NRL-1188 Add reporting bucket to firehose policy

jackleary · jackleary · commit 3135c3bc4001 · 2024-12-17T10:19:17.000Z
diff --git a/terraform/infrastructure/modules/firehose/cloudwatch.tf b/terraform/infrastructure/modules/firehose/cloudwatch.tf
@@ -7,3 +7,13 @@ resource "aws_cloudwatch_log_stream" "firehose" {
   name           = "${var.prefix}-firehose"
   log_group_name = aws_cloudwatch_log_group.firehose.name
 }
+
+resource "aws_cloudwatch_log_group" "firehose_reporting" {
+  name              = "/aws/kinesisfirehose/${var.prefix}-firehose-reporting"
+  retention_in_days = local.cloudwatch.retention.days
+}
+
+resource "aws_cloudwatch_log_stream" "firehose_reporting" {
+  name           = "${var.prefix}-firehose-reporting"
+  log_group_name = aws_cloudwatch_log_group.firehose_reporting.name
+}
diff --git a/terraform/infrastructure/modules/firehose/iam_firehose.tf b/terraform/infrastructure/modules/firehose/iam_firehose.tf
@@ -30,6 +30,8 @@ data "aws_iam_policy_document" "firehose" {
     resources = [
       aws_s3_bucket.firehose.arn,
       "${aws_s3_bucket.firehose.arn}/*",
+      var.reporting_bucket_arn,
+      "${var.reporting_bucket_arn}/*",
     ]
     effect = "Allow"
   }
diff --git a/terraform/infrastructure/modules/firehose/kinesis.tf b/terraform/infrastructure/modules/firehose/kinesis.tf
@@ -66,22 +66,13 @@ resource "aws_kinesis_firehose_delivery_stream" "reporting_stream" {
     bucket_arn = var.reporting_bucket_arn
 
     processing_configuration {
-      enabled = "true"
-
-      processors {
-        type = "CloudWatchLogProcessing"
-
-        parameters {
-          parameter_name  = "DataMessageExtraction"
-          parameter_value = "true"
-        }
-      }
+      enabled = "false"
     }
 
     cloudwatch_logging_options {
       enabled         = true
-      log_group_name  = aws_cloudwatch_log_group.firehose.name
-      log_stream_name = aws_cloudwatch_log_stream.firehose.name
+      log_group_name  = aws_cloudwatch_log_group.firehose_reporting.name
+      log_stream_name = aws_cloudwatch_log_stream.firehose_reporting.name
     }
   }
 }

Original file line number	Diff line number	Diff line change
`@@ -30,6 +30,8 @@ data "aws_iam_policy_document" "firehose" {`
`30`	`30`	`resources = [`
`31`	`31`	`aws_s3_bucket.firehose.arn,`
`32`	`32`	`"${aws_s3_bucket.firehose.arn}/*",`
	`33`	`+ var.reporting_bucket_arn,`
	`34`	`+ "${var.reporting_bucket_arn}/*",`
`33`	`35`	`]`
`34`	`36`	`effect = "Allow"`
`35`	`37`	`}`
Original file line number	Diff line number	Diff line change
`@@ -66,22 +66,13 @@ resource "aws_kinesis_firehose_delivery_stream" "reporting_stream" {`
`66`	`66`	`bucket_arn = var.reporting_bucket_arn`
`67`	`67`
`68`	`68`	`processing_configuration {`
`69`		`- enabled = "true"`
`70`		`-`
`71`		`- processors {`
`72`		`- type = "CloudWatchLogProcessing"`
`73`		`-`
`74`		`- parameters {`
`75`		`- parameter_name = "DataMessageExtraction"`
`76`		`- parameter_value = "true"`
`77`		`- }`
`78`		`- }`
	`69`	`+ enabled = "false"`
`79`	`70`	`}`
`80`	`71`
`81`	`72`	`cloudwatch_logging_options {`
`82`	`73`	`enabled = true`
`83`		`- log_group_name = aws_cloudwatch_log_group.firehose.name`
`84`		`- log_stream_name = aws_cloudwatch_log_stream.firehose.name`
	`74`	`+ log_group_name = aws_cloudwatch_log_group.firehose_reporting.name`
	`75`	`+ log_stream_name = aws_cloudwatch_log_stream.firehose_reporting.name`
`85`	`76`	`}`
`86`	`77`	`}`
`87`	`78`	`}`