Merge pull request #448 from NHSDigital/feature/eja-eli-510-add-CSOC-api-log-forwarding

eli-510 adding CSOC log forwarding of our API Gateway logs

Author: eddalmond1

infrastructure/stacks/api-layer/api_gateway.tf

@@ -51,9 +51,11 @@ resource "aws_api_gateway_stage" "eligibility-signposting-api" {
   stage_name           = "${local.workspace}-eligibility-signposting-api-live"
   xray_tracing_enabled = true
 
+  # Access log settings
+  # A subscription filter (see csoc_log_forwarding.tf) forwards these logs to CSOC
   access_log_settings {
     destination_arn = module.eligibility_signposting_api_gateway.cloudwatch_destination_arn
-    format          = "{ \"requestId\":\"$context.requestId\", \"ip\": \"$context.identity.sourceIp\", \"caller\":\"$context.identity.caller\", \"user\":\"$context.identity.user\", \"requestTime\":\"$context.requestTime\", \"httpMethod\":\"$context.httpMethod\", \"resourcePath\":\"$context.resourcePath\", \"status\":\"$context.status\", \"protocol\":\"$context.protocol\", \"responseLength\":\"$context.responseLength\", \"accountId\":\"$context.accountId\", \"apiId\":\"$context.apiId\", \"stage\":\"$context.stage\", \"domainName\":\"$context.domainName\", \"error_message\":\"$context.error.message\", \"clientCertSerialNumber\":\"$context.identity.clientCert.serialNumber\", \"clientCertValidityNotBefore\":\"$context.identity.clientCert.validity.notBefore\", \"clientCertValidityNotAfter\":\"$context.identity.clientCert.validity.notAfter\" }"
+    format          = "{ \"requestId\":\"$context.requestId\", \"ip\": \"$context.identity.sourceIp\", \"caller\":\"$context.identity.caller\", \"user\":\"$context.identity.user\", \"requestTime\":\"$context.requestTime\", \"httpMethod\":\"$context.httpMethod\", \"resourcePath\":\"$context.resourcePath\", \"status\":\"$context.status\", \"protocol\":\"$context.protocol\", \"responseLength\":\"$context.responseLength\", \"accountId\":\"$context.accountId\", \"apiId\":\"$context.apiId\", \"stage\":\"$context.stage\", \"api_key\":\"$context.identity.apiKey\" }"
   }
 
   depends_on = [

infrastructure/stacks/api-layer/csoc_log_forwarding.tf

@@ -0,0 +1,86 @@
+# CSOC Log Forwarding Configuration
+# This file implements the requirements for forwarding API Gateway logs to CSOC
+# Based on https://nhsd-confluence.digital.nhs.uk/spaces/CCEP/pages/407374909/API+Gateway+Access+Logs
+#
+# This implementation uses the existing API Gateway log group and adds a subscription
+# filter to forward logs to CSOC, avoiding the need to create a duplicate log group.
+
+# IAM Role for Cross Account Log Subscriptions
+# This role allows CloudWatch Logs service to assume a role for cross-account log delivery
+data "aws_iam_policy_document" "cwl_subscription_assume_role" {
+  statement {
+    effect  = "Allow"
+    actions = ["sts:AssumeRole"]
+
+    principals {
+      type        = "Service"
+      identifiers = ["logs.${var.default_aws_region}.amazonaws.com"]
+    }
+  }
+}
+
+resource "aws_iam_role" "cwl_subscription_role" {
+  name               = "${var.environment}-${local.workspace}-CWLogsSubscriptionRole"
+  description        = "IAM role for CloudWatch Logs subscription filter to forward logs to CSOC"
+  assume_role_policy = data.aws_iam_policy_document.cwl_subscription_assume_role.json
+
+  tags = merge(
+    local.tags,
+    {
+      Name    = "${var.environment}-${local.workspace}-CWLogsSubscriptionRole"
+      Purpose = "CSOC log forwarding"
+    }
+  )
+}
+
+# IAM policy to allow PutSubscriptionFilter on the existing API Gateway log group and CSOC destination
+data "aws_iam_policy_document" "put_subscription_filter" {
+  statement {
+    sid    = "AllowPutAPIGSubFilter"
+    effect = "Allow"
+    actions = [
+      "logs:PutSubscriptionFilter"
+    ]
+    resources = [
+      "${module.eligibility_signposting_api_gateway.cloudwatch_destination_arn}:*",
+      "arn:aws:logs:${var.default_aws_region}:693466633220:destination:api_gateway_log_destination"
+    ]
+  }
+}
+
+resource "aws_iam_policy" "put_subscription_filter" {
+  name        = "${var.environment}-${local.workspace}-PutSubscriptionFilterPolicy"
+  description = "Policy to allow creating subscription filters for CSOC log forwarding"
+  policy      = data.aws_iam_policy_document.put_subscription_filter.json
+
+  tags = merge(
+    local.tags,
+    {
+      Name    = "${var.environment}-${local.workspace}-PutSubscriptionFilterPolicy"
+      Purpose = "CSOC log forwarding"
+    }
+  )
+}
+
+# Attach the policy to the subscription role
+resource "aws_iam_role_policy_attachment" "put_subscription_filter" {
+  role       = aws_iam_role.cwl_subscription_role.name
+  policy_arn = aws_iam_policy.put_subscription_filter.arn
+}
+
+# Create the subscription filter to forward logs to CSOC
+# This forwards all logs from the existing API Gateway log group to the CSOC destination
+# Note: A log group can have up to 2 subscription filters
+resource "aws_cloudwatch_log_subscription_filter" "csoc_forwarding" {
+  name            = "${local.workspace}-csoc-subscription"
+  log_group_name  = split(":", module.eligibility_signposting_api_gateway.cloudwatch_destination_arn)[6]
+  filter_pattern  = "" # Empty filter pattern captures all log events
+  destination_arn = "arn:aws:logs:${var.default_aws_region}:693466633220:destination:api_gateway_log_destination"
+  role_arn        = aws_iam_role.cwl_subscription_role.arn
+
+  depends_on = [
+    module.eligibility_signposting_api_gateway,
+    aws_iam_role.cwl_subscription_role,
+    aws_iam_role_policy_attachment.put_subscription_filter
+  ]
+}

