[NDR-193] removing splunk (#385)

SWhyteAnswer · robg-nhs · web-flow · commit 300922d6a8a1 · 2025-08-19T10:28:11.000+01:00
Co-authored-by: Sam Whyte &lt;sam.whyte@answerdigital.com&gt;
Co-authored-by: robg-nhs &lt;rob.gaskin@nhs.net&gt;
diff --git a/infrastructure/README.md b/infrastructure/README.md
diff --git a/infrastructure/audit.tf b/infrastructure/audit.tf
diff --git a/infrastructure/lambda-document-manifest-job.tf b/infrastructure/lambda-document-manifest-job.tf
@@ -79,24 +79,16 @@ module "document-manifest-job-lambda" {
     LLOYD_GEORGE_DYNAMODB_NAME   = "${terraform.workspace}_${var.lloyd_george_dynamodb_table_name}"
     ZIPPED_STORE_BUCKET_NAME     = "${terraform.workspace}-${var.zip_store_bucket_name}"
     ZIPPED_STORE_DYNAMODB_NAME   = "${terraform.workspace}_${var.zip_store_dynamodb_table_name}"
-    SPLUNK_SQS_QUEUE_URL         = try(module.sqs-splunk-queue[0].sqs_url, null)
     WORKSPACE                    = terraform.workspace
     PRESIGNED_ASSUME_ROLE        = aws_iam_role.manifest_presign_url_role.arn
   }
   depends_on = [
     aws_api_gateway_rest_api.ndr_doc_store_api,
     module.document-manifest-job-gateway,
-    aws_iam_policy.lambda_audit_splunk_sqs_queue_send_policy[0],
     module.ndr-app-config,
     module.lloyd_george_reference_dynamodb_table,
     module.document_reference_dynamodb_table,
     module.zip_store_reference_dynamodb_table,
     module.ndr-zip-request-store
   ]
 }
-
-resource "aws_iam_role_policy_attachment" "policy_manifest_lambda" {
-  count      = local.is_sandbox ? 0 : 1
-  role       = module.document-manifest-job-lambda.lambda_execution_role_name
-  policy_arn = try(aws_iam_policy.lambda_audit_splunk_sqs_queue_send_policy[0].arn, null)
-}
diff --git a/infrastructure/lambda-feature-flags.tf b/infrastructure/lambda-feature-flags.tf
@@ -76,7 +76,6 @@ module "feature-flags-lambda" {
   depends_on = [
     aws_api_gateway_rest_api.ndr_doc_store_api,
     module.feature-flags-gateway,
-    aws_iam_policy.lambda_audit_splunk_sqs_queue_send_policy[0],
     module.ndr-app-config
   ]
 }
diff --git a/infrastructure/lambda-generate-document-manifest.tf b/infrastructure/lambda-generate-document-manifest.tf
@@ -66,15 +66,13 @@ module "generate-document-manifest-lambda" {
     APPCONFIG_CONFIGURATION    = module.ndr-app-config.app_config_configuration_profile_id
     ZIPPED_STORE_BUCKET_NAME   = "${terraform.workspace}-${var.zip_store_bucket_name}"
     ZIPPED_STORE_DYNAMODB_NAME = "${terraform.workspace}_${var.zip_store_dynamodb_table_name}"
-    SPLUNK_SQS_QUEUE_URL       = try(module.sqs-splunk-queue[0].sqs_url, null)
     WORKSPACE                  = terraform.workspace
     PRESIGNED_ASSUME_ROLE      = aws_iam_role.manifest_presign_url_role.arn
   }
   is_gateway_integration_needed = false
   is_invoked_from_gateway       = false
 
   depends_on = [
-    aws_iam_policy.lambda_audit_splunk_sqs_queue_send_policy[0],
     module.ndr-app-config,
     module.zip_store_reference_dynamodb_table,
     module.ndr-zip-request-store,
@@ -99,12 +97,6 @@ resource "aws_iam_policy" "dynamodb_stream_manifest" {
   })
 }
 
