host_delay
+  notify_no_data      = false
+  renotify_interval   = 0
+  notify_audit        = false
+  timeout_h           = 0
+  include_tags        = true
+  locked              = false
+  require_full_window = true
+
+  tags = concat(["env:${var.environment}", "type:network", "provider:http_check", "resource:ssl-certificate", "team:claranet", "created-by:terraform"], var.certificate_expiration_date_extra_tags)
+
+  lifecycle {
+    ignore_changes = ["silenced"]
+  }
+}
\ No newline at end of file
diff --git a/network/http/outputs.tf b/network/http/outputs.tf
new file mode 100644
index 0000000..f028c03
--- /dev/null
+++ b/network/http/outputs.tf
@@ -0,0 +1,15 @@
+output "cannot_connect_id" {
+  description = "id for monitor cannot_connect"
+  value       = datadog_monitor.cannot_connect.*.id
+}
+
+output "invalid_ssl_certificate_id" {
+  description = "id for monitor invalid_ssl_certificate"
+  value       = datadog_monitor.invalid_ssl_certificate.*.id
+}
+
+output "certificate_expiration_date_id" {
+  description = "id for monitor certificate_expiration_date"
+  value       = datadog_monitor.certificate_expiration_date.*.id
+}
+
diff --git a/network/tls/README.md b/network/tls/README.md
new file mode 100644
index 0000000..d3d3082
--- /dev/null
+++ b/network/tls/README.md
@@ -0,0 +1,28 @@
+# NETWORK TLS DataDog monitors
+
+## How to use this module
+
+```
+module "datadog-monitors-network-tls" {
+  source = "git::ssh://git@git.fr.clara.net/claranet/pt-monitoring/projects/datadog/terraform/monitors.git//network/tls?ref={revision}"
+
+  environment = var.environment
+  message     = module.datadog-message-alerting.alerting-message
+}
+
+```
+
+## Purpose
+
+Creates DataDog monitors with the following checks:
+
+- TLS cannot connect
+- TLS certificate expiration
+- TLS certificate expiring
+- TLS invalid certificate
+
+
+## Related documentation
+
+- Datadog Documentation https://docs.datadoghq.com/integrations/tls/
+
diff --git a/network/tls/inputs.tf b/network/tls/inputs.tf
new file mode 100644
index 0000000..bb92313
--- /dev/null
+++ b/network/tls/inputs.tf
@@ -0,0 +1,226 @@
+# Global Terraform
+variable "environment" {
+  description = "Architecture Environment"
+  type        = string
+}
+
+# Global DataDog
+variable "evaluation_delay" {
+  description = "Delay in seconds for the metric evaluation"
+  default     = 15
+}
+
+variable "new_host_delay" {
+  description = "Delay in seconds before monitor new resource"
+  default     = 300
+}
+
+variable "prefix_slug" {
+  description = "Prefix string to prepend between brackets on every monitors names"
+  default     = ""
+}
+
+variable "message" {
+  description = "Message sent when an alert is triggered"
+}
+
+variable "filter_tags_use_defaults" {
+  description = "Use default filter tags convention"
+  default     = "true"
+}
+
+variable "filter_tags_custom" {
+  description = "Tags used for custom filtering when filter_tags_use_defaults is false"
+  default     = "*"
+}
+
+variable "filter_tags_custom_excluded" {
+  description = "Tags excluded for custom filtering when filter_tags_use_defaults is false"
+  default     = ""
+}
+
+#
+# TLS Cannot Connect
+#
+variable "cannot_connect_enabled" {
+  description = "Flag to enable TLS cannot connect monitor"
+  type        = string
+  default     = "true"
+}
+
+variable "cannot_connect_message" {
+  description = "Custom message for TLS cannot connect monitor"
+  type        = string
+  default     = ""
+}
+
+variable "cannot_connect_last" {
+  description = "Parameter 'last' for the service check"
+  type        = string
+  default     = 6
+}
+
+variable "cannot_connect_threshold_warning" {
+  description = "TLS cannot connect monitor (warning threshold)"
+  type        = string
+  default     = 2
