forward to correct region

Author: anthony-nhs

.github/scripts/fix_cdk_json.sh

@@ -181,7 +181,10 @@ fix_string_key logRetentionInDays "${LOG_RETENTION_IN_DAYS}"
 fix_string_key logLevel "${LOG_LEVEL}"
 fix_string_key cfnDriftDetectionGroup "${CFN_DRIFT_DETECTION_GROUP}"
 fix_boolean_number_key isPullRequest "${IS_PULL_REQUEST}"
-fix_string_key csocWafDestination "arn:aws:logs:eu-west-2:693466633220:destination:waf_log_destination" # CSOC WAF log destination - do not change
+fix_string_key csocUKWafDestination "arn:aws:logs:eu-west-2:693466633220:destination:waf_log_destination" # CSOC WAF log destination - do not change
+fix_string_key csocUSWafDestination "arn:aws:logs:us-east-1:693466633220:destination:waf_log_destination_virginia" # CSOC WAF log destination - do not change
+fix_string_key csocApiGatewayDestination "arn:aws:logs:eu-west-2:693466633220:destination:api_gateway_log_destination" # CSOC API Gateway log destination - do not change
+fix_boolean_number_key forwardCsocLogs "${FORWARD_CSOC_LOGS}"
 
 if [ "$CDK_APP_NAME" == "StatefulResourcesApp" ]; then
     fix_string_key primaryOidcClientId "${PRIMARY_OIDC_CLIENT_ID}"

.github/workflows/ci.yml

@@ -40,7 +40,7 @@ jobs:
         uses: asdf-vm/actions/setup@1902764435ca0dd2f3388eea723a4f92a4eb8302
         with:
           asdf_branch: v0.14.1
-  
+
       - name: Cache asdf
         uses: actions/cache@v4
         with:
@@ -133,8 +133,9 @@ jobs:
       MARK_JIRA_RELEASED: false
       CREATE_INT_RC_RELEASE_NOTES: false
       IS_PULL_REQUEST: false
+      FORWARD_CSOC_LOGS: false
     secrets: inherit
-  
+
   release_qa:
     needs: [tag_release, release_dev, package_code, get_commit_id]
     uses: ./.github/workflows/release_all_stacks.yml
@@ -170,4 +171,5 @@ jobs:
       REACT_LOG_LEVEL: "debug"
       LOG_RETENTION_IN_DAYS: 30
       IS_PULL_REQUEST: false
+      FORWARD_CSOC_LOGS: false
     secrets: inherit

.github/workflows/pull_request.yml

@@ -183,6 +183,7 @@ jobs:
       REACT_LOG_LEVEL: "debug"
       LOG_RETENTION_IN_DAYS: 30
       IS_PULL_REQUEST: true
+      FORWARD_CSOC_LOGS: true
     secrets: inherit
   report_deployed_url:
     needs: [release_code, get_issue_number]

.github/workflows/release.yml

@@ -39,7 +39,7 @@ jobs:
         uses: asdf-vm/actions/setup@1902764435ca0dd2f3388eea723a4f92a4eb8302
         with:
           asdf_branch: v0.14.1
-  
+
       - name: Cache asdf
         uses: actions/cache@v4
         with:
@@ -59,7 +59,7 @@ jobs:
       - name: Install dependencies
         run: |
           make install
-  
+
       - name: Set VERSION_TAG to be next tag varsion
         id: output_version_tag
         run: |
@@ -152,6 +152,7 @@ jobs:
       MARK_JIRA_RELEASED: false
       CREATE_INT_RC_RELEASE_NOTES: false
       IS_PULL_REQUEST: false
+      FORWARD_CSOC_LOGS: false
     secrets: inherit
 
   release_ref:
@@ -189,6 +190,7 @@ jobs:
       REACT_LOG_LEVEL: "debug"
       LOG_RETENTION_IN_DAYS: 30
       IS_PULL_REQUEST: false
+      FORWARD_CSOC_LOGS: false
     secrets: inherit
 
