
Commit 6f24230

committed
forward csoc logs
1 parent 66eedf1 commit 6f24230


6 files changed

+72
-12
lines changed


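--- a/.github/scripts/fix_cdk_json.sh
+++ b/.github/scripts/fix_cdk_json.sh
@@ -47,3 +47,4 @@ fix_string_key versionNumber "${VERSION_NUMBER}"
 fix_string_key commitId "${COMMIT_ID}"
 fix_string_key cfnDriftDetectionGroup "${CFN_DRIFT_DETECTION_GROUP}"
 fix_boolean_number_key logRetentionInDays "${LOG_RETENTION_IN_DAYS}"
+fix_boolean_number_key forwardCsocLogs "${FORWARD_CSOC_LOGS}"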

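--- a/.github/workflows/cdk_release_code.yml
+++ b/.github/workflows/cdk_release_code.yml
@@ -18,6 +18,9 @@ on:
 DEPLOY_CHANGE:
 type: boolean
 default: true
+FORWARD_CSOC_LOGS:
+type: boolean
+default: false
 secrets:
 CLOUD_FORMATION_DEPLOY_ROLE:
 required: true
@@ -89,6 +92,7 @@ jobs:
 VERSION_NUMBER: "${{ inputs.VERSION_NUMBER }}"
 COMMIT_ID: "${{ inputs.COMMIT_ID }}"
 LOG_RETENTION_IN_DAYS: "${{ inputs.LOG_RETENTION_IN_DAYS }}"
+FORWARD_CSOC_LOGS: "${{ inputs.FORWARD_CSOC_LOGS }}"
 
 - name: Show diff
 run: |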

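--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -103,6 +103,7 @@ jobs:
 COMMIT_ID: ${{needs.get_commit_id.outputs.commit_id}}
 LOG_RETENTION_IN_DAYS: 30
 DEPLOY_CHANGE: true
+FORWARD_CSOC_LOGS: false
 secrets:
 CDK_PULL_IMAGE_ROLE: ${{ secrets.DEV_CDK_PULL_IMAGE_ROLE }}
 CLOUD_FORMATION_DEPLOY_ROLE: ${{ secrets.DEV_CLOUD_FORMATION_DEPLOY_ROLE }}
@@ -132,6 +133,7 @@ jobs:
 COMMIT_ID: ${{needs.get_commit_id.outputs.commit_id}}
 LOG_RETENTION_IN_DAYS: 30
 DEPLOY_CHANGE: true
+FORWARD_CSOC_LOGS: false
 secrets:
 CDK_PULL_IMAGE_ROLE: ${{ secrets.QA_CDK_PULL_IMAGE_ROLE }}
 CLOUD_FORMATION_DEPLOY_ROLE: ${{ secrets.QA_CLOUD_FORMATION_DEPLOY_ROLE }}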

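--- a/.github/workflows/pull_request.yml
+++ b/.github/workflows/pull_request.yml
@@ -51,7 +51,7 @@ jobs:
 id: commit_id
 run: |
 echo "commit_id=${{ github.sha }}" >> "$GITHUB_OUTPUT"
-
+
 package_code:
 needs: [quality_checks, get_issue_number, get_commit_id]
 uses: ./.github/workflows/cdk_package_code.yml
@@ -68,6 +68,7 @@ jobs:
 COMMIT_ID: ${{needs.get_commit_id.outputs.commit_id}}
 LOG_RETENTION_IN_DAYS: 30
 DEPLOY_CHANGE: false
+FORWARD_CSOC_LOGS: true
 secrets:
 CDK_PULL_IMAGE_ROLE: ${{ secrets.DEV_CDK_PULL_IMAGE_ROLE }}
 CLOUD_FORMATION_DEPLOY_ROLE: ${{ secrets.DEV_CLOUD_FORMATION_DEPLOY_ROLE }}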
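Review bot: `FORWARD_CSOC_LOGS: true` on the new line diverges from the dev job in ci.yml, which passes `false` for the same environment; presumably the intent is that the PR synth/diff (`DEPLOY_CHANGE: false` on the line above) exercises the S3 flow-log code path without deploying it, but nothing in the file says so. A comment on the new line, `# true so the PR synth/diff covers the S3 flow-log branch; not deployed (DEPLOY_CHANGE: false)`, would stop a later reader "fixing" it back to false to match ci.yml.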

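--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -39,7 +39,7 @@ jobs:
 uses: asdf-vm/actions/setup@1902764435ca0dd2f3388eea723a4f92a4eb8302
 with:
 asdf_branch: v0.14.1
-
+
 - name: Cache asdf
 uses: actions/cache@v4
 with:
@@ -59,7 +59,7 @@ jobs:
 - name: Install dependencies
 run: |
 make install
-
+
 - name: Set VERSION_TAG to be next tag varsion
 id: output_version_tag
 run: |
@@ -122,10 +122,11 @@ jobs:
 COMMIT_ID: ${{needs.get_commit_id.outputs.commit_id}}
 LOG_RETENTION_IN_DAYS: 30
 DEPLOY_CHANGE: true
+FORWARD_CSOC_LOGS: false
 secrets:
 CDK_PULL_IMAGE_ROLE: ${{ secrets.DEV_CDK_PULL_IMAGE_ROLE }}
 CLOUD_FORMATION_DEPLOY_ROLE: ${{ secrets.DEV_CLOUD_FORMATION_DEPLOY_ROLE }}
-
+
 create_release_notes:
 needs: [tag_release, package_code, get_commit_id, release_dev]
 uses: ./.github/workflows/create_release_notes.yml
@@ -150,6 +151,7 @@ jobs:
 COMMIT_ID: ${{needs.get_commit_id.outputs.commit_id}}
 LOG_RETENTION_IN_DAYS: 30
 DEPLOY_CHANGE: true
+FORWARD_CSOC_LOGS: false
 secrets:
 CDK_PULL_IMAGE_ROLE: ${{ secrets.REF_CDK_PULL_IMAGE_ROLE }}
 CLOUD_FORMATION_DEPLOY_ROLE: ${{ secrets.REF_CLOUD_FORMATION_DEPLOY_ROLE }}
@@ -163,6 +165,7 @@ jobs:
 COMMIT_ID: ${{needs.get_commit_id.outputs.commit_id}}
 LOG_RETENTION_IN_DAYS: 30
 DEPLOY_CHANGE: true
+FORWARD_CSOC_LOGS: false
 secrets:
 CDK_PULL_IMAGE_ROLE: ${{ secrets.QA_CDK_PULL_IMAGE_ROLE }}
 CLOUD_FORMATION_DEPLOY_ROLE: ${{ secrets.QA_CLOUD_FORMATION_DEPLOY_ROLE }}
@@ -183,20 +186,36 @@ jobs:
 PROD_CLOUD_FORMATION_CHECK_VERSION_ROLE: ${{ secrets.PROD_CLOUD_FORMATION_CHECK_VERSION_ROLE }}
 
 release_int:
-needs: [tag_release, package_code, get_commit_id, release_qa, create_rc_release_notes]
+needs:
+[
+tag_release,
+package_code,
+get_commit_id,
+release_qa,
+create_rc_release_notes,
+]
 uses: ./.github/workflows/cdk_release_code.yml
 with:
 TARGET_ENVIRONMENT: int
 VERSION_NUMBER: ${{needs.tag_release.outputs.version_tag}}
 COMMIT_ID: ${{needs.get_commit_id.outputs.commit_id}}
 LOG_RETENTION_IN_DAYS: 30
 DEPLOY_CHANGE: true
+FORWARD_CSOC_LOGS: false
 secrets:
 CDK_PULL_IMAGE_ROLE: ${{ secrets.INT_CDK_PULL_IMAGE_ROLE }}
 CLOUD_FORMATION_DEPLOY_ROLE: ${{ secrets.INT_CLOUD_FORMATION_DEPLOY_ROLE }}
 
 create_release_notes_post_int:
-needs: [tag_release, package_code, get_commit_id, release_dev, release_qa, release_int]
+needs:
+[
+tag_release,
+package_code,
+get_commit_id,
+release_dev,
+release_qa,
+release_int,
+]
 uses: ./.github/workflows/create_release_notes.yml
 with:
 VERSION_NUMBER: ${{needs.tag_release.outputs.version_tag}}
@@ -219,12 +238,22 @@ jobs:
 COMMIT_ID: ${{needs.get_commit_id.outputs.commit_id}}
 LOG_RETENTION_IN_DAYS: 30
 DEPLOY_CHANGE: true
+FORWARD_CSOC_LOGS: true
 secrets:
 CDK_PULL_IMAGE_ROLE: ${{ secrets.PROD_CDK_PULL_IMAGE_ROLE }}
 CLOUD_FORMATION_DEPLOY_ROLE: ${{ secrets.PROD_CLOUD_FORMATION_DEPLOY_ROLE }}
 
 create_release_notes_post_prod:
-needs: [tag_release, package_code, get_commit_id, release_dev, release_qa, release_int, release_prod]
+needs:
+[
+tag_release,
+package_code,
+get_commit_id,
+release_dev,
+release_qa,
+release_int,
+release_prod,
+]
 uses: ./.github/workflows/create_release_notes.yml
 with:
 VERSION_NUMBER: ${{needs.tag_release.outputs.version_tag}}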
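Review bot: After this change only the prod job (`FORWARD_CSOC_LOGS: true` in the last hunk) ever deploys the S3 flow-log branch: dev, ref, qa and int all pass `false`, and the PR pipeline that passes `true` does so alongside `DEPLOY_CHANGE: false`, so the first real exercise of the `FlowLogS3` resource and of the audit bucket's delivery policy appears to happen in production. Enabling the flag in one pre-prod environment (int, say) would surface a bucket-policy or delivery failure before the prod release rather than during it. The `needs:` list re-wrapping and trailing-whitespace edits in the earlier hunks are unrelated to the feature and would be easier to review as a separate commit.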

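--- a/packages/cdk/stacks/VpcResourcesStack.ts
+++ b/packages/cdk/stacks/VpcResourcesStack.ts
@@ -10,6 +10,9 @@ import {
 import {
 CfnSubnet,
 FlowLogDestination,
+FlowLogMaxAggregationInterval,
+FlowLogOptions,
+FlowLogTrafficType,
 GatewayVpcEndpoint,
 InterfaceVpcEndpoint,
 InterfaceVpcEndpointAwsService,
@@ -19,6 +22,7 @@ import {
 Vpc
 } from "aws-cdk-lib/aws-ec2"
 import {Role, ServicePrincipal} from "aws-cdk-lib/aws-iam"
+import {Bucket} from "aws-cdk-lib/aws-s3"
 import {Key} from "aws-cdk-lib/aws-kms"
 import {LogGroup} from "aws-cdk-lib/aws-logs"
 import {AwsCustomResource, AwsCustomResourcePolicy, PhysicalResourceId} from "aws-cdk-lib/custom-resources"
@@ -43,6 +47,7 @@ export class VpcResourcesStack extends Stack {
 // Context
 /* context values passed as --context cli arguments are passed as strings so coerce them to expected types*/
 const logRetentionInDays: number = Number(this.node.tryGetContext("logRetentionInDays"))
+const forwardCsocLogs: boolean = this.node.tryGetContext("forwardCsocLogs") === "true"
 
 // Imports
 const cloudwatchKmsKey = Key.fromKeyArn(
@@ -60,16 +65,34 @@ export class VpcResourcesStack extends Stack {
 removalPolicy: RemovalPolicy.DESTROY
 })
 
+// Build flow logs configuration
+const flowLogsConfig: Record<string, FlowLogOptions> = {
+"FlowLogCloudwatch": {
+destination: FlowLogDestination.toCloudWatchLogs(flowLogsLogGroup, flowLogsRole)
+}
+}
+
+// Conditionally add S3 flow logs if forwardCsocLogs is true
+if (forwardCsocLogs) {
+const vpcFlowLogsBucket = Bucket.fromBucketArn(
+this,
+"VpcFlowLogsBucket",
+"arn:aws:s3:::nhsd-audit-vpcflowlogs"
+)
+
+flowLogsConfig["FlowLogS3"] = {
+destination: FlowLogDestination.toS3(vpcFlowLogsBucket),
+trafficType: FlowLogTrafficType.ALL,
+maxAggregationInterval: FlowLogMaxAggregationInterval.TEN_MINUTES
+}
+}
+
 const vpc = new Vpc(this, "vpc", {
 ipAddresses: IpAddresses.cidr("10.190.0.0/16"),
 enableDnsSupport: true,
 enableDnsHostnames: true,
 availabilityZones: props.availabilityZones,
-flowLogs: {
-"FlowLogCloudwatch": {
-destination: FlowLogDestination.toCloudWatchLogs(flowLogsLogGroup, flowLogsRole)
-}
-}
+flowLogs: flowLogsConfig
 })
 
 // Add cfn-guard suppressions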
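Review bot: The coercion on the new `forwardCsocLogs` line only recognises the string `"true"`, yet fix_cdk_json.sh in this same commit routes the value through `fix_boolean_number_key` (the helper already used for `logRetentionInDays`), which by its name appears to write a JSON boolean into cdk.json; if that is what it does, `tryGetContext` returns the boolean `true`, `true === "true"` is false, and the prod deployment would silently never attach the S3 flow log while `Number()` on the neighbouring line happens to tolerate both forms. Accepting both representations removes the dependency on how the JSON was written: `const forwardCsocLogsCtx = this.node.tryGetContext("forwardCsocLogs")` followed by `const forwardCsocLogs: boolean = forwardCsocLogsCtx === true || forwardCsocLogsCtx === "true"`. Separately, as far as I can tell CDK cannot attach a bucket policy to a bucket imported with `Bucket.fromBucketArn`, so delivery to `nhsd-audit-vpcflowlogs` relies on that bucket already granting the VPC Flow Logs delivery service write access from this account; a comment above the import such as `// imported audit bucket: its bucket policy (managed elsewhere) must already allow VPC Flow Logs delivery from this account` would save the next reader a failed deploy. The constructor this code sits in begins and ends outside the hunk.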
