CCM-9868: Adding subfilter to lambda module

sidnhs · sidnhs · commit 0b85c25cf3e3 · 2025-05-13T12:15:32.000+01:00
diff --git a/infrastructure/terraform/components/app/module_backend_api.tf b/infrastructure/terraform/components/app/module_backend_api.tf
@@ -21,4 +21,7 @@ module "backend_api" {
   enable_letters   = var.enable_letters
   enable_proofing  = var.enable_proofing
   letter_suppliers = var.letter_suppliers
+  destination_arn = "arn:aws:logs:${var.region}:${var.observability_account_id}:destination:nhs-notify-main-acct-firehose-logs"
+  subscription_role_arn = local.acct.log_subscription_role_arn
+
 }
diff --git a/infrastructure/terraform/modules/backend-api/cloudwatch_log_group_api_gateway_access.tf b/infrastructure/terraform/modules/backend-api/cloudwatch_log_group_api_gateway_access.tf
@@ -2,3 +2,11 @@ resource "aws_cloudwatch_log_group" "api_gateway_access" {
   name              = "/aws/api-gateway/${aws_api_gateway_rest_api.main.id}/${var.environment}/access-logs"
   retention_in_days = var.log_retention_in_days
 }
+
+resource "aws_cloudwatch_log_subscription_filter" "api_gateway_access" {
+  name            = replace(aws_cloudwatch_log_group.api_gateway_access.name, "/", "-")
+  log_group_name  = aws_cloudwatch_log_group.api_gateway_access.name
+  filter_pattern  = ""
+  destination_arn = var.destination_arn
+  role_arn        = var.subscription_role_arn
+}
diff --git a/infrastructure/terraform/modules/backend-api/cloudwatch_log_group_api_gateway_execution.tf b/infrastructure/terraform/modules/backend-api/cloudwatch_log_group_api_gateway_execution.tf
@@ -5,3 +5,11 @@ resource "aws_cloudwatch_log_group" "api_gateway_execution" {
   )
   retention_in_days = var.log_retention_in_days
 }
+
+resource "aws_cloudwatch_log_subscription_filter" "api_gateway_execution" {
+  name            = replace(aws_cloudwatch_log_group.api_gateway_execution.name, "/", "-")
+  log_group_name  = aws_cloudwatch_log_group.api_gateway_execution.name
+  filter_pattern  = ""
+  destination_arn = var.destination_arn
+  role_arn        = var.subscription_role_arn
+}
diff --git a/infrastructure/terraform/modules/backend-api/module_authorizer_lambda.tf b/infrastructure/terraform/modules/backend-api/module_authorizer_lambda.tf
@@ -19,6 +19,8 @@ module "authorizer_lambda" {
     USER_POOL_ID        = var.cognito_config["USER_POOL_ID"],
     USER_POOL_CLIENT_ID = var.cognito_config["USER_POOL_CLIENT_ID"],
   }
+  destination_arn       = var.destination_arn
+  subscription_role_arn = var.subscription_role_arn
 }
 
 module "authorizer_build" {
diff --git a/infrastructure/terraform/modules/backend-api/module_create_letter_template_lambda.tf b/infrastructure/terraform/modules/backend-api/module_create_letter_template_lambda.tf
@@ -16,6 +16,8 @@ module "create_letter_template_lambda" {
   environment_variables = local.backend_lambda_environment_variables
 
   execution_role_policy_document = data.aws_iam_policy_document.create_letter_template_lambda_policy.json
+  destination_arn                = var.destination_arn
+  subscription_role_arn          = var.subscription_role_arn
 }
 
 data "aws_iam_policy_document" "create_letter_template_lambda_policy" {
diff --git a/infrastructure/terraform/modules/backend-api/module_create_template_lambda.tf b/infrastructure/terraform/modules/backend-api/module_create_template_lambda.tf
@@ -15,6 +15,8 @@ module "create_template_lambda" {
   environment_variables = local.backend_lambda_environment_variables
 
