
Commit 2259160

authored
Fix: [AEA-5895] - forward vpc logs to CSOC (#606)
## Summary - Routine Change ### Details - forward VPC flow logs to CSOC
1 parent 734a2df commit 2259160

6 files changed

+41
-5
lines changed


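--- a/.github/scripts/fix_cdk_json.sh
+++ b/.github/scripts/fix_cdk_json.sh
@@ -47,3 +47,4 @@ fix_string_key versionNumber "${VERSION_NUMBER}"
 fix_string_key commitId "${COMMIT_ID}"
 fix_string_key cfnDriftDetectionGroup "${CFN_DRIFT_DETECTION_GROUP}"
 fix_boolean_number_key logRetentionInDays "${LOG_RETENTION_IN_DAYS}"
+fix_boolean_number_key forwardCsocLogs "${FORWARD_CSOC_LOGS}"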

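--- a/.github/workflows/cdk_release_code.yml
+++ b/.github/workflows/cdk_release_code.yml
@@ -18,6 +18,9 @@ on:
 DEPLOY_CHANGE:
 type: boolean
 default: true
+FORWARD_CSOC_LOGS:
+type: boolean
+default: false
 secrets:
 CLOUD_FORMATION_DEPLOY_ROLE:
 required: true
@@ -89,6 +92,7 @@ jobs:
 VERSION_NUMBER: "${{ inputs.VERSION_NUMBER }}"
 COMMIT_ID: "${{ inputs.COMMIT_ID }}"
 LOG_RETENTION_IN_DAYS: "${{ inputs.LOG_RETENTION_IN_DAYS }}"
+FORWARD_CSOC_LOGS: "${{ inputs.FORWARD_CSOC_LOGS }}"
 
 - name: Show diff
 run: |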

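--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -68,6 +68,7 @@ jobs:
 COMMIT_ID: ${{needs.get_commit_id.outputs.commit_id}}
 LOG_RETENTION_IN_DAYS: 30
 DEPLOY_CHANGE: true
+FORWARD_CSOC_LOGS: false
 secrets:
 CDK_PULL_IMAGE_ROLE: ${{ secrets.DEV_CDK_PULL_IMAGE_ROLE }}
 CLOUD_FORMATION_DEPLOY_ROLE: ${{ secrets.DEV_CLOUD_FORMATION_DEPLOY_ROLE }}
@@ -96,6 +97,7 @@ jobs:
 COMMIT_ID: ${{needs.get_commit_id.outputs.commit_id}}
 LOG_RETENTION_IN_DAYS: 30
 DEPLOY_CHANGE: true
+FORWARD_CSOC_LOGS: false
 secrets:
 CDK_PULL_IMAGE_ROLE: ${{ secrets.QA_CDK_PULL_IMAGE_ROLE }}
 CLOUD_FORMATION_DEPLOY_ROLE: ${{ secrets.QA_CLOUD_FORMATION_DEPLOY_ROLE }}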

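--- a/.github/workflows/pull_request.yml
+++ b/.github/workflows/pull_request.yml
@@ -97,6 +97,7 @@ jobs:
 COMMIT_ID: ${{needs.get_commit_id.outputs.commit_id}}
 LOG_RETENTION_IN_DAYS: 30
 DEPLOY_CHANGE: false
+FORWARD_CSOC_LOGS: false
 secrets:
 CDK_PULL_IMAGE_ROLE: ${{ secrets.DEV_CDK_PULL_IMAGE_ROLE }}
 CLOUD_FORMATION_DEPLOY_ROLE: ${{ secrets.DEV_CLOUD_FORMATION_DEPLOY_ROLE }}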

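--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -67,6 +67,7 @@ jobs:
 COMMIT_ID: ${{needs.get_commit_id.outputs.commit_id}}
 LOG_RETENTION_IN_DAYS: 30
 DEPLOY_CHANGE: true
+FORWARD_CSOC_LOGS: false
 secrets:
 CDK_PULL_IMAGE_ROLE: ${{ secrets.DEV_CDK_PULL_IMAGE_ROLE }}
 CLOUD_FORMATION_DEPLOY_ROLE: ${{ secrets.DEV_CLOUD_FORMATION_DEPLOY_ROLE }}
@@ -95,6 +96,7 @@ jobs:
 COMMIT_ID: ${{needs.get_commit_id.outputs.commit_id}}
 LOG_RETENTION_IN_DAYS: 30
 DEPLOY_CHANGE: true
+FORWARD_CSOC_LOGS: false
 secrets:
 CDK_PULL_IMAGE_ROLE: ${{ secrets.REF_CDK_PULL_IMAGE_ROLE }}
 CLOUD_FORMATION_DEPLOY_ROLE: ${{ secrets.REF_CLOUD_FORMATION_DEPLOY_ROLE }}
@@ -108,6 +110,7 @@ jobs:
 COMMIT_ID: ${{needs.get_commit_id.outputs.commit_id}}
 LOG_RETENTION_IN_DAYS: 30
 DEPLOY_CHANGE: true
+FORWARD_CSOC_LOGS: false
 secrets:
 CDK_PULL_IMAGE_ROLE: ${{ secrets.QA_CDK_PULL_IMAGE_ROLE }}
 CLOUD_FORMATION_DEPLOY_ROLE: ${{ secrets.QA_CLOUD_FORMATION_DEPLOY_ROLE }}
@@ -143,6 +146,7 @@ jobs:
 COMMIT_ID: ${{needs.get_commit_id.outputs.commit_id}}
 LOG_RETENTION_IN_DAYS: 30
 DEPLOY_CHANGE: true
+FORWARD_CSOC_LOGS: false
 secrets:
 CDK_PULL_IMAGE_ROLE: ${{ secrets.INT_CDK_PULL_IMAGE_ROLE }}
 CLOUD_FORMATION_DEPLOY_ROLE: ${{ secrets.INT_CLOUD_FORMATION_DEPLOY_ROLE }}
@@ -179,6 +183,7 @@ jobs:
 COMMIT_ID: ${{needs.get_commit_id.outputs.commit_id}}
 LOG_RETENTION_IN_DAYS: 30
 DEPLOY_CHANGE: true
+FORWARD_CSOC_LOGS: true
 secrets:
 CDK_PULL_IMAGE_ROLE: ${{ secrets.PROD_CDK_PULL_IMAGE_ROLE }}
 CLOUD_FORMATION_DEPLOY_ROLE: ${{ secrets.PROD_CLOUD_FORMATION_DEPLOY_ROLE }}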

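--- a/packages/cdk/stacks/VpcResourcesStack.ts
+++ b/packages/cdk/stacks/VpcResourcesStack.ts
@@ -10,6 +10,9 @@ import {
 import {
 CfnSubnet,
 FlowLogDestination,
+FlowLogMaxAggregationInterval,
+FlowLogOptions,
+FlowLogTrafficType,
 GatewayVpcEndpoint,
 InterfaceVpcEndpoint,
 InterfaceVpcEndpointAwsService,
@@ -19,6 +22,7 @@ import {
 Vpc
 } from "aws-cdk-lib/aws-ec2"
 import {Role, ServicePrincipal} from "aws-cdk-lib/aws-iam"
+import {Bucket} from "aws-cdk-lib/aws-s3"
 import {Key} from "aws-cdk-lib/aws-kms"
 import {LogGroup} from "aws-cdk-lib/aws-logs"
 import {AwsCustomResource, AwsCustomResourcePolicy, PhysicalResourceId} from "aws-cdk-lib/custom-resources"
@@ -43,6 +47,7 @@ export class VpcResourcesStack extends Stack {
 // Context
 /* context values passed as --context cli arguments are passed as strings so coerce them to expected types*/
 const logRetentionInDays: number = Number(this.node.tryGetContext("logRetentionInDays"))
+const forwardCsocLogs: boolean = Boolean(this.node.tryGetContext("forwardCsocLogs"))
 
 // Imports
 const cloudwatchKmsKey = Key.fromKeyArn(
@@ -60,16 +65,34 @@ export class VpcResourcesStack extends Stack {
 removalPolicy: RemovalPolicy.DESTROY
 })
 
+// Build flow logs configuration
+const flowLogsConfig: Record<string, FlowLogOptions> = {
+"FlowLogCloudwatch": {
+destination: FlowLogDestination.toCloudWatchLogs(flowLogsLogGroup, flowLogsRole)
+}
+}
+
+// Conditionally add S3 flow logs if forwardCsocLogs is true
+if (forwardCsocLogs) {
+const vpcFlowLogsBucket = Bucket.fromBucketArn(
+this,
+"VpcFlowLogsBucket",
+"arn:aws:s3:::nhsd-audit-vpcflowlogs"
+)
+
+flowLogsConfig["FlowLogS3"] = {
+destination: FlowLogDestination.toS3(vpcFlowLogsBucket),
+trafficType: FlowLogTrafficType.ALL,
+maxAggregationInterval: FlowLogMaxAggregationInterval.TEN_MINUTES
+}
+}
+
 const vpc = new Vpc(this, "vpc", {
 ipAddresses: IpAddresses.cidr("10.190.0.0/16"),
 enableDnsSupport: true,
 enableDnsHostnames: true,
 availabilityZones: props.availabilityZones,
-flowLogs: {
-"FlowLogCloudwatch": {
-destination: FlowLogDestination.toCloudWatchLogs(flowLogsLogGroup, flowLogsRole)
-}
-}
+flowLogs: flowLogsConfig
 })
 
 // Add cfn-guard suppressions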
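Review bot: `Boolean(this.node.tryGetContext("forwardCsocLogs"))` on new line 50 is true for any non-empty string, including `"false"`, so a value supplied as a CLI `--context` string (which the comment on the line above says is how context values arrive) would enable the S3 destination instead of disabling it; only a native JSON boolean in cdk.json behaves as intended here. A coercion that accepts both the boolean and its string form is `const forwardCsocLogs: boolean = String(this.node.tryGetContext("forwardCsocLogs")).toLowerCase() === "true"`. Separately, the audit bucket is a hard-coded ARN imported via `Bucket.fromBucketArn`, so this stack adds no bucket policy and delivery presumably depends on that bucket already granting `delivery.logs.amazonaws.com` write access for this account; that assumption deserves a comment on the import, e.g. `// Imported (likely cross-account) audit bucket: flow-log delivery relies on its existing bucket policy allowing delivery.logs.amazonaws.com — TODO confirm`. The constructor these hunks edit starts and ends outside the hunks.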
