eli-304 amending firehose to use 'raw' endpoint

eddalmond1 · eddalmond1 · commit fcfc4f1bb236 · 2025-08-21T13:24:03.000+01:00
diff --git a/infrastructure/modules/splunk_forwarder/firehose.tf b/infrastructure/modules/splunk_forwarder/firehose.tf
@@ -31,7 +31,7 @@ resource "aws_kinesis_firehose_delivery_stream" "splunk_delivery_stream" {
   splunk_configuration {
     hec_endpoint      = var.splunk_hec_endpoint
     hec_token         = var.splunk_hec_token
-    hec_endpoint_type = "Event"
+    hec_endpoint_type = "Raw"
     s3_backup_mode    = "FailedEventsOnly"
 
     s3_configuration {
diff --git a/infrastructure/stacks/api-layer/eventbridge.tf b/infrastructure/stacks/api-layer/eventbridge.tf
@@ -75,17 +75,15 @@ resource "aws_cloudwatch_event_target" "firehose_target" {
 
     input_template = jsonencode({
       time = "<time>"
-      host = "aws"
-      source = "aws:cloudwatch:alarm"
+      source = "elid-${var.environment}:cloudwatch:alarm"
       sourcetype = "aws:cloudwatch:alarm"
       event = {
-        account_id  = "<account>"
-        region      = "<region>"
         alarm_name  = "<alarm_name>"
         new_state   = "<new_state>"
         old_state   = "<old_state>"
         reason      = "<reason>"
         severity    = "<new_state>" == "ALARM" ? "high" : "info"
+        region      = "<region>"
       }
     })
   }
