send waf to csoc

Author: anthony-nhs

.github/scripts/fix_cdk_json.sh

@@ -181,6 +181,7 @@ fix_string_key logRetentionInDays "${LOG_RETENTION_IN_DAYS}"
 fix_string_key logLevel "${LOG_LEVEL}"
 fix_string_key cfnDriftDetectionGroup "${CFN_DRIFT_DETECTION_GROUP}"
 fix_boolean_number_key isPullRequest "${IS_PULL_REQUEST}"
+fix_string_key csocWafDestination "arn:aws:logs:eu-west-2:693466633220:destination:waf_log_destination" # CSOC WAF log destination - do not change
 
 if [ "$CDK_APP_NAME" == "StatefulResourcesApp" ]; then
     fix_string_key primaryOidcClientId "${PRIMARY_OIDC_CLIENT_ID}"

packages/cdk/resources/ukRegionLogGroups.ts

@@ -12,6 +12,7 @@ export interface ukRegionLogGroupsProps {
   readonly splunkSubscriptionFilterRole: IRole
   readonly wafLogGroupName: string
   readonly stackName: string
+  readonly csocWafDestination: string
 }
 
 export class ukRegionLogGroups extends Construct {
@@ -43,6 +44,13 @@ export class ukRegionLogGroups extends Construct {
       roleArn: props.splunkSubscriptionFilterRole.roleArn
     })
 
+    new CfnSubscriptionFilter(this, "CsocWafSplunkSubscriptionFilter", {
+      destinationArn: props.csocWafDestination,
+      filterPattern: "",
+      logGroupName: wafLogGroup.logGroupName,
+      roleArn: props.splunkSubscriptionFilterRole.roleArn
+    })
+
     this.wafLogGroup = wafLogGroup
   }
 

packages/cdk/resources/usRegionLogGroups.ts

@@ -26,6 +26,7 @@ export interface usRegionLogGroupsProps {
   readonly splunkDeliveryStream: string
   readonly splunkSubscriptionFilterRole: string
   readonly isPullRequest: boolean
+  readonly csocWafDestination: string
 }
 
 export class usRegionLogGroups extends Construct {
@@ -126,6 +127,13 @@ export class usRegionLogGroups extends Construct {
       removalPolicy: RemovalPolicy.DESTROY
     })
 
+    new CfnSubscriptionFilter(this, "CsocWafSplunkSubscriptionFilter", {
+      destinationArn: props.csocWafDestination,
+      filterPattern: "",
+      logGroupName: wafLogGroup.logGroupName,
+      roleArn: props.splunkSubscriptionFilterRole
+    })
+
     const cfnWafLogGroup = wafLogGroup.node.defaultChild as CfnLogGroup
     cfnWafLogGroup.cfnOptions.metadata = {
       guard: {

packages/cdk/stacks/StatelessResourcesStack.ts

@@ -97,6 +97,7 @@ export class StatelessResourcesStack extends Stack {
     const githubAllowListIpv4 = this.node.tryGetContext("githubAllowListIpv4")
     const githubAllowListIpv6 = this.node.tryGetContext("githubAllowListIpv6")
     const cloudfrontOriginCustomHeader = this.node.tryGetContext("cloudfrontOriginCustomHeader")
+    const csocWafDestination: string = this.node.tryGetContext("csocWafDestination")
 
     // Imports
     const baseImportPath = `${props.serviceName}-stateful-resources`
@@ -316,7 +317,8 @@ export class StatelessResourcesStack extends Stack {
       splunkSubscriptionFilterRole: splunkSubscriptionFilterRole,
       // waf log groups must start with aws-waf-logs-
       wafLogGroupName: `aws-waf-logs-${props.serviceName}-apigw`,
-      stackName: this.stackName
+      stackName: this.stackName,
+      csocWafDestination: csocWafDestination
     })
 
     // API Gateway WAF Web ACL

packages/cdk/stacks/UsCertsStack.ts

@@ -51,6 +51,7 @@ export class UsCertsStack extends Stack {
     const cloudfrontDistributionArn: string = this.node.tryGetContext("cloudfrontDistributionArn")
     const logRetentionInDays: number = Number(this.node.tryGetContext("logRetentionInDays"))
     const isPullRequest: boolean = this.node.tryGetContext("isPullRequest")
+    const csocWafDestination: string = this.node.tryGetContext("csocWafDestination")
 
     // Coerce context and imports to relevant types
     const hostedZone = HostedZone.fromHostedZoneAttributes(this, "hostedZone", {
@@ -107,7 +108,8 @@ export class UsCertsStack extends Stack {
       account: this.account,
       splunkDeliveryStream: splunkDeliveryStream,
       splunkSubscriptionFilterRole: splunkSubscriptionFilterRole,
-      isPullRequest: isPullRequest
+      isPullRequest: isPullRequest,
+      csocWafDestination: csocWafDestination
     })
 
     // WAF Web ACL