+}
+
+variable "cannot_connect_threshold_critical" {
+  description = "TLS cannot connect monitor (warning threshold)"
+  type        = string
+  default     = 3
+}
+
+variable "cannot_connect_threshold_ok" {
+  description = "TLS cannot connect monitor (ok threshold)"
+  type        = string
+  default     = 3
+}
+
+variable "cannot_connect_no_data_timeframe" {
+  description = "TLS cannot connect monitor no data timeframe"
+  type        = string
+  default     = 10
+}
+
+variable "cannot_connect_extra_tags" {
+  description = "Extra tags for TLS cannot connect monitor"
+  type        = list(string)
+  default     = []
+}
+
+#
+# TLS invalid certificate
+#
+variable "invalid_tls_certificate_enabled" {
+  description = "Flag to enable TLS certificate expiration monitor"
+  type        = string
+  default     = "true"
+}
+
+variable "invalid_tls_certificate_message" {
+  description = "Custom message for TLS certificate expiration monitor"
+  type        = string
+  default     = ""
+}
+
+variable "invalid_tls_certificate_last" {
+  description = "Parameter 'last' for the service check"
+  type        = string
+  default     = 6
+}
+
+variable "invalid_tls_certificate_threshold_warning" {
+  description = "TLS certificate expiration monitor (warning threshold)"
+  type        = string
+  default     = 5
+}
+
+variable "invalid_tls_certificate_threshold_critical" {
+  description = "TLS certificate expiration monitor (warning threshold)"
+  type        = string
+  default     = 5
+}
+
+variable "invalid_tls_certificate_no_data_timeframe" {
+  description = "TLS certificate expiration monitor no data timeframe"
+  type        = string
+  default     = 10
+}
+
+variable "invalid_tls_certificate_extra_tags" {
+  description = "Extra tags for TLS certificate expiration monitor"
+  type        = list(string)
+  default     = []
+}
+
+#
+# TLS Certificate Expiration
+#
+variable "tls_certificate_expiration_enabled" {
+  description = "Flag to enable TLS certificate expiration monitor"
+  type        = string
+  default     = "true"
+}
+
+variable "tls_certificate_expiration_message" {
+  description = "Custom message for TLS certificate expiration monitor"
+  type        = string
+  default     = ""
+}
+
+variable "tls_certificate_expiration_last" {
+  description = "Parameter 'last' for the service check"
+  type        = string
+  default     = 6
+}
+
+variable "tls_certificate_expiration_threshold_warning" {
+  description = "TLS certificate expiration monitor (warning threshold)"
+  type        = string
+  default     = 5
+}
+
+variable "tls_certificate_expiration_threshold_critical" {
+  description = "TLS certificate expiration monitor (warning threshold)"
+  type        = string
+  default     = 5
+}
+
+variable "tls_certificate_expiration_no_data_timeframe" {
+  description = "TLS certificate expiration monitor no data timeframe"
+  type        = string
+  default     = 10
+}
+
+variable "tls_certificate_expiration_extra_tags" {
+  description = "Extra tags for TLS certificate expiration monitor"
+  type        = list(string)
+  default     = []
+}
+
+#
+# Certificate Expiration Date
+#
+variable "certificate_expiration_date_enabled" {
+  description = "Flag to enable Certificate Expiration Date monitor"
+  type        = string
+  default     = "true"
+}
+
+variable "certificate_expiration_date_message" {
+  description = "Custom message for the Certificate Expiration Date monitor"
+  type        = string
+  default     = ""
+}
+
+variable "certificate_expiration_date_time_aggregator" {
+  description = "Time aggregator for the Certificate Expiration Date monitor"
+  type        = string
+  default     = "max"
+}
+
+variable "certificate_expiration_date_timeframe" {
