CCM-9868: splunk subscription (#475)

Author: sidnhs

infrastructure/terraform/components/app/module_backend_api.tf

@@ -18,7 +18,10 @@ module "backend_api" {
 
   enable_backup = var.destination_vault_arn != null ? true : false
 
-  enable_letters   = var.enable_letters
-  enable_proofing  = var.enable_proofing
-  letter_suppliers = var.letter_suppliers
+  enable_letters                 = var.enable_letters
+  enable_proofing                = var.enable_proofing
+  letter_suppliers               = var.letter_suppliers
+  log_destination_arn = "arn:aws:logs:${var.region}:${var.observability_account_id}:destination:nhs-notify-main-acct-firehose-logs"
+  log_subscription_role_arn      = local.acct.log_subscription_role_arn
+
 }

infrastructure/terraform/modules/backend-api/README.md

@@ -21,7 +21,9 @@ No requirements.
 | <a name="input_group"></a> [group](#input\_group) | The group variables are being inherited from (often synonmous with account short-name) | `string` | n/a | yes |
 | <a name="input_kms_key_arn"></a> [kms\_key\_arn](#input\_kms\_key\_arn) | KMS Key ARN | `string` | n/a | yes |
 | <a name="input_letter_suppliers"></a> [letter\_suppliers](#input\_letter\_suppliers) | Letter suppliers enabled in the environment | <pre>map(object({<br/>    enable_polling   = bool<br/>    default_supplier = optional(bool)<br/>  }))</pre> | n/a | yes |
+| <a name="input_log_destination_arn"></a> [log\_destination\_arn](#input\_log\_destination\_arn) | Destination ARN to use for the log subscription filter | `string` | `""` | no |
 | <a name="input_log_retention_in_days"></a> [log\_retention\_in\_days](#input\_log\_retention\_in\_days) | The retention period in days for the Cloudwatch Logs events to be retained, default of 0 is indefinite | `number` | `0` | no |
+| <a name="input_log_subscription_role_arn"></a> [log\_subscription\_role\_arn](#input\_log\_subscription\_role\_arn) | The ARN of the IAM role to use for the log subscription filter | `string` | `""` | no |
 | <a name="input_module"></a> [module](#input\_module) | The variable encapsulating the name of this module | `string` | `"api"` | no |
 | <a name="input_parent_acct_environment"></a> [parent\_acct\_environment](#input\_parent\_acct\_environment) | Name of the environment responsible for the acct resources used | `string` | n/a | yes |
 | <a name="input_project"></a> [project](#input\_project) | The name of the tfscaffold project | `string` | n/a | yes |

infrastructure/terraform/modules/backend-api/cloudwatch_log_group_api_gateway_access.tf

@@ -2,3 +2,12 @@ resource "aws_cloudwatch_log_group" "api_gateway_access" {
   name              = "/aws/api-gateway/${aws_api_gateway_rest_api.main.id}/${var.environment}/access-logs"
   retention_in_days = var.log_retention_in_days
 }
+
+resource "aws_cloudwatch_log_subscription_filter" "api_gateway_access" {
+  count = var.log_destination_arn != "" ? 1 : 0
+  name            = replace(aws_cloudwatch_log_group.api_gateway_access.name, "/", "-")
+  log_group_name  = aws_cloudwatch_log_group.api_gateway_access.name
+  filter_pattern  = ""
+  destination_arn = var.log_destination_arn
+  role_arn        = var.log_subscription_role_arn
+}

infrastructure/terraform/modules/backend-api/cloudwatch_log_group_api_gateway_execution.tf

@@ -5,3 +5,12 @@ resource "aws_cloudwatch_log_group" "api_gateway_execution" {
   )
   retention_in_days = var.log_retention_in_days
 }
+
+resource "aws_cloudwatch_log_subscription_filter" "api_gateway_execution" {
+  count = var.log_destination_arn != "" ? 1 : 0
+  name            = replace(aws_cloudwatch_log_group.api_gateway_execution.name, "/", "-")
+  log_group_name  = aws_cloudwatch_log_group.api_gateway_execution.name
+  filter_pattern  = ""
+  destination_arn = var.log_destination_arn
+  role_arn        = var.log_subscription_role_arn
+}

infrastructure/terraform/modules/backend-api/module_authorizer_lambda.tf

@@ -19,6 +19,8 @@ module "authorizer_lambda" {
     USER_POOL_ID        = var.cognito_config["USER_POOL_ID"],
     USER_POOL_CLIENT_ID = var.cognito_config["USER_POOL_CLIENT_ID"],
   }
+  log_destination_arn = var.log_destination_arn
+  log_subscription_role_arn      = var.log_subscription_role_arn
 }
 
 module "authorizer_build" {

infrastructure/terraform/modules/backend-api/module_create_letter_template_lambda.tf

@@ -16,6 +16,8 @@ module "create_letter_template_lambda" {
   environment_variables = local.backend_lambda_environment_variables
 
   execution_role_policy_document = data.aws_iam_policy_document.create_letter_template_lambda_policy.json
+  log_destination_arn = var.log_destination_arn
+  log_subscription_role_arn      = var.log_subscription_role_arn
 }
 
 data "aws_iam_policy_document" "create_letter_template_lambda_policy" {

infrastructure/terraform/modules/backend-api/module_create_template_lambda.tf

@@ -15,6 +15,8 @@ module "create_template_lambda" {
   environment_variables = local.backend_lambda_environment_variables
 
   execution_role_policy_document = data.aws_iam_policy_document.create_template_lambda_policy.json
+  log_destination_arn = var.log_destination_arn
+  log_subscription_role_arn      = var.log_subscription_role_arn
 }
 
 data "aws_iam_policy_document" "create_template_lambda_policy" {

infrastructure/terraform/modules/backend-api/module_delete_template_lambda.tf

@@ -15,6 +15,8 @@ module "delete_template_lambda" {
   environment_variables = local.backend_lambda_environment_variables
 
   execution_role_policy_document = data.aws_iam_policy_document.delete_template_lambda_policy.json
+  log_destination_arn = var.log_destination_arn
+  log_subscription_role_arn      = var.log_subscription_role_arn
 }
 
 data "aws_iam_policy_document" "delete_template_lambda_policy" {

infrastructure/terraform/modules/backend-api/module_get_template_lambda.tf

@@ -15,6 +15,8 @@ module "get_template_lambda" {
   environment_variables = local.backend_lambda_environment_variables
 
   execution_role_policy_document = data.aws_iam_policy_document.get_template_lambda_policy.json
+  log_destination_arn = var.log_destination_arn
+  log_subscription_role_arn      = var.log_subscription_role_arn
 }
 
 data "aws_iam_policy_document" "get_template_lambda_policy" {

infrastructure/terraform/modules/backend-api/module_lambda_copy_scanned_object_to_internal.tf

@@ -10,7 +10,9 @@ module "lambda_copy_scanned_object_to_internal" {
   log_retention_in_days          = var.log_retention_in_days
   source_code_hash               = module.build_template_lambda.zips[local.backend_lambda_entrypoints.copy_scanned_object_to_internal].base64sha256
 
-  environment_variables = local.backend_lambda_environment_variables
+  environment_variables          = local.backend_lambda_environment_variables
+  log_destination_arn = var.log_destination_arn
+  log_subscription_role_arn      = var.log_subscription_role_arn
 }
 
 data "aws_iam_policy_document" "copy_scanned_object_to_internal" {