Merge branch 'main' into feature/eja-eli-414-spin-our-own-FHIR-operation-outcome

eddalmond1 · web-flow · commit 9b97d5323b9f · 2025-11-04T09:31:51.000Z
diff --git a/infrastructure/stacks/api-layer/api_gateway.tf b/infrastructure/stacks/api-layer/api_gateway.tf
@@ -51,9 +51,11 @@ resource "aws_api_gateway_stage" "eligibility-signposting-api" {
   stage_name           = "${local.workspace}-eligibility-signposting-api-live"
   xray_tracing_enabled = true
 
+  # Access log settings
+  # A subscription filter (see csoc_log_forwarding.tf) forwards these logs to CSOC
   access_log_settings {
     destination_arn = module.eligibility_signposting_api_gateway.cloudwatch_destination_arn
-    format          = "{ \"requestId\":\"$context.requestId\", \"ip\": \"$context.identity.sourceIp\", \"caller\":\"$context.identity.caller\", \"user\":\"$context.identity.user\", \"requestTime\":\"$context.requestTime\", \"httpMethod\":\"$context.httpMethod\", \"resourcePath\":\"$context.resourcePath\", \"status\":\"$context.status\", \"protocol\":\"$context.protocol\", \"responseLength\":\"$context.responseLength\", \"accountId\":\"$context.accountId\", \"apiId\":\"$context.apiId\", \"stage\":\"$context.stage\", \"domainName\":\"$context.domainName\", \"error_message\":\"$context.error.message\", \"clientCertSerialNumber\":\"$context.identity.clientCert.serialNumber\", \"clientCertValidityNotBefore\":\"$context.identity.clientCert.validity.notBefore\", \"clientCertValidityNotAfter\":\"$context.identity.clientCert.validity.notAfter\" }"
+    format          = "{ \"requestId\":\"$context.requestId\", \"ip\": \"$context.identity.sourceIp\", \"caller\":\"$context.identity.caller\", \"user\":\"$context.identity.user\", \"requestTime\":\"$context.requestTime\", \"httpMethod\":\"$context.httpMethod\", \"resourcePath\":\"$context.resourcePath\", \"status\":\"$context.status\", \"protocol\":\"$context.protocol\", \"responseLength\":\"$context.responseLength\", \"accountId\":\"$context.accountId\", \"apiId\":\"$context.apiId\", \"stage\":\"$context.stage\", \"api_key\":\"$context.identity.apiKey\" }"
   }
 
