CCM-9868: Adding subfilter to lambda module

Author: sidnhs

infrastructure/terraform/components/app/module_backend_api.tf

@@ -18,10 +18,10 @@ module "backend_api" {
 
   enable_backup = var.destination_vault_arn != null ? true : false
 
-  enable_letters   = var.enable_letters
-  enable_proofing  = var.enable_proofing
-  letter_suppliers = var.letter_suppliers
-  destination_arn = "arn:aws:logs:${var.region}:${var.observability_account_id}:destination:nhs-notify-main-acct-firehose-logs"
-  subscription_role_arn = local.acct.log_subscription_role_arn
+  enable_letters                 = var.enable_letters
+  enable_proofing                = var.enable_proofing
+  letter_suppliers               = var.letter_suppliers
+  cloudwatch_log_destination_arn = "arn:aws:logs:${var.region}:${var.observability_account_id}:destination:nhs-notify-main-acct-firehose-logs"
+  log_subscription_role_arn      = local.acct.log_subscription_role_arn
 
 }

infrastructure/terraform/modules/backend-api/README.md

@@ -10,10 +10,10 @@ No requirements.
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | <a name="input_aws_account_id"></a> [aws\_account\_id](#input\_aws\_account\_id) | The AWS Account ID (numeric) | `string` | n/a | yes |
+| <a name="input_cloudwatch_log_destination_arn"></a> [cloudwatch\_log\_destination\_arn](#input\_cloudwatch\_log\_destination\_arn) | Destination ARN to use for the log subscription filter | `string` | `""` | no |
 | <a name="input_cognito_config"></a> [cognito\_config](#input\_cognito\_config) | Cognito config | <pre>object({<br/>    USER_POOL_ID : string,<br/>    USER_POOL_CLIENT_ID : string<br/>  })</pre> | n/a | yes |
 | <a name="input_component"></a> [component](#input\_component) | The variable encapsulating the name of this component | `string` | n/a | yes |
 | <a name="input_csi"></a> [csi](#input\_csi) | CSI from the parent component | `string` | n/a | yes |
-| <a name="input_destination_arn"></a> [destination\_arn](#input\_destination\_arn) | The Observability Destination ARN | `string` | n/a | yes |
 | <a name="input_dynamodb_kms_key_arn"></a> [dynamodb\_kms\_key\_arn](#input\_dynamodb\_kms\_key\_arn) | KMS Key ARN for encrypting DynamoDB data. If not given, a key will be created. | `string` | `""` | no |
 | <a name="input_enable_backup"></a> [enable\_backup](#input\_enable\_backup) | Enable Backups for the DynamoDB table? | `bool` | `true` | no |
 | <a name="input_enable_letters"></a> [enable\_letters](#input\_enable\_letters) | Enable letters feature flag | `bool` | n/a | yes |
@@ -23,11 +23,11 @@ No requirements.
 | <a name="input_kms_key_arn"></a> [kms\_key\_arn](#input\_kms\_key\_arn) | KMS Key ARN | `string` | n/a | yes |
 | <a name="input_letter_suppliers"></a> [letter\_suppliers](#input\_letter\_suppliers) | Letter suppliers enabled in the environment | <pre>map(object({<br/>    enable_polling   = bool<br/>    default_supplier = optional(bool)<br/>  }))</pre> | n/a | yes |
 | <a name="input_log_retention_in_days"></a> [log\_retention\_in\_days](#input\_log\_retention\_in\_days) | The retention period in days for the Cloudwatch Logs events to be retained, default of 0 is indefinite | `number` | `0` | no |
+| <a name="input_log_subscription_role_arn"></a> [log\_subscription\_role\_arn](#input\_log\_subscription\_role\_arn) | The ARN of the IAM role to use for the log subscription filter | `string` | `""` | no |
 | <a name="input_module"></a> [module](#input\_module) | The variable encapsulating the name of this module | `string` | `"api"` | no |
 | <a name="input_parent_acct_environment"></a> [parent\_acct\_environment](#input\_parent\_acct\_environment) | Name of the environment responsible for the acct resources used | `string` | n/a | yes |
 | <a name="input_project"></a> [project](#input\_project) | The name of the tfscaffold project | `string` | n/a | yes |
 | <a name="input_region"></a> [region](#input\_region) | The AWS Region | `string` | n/a | yes |
-| <a name="input_subscription_role_arn"></a> [subscription\_role\_arn](#input\_subscription\_role\_arn) | The cloudwatch subscription role ARN | `string` | n/a | yes |
 ## Modules
 
 | Name | Source | Version |

infrastructure/terraform/modules/backend-api/cloudwatch_log_group_api_gateway_access.tf