   execution_role_policy_document = data.aws_iam_policy_document.create_template_lambda_policy.json
+  destination_arn                = var.destination_arn
+  subscription_role_arn          = var.subscription_role_arn
 }
 
 data "aws_iam_policy_document" "create_template_lambda_policy" {
diff --git a/infrastructure/terraform/modules/backend-api/module_delete_template_lambda.tf b/infrastructure/terraform/modules/backend-api/module_delete_template_lambda.tf
@@ -15,6 +15,8 @@ module "delete_template_lambda" {
   environment_variables = local.backend_lambda_environment_variables
 
   execution_role_policy_document = data.aws_iam_policy_document.delete_template_lambda_policy.json
+  destination_arn                = var.destination_arn
+  subscription_role_arn          = var.subscription_role_arn
 }
 
 data "aws_iam_policy_document" "delete_template_lambda_policy" {
diff --git a/infrastructure/terraform/modules/backend-api/module_get_template_lambda.tf b/infrastructure/terraform/modules/backend-api/module_get_template_lambda.tf
@@ -15,6 +15,8 @@ module "get_template_lambda" {
   environment_variables = local.backend_lambda_environment_variables
 
   execution_role_policy_document = data.aws_iam_policy_document.get_template_lambda_policy.json
+  destination_arn                = var.destination_arn
+  subscription_role_arn          = var.subscription_role_arn
 }
 
 data "aws_iam_policy_document" "get_template_lambda_policy" {
diff --git a/infrastructure/terraform/modules/backend-api/module_lambda_copy_scanned_object_to_internal.tf b/infrastructure/terraform/modules/backend-api/module_lambda_copy_scanned_object_to_internal.tf
@@ -11,6 +11,8 @@ module "lambda_copy_scanned_object_to_internal" {
   source_code_hash               = module.build_template_lambda.zips[local.backend_lambda_entrypoints.copy_scanned_object_to_internal].base64sha256
 
   environment_variables = local.backend_lambda_environment_variables
+  destination_arn       = var.destination_arn
+  subscription_role_arn = var.subscription_role_arn
 }
 
 data "aws_iam_policy_document" "copy_scanned_object_to_internal" {
diff --git a/infrastructure/terraform/modules/backend-api/module_lambda_delete_failed_scanned_object.tf b/infrastructure/terraform/modules/backend-api/module_lambda_delete_failed_scanned_object.tf
@@ -10,6 +10,8 @@ module "lambda_delete_failed_scanned_object" {
   log_retention_in_days          = var.log_retention_in_days
   source_code_hash               = module.build_template_lambda.zips[local.backend_lambda_entrypoints.delete_failed_scanned_object].base64sha256
   environment_variables          = local.backend_lambda_environment_variables
+  destination_arn                = var.destination_arn
+  subscription_role_arn          = var.subscription_role_arn
 }
 
 data "aws_iam_policy_document" "delete_failed_scanned_object" {
diff --git a/infrastructure/terraform/modules/backend-api/module_lambda_process_proof.tf b/infrastructure/terraform/modules/backend-api/module_lambda_process_proof.tf
@@ -12,8 +12,10 @@ module "lambda_process_proof" {
 
   environment_variables = local.backend_lambda_environment_variables
 
-  timeout     = 30
-  memory_size = 512
+  timeout               = 30
+  memory_size           = 512
+  destination_arn       = var.destination_arn
+  subscription_role_arn = var.subscription_role_arn
 }
 
 data "aws_iam_policy_document" "process_proof" {
diff --git a/infrastructure/terraform/modules/backend-api/module_lambda_request_proof.tf b/infrastructure/terraform/modules/backend-api/module_lambda_request_proof.tf
@@ -16,6 +16,8 @@ module "request_proof_lambda" {
   environment_variables = local.backend_lambda_environment_variables
 
   execution_role_policy_document = data.aws_iam_policy_document.request_proof_lambda_policy.json
+  destination_arn                = var.destination_arn
+  subscription_role_arn          = var.subscription_role_arn
 }
 
