Fix: [AEA-5895] - send waf logs to csoc (#1430)

## Summary

- Routine Change

### Details

- send waf logs to csoc

Author: anthony-nhs

.github/scripts/fix_cdk_json.sh

@@ -181,6 +181,9 @@ fix_string_key logRetentionInDays "${LOG_RETENTION_IN_DAYS}"
 fix_string_key logLevel "${LOG_LEVEL}"
 fix_string_key cfnDriftDetectionGroup "${CFN_DRIFT_DETECTION_GROUP}"
 fix_boolean_number_key isPullRequest "${IS_PULL_REQUEST}"
+fix_string_key csocUKWafDestination "arn:aws:logs:eu-west-2:693466633220:destination:waf_log_destination" # CSOC WAF log destination - do not change
+fix_string_key csocUSWafDestination "arn:aws:logs:us-east-1:693466633220:destination:waf_log_destination_virginia" # CSOC WAF log destination - do not change
+fix_boolean_number_key forwardCsocLogs "${FORWARD_CSOC_LOGS}"
 
 if [ "$CDK_APP_NAME" == "StatefulResourcesApp" ]; then
     fix_string_key primaryOidcClientId "${PRIMARY_OIDC_CLIENT_ID}"

.github/workflows/ci.yml

@@ -98,6 +98,7 @@ jobs:
       MARK_JIRA_RELEASED: false
       CREATE_INT_RC_RELEASE_NOTES: false
       IS_PULL_REQUEST: false
+      FORWARD_CSOC_LOGS: false
     secrets: inherit
 
   release_qa:
@@ -135,4 +136,5 @@ jobs:
       REACT_LOG_LEVEL: "debug"
       LOG_RETENTION_IN_DAYS: 30
       IS_PULL_REQUEST: false
+      FORWARD_CSOC_LOGS: false
     secrets: inherit

.github/workflows/pull_request.yml

@@ -212,6 +212,7 @@ jobs:
       REACT_LOG_LEVEL: "debug"
       LOG_RETENTION_IN_DAYS: 30
       IS_PULL_REQUEST: true
+      FORWARD_CSOC_LOGS: false
     secrets: inherit
   report_deployed_url:
     needs: [release_code, get_issue_number]

.github/workflows/release.yml

@@ -97,6 +97,7 @@ jobs:
       MARK_JIRA_RELEASED: false
       CREATE_INT_RC_RELEASE_NOTES: false
       IS_PULL_REQUEST: false
+      FORWARD_CSOC_LOGS: false
     secrets: inherit
 
   release_ref:
@@ -134,6 +135,7 @@ jobs:
       REACT_LOG_LEVEL: "debug"
       LOG_RETENTION_IN_DAYS: 30
       IS_PULL_REQUEST: false
+      FORWARD_CSOC_LOGS: false
     secrets: inherit
 
   release_qa:
@@ -171,6 +173,7 @@ jobs:
       REACT_LOG_LEVEL: "debug"
       LOG_RETENTION_IN_DAYS: 30
       IS_PULL_REQUEST: false
+      FORWARD_CSOC_LOGS: false
     secrets: inherit
   release_int:
     needs: [tag_release, package_code, get_commit_id, release_qa]
@@ -207,6 +210,7 @@ jobs:
       MARK_JIRA_RELEASED: false
       CREATE_INT_RC_RELEASE_NOTES: true
       IS_PULL_REQUEST: false
+      FORWARD_CSOC_LOGS: false
     secrets: inherit
   release_prod:
     needs: [tag_release, package_code, get_commit_id, release_int]
@@ -243,4 +247,5 @@ jobs:
       MARK_JIRA_RELEASED: false
       CREATE_INT_RC_RELEASE_NOTES: false
       IS_PULL_REQUEST: false
+      FORWARD_CSOC_LOGS: true
     secrets: inherit

.github/workflows/release_all_stacks.yml

@@ -90,6 +90,9 @@ on:
       IS_PULL_REQUEST:
         type: boolean
         required: true
+      FORWARD_CSOC_LOGS:
+        type: boolean
+        required: true
 jobs:
   release_all_code:
     runs-on: ubuntu-22.04
@@ -245,6 +248,7 @@ jobs:
           WAF_ALLOW_GA_RUNNER_CONNECTIVITY: ${{ inputs.WAF_ALLOW_GA_RUNNER_CONNECTIVITY }}
           CLOUDFRONT_ORIGIN_CUSTOM_HEADER: ${{secrets.CLOUDFRONT_ORIGIN_CUSTOM_HEADER }}
           IS_PULL_REQUEST: ${{inputs.IS_PULL_REQUEST}}
+          FORWARD_CSOC_LOGS: ${{ inputs.FORWARD_CSOC_LOGS }}
 
