diff --git a/infrastructure/modules/api_gateway/cloudwatch.tf b/infrastructure/modules/api_gateway/cloudwatch.tf
index 272a1c465..fdc45dcfa 100644
--- a/infrastructure/modules/api_gateway/cloudwatch.tf
+++ b/infrastructure/modules/api_gateway/cloudwatch.tf
@@ -4,6 +4,11 @@ resource "aws_cloudwatch_log_group" "api_gateway" {
 tags = var.tags
 kms_key_id = aws_kms_key.api_gateway.arn
+ depends_on = [
+ aws_kms_key.api_gateway,
+ aws_kms_key_policy.api_gateway
+ ]
+
 lifecycle {
 prevent_destroy = false
 }
diff --git a/infrastructure/modules/kinesis_firehose/cloudwatch.tf b/infrastructure/modules/kinesis_firehose/cloudwatch.tf
new file mode 100644
index 000000000..2da36c9ca
--- /dev/null
+++ b/infrastructure/modules/kinesis_firehose/cloudwatch.tf
@@ -0,0 +1,26 @@
+# CloudWatch Log Group for Kinesis
+
+resource "aws_cloudwatch_log_group" "firehose_audit" {
+ name = "/aws/kinesisfirehose/${var.project_name}-${var.environment}-audit"
+ retention_in_days = 365
+ kms_key_id = aws_kms_key.firehose_cmk.arn
+
+ tags = {
+ Name = "kinesis-firehose-logs"
+ Stack = var.stack_name
+ }
+
+ depends_on = [
+ aws_kms_key.firehose_cmk,
+ aws_kms_key_policy.firehose_key_policy
+ ]
+}
+
+resource "aws_cloudwatch_log_stream" "firehose_audit_stream" {
+ name = "audit_stream_log"
+ log_group_name = aws_cloudwatch_log_group.firehose_audit.name
+
+ depends_on = [
+ aws_cloudwatch_log_group.firehose_audit
+ ]
+}
diff --git a/infrastructure/modules/kinesis_firehose/kinesis_firehose_delivery_stream.tf b/infrastructure/modules/kinesis_firehose/kinesis_firehose_delivery_stream.tf
index ef6bbba3f..efba0b01c 100644
--- a/infrastructure/modules/kinesis_firehose/kinesis_firehose_delivery_stream.tf
+++ b/infrastructure/modules/kinesis_firehose/kinesis_firehose_delivery_stream.tf
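Review bot: The `aws_kms_key.api_gateway` entry in the new depends_on is redundant, because `kms_key_id = aws_kms_key.api_gateway.arn` on the line above already creates that dependency; only the `aws_kms_key_policy.api_gateway` entry adds ordering Terraform cannot infer. The reason that entry is needed is not obvious from the code and deserves a comment, e.g. `# CloudWatch Logs rejects the CMK until the key policy grants logs.<region>.amazonaws.com; Terraform cannot infer this from kms_key_id`. If that key policy scopes the grant with a `kms:EncryptionContext:aws:logs:arn` condition, confirm it matches this group's name, otherwise the association still fails after the policy is in place. The enclosing resource starts before this hunk.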
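Review bot: `aws_cloudwatch_log_group.firehose_audit` keeps the same name as the group removed from `infrastructure/stacks/api-layer/cloudwatch.tf` in this commit, but its address moves into the module, so without a `moved` block (or `terraform state mv`) the plan destroys the existing group — and the audit history it retains — and creates a new one, which may additionally fail on the name collision depending on apply order. Adding `moved { from = aws_cloudwatch_log_group.firehose_audit  to = module.eligibility_audit_firehose_delivery_stream.aws_cloudwatch_log_group.firehose_audit }` in the api-layer stack (and the same for `firehose_audit_stream`) keeps the existing resource. The group name also references `var.project_name` and `var.environment`, which do not appear in the module's variables.tf hunk; confirm they are already declared as module inputs. The `aws_kms_key.firehose_cmk` entry in depends_on is redundant with the `kms_key_id` reference — only the `aws_kms_key_policy.firehose_key_policy` entry is needed.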
@@ -14,8 +14,8 @@ resource "aws_kinesis_firehose_delivery_stream" "eligibility_audit_firehose_deli
 cloudwatch_logging_options {
 enabled = true
- log_group_name = var.kinesis_cloud_watch_log_group_name
- log_stream_name = var.kinesis_cloud_watch_log_stream
+ log_group_name = aws_cloudwatch_log_group.firehose_audit.name
+ log_stream_name = aws_cloudwatch_log_stream.firehose_audit_stream.name
 }
 }
diff --git a/infrastructure/modules/kinesis_firehose/variables.tf b/infrastructure/modules/kinesis_firehose/variables.tf
index 03d81ebaf..40666402a 100644
--- a/infrastructure/modules/kinesis_firehose/variables.tf
+++ b/infrastructure/modules/kinesis_firehose/variables.tf
@@ -13,16 +13,6 @@ variable "s3_audit_bucket_arn" {
 type = string
 }
-variable "kinesis_cloud_watch_log_group_name" {
- description = "kinesis cloud watch log group name"
- type = string
-}
-
-variable "kinesis_cloud_watch_log_stream" {
- description = "kinesis cloud watch log stream"
- type = string
-}
-
 variable "eligibility_lambda_role_arn" {
 description = "iam role of eligibility lambda"
 type = any
diff --git a/infrastructure/modules/lambda/cloudwatch.tf b/infrastructure/modules/lambda/cloudwatch.tf
new file mode 100644
index 000000000..60f79af6f
--- /dev/null
+++ b/infrastructure/modules/lambda/cloudwatch.tf
@@ -0,0 +1,11 @@
+# CloudWatch Log Group for lambda Flow Logs
+resource "aws_cloudwatch_log_group" "lambda_logs" {
+ name = "/aws/lambda/${aws_lambda_function.eligibility_signposting_lambda.id}"
+ retention_in_days = 365
+ kms_key_id = aws_kms_key.lambda_cmk.arn
+
+ tags = {
+ Name = "lambda-execution-logs"
+ Stack = var.stack_name
+ }
+}
diff --git a/infrastructure/stacks/api-layer/cloudwatch.tf b/infrastructure/stacks/api-layer/cloudwatch.tf
deleted file mode 100644
index babe1753f..000000000
--- a/infrastructure/stacks/api-layer/cloudwatch.tf
+++ /dev/null
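Review bot: Pointing `cloudwatch_logging_options` at the module-local group is sound, but the Firehose delivery role must be allowed `logs:PutLogEvents` on that group's ARN, and the role policy is not in this diff; confirm it references `aws_cloudwatch_log_group.firehose_audit.arn` (or the stream ARN) rather than a name that was previously supplied through the two deleted variables, otherwise delivery-error logging silently stops. The enclosing `aws_kinesis_firehose_delivery_stream` resource starts outside this hunk.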
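Review bot: Unlike the api_gateway and kinesis_firehose log groups in this commit, `lambda_logs` has no depends_on on the KMS key policy, so the ordering failure those hunks guard against (CloudWatch Logs refusing the CMK before the policy grants the logs service principal) can hit this resource on a fresh apply; add `depends_on = [aws_kms_key_policy.<lambda key policy resource>]` using the module's actual policy resource name. Separately, deriving the name from `aws_lambda_function.eligibility_signposting_lambda.id` forces the function to be created first, and if it is invoked before this resource applies (its execution role holding `logs:CreateLogGroup` is enough), Lambda auto-creates a `/aws/lambda/<name>` group with no retention and no CMK and this apply then fails on the existing name; building the name from the function-name input and referencing this group from the function's `logging_config` inverts that dependency. As with the firehose group, this resource previously lived in the api-layer stack, so a `moved` block into `module.eligibility_signposting_lambda_function` avoids destroying and recreating it.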
@@ -1,35 +0,0 @@
-# CloudWatch Log Group for lambda Flow Logs
-resource "aws_cloudwatch_log_group" "lambda_logs" {
- name = "/aws/lambda/${module.eligibility_signposting_lambda_function.aws_lambda_function_id}"
- retention_in_days = 365
- kms_key_id = module.eligibility_signposting_lambda_function.lambda_cmk_arn
-
- tags = {
- Name = "lambda-execution-logs"
- Stack = local.stack_name
- }
-}
-
-resource "aws_cloudwatch_log_group" "firehose_audit" {
- name = "/aws/kinesisfirehose/${var.project_name}-${var.environment}-audit"
- retention_in_days = 365
- kms_key_id = module.eligibility_audit_firehose_delivery_stream.kinesis_firehose_cmk_arn
-
- tags = {
- Name = "kinesis-firehose-logs"
- Stack = local.stack_name
- }
-
- depends_on = [
- module.eligibility_audit_firehose_delivery_stream.kinesis_firehose_cmk_arn
- ]
-}
-
-resource "aws_cloudwatch_log_stream" "firehose_audit_stream" {
- name = "audit_stream_log"
- log_group_name = aws_cloudwatch_log_group.firehose_audit.name
-
- depends_on = [
- aws_cloudwatch_log_group.firehose_audit
- ]
-}
diff --git a/infrastructure/stacks/api-layer/kinesis_firehose.tf b/infrastructure/stacks/api-layer/kinesis_firehose.tf
index 850097b96..02523f6ac 100644
--- a/infrastructure/stacks/api-layer/kinesis_firehose.tf
+++ b/infrastructure/stacks/api-layer/kinesis_firehose.tf
@@ -7,7 +7,5 @@ module "eligibility_audit_firehose_delivery_stream" {
 stack_name = local.stack_name
 workspace = local.workspace
 tags = local.tags
- kinesis_cloud_watch_log_group_name = aws_cloudwatch_log_group.firehose_audit.name
- kinesis_cloud_watch_log_stream = aws_cloudwatch_log_stream.firehose_audit_stream.name
 eligibility_lambda_role_arn = aws_iam_role.eligibility_lambda_role.arn
 }
diff --git a/infrastructure/stacks/api-layer/truststore_s3_bucket.tf b/infrastructure/stacks/api-layer/truststore_s3_bucket.tf
index 48cd73a73..19c91841a 100644
--- a/infrastructure/stacks/api-layer/truststore_s3_bucket.tf
+++ b/infrastructure/stacks/api-layer/truststore_s3_bucket.tf
@@ -56,10 +56,17 @@ resource "aws_s3_object" "pem_file" {
 acl = "private"
+ override_provider {
+ default_tags {
+ tags = {}
+ }
+ }
+
 # Explicitly set empty tags to override default_tags due to S3 object 10-tag limit
 tags = {}
 lifecycle {
 ignore_changes = [tags_all]
 }
+
 }
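Review bot: With `override_provider { default_tags { tags = {} } }` now suppressing provider default tags on this object, the retained `# Explicitly set empty tags to override default_tags …` comment and the `lifecycle { ignore_changes = [tags_all] }` block describe the old workaround, so a reader cannot tell which mechanism is load-bearing. Move the explanation onto the new block, e.g. `# Suppress provider default_tags for this object: S3 objects allow at most 10 tags`, and consider dropping `ignore_changes = [tags_all]`, which likely no longer serves a purpose and now only masks tag drift on the object. `override_provider` is only understood by newer hashicorp/aws releases, so confirm the pinned provider constraint is recent enough, otherwise planning fails before apply. The added blank line before the closing `}` is a style nit.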