
Commit d417c41

[PRMP-1588] Implementation of additional Session Attributes (#269)
* Enabled logging for cloudwatch_rum * Added specified log_group and policy/role to handle logging * Removed unneeded logging group * Attempt to add permissions to vended log group * Added DeleteResourcePolicy to test with permission on AWSRUMLoggingPolicy * try setting prevent_destroy to false * reformatted * Added dependency on app_monitor * additional permissions * made region and account id vars for logging * changed rum_log_policy to rum_log * updated dependency --------- Co-authored-by: robg-nhs <[email protected]>
1 parent d891f21 commit d417c41


1 file changed

+31
-1
lines changed

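--- a/infrastructure/cloudwatch_rum.tf
+++ b/infrastructure/cloudwatch_rum.tf
@@ -1,5 +1,6 @@
 locals {
 cognito_role_name = "${terraform.workspace}-cognito-unauth-role"
+cw_log_group = "/aws/rum/my-rum-monitor/${terraform.workspace}-app-monitor"
 }
 
 resource "aws_iam_role" "cognito_unauthenticated" {
@@ -46,6 +47,33 @@ resource "aws_iam_policy" "cloudwatch_rum_cognito_access" {
 })
 }
 
+resource "aws_cloudwatch_log_resource_policy" "rum_log" {
+policy_name = "AWSRUMLoggingPolicy"
+
+policy_document = jsonencode({
+Version = "2012-10-17",
+Statement = [
+{
+Effect = "Allow",
+Principal = {
+Service = "rum.amazonaws.com"
+},
+Action = [
+"logs:CreateLogStream",
+"logs:PutLogEvents",
+"logs:DeleteResourcePolicy",
+"logs:DeleteLogGroup",
+"logs:DescribeLogGroups"
+],
+Resource = "arn:aws:logs:${local.current_region}:${local.current_account_id}:log-group:/aws/vendedlogs/RUMService-*"
+}
+]
+})
+lifecycle {
+prevent_destroy = false
+}
+}
+
 resource "aws_iam_role_policy_attachment" "cloudwatch_rum_cognito_unauth" {
 count = local.is_production ? 0 : 1
 role = aws_iam_role.cognito_unauthenticated[0].name
@@ -71,7 +99,7 @@ resource "aws_rum_app_monitor" "ndr" {
 count = local.is_production ? 0 : 1
 name = "${terraform.workspace}-app-monitor"
 domain = "*.${var.domain}"
-cw_log_enabled = false
+cw_log_enabled = true
 
 app_monitor_configuration {
 identity_pool_id = aws_cognito_identity_pool.cloudwatch_rum[0].id
@@ -80,4 +108,6 @@ resource "aws_rum_app_monitor" "ndr" {
 session_sample_rate = 1.0
 telemetries = ["errors", "performance", "http"]
 }
+
+depends_on = [aws_cloudwatch_log_resource_policy.rum_log]
 }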
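Review bot: The `aws_cloudwatch_log_resource_policy.rum_log` statement in the second hunk grants the `rum.amazonaws.com` service principal `logs:DeleteResourcePolicy` and `logs:DeleteLogGroup`, which go well beyond what vended-log delivery needs (`logs:CreateLogStream` and `logs:PutLogEvents`; keep `logs:DescribeLogGroups` only if delivery verifiably fails without it), and the commit message itself says DeleteResourcePolicy was added "to test". The statement also carries no `aws:SourceAccount`/`aws:SourceArn` condition, which is the usual confused-deputy guard for a service-principal resource policy, so the grant should be scoped to this account as sketched below. Two smaller points: `local.cw_log_group` added in the first hunk is not referenced anywhere in this diff (the policy ARN uses the `/aws/vendedlogs/RUMService-*` prefix instead), so confirm it is used elsewhere or drop it; and `prevent_destroy = false` is the provider default, so the `lifecycle` block is a no-op and can be removed. Note also that the resource policy is created unconditionally while `aws_rum_app_monitor.ndr` has `count = local.is_production ? 0 : 1`, so production workspaces will carry a policy with no monitor behind it unless that is intended.
```terraform
Statement = [
  {
    Effect = "Allow",
    Principal = {
      Service = "rum.amazonaws.com"
    },
    # Least privilege: log delivery only needs to create streams and put events.
    Action = [
      "logs:CreateLogStream",
      "logs:PutLogEvents"
    ],
    Resource = "arn:aws:logs:${local.current_region}:${local.current_account_id}:log-group:/aws/vendedlogs/RUMService-*",
    # Confused-deputy guard: only honour requests RUM makes on behalf of this account.
    Condition = {
      StringEquals = {
        "aws:SourceAccount" = local.current_account_id
      }
    }
  }
]
# … unchanged: jsonencode wrapper and resource footer …
```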