       - name: Show diff for stateful stack
         run: |
@@ -383,6 +387,7 @@ jobs:
           WAF_ALLOW_GA_RUNNER_CONNECTIVITY: ${{ inputs.WAF_ALLOW_GA_RUNNER_CONNECTIVITY }}
           CLOUDFRONT_ORIGIN_CUSTOM_HEADER: ${{secrets.CLOUDFRONT_ORIGIN_CUSTOM_HEADER }}
           IS_PULL_REQUEST: ${{inputs.IS_PULL_REQUEST}}
+          FORWARD_CSOC_LOGS: ${{ inputs.FORWARD_CSOC_LOGS }}
 
       - name: Show diff for stateless stack
         run: |
@@ -510,6 +515,7 @@ jobs:
           WAF_ALLOW_GA_RUNNER_CONNECTIVITY: ${{ inputs.WAF_ALLOW_GA_RUNNER_CONNECTIVITY }}
           CLOUDFRONT_ORIGIN_CUSTOM_HEADER: ${{secrets.CLOUDFRONT_ORIGIN_CUSTOM_HEADER }}
           IS_PULL_REQUEST: ${{inputs.IS_PULL_REQUEST}}
+          FORWARD_CSOC_LOGS: ${{ inputs.FORWARD_CSOC_LOGS }}
 
       - name: Show diff for stateful stack redeployment
         if: ${{ steps.check_redeploy_stateful_stack.outputs.REDEPLOY_STATEFUL_STACK == 'true' }}

Makefile

@@ -218,6 +218,7 @@ cdk-synth-stateful-resources-no-mock:
 	DO_NOT_GET_AWS_EXPORT=true \
 	IS_PULL_REQUEST=false \
 	USE_ZONE_APEX=false \
+	FORWARD_CSOC_LOGS=true \
 		 ./.github/scripts/fix_cdk_json.sh .local_config/stateful_app.config.json
 	CONFIG_FILE_NAME=.local_config/stateful_app.config.json npx cdk synth \
 		--quiet \
@@ -267,6 +268,7 @@ cdk-synth-stateless-resources-no-mock:
 	CLOUDFRONT_ORIGIN_CUSTOM_HEADER=foo \
 	IS_PULL_REQUEST=false \
 	USE_ZONE_APEX=false \
+	FORWARD_CSOC_LOGS=true \
 		 ./.github/scripts/fix_cdk_json.sh .local_config/stateless_app.config.json
 	CONFIG_FILE_NAME=.local_config/stateless_app.config.json npx cdk synth \
 		--quiet \
@@ -313,6 +315,7 @@ cdk-synth-stateful-resources-mock:
 	DO_NOT_GET_AWS_EXPORT=true \
 	IS_PULL_REQUEST=false \
 	USE_ZONE_APEX=false \
+	FORWARD_CSOC_LOGS=true \
 		 ./.github/scripts/fix_cdk_json.sh .local_config/stateful_app.config.json
 	CONFIG_FILE_NAME=.local_config/stateful_app.config.json npx cdk synth \
 		--quiet \
@@ -368,6 +371,7 @@ cdk-synth-stateless-resources-mock:
 	CLOUDFRONT_ORIGIN_CUSTOM_HEADER=foo \
 	IS_PULL_REQUEST=false \
 	USE_ZONE_APEX=false \
+	FORWARD_CSOC_LOGS=true \
 		 ./.github/scripts/fix_cdk_json.sh .local_config/stateless_app.config.json
 	CONFIG_FILE_NAME=.local_config/stateless_app.config.json npx cdk synth \
 		--quiet \

packages/cdk/resources/ukRegionLogGroups.ts

@@ -12,6 +12,8 @@ export interface ukRegionLogGroupsProps {
   readonly splunkSubscriptionFilterRole: IRole
   readonly wafLogGroupName: string
   readonly stackName: string
+  readonly csocUKWafDestination: string
+  readonly forwardCsocLogs: boolean
 }
 
 export class ukRegionLogGroups extends Construct {
@@ -43,6 +45,15 @@ export class ukRegionLogGroups extends Construct {
       roleArn: props.splunkSubscriptionFilterRole.roleArn
     })
 