-resource "aws_iam_role_policy_attachment" "policy_generate_manifest_lambda" {
-  count      = local.is_sandbox ? 0 : 1
-  role       = module.generate-document-manifest-lambda.lambda_execution_role_name
-  policy_arn = try(aws_iam_policy.lambda_audit_splunk_sqs_queue_send_policy[0].arn, null)
-}
-
 resource "aws_lambda_event_source_mapping" "dynamodb_stream_manifest" {
   event_source_arn  = module.zip_store_reference_dynamodb_table.dynamodb_stream_arn
   function_name     = module.generate-document-manifest-lambda.lambda_arn
diff --git a/infrastructure/lambda-generate-stitch-record.tf b/infrastructure/lambda-generate-stitch-record.tf
@@ -64,7 +64,6 @@ module "generate-lloyd-george-stitch-lambda" {
     APPCONFIG_APPLICATION         = module.ndr-app-config.app_config_application_id
     APPCONFIG_ENVIRONMENT         = module.ndr-app-config.app_config_environment_id
     APPCONFIG_CONFIGURATION       = module.ndr-app-config.app_config_configuration_profile_id
-    SPLUNK_SQS_QUEUE_URL          = try(module.sqs-splunk-queue[0].sqs_url, null)
     STITCH_METADATA_DYNAMODB_NAME = "${terraform.workspace}_${var.stitch_metadata_dynamodb_table_name}"
     WORKSPACE                     = terraform.workspace
     PRESIGNED_ASSUME_ROLE         = aws_iam_role.stitch_presign_url_role.arn
@@ -75,7 +74,6 @@ module "generate-lloyd-george-stitch-lambda" {
   is_invoked_from_gateway       = false
 
   depends_on = [
-    aws_iam_policy.lambda_audit_splunk_sqs_queue_send_policy[0],
     module.ndr-app-config,
     module.ndr-document-store,
     module.ndr-lloyd-george-store,
@@ -99,12 +97,6 @@ resource "aws_iam_policy" "dynamodb_stream_stitch_policy" {
   })
 }
 
-resource "aws_iam_role_policy_attachment" "policy_generate_stitch_lambda" {
-  count      = local.is_sandbox ? 0 : 1
-  role       = module.generate-lloyd-george-stitch-lambda.lambda_execution_role_name
-  policy_arn = try(aws_iam_policy.lambda_audit_splunk_sqs_queue_send_policy[0].arn, null)
-}
-
 resource "aws_lambda_event_source_mapping" "dynamodb_stream_stitch" {
   event_source_arn  = module.stitch_metadata_reference_dynamodb_table.dynamodb_stream_arn
   function_name     = module.generate-lloyd-george-stitch-lambda.lambda_arn
diff --git a/infrastructure/lambda-get-report-by-ods.tf b/infrastructure/lambda-get-report-by-ods.tf
@@ -76,13 +76,6 @@ module "get-report-by-ods-lambda" {
   }
   depends_on = [
     aws_api_gateway_rest_api.ndr_doc_store_api,
-    module.get-report-by-ods-gateway,
-    aws_iam_policy.lambda_audit_splunk_sqs_queue_send_policy[0]
+    module.get-report-by-ods-gateway
   ]
 }
-
-resource "aws_iam_role_policy_attachment" "policy_audit_get-report-by-ods-lambda" {
-  count      = local.is_sandbox ? 0 : 1
-  role       = module.get-report-by-ods-lambda.lambda_execution_role_name
-  policy_arn = try(aws_iam_policy.lambda_audit_splunk_sqs_queue_send_policy[0].arn, null)
-}
diff --git a/infrastructure/lambda-lloyd-george-record-stitch.tf b/infrastructure/lambda-lloyd-george-record-stitch.tf
@@ -78,7 +78,6 @@ module "lloyd-george-stitch-lambda" {
     LLOYD_GEORGE_DYNAMODB_NAME    = "${terraform.workspace}_${var.lloyd_george_dynamodb_table_name}"
     STITCH_METADATA_DYNAMODB_NAME = "${terraform.workspace}_${var.stitch_metadata_dynamodb_table_name}"
     CLOUDFRONT_URL                = module.cloudfront-distribution-lg.cloudfront_url
-    SPLUNK_SQS_QUEUE_URL          = try(module.sqs-splunk-queue[0].sqs_url, null)
     WORKSPACE                     = terraform.workspace
     PRESIGNED_ASSUME_ROLE         = aws_iam_role.stitch_presign_url_role.arn
     EDGE_REFERENCE_TABLE          = module.cloudfront_edge_dynamodb_table.table_name
@@ -87,16 +86,9 @@ module "lloyd-george-stitch-lambda" {
     aws_api_gateway_rest_api.ndr_doc_store_api,
     module.ndr-lloyd-george-store,
     module.lloyd-george-stitch-gateway,
-    aws_iam_policy.lambda_audit_splunk_sqs_queue_send_policy[0],
     module.ndr-app-config,
     module.cloudfront-distribution-lg,
     module.stitch_metadata_reference_dynamodb_table,
     module.lloyd_george_reference_dynamodb_table
   ]
 }
-
-resource "aws_iam_role_policy_attachment" "lambda_stitch-lambda" {
-  count      = local.is_sandbox ? 0 : 1
-  role       = module.lloyd-george-stitch-lambda.lambda_execution_role_name
-  policy_arn = try(aws_iam_policy.lambda_audit_splunk_sqs_queue_send_policy[0].arn, null)
-}
diff --git a/infrastructure/lambda-search-patient.tf b/infrastructure/lambda-search-patient.tf
@@ -70,21 +70,13 @@ module "search-patient-details-lambda" {
     APPCONFIG_CONFIGURATION        = module.ndr-app-config.app_config_configuration_profile_id
     SSM_PARAM_JWT_TOKEN_PUBLIC_KEY = "jwt_token_public_key"
     PDS_FHIR_IS_STUBBED            = local.is_sandbox,
-    SPLUNK_SQS_QUEUE_URL           = try(module.sqs-splunk-queue[0].sqs_url, null)
     WORKSPACE                      = terraform.workspace
     AUTH_SESSION_TABLE_NAME        = "${terraform.workspace}_${var.auth_session_dynamodb_table_name}"
   }
   api_execution_arn = aws_api_gateway_rest_api.ndr_doc_store_api.execution_arn
   depends_on = [
     aws_api_gateway_rest_api.ndr_doc_store_api,
     module.search-patient-details-gateway,
-    aws_iam_policy.lambda_audit_splunk_sqs_queue_send_policy[0],
     module.ndr-app-config
   ]
 }
-
-resource "aws_iam_role_policy_attachment" "policy_audit_search-patient-details-lambda" {
-  count      = local.is_sandbox ? 0 : 1
-  role       = module.search-patient-details-lambda.lambda_execution_role_name
-  policy_arn = try(aws_iam_policy.lambda_audit_splunk_sqs_queue_send_policy[0].arn, null)
-}
diff --git a/infrastructure/lambda-token.tf b/infrastructure/lambda-token.tf
@@ -36,15 +36,13 @@ module "create-token-lambda" {
     AUTH_STATE_TABLE_NAME   = "${terraform.workspace}_${var.auth_state_dynamodb_table_name}"
     AUTH_SESSION_TABLE_NAME = "${terraform.workspace}_${var.auth_session_dynamodb_table_name}"
     ENVIRONMENT             = var.environment
-    SPLUNK_SQS_QUEUE_URL    = try(module.sqs-splunk-queue[0].sqs_url, null)
   }
   depends_on = [
     aws_api_gateway_rest_api.ndr_doc_store_api,
     aws_iam_policy.ssm_access_policy,
     module.auth_session_dynamodb_table,
     module.auth_state_dynamodb_table,
     module.create-token-gateway,
-    aws_iam_policy.lambda_audit_splunk_sqs_queue_send_policy[0],
     module.ndr-app-config
   ]
   memory_size = 1769
@@ -91,10 +89,3 @@ module "create_token-alarm_topic" {
 