 data "aws_iam_policy_document" "request_proof_lambda_policy" {
diff --git a/infrastructure/terraform/modules/backend-api/module_lambda_send_letter_proof.tf b/infrastructure/terraform/modules/backend-api/module_lambda_send_letter_proof.tf
@@ -13,6 +13,8 @@ module "lambda_send_letter_proof" {
   log_retention_in_days = var.log_retention_in_days
 
   execution_role_policy_document = data.aws_iam_policy_document.send_letter_proof.json
+  destination_arn                = var.destination_arn
+  subscription_role_arn          = var.subscription_role_arn
 
   environment_variables = {
     CREDENTIALS_TTL_SECONDS = 900
diff --git a/infrastructure/terraform/modules/backend-api/module_lambda_set_letter_file_virus_scan_status_for_upload.tf b/infrastructure/terraform/modules/backend-api/module_lambda_set_letter_file_virus_scan_status_for_upload.tf
@@ -12,8 +12,10 @@ module "lambda_set_file_virus_scan_status_for_upload" {
 
   environment_variables = local.backend_lambda_environment_variables
 
-  timeout     = 20
-  memory_size = 512
+  timeout               = 20
+  memory_size           = 512
+  destination_arn       = var.destination_arn
+  subscription_role_arn = var.subscription_role_arn
 }
 
 data "aws_iam_policy_document" "set_file_virus_scan_status_for_upload" {
diff --git a/infrastructure/terraform/modules/backend-api/module_lambda_sftp_poll.tf b/infrastructure/terraform/modules/backend-api/module_lambda_sftp_poll.tf
@@ -29,6 +29,8 @@ module "lambda_sftp_poll" {
     subnet_ids         = data.aws_subnets.account_vpc_private_subnets.ids
     security_group_ids = [data.aws_security_group.account_vpc_sg_allow_sftp_egress.id]
   }
+  destination_arn       = var.destination_arn
+  subscription_role_arn = var.subscription_role_arn
 }
 
 data "aws_iam_policy_document" "sftp_poll" {
diff --git a/infrastructure/terraform/modules/backend-api/module_lambda_validate_letter_template_files.tf b/infrastructure/terraform/modules/backend-api/module_lambda_validate_letter_template_files.tf
@@ -15,7 +15,9 @@ module "lambda_validate_letter_template_files" {
     sqs_queue_arn = module.sqs_validate_letter_template_files.sqs_queue_arn
     batch_size    = 1
   }
-  timeout = 10
+  timeout               = 10
+  destination_arn       = var.destination_arn
+  subscription_role_arn = var.subscription_role_arn
 }
 
 data "aws_iam_policy_document" "validate_letter_template_files" {
diff --git a/infrastructure/terraform/modules/backend-api/module_list_template_lambda.tf b/infrastructure/terraform/modules/backend-api/module_list_template_lambda.tf
@@ -15,6 +15,8 @@ module "list_template_lambda" {
   environment_variables = local.backend_lambda_environment_variables
 
   execution_role_policy_document = data.aws_iam_policy_document.list_template_lambda_policy.json
+  destination_arn                = var.destination_arn
+  subscription_role_arn          = var.subscription_role_arn
 }
 
 data "aws_iam_policy_document" "list_template_lambda_policy" {
diff --git a/infrastructure/terraform/modules/backend-api/module_submit_template_lambda.tf b/infrastructure/terraform/modules/backend-api/module_submit_template_lambda.tf
@@ -15,6 +15,8 @@ module "submit_template_lambda" {
   environment_variables = local.backend_lambda_environment_variables
 
   execution_role_policy_document = data.aws_iam_policy_document.submit_template_lambda_policy.json
+  destination_arn                = var.destination_arn
+  subscription_role_arn          = var.subscription_role_arn
 }
 
 data "aws_iam_policy_document" "submit_template_lambda_policy" {
diff --git a/infrastructure/terraform/modules/backend-api/module_update_template_lambda.tf b/infrastructure/terraform/modules/backend-api/module_update_template_lambda.tf
@@ -15,6 +15,8 @@ module "update_template_lambda" {
   environment_variables = local.backend_lambda_environment_variables
 
