Merge pull request #276 from NHSDigital/feature/eja-eli-304-push-cloudwatch-alarms-to-itoc-splunk

Feature/eja eli 304 push cloudwatch alarms to itoc splunk

Author: eddalmond1

.github/workflows/base-deploy.yml

@@ -131,6 +131,9 @@ jobs:
           TF_VAR_API_CA_CERT: ${{ secrets.API_CA_CERT }}
           TF_VAR_API_CLIENT_CERT: ${{ secrets.API_CLIENT_CERT }}
           TF_VAR_API_PRIVATE_KEY_CERT: ${{ secrets.API_PRIVATE_KEY_CERT }}
+          TF_VAR_SPLUNK_HEC_TOKEN: ${{ secrets.SPLUNK_HEC_TOKEN }}
+          TF_VAR_SPLUNK_HEC_ENDPOINT: ${{ secrets.SPLUNK_HEC_ENDPOINT }}
+
         working-directory: ./infrastructure
         shell: bash
         run: |

.github/workflows/cicd-2-publish.yaml

@@ -93,13 +93,15 @@ jobs:
           role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/service-roles/github-actions-api-deployment-role
           aws-region: eu-west-2
 
-      - name: "Terraform Plan Stacks"
+      - name: "Terraform Apply"
         env:
           ENVIRONMENT: dev
           WORKSPACE: "default"
           TF_VAR_API_CA_CERT: ${{ secrets.API_CA_CERT }}
           TF_VAR_API_CLIENT_CERT: ${{ secrets.API_CLIENT_CERT }}
           TF_VAR_API_PRIVATE_KEY_CERT: ${{ secrets.API_PRIVATE_KEY_CERT }}
+          TF_VAR_SPLUNK_HEC_TOKEN: ${{ secrets.SPLUNK_HEC_TOKEN }}
+          TF_VAR_SPLUNK_HEC_ENDPOINT: ${{ secrets.SPLUNK_HEC_ENDPOINT }}
 
         # just planning for now for safety and until review
         run: |

.github/workflows/cicd-3-test.yaml

@@ -119,7 +119,8 @@ jobs:
           TF_VAR_API_CA_CERT: ${{ secrets.API_CA_CERT }}
           TF_VAR_API_CLIENT_CERT: ${{ secrets.API_CLIENT_CERT }}
           TF_VAR_API_PRIVATE_KEY_CERT: ${{ secrets.API_PRIVATE_KEY_CERT }}
-
+          TF_VAR_SPLUNK_HEC_TOKEN: ${{ secrets.SPLUNK_HEC_TOKEN }}
+          TF_VAR_SPLUNK_HEC_ENDPOINT: ${{ secrets.SPLUNK_HEC_ENDPOINT }}
         run: |
           mkdir -p ./build
           echo "Running: make terraform env=$ENVIRONMENT workspace=$WORKSPACE stack=networking tf-command=apply"

.github/workflows/manual-terraform-apply.yaml

@@ -63,7 +63,8 @@ jobs:
           TF_VAR_API_CA_CERT: ${{ secrets.API_CA_CERT }}
           TF_VAR_API_CLIENT_CERT: ${{ secrets.API_CLIENT_CERT }}
           TF_VAR_API_PRIVATE_KEY_CERT: ${{ secrets.API_PRIVATE_KEY_CERT }}
-
+          TF_VAR_SPLUNK_HEC_TOKEN: ${{ secrets.SPLUNK_HEC_TOKEN }}
+          TF_VAR_SPLUNK_HEC_ENDPOINT: ${{ secrets.SPLUNK_HEC_ENDPOINT }}
         run: |
           mkdir -p ./build
           echo "Running: make terraform env=$ENVIRONMENT workspace=$WORKSPACE stack=networking tf-command=plan args=\"-auto-approve\""

