VED-501: Forward API Gateway logs to CSOC Sentinel (#774)

JamesW1-NHS · mfjarvis · web-flow · commit a03b01357ec8 · 2025-10-01T10:08:59.000+01:00
* steps 2-5

* steps 2-5 II

* steps 2-5 III

* log-group name

* retooled for existing log group

* retooled for existing log group II

* retooled for existing log group III

* added subscription policy permissions

* variables

* variables II

* there is no '$context.identity.apiKey'

* parameterization

---------

Co-authored-by: Matt Jarvis &lt;matt.jarvis2@nhs.net&gt;
diff --git a/terraform/endpoints.tf b/terraform/endpoints.tf
@@ -115,6 +115,9 @@ module "api_gateway" {
   environment     = var.environment
   sub_environment = var.sub_environment
   oas             = local.oas
+  aws_region      = var.aws_region
+  immunisation_account_id = var.immunisation_account_id
+  csoc_account_id = var.csoc_account_id
 }
 
 resource "aws_lambda_permission" "api_gw" {
diff --git a/terraform/environments/dev/int/variables.tfvars b/terraform/environments/dev/int/variables.tfvars
@@ -1,6 +1,7 @@
 environment                       = "dev"
 immunisation_account_id           = "345594581768"
 dspp_core_account_id              = "603871901111"
+csoc_account_id                   = "693466633220"
 pds_environment                   = "int"
 batch_error_notifications_enabled = true
 pds_check_enabled                 = false
diff --git a/terraform/environments/dev/internal-dev/variables.tfvars b/terraform/environments/dev/internal-dev/variables.tfvars
@@ -1,6 +1,7 @@
 environment                       = "dev"
 immunisation_account_id           = "345594581768"
 dspp_core_account_id              = "603871901111"
+csoc_account_id                   = "693466633220"
 pds_environment                   = "int"
 batch_error_notifications_enabled = true
 pds_check_enabled                 = true
diff --git a/terraform/environments/dev/pr/variables.tfvars b/terraform/environments/dev/pr/variables.tfvars
@@ -1,6 +1,7 @@
 environment                       = "dev"
 immunisation_account_id           = "345594581768"
 dspp_core_account_id              = "603871901111"
+csoc_account_id                   = "693466633220"
 pds_environment                   = "int"
 batch_error_notifications_enabled = false
 pds_check_enabled                 = true
diff --git a/terraform/environments/dev/ref/variables.tfvars b/terraform/environments/dev/ref/variables.tfvars
@@ -1,6 +1,7 @@
 environment                       = "dev"
 immunisation_account_id           = "345594581768"
 dspp_core_account_id              = "603871901111"
+csoc_account_id                   = "693466633220"
 pds_environment                   = "ref"
 batch_error_notifications_enabled = true
 pds_check_enabled                 = true
diff --git a/terraform/modules/api_gateway/api.tf b/terraform/modules/api_gateway/api.tf
@@ -21,7 +21,7 @@ resource "aws_apigatewayv2_stage" "default" {
   }
   access_log_settings {
     destination_arn = aws_cloudwatch_log_group.api_access_log.arn
-    format          = "{ \"requestId\":\"$context.requestId\", \"extendedRequestId\":\"$context.extendedRequestId\", \"ip\": \"$context.identity.sourceIp\", \"caller\":\"$context.identity.caller\", \"user\":\"$context.identity.user\", \"requestTime\":\"$context.requestTime\", \"httpMethod\":\"$context.httpMethod\", \"resourcePath\":\"$context.resourcePath\", \"status\":\"$context.status\", \"protocol\":\"$context.protocol\",  \"responseLength\":\"$context.responseLength\", \"authorizerError\":\"$context.authorizer.error\", \"authorizerStatus\":\"$context.authorizer.status\", \"requestIsValid\":\"$context.authorizer.is_valid\"\"environment\":\"$context.authorizer.environment\" }"
+    format          = "{ \"requestId\":\"$context.requestId\", \"extendedRequestId\":\"$context.extendedRequestId\", \"ip\":\"$context.identity.sourceIp\", \"caller\":\"$context.identity.caller\", \"user\":\"$context.identity.user\", \"requestTime\":\"$context.requestTime\", \"httpMethod\":\"$context.httpMethod\", \"resourcePath\":\"$context.resourcePath\", \"status\":\"$context.status\", \"protocol\":\"$context.protocol\", \"responseLength\":\"$context.responseLength\", \"accountId\":\"$context.accountId\", \"apiId\":\"$context.apiId\", \"stage\":\"$context.stage\", \"authorizerError\":\"$context.authorizer.error\", \"authorizerStatus\":\"$context.authorizer.status\", \"requestIsValid\":\"$context.authorizer.is_valid\", \"environment\":\"$context.authorizer.environment\" }"
   }
 
