CCM-12417: PR Env destroy failure event rule (#763)

sidnhs · web-flow · commit 94f9c4683e32 · 2025-11-10T09:34:09.000Z
diff --git a/infrastructure/terraform/components/acct/README.md b/infrastructure/terraform/components/acct/README.md
@@ -18,6 +18,7 @@
 | <a name="input_cost_alarm_recipients"></a> [cost\_alarm\_recipients](#input\_cost\_alarm\_recipients) | A list of email addresses to receive alarm notifications | `list(string)` | `[]` | no |
 | <a name="input_cost_anomaly_threshold"></a> [cost\_anomaly\_threshold](#input\_cost\_anomaly\_threshold) | The threshold percentage for cost anomaly detection | `number` | `10` | no |
 | <a name="input_default_tags"></a> [default\_tags](#input\_default\_tags) | A map of default tags to apply to all taggable resources within the component | `map(string)` | `{}` | no |
+| <a name="input_enable_env_destroy_event_rule"></a> [enable\_env\_destroy\_event\_rule](#input\_enable\_env\_destroy\_event\_rule) | Toggles the creation of the CloudWatch Event Rule for environment destruction failures | `bool` | `false` | no |
 | <a name="input_environment"></a> [environment](#input\_environment) | The name of the tfscaffold environment | `string` | n/a | yes |
 | <a name="input_group"></a> [group](#input\_group) | The group variables are being inherited from (often synonmous with account short-name) | `string` | n/a | yes |
 | <a name="input_initial_cli_secrets_provision_override"></a> [initial\_cli\_secrets\_provision\_override](#input\_initial\_cli\_secrets\_provision\_override) | A map of default value to intialise SSM secret values with. Only useful for initial setup of the account due to lifecycle rules. | `map(string)` | `{}` | no |
diff --git a/infrastructure/terraform/components/acct/cloudwatch_event_rule_env_destroy.tf b/infrastructure/terraform/components/acct/cloudwatch_event_rule_env_destroy.tf
@@ -0,0 +1,52 @@
+resource "aws_cloudwatch_event_rule" "env_destroy" {
+  count = var.enable_env_destroy_event_rule ? 1 : 0
+  name        = "${local.csi}-env-destroy"
+  description = "Forwards Environment Destroy Failed events to Custom Event Bus in Observability Account"
+
+  event_pattern = jsonencode({
+    "source"      = ["notify.envDestroyFailed"],
+  })
+}
+
+resource "aws_cloudwatch_event_target" "env_destroy" {
+  count    = var.enable_env_destroy_event_rule ? 1 : 0
+  rule     = aws_cloudwatch_event_rule.env_destroy[0].name
+  arn      = local.event_bus_arn
+  role_arn = aws_iam_role.env_destroy[0].arn
+}
+
+resource "aws_iam_role" "env_destroy" {
+  count  = var.enable_env_destroy_event_rule ? 1 : 0
+  name = "${local.csi}-env-destroy"
+
+  assume_role_policy = jsonencode({
+    Version = "2012-10-17",
+    Statement = [{
+      Effect = "Allow",
+      Principal = {
+        Service = "events.amazonaws.com"
+      },
+      Action = "sts:AssumeRole"
+    }]
+  })
+}
+
+resource "aws_iam_policy" "env_destroy" {
+  count  = var.enable_env_destroy_event_rule ? 1 : 0
+  name = "${local.csi}-env-destroy"
+
+  policy = jsonencode({
+    Version = "2012-10-17",
+    Statement = [{
+      Effect   = "Allow",
+      Action   = "events:PutEvents",
+      Resource = local.event_bus_arn
+    }]
+  })
+}
+
+resource "aws_iam_role_policy_attachment" "env_destroy" {
+  count      = var.enable_env_destroy_event_rule ? 1 : 0
+  role       = aws_iam_role.env_destroy[0].name
+  policy_arn = aws_iam_policy.env_destroy[0].arn
+}
diff --git a/infrastructure/terraform/components/acct/variables.tf b/infrastructure/terraform/components/acct/variables.tf
@@ -138,3 +138,9 @@ variable "cost_anomaly_threshold" {
   description = "The threshold percentage for cost anomaly detection"
   default     = 10
 }
+
+variable "enable_env_destroy_event_rule" {
+  type        = bool
+  description = "Toggles the creation of the CloudWatch Event Rule for environment destruction failures"
+  default     = false
+}
