eli-520 amending permissions to act on the log object

eddalmond1 · eddalmond1 · commit 8a6536b200f5 · 2025-11-03T16:06:17.000Z
diff --git a/infrastructure/stacks/api-layer/csoc_log_forwarding.tf b/infrastructure/stacks/api-layer/csoc_log_forwarding.tf
@@ -39,39 +39,39 @@ resource "aws_iam_role" "cwl_subscription_role" {
   )
 }
 
-# IAM policy to allow PutSubscriptionFilter on the existing API Gateway log group and CSOC destination
-data "aws_iam_policy_document" "put_subscription_filter" {
+# IAM policy to allow CloudWatch Logs to write to the CSOC destination
+# This is the permission policy for the role that CloudWatch Logs assumes
+data "aws_iam_policy_document" "cwl_to_csoc_destination" {
   statement {
-    sid    = "AllowPutAPIGSubFilter"
+    sid    = "AllowPutLogEventsToDestination"
     effect = "Allow"
     actions = [
-      "logs:PutSubscriptionFilter"
+      "logs:PutLogEvents"
     ]
     resources = [
-      "${module.eligibility_signposting_api_gateway.cloudwatch_destination_arn}:*",
       "arn:aws:logs:${var.default_aws_region}:693466633220:destination:api_gateway_log_destination"
     ]
   }
 }
 
-resource "aws_iam_policy" "put_subscription_filter" {
-  name        = "${var.environment}-${local.workspace}-PutSubscriptionFilterPolicy"
-  description = "Policy to allow creating subscription filters for CSOC log forwarding"
-  policy      = data.aws_iam_policy_document.put_subscription_filter.json
+resource "aws_iam_policy" "cwl_to_csoc_destination" {
+  name        = "${var.environment}-${local.workspace}-CWLogsToCSOCDestinationPolicy"
+  description = "Policy to allow CloudWatch Logs to write to CSOC destination"
+  policy      = data.aws_iam_policy_document.cwl_to_csoc_destination.json
 
   tags = merge(
     local.tags,
     {
-      Name    = "${var.environment}-${local.workspace}-PutSubscriptionFilterPolicy"
+      Name    = "${var.environment}-${local.workspace}-CWLogsToCSOCDestinationPolicy"
       Purpose = "CSOC log forwarding"
     }
   )
 }
 
 # Attach the policy to the subscription role
-resource "aws_iam_role_policy_attachment" "put_subscription_filter" {
+resource "aws_iam_role_policy_attachment" "cwl_to_csoc_destination" {
   role       = aws_iam_role.cwl_subscription_role.name
-  policy_arn = aws_iam_policy.put_subscription_filter.arn
+  policy_arn = aws_iam_policy.cwl_to_csoc_destination.arn
 }
 
 # Create the subscription filter to forward logs to CSOC
@@ -87,6 +87,6 @@ resource "aws_cloudwatch_log_subscription_filter" "csoc_forwarding" {
   depends_on = [
     module.eligibility_signposting_api_gateway,
     aws_iam_role.cwl_subscription_role,
-    aws_iam_role_policy_attachment.put_subscription_filter
+    aws_iam_role_policy_attachment.cwl_to_csoc_destination
   ]
 }

Original file line number	Diff line number	Diff line change
`@@ -39,39 +39,39 @@ resource "aws_iam_role" "cwl_subscription_role" {`
`39`	`39`	`)`
`40`	`40`	`}`
`41`	`41`
`42`		`-# IAM policy to allow PutSubscriptionFilter on the existing API Gateway log group and CSOC destination`
`43`		`-data "aws_iam_policy_document" "put_subscription_filter" {`
	`42`	`+# IAM policy to allow CloudWatch Logs to write to the CSOC destination`
	`43`	`+# This is the permission policy for the role that CloudWatch Logs assumes`
	`44`	`+data "aws_iam_policy_document" "cwl_to_csoc_destination" {`
`44`	`45`	`statement {`
`45`		`- sid = "AllowPutAPIGSubFilter"`
	`46`	`+ sid = "AllowPutLogEventsToDestination"`
`46`	`47`	`effect = "Allow"`
`47`	`48`	`actions = [`
`48`		`- "logs:PutSubscriptionFilter"`
	`49`	`+ "logs:PutLogEvents"`
`49`	`50`	`]`
`50`	`51`	`resources = [`
`51`		`- "${module.eligibility_signposting_api_gateway.cloudwatch_destination_arn}:*",`
`52`	`52`	`"arn:aws:logs:${var.default_aws_region}:693466633220:destination:api_gateway_log_destination"`
`53`	`53`	`]`
`54`	`54`	`}`
`55`	`55`	`}`
`56`	`56`
`57`		`-resource "aws_iam_policy" "put_subscription_filter" {`
`58`		`- name = "${var.environment}-${local.workspace}-PutSubscriptionFilterPolicy"`
`59`		`- description = "Policy to allow creating subscription filters for CSOC log forwarding"`
`60`		`- policy = data.aws_iam_policy_document.put_subscription_filter.json`
	`57`	`+resource "aws_iam_policy" "cwl_to_csoc_destination" {`
	`58`	`+ name = "${var.environment}-${local.workspace}-CWLogsToCSOCDestinationPolicy"`
	`59`	`+ description = "Policy to allow CloudWatch Logs to write to CSOC destination"`
	`60`	`+ policy = data.aws_iam_policy_document.cwl_to_csoc_destination.json`
`61`	`61`
`62`	`62`	`tags = merge(`
`63`	`63`	`local.tags,`
`64`	`64`	`{`
`65`		`- Name = "${var.environment}-${local.workspace}-PutSubscriptionFilterPolicy"`
	`65`	`+ Name = "${var.environment}-${local.workspace}-CWLogsToCSOCDestinationPolicy"`
`66`	`66`	`Purpose = "CSOC log forwarding"`
`67`	`67`	`}`
`68`	`68`	`)`
`69`	`69`	`}`
`70`	`70`
`71`	`71`	`# Attach the policy to the subscription role`
`72`		`-resource "aws_iam_role_policy_attachment" "put_subscription_filter" {`
	`72`	`+resource "aws_iam_role_policy_attachment" "cwl_to_csoc_destination" {`
`73`	`73`	`role = aws_iam_role.cwl_subscription_role.name`
`74`		`- policy_arn = aws_iam_policy.put_subscription_filter.arn`
	`74`	`+ policy_arn = aws_iam_policy.cwl_to_csoc_destination.arn`
`75`	`75`	`}`
`76`	`76`
`77`	`77`	`# Create the subscription filter to forward logs to CSOC`
`@@ -87,6 +87,6 @@ resource "aws_cloudwatch_log_subscription_filter" "csoc_forwarding" {`
`87`	`87`	`depends_on = [`
`88`	`88`	`module.eligibility_signposting_api_gateway,`
`89`	`89`	`aws_iam_role.cwl_subscription_role,`
`90`		`- aws_iam_role_policy_attachment.put_subscription_filter`
	`90`	`+ aws_iam_role_policy_attachment.cwl_to_csoc_destination`
`91`	`91`	`]`
`92`	`92`	`}`