infrastructure/modules/splunk_forwarder/data.tf

@@ -0,0 +1 @@
+data "aws_caller_identity" "current" {}

infrastructure/modules/splunk_forwarder/firehose.tf

@@ -0,0 +1,45 @@
+# KMS Key for Firehose encryption
+resource "aws_kms_key" "firehose_splunk_cmk" {
+  description             = "KMS key for encrypting Kinesis Firehose delivery stream data"
+  deletion_window_in_days = 7
+  enable_key_rotation     = true
+  tags = {
+    Name      = "firehose-splunk-cmk"
+    Purpose   = "Firehose encryption"
+    ManagedBy = "terraform"
+  }
+}
+
+# KMS Key Alias for easier identification
+resource "aws_kms_alias" "firehose_splunk_cmk_alias" {
+  name          = "alias/firehose-splunk-cmk"
+  target_key_id = aws_kms_key.firehose_splunk_cmk.key_id
+}
+
+resource "aws_kinesis_firehose_delivery_stream" "splunk_delivery_stream" {
+  name        = "splunk-alarm-events"
+  destination = "splunk"
+  server_side_encryption {
+    enabled  = true
+    key_type = "CUSTOMER_MANAGED_CMK"
+    key_arn  = aws_kms_key.firehose_splunk_cmk.arn
+  }
+  # VPC configuration is only supported for HTTP endpoint destinations in Kinesis Firehose
+  # For Splunk destinations, the service runs in AWS-managed VPC but you can control network access
+  # via the subnets where EventBridge (the source) runs and IAM policies
+
+  splunk_configuration {
+    hec_endpoint      = var.splunk_hec_endpoint
+    hec_token         = var.splunk_hec_token
+    hec_endpoint_type = "Raw"
+    s3_backup_mode    = "FailedEventsOnly"
+
+    s3_configuration {
+      role_arn           = var.splunk_firehose_s3_role_arn
+      bucket_arn         = var.splunk_firehose_s3_backup_arn
+      buffering_size     = 10
+      buffering_interval = 400
+      compression_format = "GZIP"
+    }
+  }
+}

infrastructure/modules/splunk_forwarder/iam.tf

@@ -0,0 +1,56 @@
+# EventBridge IAM roles now defined in api-layer stack for specific integration
+
+resource "aws_kms_key_policy" "firehose_splunk_cmk_policy" {
+  key_id = aws_kms_key.firehose_splunk_cmk.id
+  policy = jsonencode({
+    Version = "2012-10-17",
+    Statement = [
+      {
+        Sid       = "AllowRootAccountFullAccess"
+        Effect    = "Allow"
+        Principal = { AWS = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root" }
+        Action    = "kms:*"
+        Resource  = "*"
+      },
+      {
+        Sid       = "AllowFirehoseServiceUseOfKey"
+        Effect    = "Allow"
+        Principal = { Service = "firehose.amazonaws.com" }
+        Action = [
+          "kms:Encrypt",
+          "kms:Decrypt",
+          "kms:ReEncrypt*",
+          "kms:GenerateDataKey*",
+          "kms:DescribeKey"
+        ]
+        Resource = "*"
+      },
+      {
+        Sid       = "AllowEventBridgeUseOfKey"
+        Effect    = "Allow"
+        Principal = { Service = "events.amazonaws.com" }
+        Action = [
+          "kms:Encrypt",
+          "kms:Decrypt",
+          "kms:ReEncrypt*",
+          "kms:GenerateDataKey*",
+          "kms:DescribeKey"
+        ]
+        Resource = "*"
+      },
+      {
+        Sid       = "AllowCloudWatchUseOfKey"
+        Effect    = "Allow"
+        Principal = { Service = "cloudwatch.amazonaws.com" }
+        Action = [
+          "kms:Encrypt",
+          "kms:Decrypt",
+          "kms:ReEncrypt*",
+          "kms:GenerateDataKey*",
+          "kms:DescribeKey"
+        ]
+        Resource = "*"
+      }
+    ]
+  })
+}