   # Bug in terraform-aws-provider with perpetual diff
diff --git a/terraform/modules/api_gateway/logs.tf b/terraform/modules/api_gateway/logs.tf
@@ -53,3 +53,56 @@ resource "aws_iam_role_policy" "cloudwatch" {
 }
 EOF
 }
+
+resource "aws_iam_role_policy_attachment" "api_logs_apigateway_policy" {
+  role       = aws_iam_role.api_cloudwatch.name
+  policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonAPIGatewayPushToCloudWatchLogs"
+}
+
+resource "aws_iam_policy" "api_logs_subscription_policy" {
+  name = "${var.short_prefix}-api-logs-subscription-policy"
+  policy = jsonencode({
+    Version = "2012-10-17",
+    Statement = [
+      {
+        Sid = "AllowPutAPIGSubFilter"
+        Effect = "Allow"
+        Action = [
+          "logs:PutSubscriptionFilter"
+        ]
+        Resource = [
+          "arn:aws:logs:${var.aws_region}:${var.immunisation_account_id}:log-group:/aws/vendedlogs/${aws_apigatewayv2_api.service_api.id}/${var.sub_environment}:*",
+          "arn:aws:logs:${var.aws_region}:${var.csoc_account_id}:destination:api_gateway_log_destination"
+        ]
+      }
+    ]
+  })
+}
+
+resource "aws_iam_role_policy_attachment" "api_logs_subscription_policy" {
+  role       = aws_iam_role.api_cloudwatch.name
+  policy_arn = aws_iam_policy.api_logs_subscription_policy.arn
+}
+
+resource "aws_iam_role" "api_logs_subscription_role" {
+  name = "${var.short_prefix}-api-logs-subscription-role"
+  assume_role_policy = jsonencode({
+    Version = "2012-10-17",
+    Statement = [{
+      Effect = "Allow",
+      Sid    = "",
+      Principal = {
+        Service = "logs.${var.aws_region}.amazonaws.com"
+      },
+      Action = "sts:AssumeRole"
+    }]
+  })
+}
+
+resource "aws_cloudwatch_log_subscription_filter" "api_logs_subscription_logfilter" {
+  name            = "${var.short_prefix}-api-logs-subscription-logfilter"
+  log_group_name  = aws_cloudwatch_log_group.api_access_log.name
+  filter_pattern  = ""
+  destination_arn = "arn:aws:logs:${var.aws_region}:${var.csoc_account_id}:destination:api_gateway_log_destination"
+  role_arn        = aws_iam_role.api_logs_subscription_role.arn
+}
diff --git a/terraform/modules/api_gateway/variables.tf b/terraform/modules/api_gateway/variables.tf
@@ -5,3 +5,6 @@ variable "api_domain_name" {}
 variable "environment" {}
 variable "sub_environment" {}
 variable "oas" {}
+variable "aws_region" {}
+variable "immunisation_account_id" {}
+variable "csoc_account_id" {}
diff --git a/terraform/variables.tf b/terraform/variables.tf
@@ -6,6 +6,7 @@ variable "sub_environment" {
 
 variable "immunisation_account_id" {}
 variable "dspp_core_account_id" {}
+variable "csoc_account_id" {}
 
 variable "create_mesh_processor" {
   default = false

Original file line number	Diff line number	Diff line change
`@@ -115,6 +115,9 @@ module "api_gateway" {`
`115`	`115`	`environment = var.environment`
`116`	`116`	`sub_environment = var.sub_environment`
`117`	`117`	`oas = local.oas`
	`118`	`+ aws_region = var.aws_region`
	`119`	`+ immunisation_account_id = var.immunisation_account_id`
	`120`	`+ csoc_account_id = var.csoc_account_id`
`118`	`121`	`}`
`119`	`122`
`120`	`123`	`resource "aws_lambda_permission" "api_gw" {`
Original file line number	Diff line number	Diff line change
`@@ -21,7 +21,7 @@ resource "aws_apigatewayv2_stage" "default" {`
`21`	`21`	`}`
`22`	`22`	`access_log_settings {`
`23`	`23`	`destination_arn = aws_cloudwatch_log_group.api_access_log.arn`
`24`		- format = "{ \"requestId\":\"$context.requestId\", \"extendedRequestId\":\"$context.extendedRequestId\", \"ip\": \"$context.identity.sourceIp\", \"caller\":\"$context.identity.caller\", \"user\":\"$context.identity.user\", \"requestTime\":\"$context.requestTime\", \"httpMethod\":\"$context.httpMethod\", \"resourcePath\":\"$context.resourcePath\", \"status\":\"$context.status\", \"protocol\":\"$context.protocol\", \"responseLength\":\"$context.responseLength\", \"authorizerError\":\"$context.authorizer.error\", \"authorizerStatus\":\"$context.authorizer.status\", \"requestIsValid\":\"$context.authorizer.is_valid\"\"environment\":\"$context.authorizer.environment\" }"
	`24`	+ format = "{ \"requestId\":\"$context.requestId\", \"extendedRequestId\":\"$context.extendedRequestId\", \"ip\":\"$context.identity.sourceIp\", \"caller\":\"$context.identity.caller\", \"user\":\"$context.identity.user\", \"requestTime\":\"$context.requestTime\", \"httpMethod\":\"$context.httpMethod\", \"resourcePath\":\"$context.resourcePath\", \"status\":\"$context.status\", \"protocol\":\"$context.protocol\", \"responseLength\":\"$context.responseLength\", \"accountId\":\"$context.accountId\", \"apiId\":\"$context.apiId\", \"stage\":\"$context.stage\", \"authorizerError\":\"$context.authorizer.error\", \"authorizerStatus\":\"$context.authorizer.status\", \"requestIsValid\":\"$context.authorizer.is_valid\", \"environment\":\"$context.authorizer.environment\" }"
`25`	`25`	`}`
`26`	`26`
`27`	`27`	`# Bug in terraform-aws-provider with perpetual diff`