CCM-8197: Cross Account Observability

jamesthompson26-nhs · jamesthompson26-nhs · commit fd42cf212844 · 2025-05-01T11:55:56.000+01:00
diff --git a/infrastructure/terraform/components/acct/README.md b/infrastructure/terraform/components/acct/README.md
@@ -21,6 +21,7 @@
 | <a name="input_kms_deletion_window"></a> [kms\_deletion\_window](#input\_kms\_deletion\_window) | When a kms key is deleted, how long should it wait in the pending deletion state? | `string` | `"30"` | no |
 | <a name="input_letter_suppliers"></a> [letter\_suppliers](#input\_letter\_suppliers) | Letter suppliers enabled in the account (across all environments) | <pre>map(object({<br/>    enable_polling   = bool<br/>    default_supplier = optional(bool)<br/>  }))</pre> | `{}` | no |
 | <a name="input_log_retention_in_days"></a> [log\_retention\_in\_days](#input\_log\_retention\_in\_days) | The retention period in days for the Cloudwatch Logs events to be retained, default of 0 is indefinite | `number` | `0` | no |
+| <a name="input_oam_sink_id"></a> [oam\_sink\_id](#input\_oam\_sink\_id) | The ID of the Cloudwatch OAM sink in the appropriate observability account. | `string` | `""` | no |
 | <a name="input_observability_account_id"></a> [observability\_account\_id](#input\_observability\_account\_id) | The Observability Account ID that needs access | `string` | n/a | yes |
 | <a name="input_project"></a> [project](#input\_project) | The name of the tfscaffold project | `string` | n/a | yes |
 | <a name="input_region"></a> [region](#input\_region) | The AWS Region | `string` | n/a | yes |
diff --git a/infrastructure/terraform/components/acct/iam_policy_github_deploy_overload.tf b/infrastructure/terraform/components/acct/iam_policy_github_deploy_overload.tf
@@ -23,6 +23,8 @@ data "aws_iam_policy_document" "github_deploy" {
       "cloudformation:*",
       "cognito-idp:*",
       "firehose:*",
+      "logs:*",
+      "oam:*",
       "pipes:*",
       "ses:*",
       "sns:*",
diff --git a/infrastructure/terraform/components/acct/oam_link_cross_account_obs.tf b/infrastructure/terraform/components/acct/oam_link_cross_account_obs.tf
@@ -0,0 +1,61 @@
+resource "aws_oam_link" "cross_account_obs" {
+  count           = var.oam_sink_id != "" ? 1 : 0
+  label_template  = "$AccountName"
+  resource_types  = [
+    "AWS::CloudWatch::Metric",
+    "AWS::Logs::LogGroup"
+  ]
+  sink_identifier = "arn:aws:oam:eu-west-2:${var.observability_account_id}:sink/${var.oam_sink_id}"
+  tags            = var.default_tags
+}
+
+data "aws_iam_policy" "cloudwatch_read_only" {
+  count = var.oam_sink_id != "" ? 1 : 0
+  name  = "CloudWatchReadOnlyAccess"
+}
+
+data "aws_iam_policy" "cloudwatch_automatic_dashboards" {
+  count = var.oam_sink_id != "" ? 1 : 0
+  name  = "CloudWatchAutomaticDashboardsAccess"
+}
+
+data "aws_iam_policy" "aws_xray_read_only" {
+  count = var.oam_sink_id != "" ? 1 : 0
+  name  = "AWSXrayReadOnlyAccess"
+}
+
+data "aws_iam_policy_document" "cross_account_obs_assume_role_policy" {
+  count = var.oam_sink_id != "" ? 1 : 0
+  statement {
+    effect = "Allow"
+    principals {
+      type        = "AWS"
+      identifiers = [var.observability_account_id]
+    }
+    actions = ["sts:AssumeRole"]
+  }
+}
+
+resource "aws_iam_role" "cross_account_obs_role" {
+  count              = var.oam_sink_id != "" ? 1 : 0
+  name               = "CloudWatch-CrossAccountSharingRole"
+  assume_role_policy = data.aws_iam_policy_document.cross_account_obs_assume_role_policy[0].json
+}
+
+resource "aws_iam_role_policy_attachment" "cloudwatch_read_only_attachment" {
+  count      = var.oam_sink_id != "" ? 1 : 0
+  policy_arn = data.aws_iam_policy.cloudwatch_read_only[0].arn
+  role       = aws_iam_role.cross_account_obs_role[0].name
+}
+
+resource "aws_iam_role_policy_attachment" "cloudwatch_automatic_dashboards_attachment" {
+  count      = var.oam_sink_id != "" ? 1 : 0
+  policy_arn = data.aws_iam_policy.cloudwatch_automatic_dashboards[0].arn
+  role       = aws_iam_role.cross_account_obs_role[0].name
+}
+
+resource "aws_iam_role_policy_attachment" "aws_xray_read_only_attachment" {
+  count      = var.oam_sink_id != "" ? 1 : 0
+  policy_arn = data.aws_iam_policy.aws_xray_read_only[0].arn
+  role       = aws_iam_role.cross_account_obs_role[0].name
+}
diff --git a/infrastructure/terraform/components/acct/variables.tf b/infrastructure/terraform/components/acct/variables.tf
@@ -114,3 +114,9 @@ variable "letter_suppliers" {
 
   default = {}
 }
+
+variable "oam_sink_id" {
+  description = "The ID of the Cloudwatch OAM sink in the appropriate observability account."
+  type        = string
+  default     = ""
+}
diff --git a/infrastructure/terraform/components/app/cloudwatch_log_group_amplify.tf b/infrastructure/terraform/components/app/cloudwatch_log_group_amplify.tf
@@ -2,3 +2,10 @@ resource "aws_cloudwatch_log_group" "amplify" {
   name              = "/aws/amplify/${aws_amplify_app.main.id}"
   retention_in_days = var.log_retention_in_days
 }
+
+resource "aws_cloudwatch_log_subscription_filter" "amplify" {
+  name            = "${local.csi}-amplify"
+  log_group_name  = aws_cloudwatch_log_group.amplify.name
+  filter_pattern  = ""
+  destination_arn = "arn:aws:logs:${var.region}:${var.observability_account_id}:destination:nhs-notify-main-acct-firehose-logs"
+}

Original file line number	Diff line number	Diff line change
`@@ -114,3 +114,9 @@ variable "letter_suppliers" {`
`114`	`114`
`115`	`115`	`default = {}`
`116`	`116`	`}`
	`117`	`+`
	`118`	`+variable "oam_sink_id" {`
	`119`	`+ description = "The ID of the Cloudwatch OAM sink in the appropriate observability account."`
	`120`	`+ type = string`
	`121`	`+ default = ""`
	`122`	`+}`