add CloudWatch alerts construct with Auth0 monitoring and Slack integ…

iac/nag_suppressions.py

@@ -492,6 +492,22 @@ def suppress_api(stack: Stack) -> None:
             ],
         )
 
+    # --- MonitoringAlerts SNS topic ---
+    _suppress_by_path(
+        stack,
+        "Alerts/AlertsTopic/Resource",
+        [
+            NagPackSuppression(
+                id="AwsSolutions-SNS2",
+                reason=f"{TODO}: Encrypt the alerts SNS topic with a KMS CMK.",
+            ),
+            NagPackSuppression(
+                id="AwsSolutions-SNS3",
+                reason=f"{TODO}: Add aws:SecureTransport condition to the alerts SNS topic policy.",
+            ),
+        ],
+    )
+
 
 # ---------------------------------------------------------------------------
 # SagemakerStack (dev only)

iac/settings/dev.py

@@ -29,5 +29,8 @@
         ic_bucket_name="mermaid-image-processing",
         # Secrets
         env_secret_name="dev/mermaid-api-MzD7rS",
+        # Slack alerts via AWS Chatbot — fill in after connecting workspace in console
+        slack_workspace_id="",
+        slack_channel_id="",
     ),
 )

iac/settings/prod.py

@@ -31,5 +31,8 @@
         ic_s3_path_test="mermaid-production-test/",
         # Secrets
         env_secret_name="prod/mermaid-api-GUqRBj",
+        # Slack alerts via AWS Chatbot — fill in after connecting workspace in console
+        slack_workspace_id="",
+        slack_channel_id="",
     ),
 )

iac/settings/settings.py

@@ -58,6 +58,11 @@ class DjangoSettings:
     mc_user: str = "Mermaid"
     ic_bucket_name_test: str = ""
     ic_s3_path_test: str = ""
+    # AWS Chatbot Slack integration (leave empty to disable)
+    # workspace ID: AWS Console → Chatbot → Configured clients → Slack
+    # channel ID: right-click channel in Slack → View channel details → bottom of About tab
+    slack_workspace_id: str = ""
+    slack_channel_id: str = ""
 
 
 @dataclass

iac/stacks/api.py

@@ -26,6 +26,7 @@
 from constructs import Construct
 from settings.settings import ProjectSettings
 from stacks.constructs.adot import add_adot_sidecar
+from stacks.constructs.alerts import MonitoringAlerts
 from stacks.constructs.dashboard import MonitoringDashboard
 from stacks.constructs.worker import QueueWorker
 
@@ -288,6 +289,12 @@ def get_secret_object(stack: Stack, secret_name: str):
         task_definition = ecs.Ec2TaskDefinition(
             self, id="ApiTaskDefinition", network_mode=ecs.NetworkMode.AWS_VPC
         )
+        api_log_group = logs.LogGroup(
+            self,
+            "ApiLogGroup",
+            log_group_name=f"/mermaid/{config.env_id}/api",
+            retention=logs.RetentionDays.ONE_MONTH,
+        )
         task_definition.add_container(
             id="MermaidAPI",
             image=ecs.ContainerImage.from_docker_image_asset(image_asset),
@@ -297,7 +304,8 @@ def get_secret_object(stack: Stack, secret_name: str):
             environment={**environment, "OTEL_SERVICE_NAME": f"mermaid-api-{config.env_id}"},
             secrets=self.api_secrets,
             logging=ecs.LogDrivers.aws_logs(
-                stream_prefix=config.env_id, log_retention=logs.RetentionDays.ONE_MONTH
+                stream_prefix=config.env_id,
+                log_group=api_log_group,
             ),
         )
         add_adot_sidecar(task_definition, "Api")
@@ -481,3 +489,19 @@ def get_secret_object(stack: Stack, secret_name: str):
             distribution=distribution,
             sagemaker_domain_name=sagemaker_domain_name,
         )
+
+        # ── CloudWatch Alarms + Slack (AWS Chatbot) ──────────────────
+        MonitoringAlerts(
+            self,
+            "Alerts",
+            env_id=config.env_id,
+            load_balancer=load_balancer,
+            api_service=service,
+            database=database,
+            general_dlq=worker.dead_letter_queue,
+            image_dlq=image_worker.dead_letter_queue,
+            api_log_group=api_log_group,
+            sagemaker_domain_name=sagemaker_domain_name,
+            slack_workspace_id=config.api.slack_workspace_id or None,
+            slack_channel_id=config.api.slack_channel_id or None,
+        )