wellcomecollection / platform-infrastructure

:building_construction: Infrastructure for the Wellcome Digital Platform

Digitisation lambda logging #441

Closed paul-butcher closed 1 month ago

paul-butcher commented 2 months ago

What's changing and why?

This adds the log forwarder SSM parameter to the digitisation account and updates Kinesis in the platform account, so that digitisation Lambdas can forward logs to our common logging platform.

terraform plan diff

  # aws_ssm_parameter.log_destination_arn_digitisation will be created
  + resource "aws_ssm_parameter" "log_destination_arn_digitisation" {
      + arn            = (known after apply)
      + data_type      = (known after apply)
      + id             = (known after apply)
      + insecure_value = (known after apply)
      + key_id         = (known after apply)
      + name           = "/logging/forwarder/destination_arn"
      + tags_all       = {
          + "TerraformConfigurationURL" = "https://github.com/wellcomecollection/platform-infrastructure/tree/main/critical"
        }
      + tier           = (known after apply)
      + type           = "String"
      + value          = (sensitive value)
      + version        = (known after apply)
    }

  # module.kinesis_log_destination.aws_cloudwatch_log_destination_policy.cross_account_subscriptions will be updated in-place
  ~ resource "aws_cloudwatch_log_destination_policy" "cross_account_subscriptions" {
      ~ access_policy    = jsonencode(
          ~ {
              ~ Statement = [
                  ~ {
                      ~ Principal = {
                          ~ AWS = [
                                # (4 unchanged elements hidden)
                                "653428163053",
                              + "404315009621",
                                "299497370133",
                                # (2 unchanged elements hidden)
                            ]
                        }
                      - Sid       = ""
                        # (3 unchanged attributes hidden)
                    },
                ]
                # (1 unchanged attribute hidden)
            }
        )
        id               = "elasticsearch-forwarder-logs"
        # (1 unchanged attribute hidden)
    }
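Review bot: The new `"404315009621"` entry in the `cross_account_subscriptions` Principal list is a bare account ID, so any identity in that account holding `logs:PutSubscriptionFilter` can attach any of its log groups to the shared `elasticsearch-forwarder-logs` destination, not only the digitisation Lambdas. The statement's Action and Resource are among the hidden unchanged attributes, so confirm they are limited to subscription-filter creation on this one destination. The matching `arn:aws:logs:eu-west-1:404315009621:*` entry in the `cloudwatch_to_kinesis_role` trust condition is equally account-wide, so the two lists need to stay in step. Whatever the new account subscribes lands in the common logging platform, so it is worth checking that the digitisation Lambda logs carry no credentials or personal data before the filters are enabled. The `- Sid = ""` removals in both resources look like unrelated normalisation drift; a line in the description saying so would help.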

  # module.kinesis_log_destination.aws_iam_role.cloudwatch_to_kinesis_role will be updated in-place
  ~ resource "aws_iam_role" "cloudwatch_to_kinesis_role" {
      ~ assume_role_policy    = jsonencode(
          ~ {
              ~ Statement = [
                  ~ {
                      ~ Condition = {
                          ~ StringLike = {
                              ~ "aws:SourceArn" = [
                                    # (2 unchanged elements hidden)
                                    "arn:aws:logs:eu-west-1:299497370133:*",
                                  + "arn:aws:logs:eu-west-1:404315009621:*",
                                    "arn:aws:logs:eu-west-1:653428163053:*",
                                    # (4 unchanged elements hidden)
                                ]
                            }
                        }
                      - Sid       = ""
                        # (3 unchanged attributes hidden)
                    },
                ]
                # (1 unchanged attribute hidden)
            }
        )
        id                    = "elasticsearch-forwarder-logs-role"
        name                  = "elasticsearch-forwarder-logs-role"
        tags                  = {}
        # (11 unchanged attributes hidden)

        # (1 unchanged block hidden)
    }