+  description = "Timeframe for the Certificate Expiration Date monitor"
+  type        = string
+  default     = "last_5m"
+}
+
+variable "certificate_expiration_date_threshold_warning" {
+  description = "Container Memory Usage warning threshold"
+  type        = string
+  default     = 30
+}
+
+variable "certificate_expiration_date_threshold_critical" {
+  description = "Container Memory Usage critical threshold"
+  type        = string
+  default     = 8
+}
+
+variable "certificate_expiration_date_extra_tags" {
+  description = "Extra tags for Certificate Expiration Date monitor"
+  type        = list(string)
+  default     = []
+}
\ No newline at end of file
diff --git a/network/tls/modules.tf b/network/tls/modules.tf
new file mode 100644
index 0000000..941bec4
--- /dev/null
+++ b/network/tls/modules.tf
@@ -0,0 +1,9 @@
+module "filter-tags" {
+  source = "../../common/filter-tags"
+
+  environment                 = var.environment
+  resource                    = "tls"
+  filter_tags_use_defaults    = var.filter_tags_use_defaults
+  filter_tags_custom          = var.filter_tags_custom
+  filter_tags_custom_excluded = var.filter_tags_custom_excluded
+}
diff --git a/network/tls/monitors-tls.tf b/network/tls/monitors-tls.tf
new file mode 100644
index 0000000..cad2aae
--- /dev/null
+++ b/network/tls/monitors-tls.tf
@@ -0,0 +1,143 @@
+#
+# TLS Cannot Connect
+#
+resource "datadog_monitor" "cannot_connect" {
+  count   = var.cannot_connect_enabled == "true" ? 1 : 0
+  name    = "${var.prefix_slug == "" ? "" : "[${var.prefix_slug}]"}[${var.environment}] TLS cannot connect"
+  message = coalesce(var.cannot_connect_message, var.message)
+  type    = "service check"
+
+  query = <<EOQ
+    "tls.can_connect"${module.filter-tags.service_check}.by("name","server","port","server_hostname").last(${var.cannot_connect_last}).count_by_status()
+EOQ
+
+  thresholds = {
+    warning  = var.cannot_connect_threshold_warning
+    critical = var.cannot_connect_threshold_critical
+    ok       = var.cannot_connect_threshold_ok
+  }
+
+  new_host_delay      = var.new_host_delay
+  no_data_timeframe   = var.cannot_connect_no_data_timeframe
+  notify_no_data      = true
+  notify_audit        = false
+  locked              = false
+  timeout_h           = 0
+  include_tags        = true
+  require_full_window = true
+  renotify_interval   = 0
+
+  tags = concat(["env:${var.environment}", "type:network", "provider:tls", "resource:webcheck", "team:claranet", "created-by:terraform"], var.cannot_connect_extra_tags)
+
+  lifecycle {
+    ignore_changes = ["silenced"]
+  }
+}
+
+#
+# Invalid TLS Certificate
+#
+resource "datadog_monitor" "invalid_tls_certificate" {
+  count   = var.invalid_tls_certificate_enabled == "true" ? 1 : 0
+  name    = "${var.prefix_slug == "" ? "" : "[${var.prefix_slug}]"}[${var.environment}] TLS invalid certificate"
+  message = coalesce(var.invalid_tls_certificate_message, var.message)
+  type    = "service check"
+
+  query = <<EOQ
+    "tls.cert_validation"${module.filter-tags.service_check}.by("name","server","port","server_hostname").last(${var.invalid_tls_certificate_last}).count_by_status()
+EOQ
+
+  thresholds = {
+    warning  = var.invalid_tls_certificate_threshold_warning
+    critical = var.invalid_tls_certificate_threshold_critical
+  }
+
+  new_host_delay      = var.new_host_delay
+  no_data_timeframe   = var.invalid_tls_certificate_no_data_timeframe
+  notify_no_data      = true
+  notify_audit        = false
+  locked              = false
+  timeout_h           = 0
+  include_tags        = true
+  require_full_window = true
+  renotify_interval   = 0
+
+  tags = concat(["env:${var.environment}", "type:network", "provider:tls", "resource:tls-certificate", "team:claranet", "created-by:terraform"], var.invalid_tls_certificate_extra_tags)