   depends_on = [
diff --git a/infrastructure/stacks/api-layer/csoc_log_forwarding.tf b/infrastructure/stacks/api-layer/csoc_log_forwarding.tf
@@ -0,0 +1,92 @@
+# CSOC Log Forwarding Configuration
+# This file implements the requirements for forwarding API Gateway logs to CSOC
+# Based on https://nhsd-confluence.digital.nhs.uk/spaces/CCEP/pages/407374909/API+Gateway+Access+Logs
+#
+# This implementation uses the existing API Gateway log group and adds a subscription
+# filter to forward logs to CSOC, avoiding the need to create a duplicate log group.
+
+# IAM Role for Cross Account Log Subscriptions
+# This role allows CloudWatch Logs service to assume a role for cross-account log delivery
+data "aws_iam_policy_document" "cwl_subscription_assume_role" {
+  statement {
+    effect  = "Allow"
+    actions = ["sts:AssumeRole"]
+
+    principals {
+      type        = "Service"
+      identifiers = ["logs.amazonaws.com"]
+    }
+
+    condition {
+      test     = "StringEquals"
+      variable = "aws:SourceAccount"
+      values   = [data.aws_caller_identity.current.account_id]
+    }
+  }
+}
+
+resource "aws_iam_role" "cwl_subscription_role" {
+  name               = "${var.environment}-${local.workspace}-CWLogsSubscriptionRole"
+  description        = "IAM role for CloudWatch Logs subscription filter to forward logs to CSOC"
+  assume_role_policy = data.aws_iam_policy_document.cwl_subscription_assume_role.json
+
+  tags = merge(
+    local.tags,
+    {
+      Name    = "${var.environment}-${local.workspace}-CWLogsSubscriptionRole"
+      Purpose = "CSOC log forwarding"
+    }
+  )
+}
+
+# IAM policy to allow CloudWatch Logs to write to the CSOC destination
+# This is the permission policy for the role that CloudWatch Logs assumes
+data "aws_iam_policy_document" "cwl_to_csoc_destination" {
+  statement {
+    sid    = "AllowPutLogEventsToDestination"
+    effect = "Allow"
+    actions = [
+      "logs:PutLogEvents"
+    ]
+    resources = [
+      "arn:aws:logs:${var.default_aws_region}:693466633220:destination:api_gateway_log_destination"
+    ]
+  }
+}
+
+resource "aws_iam_policy" "cwl_to_csoc_destination" {
+  name        = "${var.environment}-${local.workspace}-CWLogsToCSOCDestinationPolicy"
+  description = "Policy to allow CloudWatch Logs to write to CSOC destination"
+  policy      = data.aws_iam_policy_document.cwl_to_csoc_destination.json
+
+  tags = merge(
+    local.tags,
+    {
+      Name    = "${var.environment}-${local.workspace}-CWLogsToCSOCDestinationPolicy"
+      Purpose = "CSOC log forwarding"
+    }
+  )
+}
+
+# Attach the policy to the subscription role
+resource "aws_iam_role_policy_attachment" "cwl_to_csoc_destination" {
+  role       = aws_iam_role.cwl_subscription_role.name
+  policy_arn = aws_iam_policy.cwl_to_csoc_destination.arn
+}
+
+# Create the subscription filter to forward logs to CSOC
+# This forwards all logs from the existing API Gateway log group to the CSOC destination
+# Note: A log group can have up to 2 subscription filters
+resource "aws_cloudwatch_log_subscription_filter" "csoc_forwarding" {
+  name            = "${local.workspace}-csoc-subscription"
+  log_group_name  = split(":", module.eligibility_signposting_api_gateway.cloudwatch_destination_arn)[6]
+  filter_pattern  = "" # Empty filter pattern captures all log events
+  destination_arn = "arn:aws:logs:${var.default_aws_region}:693466633220:destination:api_gateway_log_destination"
+  role_arn        = aws_iam_role.cwl_subscription_role.arn
+
+  depends_on = [
+    module.eligibility_signposting_api_gateway,
+    aws_iam_role.cwl_subscription_role,
+    aws_iam_role_policy_attachment.cwl_to_csoc_destination
+  ]
+}
diff --git a/infrastructure/stacks/iams-developer-roles/github_actions_policies.tf b/infrastructure/stacks/iams-developer-roles/github_actions_policies.tf
@@ -115,7 +115,7 @@ resource "aws_iam_policy" "dynamodb_management" {
         }
       ],
       # to create test users in preprod
-        var.environment == "preprod" ? [
+      var.environment == "preprod" ? [
         {
           Effect = "Allow",
           Action = [
@@ -249,7 +249,11 @@ resource "aws_iam_policy" "api_infrastructure" {
           # CloudWatch Logs creation and management
           "logs:CreateLogGroup",
           "logs:CreateLogStream",
-          "logs:PutLogEvents"
+          "logs:PutLogEvents",
+          # CloudWatch Logs subscription filters for CSOC forwarding
+          "logs:PutSubscriptionFilter",
+          "logs:DeleteSubscriptionFilter",
+          "logs:DescribeSubscriptionFilters"
         ],
         Resource = [
           # VPC Flow Logs
@@ -262,6 +266,17 @@ resource "aws_iam_policy" "api_infrastructure" {
           "arn:aws:logs:${var.default_aws_region}:${data.aws_caller_identity.current.account_id}:log-group:/aws/kinesisfirehose/*"
         ]
       },
+      {
+        Effect = "Allow",
+        Action = [
+          # CloudWatch Logs subscription to CSOC cross-account destination
+          "logs:PutSubscriptionFilter"
+        ],
+        Resource = [
+          # CSOC cross-account destination for API Gateway logs
+          "arn:aws:logs:${var.default_aws_region}:693466633220:destination:api_gateway_log_destination"
+        ]
+      },
       {
         Effect = "Allow",
         Action = [
@@ -279,7 +294,9 @@ resource "aws_iam_policy" "api_infrastructure" {
           "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/eventbridge-firehose-role*",
           # Kinesis Firehose S3 backup roles
           "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/*firehose*role*",
-          "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/splunk-firehose-assume-role*"
+          "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/splunk-firehose-assume-role*",
+          # CSOC CloudWatch Logs subscription role
+          "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/*-CWLogsSubscriptionRole"
         ],
         Condition = {
           StringEquals = {
@@ -288,7 +305,8 @@ resource "aws_iam_policy" "api_infrastructure" {
               "apigateway.amazonaws.com",
               "vpc-flow-logs.amazonaws.com",
               "events.amazonaws.com",
-              "firehose.amazonaws.com"
+              "firehose.amazonaws.com",
+              "logs.amazonaws.com"
             ]
           }
         }
@@ -457,12 +475,15 @@ resource "aws_iam_policy" "iam_management" {
           "iam:CreateRole",
           "iam:DeleteRole",
           "iam:UpdateRole",
+          "iam:UpdateAssumeRolePolicy",
           "iam:PutRolePolicy",
           "iam:PutRolePermissionsBoundary",
           "iam:AttachRolePolicy",
           "iam:DetachRolePolicy",
           "iam:CreatePolicy",
           "iam:CreatePolicyVersion",
+          "iam:DeletePolicy",
+          "iam:DeletePolicyVersion",
           "iam:TagRole",
           "iam:PassRole",
           "iam:TagPolicy",
@@ -477,9 +498,13 @@ resource "aws_iam_policy" "iam_management" {
           "arn:aws:iam::*:role/*-api-gateway-*-role",
           # External write role
           "arn:aws:iam::*:role/eligibility-signposting-api-*-external-write-role",
+          # CSOC CloudWatch Logs subscription role
+          "arn:aws:iam::*:role/*-CWLogsSubscriptionRole",
           # Project policies
           "arn:aws:iam::*:policy/*api-gateway-logging-policy",
           "arn:aws:iam::*:policy/*PermissionsBoundary",
+          "arn:aws:iam::*:policy/*PutSubscriptionFilterPolicy",
+          "arn:aws:iam::*:policy/*CWLogsToCSOCDestinationPolicy",
           # VPC flow logs role
           "arn:aws:iam::*:role/vpc-flow-logs-role",
           # API role
@@ -500,8 +525,8 @@ resource "aws_iam_policy" "iam_management" {
 # Assume role policy document for GitHub Actions
 data "aws_iam_policy_document" "github_actions_assume_role" {
   statement {
-    sid    = "OidcAssumeRoleWithWebIdentity"
-    effect = "Allow"
+    sid     = "OidcAssumeRoleWithWebIdentity"
+    effect  = "Allow"
     actions = ["sts:AssumeRoleWithWebIdentity"]
 