+    if (props.forwardCsocLogs) {
+      new CfnSubscriptionFilter(this, "CsocWafSplunkSubscriptionFilter", {
+        destinationArn: props.csocUKWafDestination,
+        filterPattern: "",
+        logGroupName: wafLogGroup.logGroupName,
+        roleArn: props.splunkSubscriptionFilterRole.roleArn
+      })
+    }
+
     this.wafLogGroup = wafLogGroup
   }
 

packages/cdk/resources/usRegionLogGroups.ts

@@ -26,6 +26,8 @@ export interface usRegionLogGroupsProps {
   readonly splunkDeliveryStream: string
   readonly splunkSubscriptionFilterRole: string
   readonly isPullRequest: boolean
+  readonly csocUSWafDestination: string
+  readonly forwardCsocLogs: boolean
 }
 
 export class usRegionLogGroups extends Construct {
@@ -126,6 +128,15 @@ export class usRegionLogGroups extends Construct {
       removalPolicy: RemovalPolicy.DESTROY
     })
 
+    if (props.forwardCsocLogs) {
+      new CfnSubscriptionFilter(this, "CsocWafSplunkSubscriptionFilter", {
+        destinationArn: props.csocUSWafDestination,
+        filterPattern: "",
+        logGroupName: wafLogGroup.logGroupName,
+        roleArn: props.splunkSubscriptionFilterRole
+      })
+    }
+
     const cfnWafLogGroup = wafLogGroup.node.defaultChild as CfnLogGroup
     cfnWafLogGroup.cfnOptions.metadata = {
       guard: {

packages/cdk/stacks/StatelessResourcesStack.ts

@@ -97,6 +97,8 @@ export class StatelessResourcesStack extends Stack {
     const githubAllowListIpv4 = this.node.tryGetContext("githubAllowListIpv4")
     const githubAllowListIpv6 = this.node.tryGetContext("githubAllowListIpv6")
     const cloudfrontOriginCustomHeader = this.node.tryGetContext("cloudfrontOriginCustomHeader")
+    const csocUKWafDestination: string = this.node.tryGetContext("csocUKWafDestination")
+    const forwardCsocLogs: boolean = this.node.tryGetContext("forwardCsocLogs")
 
     // Imports
     const baseImportPath = `${props.serviceName}-stateful-resources`
@@ -316,7 +318,9 @@ export class StatelessResourcesStack extends Stack {
       splunkSubscriptionFilterRole: splunkSubscriptionFilterRole,
       // waf log groups must start with aws-waf-logs-
       wafLogGroupName: `aws-waf-logs-${props.serviceName}-apigw`,
-      stackName: this.stackName
+      stackName: this.stackName,
+      csocUKWafDestination: csocUKWafDestination,
+      forwardCsocLogs: forwardCsocLogs
     })
 
     // API Gateway WAF Web ACL

packages/cdk/stacks/UsCertsStack.ts

@@ -51,6 +51,8 @@ export class UsCertsStack extends Stack {
     const cloudfrontDistributionArn: string = this.node.tryGetContext("cloudfrontDistributionArn")
     const logRetentionInDays: number = Number(this.node.tryGetContext("logRetentionInDays"))
     const isPullRequest: boolean = this.node.tryGetContext("isPullRequest")
+    const csocUSWafDestination: string = this.node.tryGetContext("csocUSWafDestination")
+    const forwardCsocLogs: boolean = this.node.tryGetContext("forwardCsocLogs")
 
     // Coerce context and imports to relevant types
     const hostedZone = HostedZone.fromHostedZoneAttributes(this, "hostedZone", {
@@ -107,7 +109,9 @@ export class UsCertsStack extends Stack {
       account: this.account,
       splunkDeliveryStream: splunkDeliveryStream,
       splunkSubscriptionFilterRole: splunkSubscriptionFilterRole,
-      isPullRequest: isPullRequest
+      isPullRequest: isPullRequest,
+      csocUSWafDestination: csocUSWafDestination,
+      forwardCsocLogs: forwardCsocLogs
     })
 
     // WAF Web ACL