| 1 | +# https://nhsd-confluence.digital.nhs.uk/spaces/CCEP/pages/407374909/API+Gateway+Access+Logs |
| 2 | + |
| 3 | +# 2. IAM Role for Cross Account Log Subscriptions |
| 4 | +resource "aws_iam_role" "cwlogs_subscription_role" { |
| 5 | + name = "${local.short_prefix}-cwlogs-subscription-role" |
| 6 | + assume_role_policy = jsonencode({ |
| 7 | + Version = "2012-10-17", |
| 8 | + Statement = [{ |
| 9 | + Effect = "Allow", |
| 10 | + Sid = "", |
| 11 | + Principal = { |
| 12 | + Service = "logs.eu-west-2.amazonaws.com" |
| 13 | + }, |
| 14 | + Action = "sts:AssumeRole" |
| 15 | + }] |
| 16 | + }) |
| 17 | +} |
| 18 | + |
| 19 | +# 3. Log Group |
| 20 | +resource "aws_cloudwatch_log_group" "cwlogs_subscription_log_group" { |
| 21 | + name = "${local.short_prefix}-cwlogs-subscription-log-group" |
| 22 | + retention_in_days = 30 |
| 23 | +} |
| 24 | + |
| 25 | +# Permissions Policy for Subscription Filter |
| 26 | +# TODO: un-hardcode the destination account ID |
| 27 | +resource "aws_iam_policy" "cwlogs_subscription_policy" { |
| 28 | + name = "${local.short_prefix}-cwlogs-subscription-policy" |
| 29 | + policy = jsonencode({ |
| 30 | + Version = "2012-10-17", |
| 31 | + Statement = [ |
| 32 | + { |
| 33 | + Sid = "AllowPutAPIGSubFilter" |
| 34 | + Effect = "Allow" |
| 35 | + Action = [ |
| 36 | + "logs:PutSubscriptionFilter" |
| 37 | + ] |
| 38 | + Resource = "arn:aws:logs:${var.aws_region}:${var.immunisation_account_id}:log-group:/aws/lambda/${local.short_prefix}-cwlogs-subscription-log-group:*", |
| 39 | + "arn:aws:logs:eu-west-2:693466633220:destination:api_gateway_log_destination" |
| 40 | + } |
| 41 | + ] |
| 42 | + }) |
| 43 | +} |
| 44 | + |
| 45 | +# 4. Subscription Filter |
| 46 | +resource "aws_cloudwatch_log_subscription_filter" "cwlogs_subscription_logfilter" { |
| 47 | + name = "test_lambdafunction_logfilter" |
| 48 | + log_group_name = aws_cloudwatch_log_group.cwlogs_subscription_log_group.name |
| 49 | + filter_name = var.immunisation_account_id |
| 50 | + filter_pattern = "" |
| 51 | + destination_arn = "arn:aws:logs:eu-west-2:693466633220:destination:api_gateway_log_destination" |
| 52 | + role_arn = aws_iam_role.cwlogs_subscription_role.name |
| 53 | +} |
| 54 | + |
| 55 | +# 5. API Gateway Log Role |
| 56 | +resource "aws_iam_role" "cwlogs_apigateway_log_role" { |
| 57 | + name = "${local.short_prefix}-cwlogs-apigateway-log-role" |
| 58 | + assume_role_policy = jsonencode({ |
| 59 | + Version = "2012-10-17", |
| 60 | + Statement = [{ |
| 61 | + Effect = "Allow", |
| 62 | + Sid = "", |
| 63 | + Principal = { |
| 64 | + Service = "apigateway.amazonaws.com" |
| 65 | + }, |
| 66 | + Action = "sts:AssumeRole" |
| 67 | + }] |
| 68 | + }) |
| 69 | +} |
| 70 | + |
| 71 | +resource "aws_iam_role_policy_attachment" "cwlogs_apigateway_policy" { |
| 72 | + role = aws_iam_role.cwlogs_apigateway_log_role.name |
| 73 | + policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonAPIGatewayPushToCloudWatchLogs" |
| 74 | +} |
| 75 | + |
| 76 | +# 6. Log Forwarding from API Gateway |
| 77 | +# TODO |
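Review bot: `role_arn` on the subscription filter at line 52 is given `aws_iam_role.cwlogs_subscription_role.name`, but the argument expects an ARN, so the filter cannot be created as written; it should be `aws_iam_role.cwlogs_subscription_role.arn`. The same block also sets `filter_name` at line 49, which is not an argument of `aws_cloudwatch_log_subscription_filter` (the filter's name is already the `name` argument), and should be dropped. In `cwlogs_subscription_policy` the `Resource` value at lines 38–39 is two strings separated by a comma rather than a list, which will not parse as an HCL object, and the log-group ARN there carries a `/aws/lambda/` prefix that the log group declared at line 21 does not have; note too that the policy is created but never attached to `cwlogs_subscription_role`. Both trust policies accept their service principal with no `aws:SourceAccount`/`aws:SourceArn` condition, which is worth adding for confused-deputy hardening once the destination account is parameterised as the TODO at line 26 says.
```hcl
# … unchanged: cwlogs_subscription_policy Sid / Effect / Action …
        Resource = [
          "arn:aws:logs:${var.aws_region}:${var.immunisation_account_id}:log-group:${local.short_prefix}-cwlogs-subscription-log-group:*",
          "arn:aws:logs:eu-west-2:693466633220:destination:api_gateway_log_destination"
        ]
# … unchanged: rest of cwlogs_subscription_policy …

resource "aws_iam_role_policy_attachment" "cwlogs_subscription_policy_attachment" {
  role       = aws_iam_role.cwlogs_subscription_role.name
  policy_arn = aws_iam_policy.cwlogs_subscription_policy.arn
}

resource "aws_cloudwatch_log_subscription_filter" "cwlogs_subscription_logfilter" {
  name            = "test_lambdafunction_logfilter"
  log_group_name  = aws_cloudwatch_log_group.cwlogs_subscription_log_group.name
  filter_pattern  = ""
  destination_arn = "arn:aws:logs:eu-west-2:693466633220:destination:api_gateway_log_destination"
  role_arn        = aws_iam_role.cwlogs_subscription_role.arn
}
```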