CCM-8197: Cross Account Observability

Author: jamesthompson26-nhs

infrastructure/terraform/components/acct/oam_link_cross_account_obs.tf

@@ -0,0 +1,52 @@
+resource "aws_oam_link" "cross_account_obs" {
+  label_template  = "$AccountName"
+  resource_types  = [
+    "AWS::CloudWatch::Metric",
+    "AWS::CloudWatch::Log"
+  ]
+  sink_identifier = "arn:aws:oam:eu-west-2:${var.observability_account_id}:sink/cef2cdf0-a47d-4269-bfe3-887188f60cb4" # pre.sh to avoid having to provide it?
+  tags            = var.default_tags
+}
+
+data "aws_iam_policy" "cloudwatch_read_only" {
+  name = "CloudWatchReadOnlyAccess"
+}
+
+data "aws_iam_policy" "cloudwatch_automatic_dashboards" {
+  name = "CloudWatchAutomaticDashboardsAccess"
+}
+
+data "aws_iam_policy" "aws_xray_read_only" {
+  name = "AWSXrayReadOnlyAccess"
+}
+
+data "aws_iam_policy_document" "cross_account_obs_assume_role_policy" {
+  statement {
+    effect = "Allow"
+    principals {
+      type        = "AWS"
+      identifiers = [var.observability_account_id]
+    }
+    actions = ["sts:AssumeRole"]
+  }
+}
+
+resource "aws_iam_role" "cross_account_obs_role" {
+  name               = "CloudWatch-CrossAccountSharingRole"
+  assume_role_policy = data.aws_iam_policy_document.cross_account_obs_assume_role_policy.json
+}
+
+resource "aws_iam_role_policy_attachment" "cloudwatch_read_only_attachment" {
+  policy_arn = data.aws_iam_policy.cloudwatch_read_only.arn
+  role       = aws_iam_role.cross_account_obs_role.name
+}
+
+resource "aws_iam_role_policy_attachment" "cloudwatch_automatic_dashboards_attachment" {
+  policy_arn = data.aws_iam_policy.cloudwatch_automatic_dashboards.arn
+  role       = aws_iam_role.cross_account_obs_role.name
+}
+
+resource "aws_iam_role_policy_attachment" "aws_xray_read_only_attachment" {
+  policy_arn = data.aws_iam_policy.aws_xray_read_only.arn
+  role       = aws_iam_role.cross_account_obs_role.name
+}