NHSDigital · jamesthompson26-nhs · Mar 17, 2025 · Mar 14, 2025 · Mar 17, 2025 · Mar 17, 2025
@@ -19,6 +19,7 @@
 | <a name="input_group"></a> [group](#input\_group) | The group variables are being inherited from (often synonmous with account short-name) | `string` | n/a | yes |
 | <a name="input_initial_cli_secrets_provision_override"></a> [initial\_cli\_secrets\_provision\_override](#input\_initial\_cli\_secrets\_provision\_override) | A map of default value to intialise SSM secret values with. Only useful for initial setup of the account due to lifecycle rules. | `map(string)` | `{}` | no |
 | <a name="input_log_retention_in_days"></a> [log\_retention\_in\_days](#input\_log\_retention\_in\_days) | The retention period in days for the Cloudwatch Logs events to be retained, default of 0 is indefinite | `number` | `0` | no |
+| <a name="input_observability_account_id"></a> [observability\_account\_id](#input\_observability\_account\_id) | The Observability Account ID that needs access | `string` | n/a | yes |
 | <a name="input_project"></a> [project](#input\_project) | The name of the tfscaffold project | `string` | n/a | yes |
 | <a name="input_region"></a> [region](#input\_region) | The AWS Region | `string` | n/a | yes |
 | <a name="input_root_domain_name"></a> [root\_domain\_name](#input\_root\_domain\_name) | The service's root DNS root nameespace, like nonprod.nhsnotify.national.nhs.uk | `string` | `"nonprod.nhsnotify.national.nhs.uk"` | no |

@@ -0,0 +1,51 @@
+resource "aws_cloudwatch_event_rule" "aws_backup_errors" {
+  name          = "${local.csi}-aws-backup-errors"
+  description = "Forwards AWS Backup state changes to Custom Event Bus in Observability Account"
+
+  event_pattern = jsonencode({
+    source      = ["aws.backup"],
+    "detail-type" = ["Backup Job State Change", "Restore Job State Change", "Copy Job State Change"],
+    detail = {
+      state = ["FAILED", "ABORTED"]
+    }
+  })
+}
+
+resource "aws_cloudwatch_event_target" "aws_backup_errors" {
+  rule     = aws_cloudwatch_event_rule.aws_backup_errors.name
+  arn      = local.event_bus_arn
+  role_arn = aws_iam_role.aws_backup_errors.arn
+}
+
+resource "aws_iam_role" "aws_backup_errors" {
+  name = "${local.csi}-aws-backup-errors"
+
+  assume_role_policy = jsonencode({
+    Version = "2012-10-17",
+    Statement = [{
+      Effect = "Allow",
+      Principal = {
+        Service = "events.amazonaws.com"
+      },
+      Action = "sts:AssumeRole"
+    }]
+  })
+}
+
+resource "aws_iam_policy" "aws_backup_errors" {
+  name = "${local.csi}-aws-backup-errors"
+
+  policy = jsonencode({
+    Version = "2012-10-17",
+    Statement = [{
+      Effect   = "Allow",
+      Action   = "events:PutEvents",
+      Resource = local.event_bus_arn
+    }]
+  })
+}
+
+resource "aws_iam_role_policy_attachment" "aws_backup_errors" {
+  role       = aws_iam_role.aws_backup_errors.name
+  policy_arn = aws_iam_policy.aws_backup_errors.arn
+}
@@ -0,0 +1,48 @@
+resource "aws_cloudwatch_event_rule" "cloudwatch_alarms" {
+  name        = "${local.csi}-cloudwatch-alarm-fowarding"
+  description = "Forwards CloudWatch Alarm state changes to Custom Event Bus in Observability Account"
+
+  event_pattern = jsonencode({
+    "source"      = ["aws.cloudwatch"],
+    "detail-type" = ["CloudWatch Alarm State Change"]
+  })
+}
+
+resource "aws_cloudwatch_event_target" "cloudwatch_alarms" {
+  rule     = aws_cloudwatch_event_rule.cloudwatch_alarms.name
+  arn      = local.event_bus_arn
+  role_arn = aws_iam_role.cloudwatch_alarms.arn
+}
+
+resource "aws_iam_role" "cloudwatch_alarms" {
+  name = "${local.csi}-cloudwatch-alarms"
+
+  assume_role_policy = jsonencode({
+    Version = "2012-10-17",
+    Statement = [{
+      Effect = "Allow",
+      Principal = {
+        Service = "events.amazonaws.com"
+      },
+      Action = "sts:AssumeRole"
+    }]
+  })
+}
+
+resource "aws_iam_policy" "cloudwatch_alarms" {
+  name = "${local.csi}-cloudwatch-alarms"
+
+  policy = jsonencode({
+    Version = "2012-10-17",
+    Statement = [{
+      Effect   = "Allow",
+      Action   = "events:PutEvents",
+      Resource = local.event_bus_arn
+    }]
+  })
+}
+
+resource "aws_iam_role_policy_attachment" "cloudwatch_alarms" {
+  role       = aws_iam_role.cloudwatch_alarms.name
+  policy_arn = aws_iam_policy.cloudwatch_alarms.arn
+}
@@ -0,0 +1,3 @@
+locals {
+    event_bus_arn = "arn:aws:events:eu-west-2:${var.observability_account_id}:event-bus/nhs-notify-main-acct-alerts-bus"
+}
@@ -70,3 +70,8 @@ variable "initial_cli_secrets_provision_override" {
   # Usage like:
   #  ... -a apply -- -var initial_cli_secrets_provision_override={\"github_pat\":\"l0ngstr1ng"}
 }
+
+variable "observability_account_id" {
+  type        = string
+  description = "The Observability Account ID that needs access"
+}
@@ -1,5 +1,5 @@
 resource "aws_iam_role" "grafana_access" {
-  name               = replace("${local.csi}-grafana-cross-access-role", "-${var.component}", "")
+  name               = replace("${local.csi}-obs-cross-access-role", "-${var.component}", "")
   assume_role_policy = data.aws_iam_policy_document.observability_grafana_role_assume_role_policy.json
 }
 
@@ -18,7 +18,7 @@ data "aws_iam_policy_document" "observability_grafana_role_assume_role_policy" {
       variable = "aws:PrincipalArn"
 
       values = [
-        "arn:aws:iam::${var.observability_account_id}:role/*grafana-workspace-role"
+        "arn:aws:iam::${var.observability_account_id}:role/*obs-workspace-role"
       ]
     }
   }