CCM-8197: Firehose Splunk Delivery

jamesthompson26-nhs · jamesthompson26-nhs · commit 1b11034e2309 · 2025-04-28T16:41:32.000+01:00
diff --git a/infrastructure/terraform/components/acct/cloudwatch_metrics_stream_to_obs_firehose.tf b/infrastructure/terraform/components/acct/cloudwatch_metrics_stream_to_obs_firehose.tf
@@ -0,0 +1,51 @@
+resource "aws_cloudwatch_metric_stream" "metrics_to_obs_firehose" {
+  name           = "metrics-to-obs-firehose"
+  role_arn       = aws_iam_role.metrics_to_obs_firehose_role.arn
+  firehose_arn   = "arn:aws:firehose:${var.region}:${var.observability_account_id}:deliverystream/nhs-notify-main-obs-splunk-metrics-firehose"
+  output_format  = "json"
+}
+
+resource "aws_iam_role" "metrics_to_obs_firehose_role" {
+  name               = "metric-stream-to-firehose-role"
+  assume_role_policy = data.aws_iam_policy_document.metric_stream_assume_role_policy.json
+}
+
+data "aws_iam_policy_document" "metric_stream_assume_role_policy" {
+  statement {
+    effect = "Allow"
+
+    principals {
+      type        = "Service"
+      identifiers = ["streams.metrics.cloudwatch.amazonaws.com"]
+    }
+
+    actions = ["sts:AssumeRole"]
+  }
+}
+
+resource "aws_iam_policy" "metrics_to_obs_firehose_policy" {
+  name        = "metric-stream-to-firehose-policy"
+  description = "Policy to allow CloudWatch Metric Stream to send data to Firehose"
+
+  policy = data.aws_iam_policy_document.metric_stream_firehose_policy.json
+}
+
+data "aws_iam_policy_document" "metric_stream_firehose_policy" {
+  statement {
+    effect = "Allow"
+
+    actions = [
+      "firehose:PutRecord",
+      "firehose:PutRecordBatch"
+    ]
+
+    resources = [
+      "arn:aws:firehose:${var.region}:${var.observability_account_id}:deliverystream/nhs-notify-main-obs-splunk-metrics-firehose"
+    ]
+  }
+}
+
+resource "aws_iam_role_policy_attachment" "metric_stream_to_firehose_attachment" {
+  role       = aws_iam_role.metrics_to_obs_firehose_role.name
+  policy_arn = aws_iam_policy.metrics_to_obs_firehose_policy.arn
+}
diff --git a/infrastructure/terraform/components/app/cloudwatch_log_group_amplify.tf b/infrastructure/terraform/components/app/cloudwatch_log_group_amplify.tf
@@ -2,3 +2,11 @@ resource "aws_cloudwatch_log_group" "amplify" {
   name              = "/aws/amplify/${aws_amplify_app.main.id}"
   retention_in_days = var.log_retention_in_days
 }
+
+resource "aws_cloudwatch_log_subscription_filter" "amplify_logs_to_firehose" {
+  name            = "${local.csi}-amplify-logs-to-firehose"
+  log_group_name  = aws_cloudwatch_log_group.amplify.name
+  filter_pattern  = ""
+  destination_arn = "arn:aws:logs:${var.region}:${var.observability_account_id}:destination:nhs-notify-main-obs-firehose-logs"
+  role_arn        = aws_iam_role.amplify_logs_to_firehose_role.arn
+}
