Merge pull request #455 from NHSDigital/feature/eja-eli-510-add-CSOC-api-log-forwarding

eddalmond1 · web-flow · commit 60d567d18eb4 · 2025-11-03T16:31:16.000Z
Feature/eja eli 510 add csoc api log forwarding
diff --git a/infrastructure/stacks/api-layer/csoc_log_forwarding.tf b/infrastructure/stacks/api-layer/csoc_log_forwarding.tf
@@ -14,7 +14,13 @@ data "aws_iam_policy_document" "cwl_subscription_assume_role" {
 
     principals {
       type        = "Service"
-      identifiers = ["logs.${var.default_aws_region}.amazonaws.com"]
+      identifiers = ["logs.amazonaws.com"]
+    }
+
+    condition {
+      test     = "StringEquals"
+      variable = "aws:SourceAccount"
+      values   = [data.aws_caller_identity.current.account_id]
     }
   }
 }
@@ -33,39 +39,39 @@ resource "aws_iam_role" "cwl_subscription_role" {
   )
 }
 
-# IAM policy to allow PutSubscriptionFilter on the existing API Gateway log group and CSOC destination
-data "aws_iam_policy_document" "put_subscription_filter" {
+# IAM policy to allow CloudWatch Logs to write to the CSOC destination
+# This is the permission policy for the role that CloudWatch Logs assumes
+data "aws_iam_policy_document" "cwl_to_csoc_destination" {
   statement {
-    sid    = "AllowPutAPIGSubFilter"
+    sid    = "AllowPutLogEventsToDestination"
     effect = "Allow"
     actions = [
-      "logs:PutSubscriptionFilter"
+      "logs:PutLogEvents"
     ]
     resources = [
-      "${module.eligibility_signposting_api_gateway.cloudwatch_destination_arn}:*",
       "arn:aws:logs:${var.default_aws_region}:693466633220:destination:api_gateway_log_destination"
     ]
   }
 }
 
-resource "aws_iam_policy" "put_subscription_filter" {
-  name        = "${var.environment}-${local.workspace}-PutSubscriptionFilterPolicy"
-  description = "Policy to allow creating subscription filters for CSOC log forwarding"
-  policy      = data.aws_iam_policy_document.put_subscription_filter.json
+resource "aws_iam_policy" "cwl_to_csoc_destination" {
+  name        = "${var.environment}-${local.workspace}-CWLogsToCSOCDestinationPolicy"
+  description = "Policy to allow CloudWatch Logs to write to CSOC destination"
+  policy      = data.aws_iam_policy_document.cwl_to_csoc_destination.json
 
   tags = merge(
     local.tags,
     {
-      Name    = "${var.environment}-${local.workspace}-PutSubscriptionFilterPolicy"
+      Name    = "${var.environment}-${local.workspace}-CWLogsToCSOCDestinationPolicy"
       Purpose = "CSOC log forwarding"
     }
   )
 }
 
 # Attach the policy to the subscription role
-resource "aws_iam_role_policy_attachment" "put_subscription_filter" {
+resource "aws_iam_role_policy_attachment" "cwl_to_csoc_destination" {
   role       = aws_iam_role.cwl_subscription_role.name
-  policy_arn = aws_iam_policy.put_subscription_filter.arn
+  policy_arn = aws_iam_policy.cwl_to_csoc_destination.arn
 }
 
 # Create the subscription filter to forward logs to CSOC
@@ -81,6 +87,6 @@ resource "aws_cloudwatch_log_subscription_filter" "csoc_forwarding" {
   depends_on = [
     module.eligibility_signposting_api_gateway,
     aws_iam_role.cwl_subscription_role,
-    aws_iam_role_policy_attachment.put_subscription_filter
+    aws_iam_role_policy_attachment.cwl_to_csoc_destination
   ]
 }
diff --git a/infrastructure/stacks/iams-developer-roles/github_actions_policies.tf b/infrastructure/stacks/iams-developer-roles/github_actions_policies.tf
@@ -266,6 +266,17 @@ resource "aws_iam_policy" "api_infrastructure" {
           "arn:aws:logs:${var.default_aws_region}:${data.aws_caller_identity.current.account_id}:log-group:/aws/kinesisfirehose/*"
         ]
       },
+      {
+        Effect = "Allow",
+        Action = [
+          # CloudWatch Logs subscription to CSOC cross-account destination
+          "logs:PutSubscriptionFilter"
+        ],
+        Resource = [
+          # CSOC cross-account destination for API Gateway logs
+          "arn:aws:logs:${var.default_aws_region}:693466633220:destination:api_gateway_log_destination"
+        ]
+      },
       {
         Effect = "Allow",
         Action = [
@@ -464,12 +475,15 @@ resource "aws_iam_policy" "iam_management" {
           "iam:CreateRole",
           "iam:DeleteRole",
           "iam:UpdateRole",
+          "iam:UpdateAssumeRolePolicy",
           "iam:PutRolePolicy",
           "iam:PutRolePermissionsBoundary",
           "iam:AttachRolePolicy",
           "iam:DetachRolePolicy",
           "iam:CreatePolicy",
           "iam:CreatePolicyVersion",
+          "iam:DeletePolicy",
+          "iam:DeletePolicyVersion",
           "iam:TagRole",
           "iam:PassRole",
           "iam:TagPolicy",
@@ -490,6 +504,7 @@ resource "aws_iam_policy" "iam_management" {
           "arn:aws:iam::*:policy/*api-gateway-logging-policy",
           "arn:aws:iam::*:policy/*PermissionsBoundary",
           "arn:aws:iam::*:policy/*PutSubscriptionFilterPolicy",
+          "arn:aws:iam::*:policy/*CWLogsToCSOCDestinationPolicy",
           # VPC flow logs role
           "arn:aws:iam::*:role/vpc-flow-logs-role",
           # API role
diff --git a/infrastructure/stacks/iams-developer-roles/iams_permissions_boundary.tf b/infrastructure/stacks/iams-developer-roles/iams_permissions_boundary.tf
@@ -101,12 +101,15 @@ data "aws_iam_policy_document" "permissions_boundary" {
       "iam:CreateRole",
       "iam:DeleteRole",
       "iam:UpdateRole",
+      "iam:UpdateAssumeRolePolicy",
       "iam:PutRolePolicy",
       "iam:PutRolePermissionsBoundary",
       "iam:AttachRolePolicy",
       "iam:DetachRolePolicy",
       "iam:CreatePolicy",
       "iam:CreatePolicyVersion",
+      "iam:DeletePolicy",
+      "iam:DeletePolicyVersion",
       "iam:TagRole",
       "iam:UntagPolicy",
       "iam:PassRole",