infrastructure/modules/splunk_forwarder/outputs.tf

@@ -0,0 +1,11 @@
+# Output the Firehose delivery stream ARN for use by EventBridge
+output "firehose_delivery_stream_arn" {
+  description = "ARN of the Kinesis Firehose delivery stream for Splunk"
+  value       = aws_kinesis_firehose_delivery_stream.splunk_delivery_stream.arn
+}
+
+# Output the KMS key ARN for reference
+output "firehose_kms_key_arn" {
+  description = "ARN of the KMS key used for Firehose encryption"
+  value       = aws_kms_key.firehose_splunk_cmk.arn
+}

infrastructure/modules/splunk_forwarder/variables.tf

@@ -0,0 +1,19 @@
+variable "splunk_hec_endpoint" {
+  description = "Splunk HEC endpoint URL"
+  type        = string
+}
+
+variable "splunk_hec_token" {
+  description = "Splunk HEC token"
+  type        = string
+}
+
+variable "splunk_firehose_s3_backup_arn" {
+  description = "s3 bucket ARN for Firehose backups"
+  type        = string
+}
+
+variable "splunk_firehose_s3_role_arn" {
+  description = "IAM role ARN for Firehose to access S3"
+  type        = string
+}

infrastructure/stacks/api-layer/eventbridge.tf

@@ -0,0 +1,89 @@
+# IAM role for EventBridge to write to Firehose
+resource "aws_iam_role" "eventbridge_firehose_role" {
+  name = "${var.environment}-eventbridge-to-firehose-role"
+
+  assume_role_policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [{
+      Effect = "Allow"
+      Principal = {
+        Service = "events.amazonaws.com"
+      }
+      Action = "sts:AssumeRole"
+    }]
+  })
+
+  tags = {
+    Environment = var.environment
+    Purpose     = "splunk-forwarding"
+    ManagedBy   = "terraform"
+  }
+}
+
+# IAM policy for EventBridge to access Firehose
+resource "aws_iam_role_policy" "eventbridge_to_firehose_policy" {
+  name = "${var.environment}-eventbridge-to-firehose-policy"
+  role = aws_iam_role.eventbridge_firehose_role.id
+
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [{
+      Effect = "Allow"
+      Action = [
+        "firehose:PutRecord",
+        "firehose:PutRecordBatch"
+      ]
+      Resource = module.splunk_forwarder.firehose_delivery_stream_arn
+    }]
+  })
+}
+
+# EventBridge rule to capture CloudWatch alarm state changes
+resource "aws_cloudwatch_event_rule" "alarm_state_change" {
+  name        = "cloudwatch-alarm-state-change-to-splunk"
+  description = "Forward CloudWatch alarm state changes to Splunk via Firehose"
+
+  event_pattern = jsonencode({
+    source      = ["aws.cloudwatch"]
+    detail-type = ["CloudWatch Alarm State Change"]
+  })
+
+  tags = {
+    Environment = var.environment
+    Purpose     = "splunk-forwarding"
+    ManagedBy   = "terraform"
+  }
+}
+
+# EventBridge target to send events to Firehose
+resource "aws_cloudwatch_event_target" "firehose_target" {
+  rule     = aws_cloudwatch_event_rule.alarm_state_change.name
+  arn      = module.splunk_forwarder.firehose_delivery_stream_arn
+  role_arn = aws_iam_role.eventbridge_firehose_role.arn
+
+  # Transform the CloudWatch alarm event into a format suitable for Splunk
+  input_transformer {
+    input_paths = {
+      account    = "$.account"
+      region     = "$.region"
+      time       = "$.time"
+      alarm_name = "$.detail.alarmName"
+      new_state  = "$.detail.state.value"
+      old_state  = "$.detail.previousState.value"
+      reason     = "$.detail.state.reason"
+    }
+
+    input_template = jsonencode({
+      time = "<time>"
+      source = "elid-${var.environment}:cloudwatch:alarm"
+      sourcetype = "aws:cloudwatch:alarm"
+      event = {
+        alarm_name  = "<alarm_name>"
+        new_state   = "<new_state>"
+        old_state   = "<old_state>"
+        reason      = "<reason>"
+        region      = "<region>"
+      }
+    })
+  }
+}