   depends_on = [module.create-token-lambda, module.sns_encryption_key]
 }
-
-
-resource "aws_iam_role_policy_attachment" "policy_audit_token_lambda" {
-  count      = local.is_sandbox ? 0 : 1
-  role       = module.create-token-lambda.lambda_execution_role_name
-  policy_arn = try(aws_iam_policy.lambda_audit_splunk_sqs_queue_send_policy[0].arn, null)
-}
diff --git a/infrastructure/modules/lambda/README.md b/infrastructure/modules/lambda/README.md
@@ -78,6 +78,7 @@ module "lambda" {
 | Name | Type |
 |------|------|
 | [aws_api_gateway_integration.lambda_integration](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/api_gateway_integration) | resource |
+| [aws_cloudwatch_log_group.lambda_logs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | resource |
 | [aws_iam_policy.combined_policies](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_role.lambda_execution_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
 | [aws_iam_role_policy_attachment.default_policies](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
@@ -92,7 +93,9 @@ module "lambda" {
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | <a name="input_api_execution_arn"></a> [api\_execution\_arn](#input\_api\_execution\_arn) | Execution ARN of the API Gateway used for granting invoke permissions. | `string` | `""` | no |
+| <a name="input_default_lambda_layers"></a> [default\_lambda\_layers](#input\_default\_lambda\_layers) | n/a | `list(string)` | <pre>[<br/>  "arn:aws:lambda:eu-west-2:282860088358:layer:AWS-AppConfig-Extension:120"<br/>]</pre> | no |
 | <a name="input_default_policies"></a> [default\_policies](#input\_default\_policies) | List of default IAM policy ARNs to attach to the Lambda execution role. | `list(string)` | <pre>[<br/>  "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole",<br/>  "arn:aws:iam::aws:policy/CloudWatchLambdaInsightsExecutionRolePolicy"<br/>]</pre> | no |
+| <a name="input_extra_lambda_layers"></a> [extra\_lambda\_layers](#input\_extra\_lambda\_layers) | n/a | `list(string)` | <pre>[<br/>  "arn:aws:lambda:eu-west-2:580247275435:layer:LambdaInsightsExtension:53"<br/>]</pre> | no |
 | <a name="input_handler"></a> [handler](#input\_handler) | Function entry point in the codebase (e.g., 'index.handler'). | `string` | n/a | yes |
 | <a name="input_http_methods"></a> [http\_methods](#input\_http\_methods) | List of HTTP methods to integrate with the Lambda function. | `list(string)` | `[]` | no |
 | <a name="input_iam_role_policy_documents"></a> [iam\_role\_policy\_documents](#input\_iam\_role\_policy\_documents) | List of IAM policy document ARNs to attach to the Lambda execution role. | `list(string)` | `[]` | no |
@@ -103,6 +106,7 @@ module "lambda" {
 | <a name="input_lambda_timeout"></a> [lambda\_timeout](#input\_lambda\_timeout) | Function timeout in seconds. | `number` | `30` | no |
 | <a name="input_memory_size"></a> [memory\_size](#input\_memory\_size) | Amount of memory to allocate to the Lambda function (in MB). | `number` | `512` | no |
 | <a name="input_name"></a> [name](#input\_name) | Unique name for the Lambda function. | `string` | n/a | yes |
+| <a name="input_persistent_workspaces"></a> [persistent\_workspaces](#input\_persistent\_workspaces) | A list of workspaces that require persistent logs | `list(string)` | <pre>[<br/>  "ndr-dev",<br/>  "ndr-test",<br/>  "pre-prod",<br/>  "prod"<br/>]</pre> | no |
 | <a name="input_reserved_concurrent_executions"></a> [reserved\_concurrent\_executions](#input\_reserved\_concurrent\_executions) | The number of concurrent execution allowed for lambda. A value of 0 will stop lambda from running, and -1 removes any concurrency limitations. Default to -1. | `number` | `-1` | no |
 | <a name="input_resource_id"></a> [resource\_id](#input\_resource\_id) | ID of the API Gateway resource (path) to attach Lambda to. | `string` | `""` | no |
 | <a name="input_rest_api_id"></a> [rest\_api\_id](#input\_rest\_api\_id) | ID of the associated API Gateway REST API. | `string` | `""` | no |
diff --git a/infrastructure/queues.tf b/infrastructure/queues.tf
@@ -1,12 +1,3 @@
-module "sqs-splunk-queue" {
-  source      = "./modules/sqs"
-  name        = "splunk-queue"
-  count       = local.is_sandbox ? 0 : 1
-  environment = var.environment
-  owner       = var.owner
-}
-
-
 module "sqs-lg-bulk-upload-metadata-queue" {
   source               = "./modules/sqs"
   name                 = "lg-bulk-upload-metadata-queue.fifo"

