@@ -115,7 +115,7 @@ resource "aws_iam_policy" "dynamodb_management" {
115115 }
116116 ],
117117 # to create test users in preprod
118- var. environment == " preprod" ? [
118+ var. environment == " preprod" ? [
119119 {
120120 Effect = " Allow"
121121 Action = [
@@ -249,7 +249,11 @@ resource "aws_iam_policy" "api_infrastructure" {
249249 # CloudWatch Logs creation and management
250250 " logs:CreateLogGroup"
251251 " logs:CreateLogStream"
252- " logs:PutLogEvents"
252+ " logs:PutLogEvents"
253+ # CloudWatch Logs subscription filters for CSOC forwarding
254+ " logs:PutSubscriptionFilter"
255+ " logs:DeleteSubscriptionFilter"
256+ " logs:DescribeSubscriptionFilters"
253257 ],
254258 Resource = [
255259 # VPC Flow Logs
@@ -279,7 +283,9 @@ resource "aws_iam_policy" "api_infrastructure" {
279283 " arn:aws:iam::${ data . aws_caller_identity . current . account_id } :role/eventbridge-firehose-role*"
280284 # Kinesis Firehose S3 backup roles
281285 " arn:aws:iam::${ data . aws_caller_identity . current . account_id } :role/*firehose*role*"
282- " arn:aws:iam::${ data . aws_caller_identity . current . account_id } :role/splunk-firehose-assume-role*"
286+ " arn:aws:iam::${ data . aws_caller_identity . current . account_id } :role/splunk-firehose-assume-role*"
287+ # CSOC CloudWatch Logs subscription role
288+ " arn:aws:iam::${ data . aws_caller_identity . current . account_id } :role/*-CWLogsSubscriptionRole"
283289 ],
284290 Condition = {
285291 StringEquals = {
@@ -288,7 +294,8 @@ resource "aws_iam_policy" "api_infrastructure" {
288294 " apigateway.amazonaws.com"
289295 " vpc-flow-logs.amazonaws.com"
290296 " events.amazonaws.com"
291- " firehose.amazonaws.com"
297+ " firehose.amazonaws.com"
298+ " logs.amazonaws.com"
292299 ]
293300 }
294301 }
@@ -477,9 +484,12 @@ resource "aws_iam_policy" "iam_management" {
477484 " arn:aws:iam::*:role/*-api-gateway-*-role"
478485 # External write role
479486 " arn:aws:iam::*:role/eligibility-signposting-api-*-external-write-role"
487+ # CSOC CloudWatch Logs subscription role
488+ " arn:aws:iam::*:role/*-CWLogsSubscriptionRole"
480489 # Project policies
481490 " arn:aws:iam::*:policy/*api-gateway-logging-policy"
482491 " arn:aws:iam::*:policy/*PermissionsBoundary"
492+ " arn:aws:iam::*:policy/*PutSubscriptionFilterPolicy"
483493 # VPC flow logs role
484494 " arn:aws:iam::*:role/vpc-flow-logs-role"
485495 # API role
@@ -500,8 +510,8 @@ resource "aws_iam_policy" "iam_management" {
500510# Assume role policy document for GitHub Actions
501511data "aws_iam_policy_document" "github_actions_assume_role" {
502512 statement {
503- sid = " OidcAssumeRoleWithWebIdentity"
504- effect = " Allow"
513+ sid = " OidcAssumeRoleWithWebIdentity"
514+ effect = " Allow"
505515 actions = " sts:AssumeRoleWithWebIdentity"
506516
507517 principals {
@@ -514,13 +524,13 @@ data "aws_iam_policy_document" "github_actions_assume_role" {
514524 condition {
515525 test = " StringLike"
516526 variable = " token.actions.githubusercontent.com:sub"
517- values = " repo:${ var . github_org } /${ var . github_repo } :*"
527+ values = " repo:${ var . github_org } /${ var . github_repo } :*"
518528 }
519529
520530 condition {
521531 test = " StringEquals"
522532 variable = " token.actions.githubusercontent.com:aud"
523- values = " sts.amazonaws.com"
533+ values = " sts.amazonaws.com"
524534 }
525535 }
526536}
0 commit comments