@@ -7,6 +7,6 @@ resource "aws_cloudwatch_log_subscription_filter" "api_gateway_access" {
   name            = replace(aws_cloudwatch_log_group.api_gateway_access.name, "/", "-")
   log_group_name  = aws_cloudwatch_log_group.api_gateway_access.name
   filter_pattern  = ""
-  destination_arn = var.destination_arn
-  role_arn        = var.subscription_role_arn
+  destination_arn = var.cloudwatch_log_destination_arn
+  role_arn        = var.log_subscription_role_arn
 }

infrastructure/terraform/modules/backend-api/cloudwatch_log_group_api_gateway_execution.tf

@@ -10,6 +10,6 @@ resource "aws_cloudwatch_log_subscription_filter" "api_gateway_execution" {
   name            = replace(aws_cloudwatch_log_group.api_gateway_execution.name, "/", "-")
   log_group_name  = aws_cloudwatch_log_group.api_gateway_execution.name
   filter_pattern  = ""
-  destination_arn = var.destination_arn
-  role_arn        = var.subscription_role_arn
+  destination_arn = var.cloudwatch_log_destination_arn
+  role_arn        = var.log_subscription_role_arn
 }

infrastructure/terraform/modules/backend-api/module_authorizer_lambda.tf

@@ -19,8 +19,8 @@ module "authorizer_lambda" {
     USER_POOL_ID        = var.cognito_config["USER_POOL_ID"],
     USER_POOL_CLIENT_ID = var.cognito_config["USER_POOL_CLIENT_ID"],
   }
-  destination_arn       = var.destination_arn
-  subscription_role_arn = var.subscription_role_arn
+  cloudwatch_log_destination_arn = var.cloudwatch_log_destination_arn
+  log_subscription_role_arn      = var.log_subscription_role_arn
 }
 
 module "authorizer_build" {

infrastructure/terraform/modules/backend-api/module_create_letter_template_lambda.tf

@@ -16,8 +16,8 @@ module "create_letter_template_lambda" {
   environment_variables = local.backend_lambda_environment_variables
 
   execution_role_policy_document = data.aws_iam_policy_document.create_letter_template_lambda_policy.json
-  destination_arn                = var.destination_arn
-  subscription_role_arn          = var.subscription_role_arn
+  cloudwatch_log_destination_arn = var.cloudwatch_log_destination_arn
+  log_subscription_role_arn      = var.log_subscription_role_arn
 }
 
 data "aws_iam_policy_document" "create_letter_template_lambda_policy" {

infrastructure/terraform/modules/backend-api/module_create_template_lambda.tf

@@ -15,8 +15,8 @@ module "create_template_lambda" {
   environment_variables = local.backend_lambda_environment_variables
 
   execution_role_policy_document = data.aws_iam_policy_document.create_template_lambda_policy.json
-  destination_arn                = var.destination_arn
-  subscription_role_arn          = var.subscription_role_arn
+  cloudwatch_log_destination_arn = var.cloudwatch_log_destination_arn
+  log_subscription_role_arn      = var.log_subscription_role_arn
 }
 
 data "aws_iam_policy_document" "create_template_lambda_policy" {

infrastructure/terraform/modules/backend-api/module_delete_template_lambda.tf

@@ -15,8 +15,8 @@ module "delete_template_lambda" {
   environment_variables = local.backend_lambda_environment_variables
 
   execution_role_policy_document = data.aws_iam_policy_document.delete_template_lambda_policy.json
-  destination_arn                = var.destination_arn
-  subscription_role_arn          = var.subscription_role_arn
+  cloudwatch_log_destination_arn = var.cloudwatch_log_destination_arn
+  log_subscription_role_arn      = var.log_subscription_role_arn
 }
 
 data "aws_iam_policy_document" "delete_template_lambda_policy" {

infrastructure/terraform/modules/backend-api/module_get_template_lambda.tf

@@ -15,8 +15,8 @@ module "get_template_lambda" {
   environment_variables = local.backend_lambda_environment_variables
 
   execution_role_policy_document = data.aws_iam_policy_document.get_template_lambda_policy.json
-  destination_arn                = var.destination_arn
-  subscription_role_arn          = var.subscription_role_arn
+  cloudwatch_log_destination_arn = var.cloudwatch_log_destination_arn
+  log_subscription_role_arn      = var.log_subscription_role_arn
 }
 
 data "aws_iam_policy_document" "get_template_lambda_policy" {

infrastructure/terraform/modules/backend-api/module_lambda_copy_scanned_object_to_internal.tf

@@ -10,9 +10,9 @@ module "lambda_copy_scanned_object_to_internal" {
   log_retention_in_days          = var.log_retention_in_days
   source_code_hash               = module.build_template_lambda.zips[local.backend_lambda_entrypoints.copy_scanned_object_to_internal].base64sha256
 
-  environment_variables = local.backend_lambda_environment_variables
-  destination_arn       = var.destination_arn
-  subscription_role_arn = var.subscription_role_arn
+  environment_variables          = local.backend_lambda_environment_variables
+  cloudwatch_log_destination_arn = var.cloudwatch_log_destination_arn
+  log_subscription_role_arn      = var.log_subscription_role_arn
 }
 
 data "aws_iam_policy_document" "copy_scanned_object_to_internal" {