infrastructure/stacks/iams-developer-roles/github_actions_policies.tf

@@ -115,7 +115,7 @@ resource "aws_iam_policy" "dynamodb_management" {
         }
       ],
       # to create test users in preprod
-        var.environment == "preprod" ? [
+      var.environment == "preprod" ? [
         {
           Effect = "Allow",
           Action = [
@@ -249,7 +249,11 @@ resource "aws_iam_policy" "api_infrastructure" {
           # CloudWatch Logs creation and management
           "logs:CreateLogGroup",
           "logs:CreateLogStream",
-          "logs:PutLogEvents"
+          "logs:PutLogEvents",
+          # CloudWatch Logs subscription filters for CSOC forwarding
+          "logs:PutSubscriptionFilter",
+          "logs:DeleteSubscriptionFilter",
+          "logs:DescribeSubscriptionFilters"
         ],
         Resource = [
           # VPC Flow Logs
@@ -279,7 +283,9 @@ resource "aws_iam_policy" "api_infrastructure" {
           "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/eventbridge-firehose-role*",
           # Kinesis Firehose S3 backup roles
           "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/*firehose*role*",
-          "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/splunk-firehose-assume-role*"
+          "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/splunk-firehose-assume-role*",
+          # CSOC CloudWatch Logs subscription role
+          "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/*-CWLogsSubscriptionRole"
         ],
         Condition = {
           StringEquals = {
@@ -288,7 +294,8 @@ resource "aws_iam_policy" "api_infrastructure" {
               "apigateway.amazonaws.com",
               "vpc-flow-logs.amazonaws.com",
               "events.amazonaws.com",
-              "firehose.amazonaws.com"
+              "firehose.amazonaws.com",
+              "logs.amazonaws.com"
             ]
           }
         }
@@ -477,9 +484,12 @@ resource "aws_iam_policy" "iam_management" {
           "arn:aws:iam::*:role/*-api-gateway-*-role",
           # External write role
           "arn:aws:iam::*:role/eligibility-signposting-api-*-external-write-role",
+          # CSOC CloudWatch Logs subscription role
+          "arn:aws:iam::*:role/*-CWLogsSubscriptionRole",
           # Project policies
           "arn:aws:iam::*:policy/*api-gateway-logging-policy",
           "arn:aws:iam::*:policy/*PermissionsBoundary",
+          "arn:aws:iam::*:policy/*PutSubscriptionFilterPolicy",
           # VPC flow logs role
           "arn:aws:iam::*:role/vpc-flow-logs-role",
           # API role
@@ -500,8 +510,8 @@ resource "aws_iam_policy" "iam_management" {
 # Assume role policy document for GitHub Actions
 data "aws_iam_policy_document" "github_actions_assume_role" {
   statement {
-    sid    = "OidcAssumeRoleWithWebIdentity"
-    effect = "Allow"
+    sid     = "OidcAssumeRoleWithWebIdentity"
+    effect  = "Allow"
     actions = ["sts:AssumeRoleWithWebIdentity"]
 
     principals {
@@ -514,13 +524,13 @@ data "aws_iam_policy_document" "github_actions_assume_role" {
     condition {
       test     = "StringLike"
       variable = "token.actions.githubusercontent.com:sub"
-      values = ["repo:${var.github_org}/${var.github_repo}:*"]
+      values   = ["repo:${var.github_org}/${var.github_repo}:*"]
     }
 
     condition {
       test     = "StringEquals"
       variable = "token.actions.githubusercontent.com:aud"
-      values = ["sts.amazonaws.com"]
+      values   = ["sts.amazonaws.com"]
     }
   }
 }

infrastructure/stacks/iams-developer-roles/iams_permissions_boundary.tf

@@ -177,6 +177,9 @@ data "aws_iam_policy_document" "permissions_boundary" {
       "logs:PutRetentionPolicy",
       "logs:AssociateKmsKey",
       "logs:PutMetricFilter",
+      "logs:PutSubscriptionFilter",
+      "logs:DeleteSubscriptionFilter",
+      "logs:DescribeSubscriptionFilters",
 
       # S3 - bucket and object management
       "s3:GetLifecycleConfiguration",