+
+  lifecycle {
+    ignore_changes = ["silenced"]
+  }
+}
+
+#
+# TLS Certificate Expiration
+#
+resource "datadog_monitor" "tls_certificate_expiration" {
+  count   = var.tls_certificate_expiration_enabled == "true" ? 1 : 0
+  name    = "${var.prefix_slug == "" ? "" : "[${var.prefix_slug}]"}[${var.environment}] TLS certificate expiring"
+  message = coalesce(var.tls_certificate_expiration_message, var.message)
+  type    = "service check"
+
+  query = <<EOQ
+    "tls.cert_expiration"${module.filter-tags.service_check}.by("name","server","port","server_hostname").last(${var.tls_certificate_expiration_last}).count_by_status()
+EOQ
+
+  thresholds = {
+    warning  = var.tls_certificate_expiration_threshold_warning
+    critical = var.tls_certificate_expiration_threshold_critical
+  }
+
+  new_host_delay      = var.new_host_delay
+  no_data_timeframe   = var.tls_certificate_expiration_no_data_timeframe
+  notify_no_data      = true
+  notify_audit        = false
+  locked              = false
+  timeout_h           = 0
+  include_tags        = true
+  require_full_window = true
+  renotify_interval   = 0
+
+  tags = concat(["env:${var.environment}", "type:network", "provider:tls", "resource:tls-certificate", "team:claranet", "created-by:terraform"], var.tls_certificate_expiration_extra_tags)
+
+  lifecycle {
+    ignore_changes = ["silenced"]
+  }
+}
+
+#
+# Certificate Expiration Date
+#
+resource "datadog_monitor" "certificate_expiration_date" {
+  count   = var.certificate_expiration_date_enabled == "true" ? 1 : 0
+  name    = "${var.prefix_slug == "" ? "" : "[${var.prefix_slug}]"}[${var.environment}] TLS certificate expiration {{#is_alert}}{{{comparator}}} {{threshold}} ({{value}} days){{/is_alert}}{{#is_warning}}{{{comparator}}} {{warn_threshold}} ({{value}} days){{/is_warning}}"
+  message = var.certificate_expiration_date_message
+  type    = "query alert"
+
+  query = <<EOQ
+    ${var.certificate_expiration_date_time_aggregator}(${var.certificate_expiration_date_timeframe}):
+      avg:tls.days_left${module.filter-tags.query_alert} by {name,server,port,server_hostname}
+    < ${var.certificate_expiration_date_threshold_critical}
+EOQ
+
+
+  thresholds = {
+    warning  = var.certificate_expiration_date_threshold_warning
+    critical = var.certificate_expiration_date_threshold_critical
+  }
+
+  evaluation_delay    = var.evaluation_delay
+  new_host_delay      = var.new_host_delay
+  notify_no_data      = false
+  renotify_interval   = 0
+  notify_audit        = false
+  timeout_h           = 0
+  include_tags        = true
+  locked              = false
+  require_full_window = true
+
+  tags = concat(["env:${var.environment}", "type:network", "provider:tls", "resource:tls-certificate", "team:claranet", "created-by:terraform"], var.certificate_expiration_date_extra_tags)
+
+  lifecycle {
+    ignore_changes = ["silenced"]
+  }
+}
\ No newline at end of file
diff --git a/network/tls/outputs.tf b/network/tls/outputs.tf
new file mode 100644
index 0000000..e40331d
--- /dev/null
+++ b/network/tls/outputs.tf
@@ -0,0 +1,20 @@
+output "cannot_connect_id" {
+  description = "id for monitor cannot_connect"
+  value       = datadog_monitor.cannot_connect.*.id
+}
+
+output "invalid_tls_certificate_id" {
+  description = "id for monitor invalid_tls_certificate"
+  value       = datadog_monitor.invalid_tls_certificate.*.id
+}
+
+output "tls_certificate_expiration_id" {
+  description = "id for monitor tls_certificate_expiration"
+  value       = datadog_monitor.tls_certificate_expiration.*.id
+}
+
+output "certificate_expiration_date_id" {
+  description = "id for monitor certificate_expiration_date"
+  value       = datadog_monitor.certificate_expiration_date.*.id
+}
+