feat: grafana IRM escalation module

новый модуль modules/grafana_irm_escalation, dev/adibrov подключён. секреты (oncall_access_token, user id) хранятся в Vault, в git не попадают
2026-04-01 08:21:03 +03:00
parent a9e7ad4831
commit 5d05640e80
9 changed files with 161 additions and 0 deletions
--- a/environments/dev/adibrov/locals.tf
+++ b/environments/dev/adibrov/locals.tf
@ -5,6 +5,32 @@ locals {
    "X-Disable-Provenance" = var.disable_provenance ? "true" : "false"
  }

+  # IRM escalation chains
+  # ID пользователей/расписаний хранятся в Vault: app/groups/monitoring/grafana/dev/ext
+  irm_escalation_chains = [
+    {
+      name = "infra-default"
+      steps = [
+        {
+          type              = "notify_persons"
+          persons_to_notify = [data.vault_kv_secret_v2.secret_ext.data["irm_user_adibrov"]]
+        },
+        {
+          type             = "wait"
+          duration_seconds = 300
+        },
+        {
+          type              = "notify_persons"
+          persons_to_notify = [data.vault_kv_secret_v2.secret_ext.data["irm_user_adibrov"]]
+          important         = true
+        },
+        {
+          type = "repeat_escalation"
+        }
+      ]
+    }
+  ]
+
  # Contact points configuration
  contact_points = [
    {
--- a/environments/dev/adibrov/main.tf
+++ b/environments/dev/adibrov/main.tf
@ -85,3 +85,19 @@ module "grafana_rule_group01" {
    module.grafana_contact_points01
  ]
 }
+
+# Модуль управления цепочками эскалации Grafana IRM
+# Включается через enable_irm = true в terraform.tfvars
+# Перед включением: добавить oncall_access_token в Vault (app/groups/monitoring/grafana/dev/int)
+module "grafana_irm_escalation" {
+  for_each = var.enable_irm ? { for chain in local.irm_escalation_chains : chain.name => chain } : {}
+
+  source  = "../../modules/grafana_irm_escalation"
+  name    = each.value.name
+  team_id = try(each.value.team_id, null)
+  steps   = each.value.steps
+
+  providers = {
+    grafana = grafana.grafana01
+  }
+}
--- a/environments/dev/adibrov/providers.tf
+++ b/environments/dev/adibrov/providers.tf
@ -18,4 +18,8 @@ provider "grafana" {
  auth                 = "admin:${data.vault_kv_secret_v2.secret_int.data["grafana_local_admin_password"]}"
  insecure_skip_verify = true
  http_headers         = local.grafana_headers
+
+  # Grafana IRM / OnCall (Grafana Cloud)
+  oncall_access_token = try(data.vault_kv_secret_v2.secret_int.data["oncall_access_token"], null)
+  oncall_url          = "https://oncall-prod-us-central-0.grafana.net/oncall"
 }
--- a/environments/dev/adibrov/terraform.tfvars
+++ b/environments/dev/adibrov/terraform.tfvars
@ -153,3 +153,9 @@ notification_policies = [
    ]
  }
 ]
+
+# ── Grafana IRM ──────────────────────────────────────────────────────────────
+# Цепочки эскалации описаны в locals.tf, ID пользователей — в Vault
+# (app/groups/monitoring/grafana/dev/ext → irm_user_adibrov)
+
+enable_irm = true
--- a/environments/dev/adibrov/variables_irm.tf
+++ b/environments/dev/adibrov/variables_irm.tf
@ -0,0 +1,5 @@
+variable "enable_irm" {
+  description = "Включить управление цепочками эскалации Grafana IRM"
+  type        = bool
+  default     = false
+}