
Commit 72aa0f3

committed
CCM-11007: Adding log subscription for Splunk forwarding
1 parent 8ba6091 commit 72aa0f3

7 files changed

Lines changed: 40 additions & 8 deletions


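--- a/infrastructure/terraform/components/api/cloudwatch_log_group_api_gateway_access.tf
+++ b/infrastructure/terraform/components/api/cloudwatch_log_group_api_gateway_access.tf
@@ -2,3 +2,11 @@ resource "aws_cloudwatch_log_group" "api_gateway_access" {
 name = "/aws/api-gateway/${aws_api_gateway_rest_api.main.id}/${var.environment}/access-logs"
 retention_in_days = var.log_retention_in_days
 }
+
+resource "aws_cloudwatch_log_subscription_filter" "api_gateway_access" {
+name = replace(aws.cloudwatch_log_group.api_gateway_access.name, "/", "-")
+role_arn = local.acct.log_subscription_role_arn
+log_group_name = aws_cloudwatch_log_group.api_gateway_access.name
+filter_pattern = ""
+destination_arn = local.destination_arn
+}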
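Review bot: The `name` argument of the new subscription filter references `aws.cloudwatch_log_group.api_gateway_access.name`, with a dot after `aws` where the resource type needs an underscore, so it is not a valid resource address and should be rejected at validate or plan time. It should read `name = replace(aws_cloudwatch_log_group.api_gateway_access.name, "/", "-")`, matching the `log_group_name` line two lines below it. The same typo is on the `name` line of the filter added in cloudwatch_log_group_api_gateway_execution.tf. While it stands, the configuration is unlikely to apply, so the API Gateway logs would not reach the Splunk destination.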

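--- a/infrastructure/terraform/components/api/cloudwatch_log_group_api_gateway_execution.tf
+++ b/infrastructure/terraform/components/api/cloudwatch_log_group_api_gateway_execution.tf
@@ -5,3 +5,11 @@ resource "aws_cloudwatch_log_group" "api_gateway_execution" {
 )
 retention_in_days = var.log_retention_in_days
 }
+
+resource "aws_cloudwatch_log_subscription_filter" "api_gateway_execution" {
+name = replace(aws.cloudwatch_log_group.api_gateway_access.name, "/", "-")
+role_arn = local.acct.log_subscription_role_arn
+log_group_name = aws_cloudwatch_log_group.api_gateway_access.name
+filter_pattern = ""
+destination_arn = local.destination_arn
+}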
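Review bot: The `api_gateway_execution` filter is wired to the access log group: both `name` and `log_group_name` reference `api_gateway_access`, so the execution log group declared above it gets no subscription and its events never reach the Splunk destination. The two lines look copied from the access-log file and should be `name = replace(aws_cloudwatch_log_group.api_gateway_execution.name, "/", "-")` and `log_group_name = aws_cloudwatch_log_group.api_gateway_execution.name`. As written, this would also declare a second filter with the same name on the access log group, duplicating the one in cloudwatch_log_group_api_gateway_access.tf. The execution log group's own body starts outside the hunk.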
Lines changed: 9 additions & 7 deletions
@@ -1,10 +1,12 @@
11
locals {
2-
aws_lambda_functions_dir_path = "../../../../lambdas"
2+
aws_lambda_functions_dir_path = "../../../../lambdas"
33

4-
openapi_spec = templatefile("${path.module}/resources/spec.tmpl.json", {
5-
APIG_EXECUTION_ROLE_ARN = aws_iam_role.api_gateway_execution_role.arn
6-
AWS_REGION = var.region
7-
AUTHORIZER_LAMBDA_ARN = module.authorizer_lambda.function_arn
8-
HELLO_WORLD_LAMBDA_ARN = module.hello_world.function_arn
9-
})
4+
openapi_spec = templatefile("${path.module}/resources/spec.tmpl.json", {
5+
APIG_EXECUTION_ROLE_ARN = aws_iam_role.api_gateway_execution_role.arn
6+
AWS_REGION = var.region
7+
AUTHORIZER_LAMBDA_ARN = module.authorizer_lambda.function_arn
8+
HELLO_WORLD_LAMBDA_ARN = module.hello_world.function_arn
9+
})
10+
11+
destination_arn = "arn:aws:logs:${var.region}:${var.shared_infra_account_id}:destination:nhs-${var.environment}-obs-firehose-logs"
1012
}
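Review bot: The destination name in `destination_arn` is keyed on `var.environment`, while the role the filters assume comes from `local.acct`, and variables.tf describes `parent_acct_environment` as the environment that owns the acct resources for named dev environments. If the shared infrastructure account only publishes one destination per parent environment (not visible on this page), a named dev environment would point at a destination that does not exist and its subscription filters would fail to apply. Please confirm which name the shared account uses; if it is the parent one, the suffix should be `nhs-${var.parent_acct_environment}-obs-firehose-logs`. A one-line comment above the local, such as `# Cross-account CloudWatch Logs destination owned by the shared infrastructure account`, would also help readers.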

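--- a/infrastructure/terraform/components/api/module_authorizer_lambda.tf
+++ b/infrastructure/terraform/components/api/module_authorizer_lambda.tf
@@ -26,4 +26,8 @@ module "authorizer_lambda" {
 
 enable_lambda_insights = false
 force_lambda_code_deploy = var.force_lambda_code_deploy
+
+send_to_firehose = true
+log_destination_arn = local.destination_arn
+log_subscription_role_arn = local.acct.log_subscription_role_arn
 }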

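--- a/infrastructure/terraform/components/api/module_kms.tf
+++ b/infrastructure/terraform/components/api/module_kms.tf
@@ -2,7 +2,7 @@ module "kms" {
 source = "git::https://github.com/NHSDigital/nhs-notify-shared-modules.git//infrastructure/modules/kms?ref=v2.0.10"
 
 providers = {
-aws = aws
+aws = aws
 aws.us-east-1 = aws.us-east-1
 }
 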

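--- a/infrastructure/terraform/components/api/module_lambda_hello_world.tf
+++ b/infrastructure/terraform/components/api/module_lambda_hello_world.tf
@@ -31,6 +31,10 @@ module "hello_world" {
 force_lambda_code_deploy = var.force_lambda_code_deploy
 enable_lambda_insights = false
 
+send_to_firehose = true
+log_destination_arn = local.destination_arn
+log_subscription_role_arn = local.acct.log_subscription_role_arn
+
 lambda_env_vars = {
 }
 }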

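--- a/infrastructure/terraform/components/api/variables.tf
+++ b/infrastructure/terraform/components/api/variables.tf
@@ -80,3 +80,9 @@ variable "parent_acct_environment" {
 description = "Name of the environment responsible for the acct resources used, affects things like DNS zone. Useful for named dev environments"
 default = "main"
 }
+
+variable "shared_infra_account_id" {
+type = string
+description = "The AWS Account ID of the shared infrastructure account"
+default = "000000000000"
+}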
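Review bot: `shared_infra_account_id` defaults to the placeholder `"000000000000"`, so an environment that forgets to set it still plans, with the log destination ARN built from an account ID that is not the shared infrastructure account. Dropping the `default = "000000000000"` line makes the variable required and surfaces the omission before apply rather than as a failed or misdirected subscription. If a default has to stay for tooling reasons, a `validation` block that requires twelve digits and rejects the all-zero value would give the same protection.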