     principals {
@@ -514,13 +539,13 @@ data "aws_iam_policy_document" "github_actions_assume_role" {
     condition {
       test     = "StringLike"
       variable = "token.actions.githubusercontent.com:sub"
-      values = ["repo:${var.github_org}/${var.github_repo}:*"]
+      values   = ["repo:${var.github_org}/${var.github_repo}:*"]
     }
 
     condition {
       test     = "StringEquals"
       variable = "token.actions.githubusercontent.com:aud"
-      values = ["sts.amazonaws.com"]
+      values   = ["sts.amazonaws.com"]
     }
   }
 }
diff --git a/infrastructure/stacks/iams-developer-roles/iams_permissions_boundary.tf b/infrastructure/stacks/iams-developer-roles/iams_permissions_boundary.tf
@@ -101,12 +101,15 @@ data "aws_iam_policy_document" "permissions_boundary" {
       "iam:CreateRole",
       "iam:DeleteRole",
       "iam:UpdateRole",
+      "iam:UpdateAssumeRolePolicy",
       "iam:PutRolePolicy",
       "iam:PutRolePermissionsBoundary",
       "iam:AttachRolePolicy",
       "iam:DetachRolePolicy",
       "iam:CreatePolicy",
       "iam:CreatePolicyVersion",
+      "iam:DeletePolicy",
+      "iam:DeletePolicyVersion",
       "iam:TagRole",
       "iam:UntagPolicy",
       "iam:PassRole",
@@ -177,6 +180,9 @@ data "aws_iam_policy_document" "permissions_boundary" {
       "logs:PutRetentionPolicy",
       "logs:AssociateKmsKey",
       "logs:PutMetricFilter",
+      "logs:PutSubscriptionFilter",
+      "logs:DeleteSubscriptionFilter",
+      "logs:DescribeSubscriptionFilters",
 
       # S3 - bucket and object management
       "s3:GetLifecycleConfiguration",