   execution_role_policy_document = data.aws_iam_policy_document.update_template_lambda_policy.json
+  destination_arn                = var.destination_arn
+  subscription_role_arn          = var.subscription_role_arn
 }
 
 data "aws_iam_policy_document" "update_template_lambda_policy" {
diff --git a/infrastructure/terraform/modules/backend-api/variables.tf b/infrastructure/terraform/modules/backend-api/variables.tf
@@ -104,3 +104,13 @@ variable "parent_acct_environment" {
   type        = string
   description = "Name of the environment responsible for the acct resources used"
 }
+
+variable "destination_arn" {
+  type        = string
+  description = "The Observability Destination ARN"
+}
+
+variable "subscription_role_arn" {
+  type        = string
+  description = "The cloudwatch subscription role ARN"
+}
diff --git a/infrastructure/terraform/modules/lambda-function/cloudwatch_log_subscription_filter_firehose.tf b/infrastructure/terraform/modules/lambda-function/cloudwatch_log_subscription_filter_firehose.tf
@@ -0,0 +1,7 @@
+resource "aws_cloudwatch_log_subscription_filter" "firehose" {
+  name            = replace(aws_cloudwatch_log_group.lambda.name, "/", "-")
+  log_group_name  = aws_cloudwatch_log_group.lambda.name
+  filter_pattern  = var.filter_pattern
+  destination_arn = var.destination_arn
+  role_arn        = var.subscription_role_arn
+}
diff --git a/infrastructure/terraform/modules/lambda-function/variables.tf b/infrastructure/terraform/modules/lambda-function/variables.tf
@@ -94,3 +94,21 @@ variable "sqs_event_source_mapping" {
   })
   default = null
 }
+
+variable "filter_pattern" {
+  type        = string
+  description = "Filter pattern to use for the log subscription filter"
+  default     = ""
+}
+
+variable "destination_arn" {
+  type        = string
+  description = "Destination ARN to use for the log subscription filter"
+  default     = ""
+}
+
+variable "subscription_role_arn" {
+  type        = string
+  description = "The ARN of the IAM role to use for the log subscription filter"
+  default     = ""
+}

