[PRMP-1553] - Implement CloudWatch RUM PoC (UI Analytics) (#258)

oliverbeumkes-nhs · chrisbloe · web-flow · commit ce033e2e1011 · 2025-03-04T16:52:35.000Z
* Fix Type

* test will deploy with module's separated from cloudwatch logs

* changes count for cloud watch rum

* FIxed typo missing _

* FIxed typo trailing /

* moved couldwatch rum to root

* Fixed formatting

* fixed resource name and removed identity pool from rum

* Added roles for cognito

* Update Rum policies

* fmt fix

* Update role and policies

* Amended AssumeRole type

* more changes to roles

* Another refactor of policies and roles for rum

* Replaced Service with Principal for role

* another attempt to fix some of the role errors

* reformatting

* removed prohibited line

* all users for test

* generated policy

* commented out potential unused policy attachment

* refactor of policies and roles

* disabled cs_log_enabled

* Added Authorization for app rum monitoring

* reformatted cloudwatch

* Updated roles and polices to match required permissions and resources, using web identity

* Removed un needed additional region on string equals

* Renaming some Terraform objects

* Everything is optional

* Made changes requested in the pull request, removed potentially un-needed policies and roles

* Commented out ServiceRole tag

* Removed un-needed code commented on last commit

---------

Co-authored-by: Kris Bloe &lt;kris.bloe@answerdigital.com&gt;
diff --git a/infrastructure/cloudwatch_rum.tf b/infrastructure/cloudwatch_rum.tf
@@ -0,0 +1,83 @@
+locals {
+  cognito_role_name = "${terraform.workspace}-cognito-unauth-role"
+}
+
+resource "aws_iam_role" "cognito_unauthenticated" {
+  count = local.is_production ? 0 : 1
+  name  = local.cognito_role_name
+
+  assume_role_policy = jsonencode({
+    Version = "2012-10-17",
+    Statement = [
+      {
+        Effect = "Allow",
+        Principal : {
+          Federated : "cognito-identity.amazonaws.com"
+        },
+        Action = "sts:AssumeRoleWithWebIdentity",
+        Condition = {
+          StringEquals = {
+            "cognito-identity.amazonaws.com:aud" = aws_cognito_identity_pool.cloudwatch_rum[0].id
+          },
+          "ForAnyValue:StringLike" = {
+            "cognito-identity.amazonaws.com:amr" = "unauthenticated"
+          }
+        }
+      }
+    ]
+  })
+}
+
+resource "aws_iam_policy" "cloudwatch_rum_cognito_access" {
+  count       = local.is_production ? 0 : 1
+  name        = "${terraform.workspace}-cloudwatch-rum-cognito-access-policy"
+  description = "Policy for unauthenticated Cognito identities"
+
+  policy = jsonencode(
+    {
+      "Version" : "2012-10-17",
+      "Statement" : [
+        {
+          "Effect" : "Allow",
+          "Action" : "rum:PutRumEvents",
+          "Resource" : "arn:aws:rum:${local.current_region}:${local.current_account_id}:appmonitor/${aws_rum_app_monitor.ndr[0].id}"
+        }
+      ]
+  })
+}
+
+resource "aws_iam_role_policy_attachment" "cloudwatch_rum_cognito_unauth" {
+  count      = local.is_production ? 0 : 1
+  role       = aws_iam_role.cognito_unauthenticated[0].name
+  policy_arn = aws_iam_policy.cloudwatch_rum_cognito_access[0].arn
+}
+
+resource "aws_cognito_identity_pool_roles_attachment" "cloudwatch_rum" {
+  count            = local.is_production ? 0 : 1
+  identity_pool_id = aws_cognito_identity_pool.cloudwatch_rum[0].id
+
+  roles = {
+    unauthenticated = aws_iam_role.cognito_unauthenticated[0].arn
+  }
+}
+
+resource "aws_cognito_identity_pool" "cloudwatch_rum" {
+  count                            = local.is_production ? 0 : 1
+  identity_pool_name               = "${terraform.workspace}-cloudwatch-rum-identity-pool"
+  allow_unauthenticated_identities = true
+}
+
+resource "aws_rum_app_monitor" "ndr" {
+  count          = local.is_production ? 0 : 1
+  name           = "${terraform.workspace}-app-monitor"
+  domain         = "*.${var.domain}"
+  cw_log_enabled = false
+
+  app_monitor_configuration {
+    identity_pool_id    = aws_cognito_identity_pool.cloudwatch_rum[0].id
+    allow_cookies       = true
+    enable_xray         = false
+    session_sample_rate = 1.0
+    telemetries         = ["errors", "performance", "http"]
+  }
+}
diff --git a/infrastructure/modules/cloudwatch/main.tf b/infrastructure/modules/cloudwatch/main.tf
@@ -13,7 +13,6 @@ resource "aws_cloudwatch_log_group" "ndr_cloudwatch_log_group" {
 resource "aws_cloudwatch_log_stream" "log_stream" {
   name           = "${terraform.workspace}_${var.cloudwatch_log_stream_name}_log_Stream"
   log_group_name = "aws_cloudwatch_log_group.ndr_cloudwatch_log_group"
-
   tags = {
     Name        = "${terraform.workspace}_${var.cloudwatch_log_stream_name}_log_stream"
     Owner       = var.owner
