Feature/ccm 8197 cross account observability (#449)

Author: jamesthompson26-nhs

infrastructure/terraform/components/acct/README.md

@@ -21,6 +21,7 @@
 | <a name="input_kms_deletion_window"></a> [kms\_deletion\_window](#input\_kms\_deletion\_window) | When a kms key is deleted, how long should it wait in the pending deletion state? | `string` | `"30"` | no |
 | <a name="input_letter_suppliers"></a> [letter\_suppliers](#input\_letter\_suppliers) | Letter suppliers enabled in the account (across all environments) | <pre>map(object({<br/>    enable_polling   = bool<br/>    default_supplier = optional(bool)<br/>  }))</pre> | `{}` | no |
 | <a name="input_log_retention_in_days"></a> [log\_retention\_in\_days](#input\_log\_retention\_in\_days) | The retention period in days for the Cloudwatch Logs events to be retained, default of 0 is indefinite | `number` | `0` | no |
+| <a name="input_oam_sink_id"></a> [oam\_sink\_id](#input\_oam\_sink\_id) | The ID of the Cloudwatch OAM sink in the appropriate observability account. | `string` | `""` | no |
 | <a name="input_observability_account_id"></a> [observability\_account\_id](#input\_observability\_account\_id) | The Observability Account ID that needs access | `string` | n/a | yes |
 | <a name="input_project"></a> [project](#input\_project) | The name of the tfscaffold project | `string` | n/a | yes |
 | <a name="input_region"></a> [region](#input\_region) | The AWS Region | `string` | n/a | yes |
@@ -33,6 +34,7 @@
 | Name | Source | Version |
 |------|--------|---------|
 | <a name="module_kms_sandbox"></a> [kms\_sandbox](#module\_kms\_sandbox) | git::https://github.com/NHSDigital/nhs-notify-shared-modules.git//infrastructure/modules/kms | v1.0.8 |
+| <a name="module_obs_datasource"></a> [obs\_datasource](#module\_obs\_datasource) | git::https://github.com/NHSDigital/nhs-notify-shared-modules.git//infrastructure/modules/obs-datasource | v2.0.3 |
 | <a name="module_s3bucket_access_logs"></a> [s3bucket\_access\_logs](#module\_s3bucket\_access\_logs) | git::https://github.com/NHSDigital/nhs-notify-shared-modules.git//infrastructure/modules/s3bucket | v1.0.9 |
 | <a name="module_s3bucket_backup_reports"></a> [s3bucket\_backup\_reports](#module\_s3bucket\_backup\_reports) | git::https://github.com/NHSDigital/nhs-notify-shared-modules.git//infrastructure/modules/s3bucket | v1.0.8 |
 | <a name="module_vpc"></a> [vpc](#module\_vpc) | terraform-aws-modules/vpc/aws | 5.19.0 |

infrastructure/terraform/components/acct/iam_policy_github_deploy_overload.tf

@@ -23,6 +23,8 @@ data "aws_iam_policy_document" "github_deploy" {
       "cloudformation:*",
       "cognito-idp:*",
       "firehose:*",
+      "logs:*",
+      "oam:*",
       "pipes:*",
       "ses:*",
       "sns:*",

infrastructure/terraform/components/acct/module_obs_datasource.tf

@@ -0,0 +1,14 @@
+module "obs_datasource" {
+  source = "git::https://github.com/NHSDigital/nhs-notify-shared-modules.git//infrastructure/modules/obs-datasource?ref=v2.0.3"
+
+  name = "obs-datasource"
+
+  aws_account_id = var.aws_account_id
+  region         = var.region
+  project        = var.project
+  environment    = var.environment
+  component      = var.component
+
+  oam_sink_id               = var.oam_sink_id
+  observability_account_id  = var.observability_account_id
+}

infrastructure/terraform/components/acct/variables.tf

@@ -114,3 +114,9 @@ variable "letter_suppliers" {
 
   default = {}
 }
+
+variable "oam_sink_id" {
+  description = "The ID of the Cloudwatch OAM sink in the appropriate observability account."
+  type        = string
+  default     = ""
+}

infrastructure/terraform/components/app/cloudwatch_log_group_amplify.tf

@@ -2,3 +2,11 @@ resource "aws_cloudwatch_log_group" "amplify" {
   name              = "/aws/amplify/${aws_amplify_app.main.id}"
   retention_in_days = var.log_retention_in_days
 }
+
+resource "aws_cloudwatch_log_subscription_filter" "amplify" {
+  name            = "${local.csi}-amplify-${aws_amplify_app.main.id}"
+  log_group_name  = aws_cloudwatch_log_group.amplify.name
+  filter_pattern  = ""
+  destination_arn = "arn:aws:logs:${var.region}:${var.observability_account_id}:destination:nhs-notify-main-acct-firehose-logs"
+  role_arn        = local.acct.log_subscription_role_arn
+}