Original file line number	Diff line number	Diff line change
`@@ -21,4 +21,7 @@ module "backend_api" {`
`21`	`21`	`enable_letters = var.enable_letters`
`22`	`22`	`enable_proofing = var.enable_proofing`
`23`	`23`	`letter_suppliers = var.letter_suppliers`
	`24`	`+ destination_arn = "arn:aws:logs:${var.region}:${var.observability_account_id}:destination:nhs-notify-main-acct-firehose-logs"`
	`25`	`+ subscription_role_arn = local.acct.log_subscription_role_arn`
	`26`	`+`
`24`	`27`	`}`
Original file line number	Diff line number	Diff line change
`@@ -5,3 +5,11 @@ resource "aws_cloudwatch_log_group" "api_gateway_execution" {`
`5`	`5`	`)`
`6`	`6`	`retention_in_days = var.log_retention_in_days`
`7`	`7`	`}`
	`8`	`+`
	`9`	`+resource "aws_cloudwatch_log_subscription_filter" "api_gateway_execution" {`
	`10`	`+ name = replace(aws_cloudwatch_log_group.api_gateway_execution.name, "/", "-")`
	`11`	`+ log_group_name = aws_cloudwatch_log_group.api_gateway_execution.name`
	`12`	`+ filter_pattern = ""`
	`13`	`+ destination_arn = var.destination_arn`
	`14`	`+ role_arn = var.subscription_role_arn`
	`15`	`+}`
Original file line number	Diff line number	Diff line change
`@@ -19,6 +19,8 @@ module "authorizer_lambda" {`
`19`	`19`	`USER_POOL_ID = var.cognito_config["USER_POOL_ID"],`
`20`	`20`	`USER_POOL_CLIENT_ID = var.cognito_config["USER_POOL_CLIENT_ID"],`
`21`	`21`	`}`
	`22`	`+ destination_arn = var.destination_arn`
	`23`	`+ subscription_role_arn = var.subscription_role_arn`
`22`	`24`	`}`
`23`	`25`
`24`	`26`	`module "authorizer_build" {`
Original file line number	Diff line number	Diff line change
`@@ -16,6 +16,8 @@ module "create_letter_template_lambda" {`
`16`	`16`	`environment_variables = local.backend_lambda_environment_variables`
`17`	`17`
`18`	`18`	`execution_role_policy_document = data.aws_iam_policy_document.create_letter_template_lambda_policy.json`
	`19`	`+ destination_arn = var.destination_arn`
	`20`	`+ subscription_role_arn = var.subscription_role_arn`
`19`	`21`	`}`
`20`	`22`
`21`	`23`	`data "aws_iam_policy_document" "create_letter_template_lambda_policy" {`
Original file line number	Diff line number	Diff line change
`@@ -15,6 +15,8 @@ module "create_template_lambda" {`
`15`	`15`	`environment_variables = local.backend_lambda_environment_variables`
`16`	`16`
`17`	`17`	`execution_role_policy_document = data.aws_iam_policy_document.create_template_lambda_policy.json`
	`18`	`+ destination_arn = var.destination_arn`
	`19`	`+ subscription_role_arn = var.subscription_role_arn`
`18`	`20`	`}`
`19`	`21`
`20`	`22`	`data "aws_iam_policy_document" "create_template_lambda_policy" {`
Original file line number	Diff line number	Diff line change
`@@ -15,6 +15,8 @@ module "delete_template_lambda" {`
`15`	`15`	`environment_variables = local.backend_lambda_environment_variables`
`16`	`16`
`17`	`17`	`execution_role_policy_document = data.aws_iam_policy_document.delete_template_lambda_policy.json`
	`18`	`+ destination_arn = var.destination_arn`
	`19`	`+ subscription_role_arn = var.subscription_role_arn`
`18`	`20`	`}`
`19`	`21`
`20`	`22`	`data "aws_iam_policy_document" "delete_template_lambda_policy" {`
Original file line number	Diff line number	Diff line change
`@@ -15,6 +15,8 @@ module "get_template_lambda" {`
`15`	`15`	`environment_variables = local.backend_lambda_environment_variables`
`16`	`16`
`17`	`17`	`execution_role_policy_document = data.aws_iam_policy_document.get_template_lambda_policy.json`
	`18`	`+ destination_arn = var.destination_arn`
	`19`	`+ subscription_role_arn = var.subscription_role_arn`
`18`	`20`	`}`
`19`	`21`
`20`	`22`	`data "aws_iam_policy_document" "get_template_lambda_policy" {`
Original file line number	Diff line number	Diff line change
`@@ -11,6 +11,8 @@ module "lambda_copy_scanned_object_to_internal" {`
`11`	`11`	`source_code_hash = module.build_template_lambda.zips[local.backend_lambda_entrypoints.copy_scanned_object_to_internal].base64sha256`
`12`	`12`
`13`	`13`	`environment_variables = local.backend_lambda_environment_variables`
	`14`	`+ destination_arn = var.destination_arn`
	`15`	`+ subscription_role_arn = var.subscription_role_arn`
`14`	`16`	`}`
`15`	`17`
`16`	`18`	`data "aws_iam_policy_document" "copy_scanned_object_to_internal" {`
Original file line number	Diff line number	Diff line change
`@@ -10,6 +10,8 @@ module "lambda_delete_failed_scanned_object" {`
`10`	`10`	`log_retention_in_days = var.log_retention_in_days`
`11`	`11`	`source_code_hash = module.build_template_lambda.zips[local.backend_lambda_entrypoints.delete_failed_scanned_object].base64sha256`
`12`	`12`	`environment_variables = local.backend_lambda_environment_variables`
	`13`	`+ destination_arn = var.destination_arn`
	`14`	`+ subscription_role_arn = var.subscription_role_arn`
`13`	`15`	`}`
`14`	`16`
`15`	`17`	`data "aws_iam_policy_document" "delete_failed_scanned_object" {`