Original file line number	Diff line number	Diff line change
`@@ -14,7 +14,13 @@ data "aws_iam_policy_document" "cwl_subscription_assume_role" {`
`14`	`14`
`15`	`15`	`principals {`
`16`	`16`	`type = "Service"`
`17`		`- identifiers = ["logs.${var.default_aws_region}.amazonaws.com"]`
	`17`	`+ identifiers = ["logs.amazonaws.com"]`
	`18`	`+ }`
	`19`	`+`
	`20`	`+ condition {`
	`21`	`+ test = "StringEquals"`
	`22`	`+ variable = "aws:SourceAccount"`
	`23`	`+ values = [data.aws_caller_identity.current.account_id]`
`18`	`24`	`}`
`19`	`25`	`}`
`20`	`26`	`}`
`@@ -33,39 +39,39 @@ resource "aws_iam_role" "cwl_subscription_role" {`
`33`	`39`	`)`
`34`	`40`	`}`
`35`	`41`
`36`		`-# IAM policy to allow PutSubscriptionFilter on the existing API Gateway log group and CSOC destination`
`37`		`-data "aws_iam_policy_document" "put_subscription_filter" {`
	`42`	`+# IAM policy to allow CloudWatch Logs to write to the CSOC destination`
	`43`	`+# This is the permission policy for the role that CloudWatch Logs assumes`
	`44`	`+data "aws_iam_policy_document" "cwl_to_csoc_destination" {`
`38`	`45`	`statement {`
`39`		`- sid = "AllowPutAPIGSubFilter"`
	`46`	`+ sid = "AllowPutLogEventsToDestination"`
`40`	`47`	`effect = "Allow"`
`41`	`48`	`actions = [`
`42`		`- "logs:PutSubscriptionFilter"`
	`49`	`+ "logs:PutLogEvents"`
`43`	`50`	`]`
`44`	`51`	`resources = [`
`45`		`- "${module.eligibility_signposting_api_gateway.cloudwatch_destination_arn}:*",`
`46`	`52`	`"arn:aws:logs:${var.default_aws_region}:693466633220:destination:api_gateway_log_destination"`
`47`	`53`	`]`
`48`	`54`	`}`
`49`	`55`	`}`
`50`	`56`
`51`		`-resource "aws_iam_policy" "put_subscription_filter" {`
`52`		`- name = "${var.environment}-${local.workspace}-PutSubscriptionFilterPolicy"`
`53`		`- description = "Policy to allow creating subscription filters for CSOC log forwarding"`
`54`		`- policy = data.aws_iam_policy_document.put_subscription_filter.json`
	`57`	`+resource "aws_iam_policy" "cwl_to_csoc_destination" {`
	`58`	`+ name = "${var.environment}-${local.workspace}-CWLogsToCSOCDestinationPolicy"`
	`59`	`+ description = "Policy to allow CloudWatch Logs to write to CSOC destination"`
	`60`	`+ policy = data.aws_iam_policy_document.cwl_to_csoc_destination.json`
`55`	`61`
`56`	`62`	`tags = merge(`
`57`	`63`	`local.tags,`
`58`	`64`	`{`
`59`		`- Name = "${var.environment}-${local.workspace}-PutSubscriptionFilterPolicy"`
	`65`	`+ Name = "${var.environment}-${local.workspace}-CWLogsToCSOCDestinationPolicy"`
`60`	`66`	`Purpose = "CSOC log forwarding"`
`61`	`67`	`}`
`62`	`68`	`)`
`63`	`69`	`}`
`64`	`70`
`65`	`71`	`# Attach the policy to the subscription role`
`66`		`-resource "aws_iam_role_policy_attachment" "put_subscription_filter" {`
	`72`	`+resource "aws_iam_role_policy_attachment" "cwl_to_csoc_destination" {`
`67`	`73`	`role = aws_iam_role.cwl_subscription_role.name`
`68`		`- policy_arn = aws_iam_policy.put_subscription_filter.arn`
	`74`	`+ policy_arn = aws_iam_policy.cwl_to_csoc_destination.arn`
`69`	`75`	`}`
`70`	`76`
`71`	`77`	`# Create the subscription filter to forward logs to CSOC`
`@@ -81,6 +87,6 @@ resource "aws_cloudwatch_log_subscription_filter" "csoc_forwarding" {`
`81`	`87`	`depends_on = [`
`82`	`88`	`module.eligibility_signposting_api_gateway,`
`83`	`89`	`aws_iam_role.cwl_subscription_role,`
`84`		`- aws_iam_role_policy_attachment.put_subscription_filter`
	`90`	`+ aws_iam_role_policy_attachment.cwl_to_csoc_destination`
`85`	`91`	`]`
`86`	`92`	`}`