Original file line number	Diff line number	Diff line change
`@@ -76,7 +76,6 @@ module "feature-flags-lambda" {`
`76`	`76`	`depends_on = [`
`77`	`77`	`aws_api_gateway_rest_api.ndr_doc_store_api,`
`78`	`78`	`module.feature-flags-gateway,`
`79`		`- aws_iam_policy.lambda_audit_splunk_sqs_queue_send_policy[0],`
`80`	`79`	`module.ndr-app-config`
`81`	`80`	`]`
`82`	`81`	`}`
Original file line number	Diff line number	Diff line change
`@@ -76,13 +76,6 @@ module "get-report-by-ods-lambda" {`
`76`	`76`	`}`
`77`	`77`	`depends_on = [`
`78`	`78`	`aws_api_gateway_rest_api.ndr_doc_store_api,`
`79`		`- module.get-report-by-ods-gateway,`
`80`		`- aws_iam_policy.lambda_audit_splunk_sqs_queue_send_policy[0]`
	`79`	`+ module.get-report-by-ods-gateway`
`81`	`80`	`]`
`82`	`81`	`}`
`83`		`-`
`84`		`-resource "aws_iam_role_policy_attachment" "policy_audit_get-report-by-ods-lambda" {`
`85`		`- count = local.is_sandbox ? 0 : 1`
`86`		`- role = module.get-report-by-ods-lambda.lambda_execution_role_name`
`87`		`- policy_arn = try(aws_iam_policy.lambda_audit_splunk_sqs_queue_send_policy[0].arn, null)`
`88`		`-}`