CCM-8197: Cross Account Observability

jamesthompson26-nhs · jamesthompson26-nhs · commit 3252fae959d2 · 2025-05-01T14:19:33.000+01:00
diff --git a/infrastructure/terraform/components/acct/README.md b/infrastructure/terraform/components/acct/README.md
@@ -43,6 +43,7 @@
 |------|-------------|
 | <a name="output_dns_zone"></a> [dns\_zone](#output\_dns\_zone) | n/a |
 | <a name="output_github_pat_ssm_param_name"></a> [github\_pat\_ssm\_param\_name](#output\_github\_pat\_ssm\_param\_name) | n/a |
+| <a name="output_log_subscription_role_arn"></a> [log\_subscription\_role\_arn](#output\_log\_subscription\_role\_arn) | The ARN of the log subscription IAM role. |
 | <a name="output_s3_buckets"></a> [s3\_buckets](#output\_s3\_buckets) | n/a |
 | <a name="output_vpc_nat_ips"></a> [vpc\_nat\_ips](#output\_vpc\_nat\_ips) | n/a |
 | <a name="output_vpc_subnets"></a> [vpc\_subnets](#output\_vpc\_subnets) | n/a |
diff --git a/infrastructure/terraform/components/acct/iam_role_log_subscription_role.tf b/infrastructure/terraform/components/acct/iam_role_log_subscription_role.tf
@@ -0,0 +1,42 @@
+resource "aws_iam_role" "log_subscription_role" {
+  name = "${local.csi}-log-subscription-role"
+
+  assume_role_policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Effect = "Allow"
+        Principal = {
+          Service = "logs.${var.region}.amazonaws.com"
+        }
+        Action = "sts:AssumeRole"
+      }
+    ]
+  })
+}
+
+resource "aws_iam_policy" "log_subscription_policy" {
+  name        = "${local.csi}-log-subscription-policy"
+  description = "Policy for log subscription to send logs to the destination"
+
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Effect = "Allow"
+        Action = [
+          "logs:PutSubscriptionFilter",
+          "logs:DescribeLogGroups",
+          "logs:DescribeLogStreams",
+          "logs:PutLogEvents"
+        ]
+        Resource = "*"
+      }
+    ]
+  })
+}
+
+resource "aws_iam_role_policy_attachment" "log_subscription_policy_attachment" {
+  role       = aws_iam_role.log_subscription_role.name
+  policy_arn = aws_iam_policy.log_subscription_policy.arn
+}
diff --git a/infrastructure/terraform/components/acct/outputs.tf b/infrastructure/terraform/components/acct/outputs.tf
@@ -30,3 +30,8 @@ output "vpc_subnets" {
 output "vpc_nat_ips" {
   value = module.vpc.nat_public_ips
 }
+
+output "log_subscription_role_arn" {
+  description = "The ARN of the log subscription IAM role."
+  value       = aws_iam_role.log_subscription_role.arn
+}
diff --git a/infrastructure/terraform/components/app/cloudwatch_log_group_amplify.tf b/infrastructure/terraform/components/app/cloudwatch_log_group_amplify.tf
@@ -8,4 +8,5 @@ resource "aws_cloudwatch_log_subscription_filter" "amplify" {
   log_group_name  = aws_cloudwatch_log_group.amplify.name
   filter_pattern  = ""
   destination_arn = "arn:aws:logs:${var.region}:${var.observability_account_id}:destination:nhs-notify-main-acct-firehose-logs"
+  role_arn        = local.acct.log_subscription_role_arn
 }

Original file line number	Diff line number	Diff line change
`@@ -30,3 +30,8 @@ output "vpc_subnets" {`
`30`	`30`	`output "vpc_nat_ips" {`
`31`	`31`	`value = module.vpc.nat_public_ips`
`32`	`32`	`}`
	`33`	`+`
	`34`	`+output "log_subscription_role_arn" {`
	`35`	`+ description = "The ARN of the log subscription IAM role."`
	`36`	`+ value = aws_iam_role.log_subscription_role.arn`
	`37`	`+}`
Original file line number	Diff line number	Diff line change
`@@ -8,4 +8,5 @@ resource "aws_cloudwatch_log_subscription_filter" "amplify" {`
`8`	`8`	`log_group_name = aws_cloudwatch_log_group.amplify.name`
`9`	`9`	`filter_pattern = ""`
`10`	`10`	`destination_arn = "arn:aws:logs:${var.region}:${var.observability_account_id}:destination:nhs-notify-main-acct-firehose-logs"`
	`11`	`+ role_arn = local.acct.log_subscription_role_arn`
`11`	`12`	`}`