   release_qa:
@@ -226,6 +228,7 @@ jobs:
       REACT_LOG_LEVEL: "debug"
       LOG_RETENTION_IN_DAYS: 30
       IS_PULL_REQUEST: false
+      FORWARD_CSOC_LOGS: false
     secrets: inherit
   release_int:
     needs: [tag_release, package_code, get_commit_id, release_qa]
@@ -262,6 +265,7 @@ jobs:
       MARK_JIRA_RELEASED: false
       CREATE_INT_RC_RELEASE_NOTES: true
       IS_PULL_REQUEST: false
+      FORWARD_CSOC_LOGS: false
     secrets: inherit
   release_prod:
     needs: [tag_release, package_code, get_commit_id, release_int]
@@ -298,4 +302,5 @@ jobs:
       MARK_JIRA_RELEASED: false
       CREATE_INT_RC_RELEASE_NOTES: false
       IS_PULL_REQUEST: false
+      FORWARD_CSOC_LOGS: true
     secrets: inherit

.github/workflows/release_all_stacks.yml

@@ -90,6 +90,9 @@ on:
       IS_PULL_REQUEST:
         type: boolean
         required: true
+      FORWARD_CSOC_LOGS:
+        type: boolean
+        required: true
 jobs:
   release_all_code:
     runs-on: ubuntu-22.04
@@ -245,6 +248,7 @@ jobs:
           WAF_ALLOW_GA_RUNNER_CONNECTIVITY: ${{ inputs.WAF_ALLOW_GA_RUNNER_CONNECTIVITY }}
           CLOUDFRONT_ORIGIN_CUSTOM_HEADER: ${{secrets.CLOUDFRONT_ORIGIN_CUSTOM_HEADER }}
           IS_PULL_REQUEST: ${{inputs.IS_PULL_REQUEST}}
+          FORWARD_CSOC_LOGS: ${{ inputs.FORWARD_CSOC_LOGS }}
 
       - name: Show diff for stateful stack
         run: |
@@ -383,6 +387,7 @@ jobs:
           WAF_ALLOW_GA_RUNNER_CONNECTIVITY: ${{ inputs.WAF_ALLOW_GA_RUNNER_CONNECTIVITY }}
           CLOUDFRONT_ORIGIN_CUSTOM_HEADER: ${{secrets.CLOUDFRONT_ORIGIN_CUSTOM_HEADER }}
           IS_PULL_REQUEST: ${{inputs.IS_PULL_REQUEST}}
+          FORWARD_CSOC_LOGS: ${{ inputs.FORWARD_CSOC_LOGS }}
 
       - name: Show diff for stateless stack
         run: |
@@ -510,6 +515,7 @@ jobs:
           WAF_ALLOW_GA_RUNNER_CONNECTIVITY: ${{ inputs.WAF_ALLOW_GA_RUNNER_CONNECTIVITY }}
           CLOUDFRONT_ORIGIN_CUSTOM_HEADER: ${{secrets.CLOUDFRONT_ORIGIN_CUSTOM_HEADER }}
           IS_PULL_REQUEST: ${{inputs.IS_PULL_REQUEST}}
+          FORWARD_CSOC_LOGS: ${{ inputs.FORWARD_CSOC_LOGS }}
 
       - name: Show diff for stateful stack redeployment
         if: ${{ steps.check_redeploy_stateful_stack.outputs.REDEPLOY_STATEFUL_STACK == 'true' }}

packages/cdk/resources/ukRegionLogGroups.ts

@@ -12,7 +12,8 @@ export interface ukRegionLogGroupsProps {
   readonly splunkSubscriptionFilterRole: IRole
   readonly wafLogGroupName: string
   readonly stackName: string
-  readonly csocWafDestination: string
+  readonly csocUKWafDestination: string
+  readonly forwardCsocLogs: boolean
 }
 
 export class ukRegionLogGroups extends Construct {
@@ -44,12 +45,14 @@ export class ukRegionLogGroups extends Construct {
       roleArn: props.splunkSubscriptionFilterRole.roleArn
     })
 
-    new CfnSubscriptionFilter(this, "CsocWafSplunkSubscriptionFilter", {
-      destinationArn: props.csocWafDestination,
-      filterPattern: "",
-      logGroupName: wafLogGroup.logGroupName,
-      roleArn: props.splunkSubscriptionFilterRole.roleArn
-    })
+    if (props.forwardCsocLogs) {
+      new CfnSubscriptionFilter(this, "CsocWafSplunkSubscriptionFilter", {
+        destinationArn: props.csocUKWafDestination,
+        filterPattern: "",
+        logGroupName: wafLogGroup.logGroupName,
+        roleArn: props.splunkSubscriptionFilterRole.roleArn
+      })
+    }
 
     this.wafLogGroup = wafLogGroup
   }

packages/cdk/resources/usRegionLogGroups.ts

@@ -26,7 +26,8 @@ export interface usRegionLogGroupsProps {
   readonly splunkDeliveryStream: string
   readonly splunkSubscriptionFilterRole: string
   readonly isPullRequest: boolean
-  readonly csocWafDestination: string
+  readonly csocUSWafDestination: string
+  readonly forwardCsocLogs: boolean
 }
 
 export class usRegionLogGroups extends Construct {
@@ -127,12 +128,14 @@ export class usRegionLogGroups extends Construct {
       removalPolicy: RemovalPolicy.DESTROY
     })
 
-    new CfnSubscriptionFilter(this, "CsocWafSplunkSubscriptionFilter", {
-      destinationArn: props.csocWafDestination,
-      filterPattern: "",
-      logGroupName: wafLogGroup.logGroupName,
-      roleArn: props.splunkSubscriptionFilterRole
-    })
+    if (props.forwardCsocLogs) {
+      new CfnSubscriptionFilter(this, "CsocWafSplunkSubscriptionFilter", {
+        destinationArn: props.csocUSWafDestination,
+        filterPattern: "",
+        logGroupName: wafLogGroup.logGroupName,
+        roleArn: props.splunkSubscriptionFilterRole
+      })
+    }
 
     const cfnWafLogGroup = wafLogGroup.node.defaultChild as CfnLogGroup
     cfnWafLogGroup.cfnOptions.metadata = {

packages/cdk/stacks/StatelessResourcesStack.ts

@@ -97,7 +97,9 @@ export class StatelessResourcesStack extends Stack {
     const githubAllowListIpv4 = this.node.tryGetContext("githubAllowListIpv4")
     const githubAllowListIpv6 = this.node.tryGetContext("githubAllowListIpv6")
     const cloudfrontOriginCustomHeader = this.node.tryGetContext("cloudfrontOriginCustomHeader")
-    const csocWafDestination: string = this.node.tryGetContext("csocWafDestination")
+    const csocUKWafDestination: string = this.node.tryGetContext("csocUKWafDestination")
+    // const csocApiGatewayDestination: string = this.node.tryGetContext("csocApiGatewayDestination")
+    const forwardCsocLogs: boolean = this.node.tryGetContext("forwardCsocLogs")
 
     // Imports
     const baseImportPath = `${props.serviceName}-stateful-resources`
@@ -318,7 +320,8 @@ export class StatelessResourcesStack extends Stack {
       // waf log groups must start with aws-waf-logs-
       wafLogGroupName: `aws-waf-logs-${props.serviceName}-apigw`,
       stackName: this.stackName,
-      csocWafDestination: csocWafDestination
+      csocUKWafDestination: csocUKWafDestination,
+      forwardCsocLogs: forwardCsocLogs
     })
 
     // API Gateway WAF Web ACL

packages/cdk/stacks/UsCertsStack.ts

@@ -51,7 +51,8 @@ export class UsCertsStack extends Stack {
     const cloudfrontDistributionArn: string = this.node.tryGetContext("cloudfrontDistributionArn")
     const logRetentionInDays: number = Number(this.node.tryGetContext("logRetentionInDays"))
     const isPullRequest: boolean = this.node.tryGetContext("isPullRequest")
-    const csocWafDestination: string = this.node.tryGetContext("csocWafDestination")
+    const csocUSWafDestination: string = this.node.tryGetContext("csocUSWafDestination")
+    const forwardCsocLogs: boolean = this.node.tryGetContext("forwardCsocLogs")
 
     // Coerce context and imports to relevant types
     const hostedZone = HostedZone.fromHostedZoneAttributes(this, "hostedZone", {
@@ -109,7 +110,8 @@ export class UsCertsStack extends Stack {
       splunkDeliveryStream: splunkDeliveryStream,
       splunkSubscriptionFilterRole: splunkSubscriptionFilterRole,
       isPullRequest: isPullRequest,
-      csocWafDestination: csocWafDestination
+      csocUSWafDestination: csocUSWafDestination,
+      forwardCsocLogs: forwardCsocLogs
     })
 
     // WAF Web ACL