diff --git a/.tool-versions b/.tool-versions
index 5a59821f..2c67f30a 100644
--- a/.tool-versions
+++ b/.tool-versions
@@ -12,8 +12,8 @@ trivy 0.61.0
 # The section below is reserved for Docker image versions.
 # TODO: Move this section - consider using a different file for the repository template dependencies.
-# docker/ghcr.io/anchore/grype v0.69.1@sha256:d41fcb371d0af59f311e72123dff46900ebd6d0482391b5a830853ee4f9d1a76 # SEE: https://github.com/anchore/grype/pkgs/container/grype
-# docker/ghcr.io/anchore/syft v0.92.0@sha256:63c60f0a21efb13e80aa1359ab243e49213b6cc2d7e0f8179da38e6913b997e0 # SEE: https://github.com/anchore/syft/pkgs/container/syft
+# docker/ghcr.io/anchore/grype v0.92.2@sha256:651e558f9ba84f2a790b3449c8a57cbbf4f34e004f7d3f14ae8f8cbeede4cd33 # SEE: https://github.com/anchore/grype/pkgs/container/grype
+# docker/ghcr.io/anchore/syft v1.26.0@sha256:de078f51704a213906970b1475edd6006b8af50aa159852e125518237487b8c6 # SEE: https://github.com/anchore/syft/pkgs/container/syft
 # docker/ghcr.io/gitleaks/gitleaks v8.18.0@sha256:fd2b5cab12b563d2cc538b14631764a1c25577780e3b7dba71657d58da45d9d9 # SEE: https://github.com/gitleaks/gitleaks/pkgs/container/gitleaks
 # docker/ghcr.io/igorshubovych/markdownlint-cli v0.37.0@sha256:fb3e79946fce78e1cde84d6798c6c2a55f2de11fc16606a40d49411e281d950d # SEE: https://github.com/igorshubovych/markdownlint-cli/pkgs/container/markdownlint-cli
 # docker/ghcr.io/make-ops-tools/gocloc latest@sha256:6888e62e9ae693c4ebcfed9f1d86c70fd083868acb8815fe44b561b9a73b5032 # SEE: https://github.com/make-ops-tools/gocloc/pkgs/container/gocloc
diff --git a/infrastructure/terraform/components/acct/README.md b/infrastructure/terraform/components/acct/README.md
index 428b2df3..641a0dec 100644
--- a/infrastructure/terraform/components/acct/README.md
+++ b/infrastructure/terraform/components/acct/README.md
@@ -18,17 +18,21 @@
 | [default\_tags](#input\_default\_tags) | A map of default tags to apply to all taggable resources within the component | `map(string)` | `{}` | no |
 | [environment](#input\_environment) | The name of the tfscaffold environment | `string` | n/a | yes |
 | [group](#input\_group) | The group variables are being inherited from (often synonmous with account short-name) | `string` | n/a | yes |
-| [observability\_account\_id](#input\_observability\_account\_id) | The Observability Account ID that needs access | `string` | n/a | yes |
+| [oam\_sink\_id](#input\_oam\_sink\_id) | The ID of the Cloudwatch OAM sink in the appropriate observability account. | `string` | `null` | no |
+| [observability\_account\_id](#input\_observability\_account\_id) | The Observability Account ID that needs access | `string` | `null` | no |
 | [project](#input\_project) | The name of the tfscaffold project | `string` | n/a | yes |
 | [region](#input\_region) | The AWS Region | `string` | n/a | yes |
 ## Modules
-No modules.
+| Name | Source | Version |
+|------|--------|---------|
+| [obs\_datasource](#module\_obs\_datasource) | git::https://github.com/NHSDigital/nhs-notify-shared-modules.git//infrastructure/modules/obs-datasource | v2.0.3 |
 ## Outputs
 | Name | Description |
 |------|-------------|
 | [aws\_account\_id](#output\_aws\_account\_id) | n/a |
+| [log\_subscription\_role\_arn](#output\_log\_subscription\_role\_arn) | n/a |
diff --git a/infrastructure/terraform/components/acct/iam_policy_github_deploy_overload.tf b/infrastructure/terraform/components/acct/iam_policy_github_deploy_overload.tf
index 458bfae2..e99216be 100644
--- a/infrastructure/terraform/components/acct/iam_policy_github_deploy_overload.tf
+++ b/infrastructure/terraform/components/acct/iam_policy_github_deploy_overload.tf
@@ -19,6 +19,7 @@ data "aws_iam_policy_document" "github_deploy" {
 "firehose:*",
 "glue:*",
 "kinesis:*",
+ "oam:*",
 ]
 resources = ["*"]
 }
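Review bot: `"oam:*"` on `resources = ["*"]` lets the GitHub deploy role create and re-point OAM sinks and sink policies as well as links, which is the sink-side of the cross-account boundary this change introduces and should live only in the observability account. The surrounding entries already use service wildcards, but OAM is the one service here whose misuse redirects another account's telemetry, so it deserves the exception: if the obs-datasource module only creates the source-account link (not visible in this diff), `"oam:CreateLink", "oam:UpdateLink", "oam:DeleteLink", "oam:GetLink", "oam:ListLinks", "oam:TagResource", "oam:UntagResource", "oam:ListTagsForResource"` covers it. The enclosing `github_deploy` policy document starts outside the hunk.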
diff --git a/infrastructure/terraform/components/acct/module_obs_datasource.tf b/infrastructure/terraform/components/acct/module_obs_datasource.tf
new file mode 100644
index 00000000..8a1e85e0
--- /dev/null
+++ b/infrastructure/terraform/components/acct/module_obs_datasource.tf
@@ -0,0 +1,14 @@
+module "obs_datasource" {
+ source = "git::https://github.com/NHSDigital/nhs-notify-shared-modules.git//infrastructure/modules/obs-datasource?ref=v2.0.3"
+
+ name = "obs-datasource"
+
+ aws_account_id = var.aws_account_id
+ region = var.region
+ project = var.project
+ environment = var.environment
+ component = var.component
+
+ oam_sink_id = var.oam_sink_id
+ observability_account_id = var.observability_account_id
+}
diff --git a/infrastructure/terraform/components/acct/outputs.tf b/infrastructure/terraform/components/acct/outputs.tf
index 7bad4731..89925005 100644
--- a/infrastructure/terraform/components/acct/outputs.tf
+++ b/infrastructure/terraform/components/acct/outputs.tf
@@ -1,3 +1,7 @@
 output "aws_account_id" {
 value = var.aws_account_id
 }
+
+output "log_subscription_role_arn" {
+ value = module.obs_datasource.log_subscription_role_arn
+}
diff --git a/infrastructure/terraform/components/acct/variables.tf b/infrastructure/terraform/components/acct/variables.tf
index 6712cfb0..cf882e34 100644
--- a/infrastructure/terraform/components/acct/variables.tf
+++ b/infrastructure/terraform/components/acct/variables.tf
@@ -60,4 +60,11 @@ variable "core_account_ids" {
 variable "observability_account_id" {
 type = string
 description = "The Observability Account ID that needs access"
+ default = null
+}
+
+variable "oam_sink_id" {
+ description = "The ID of the Cloudwatch OAM sink in the appropriate observability account."
+ type = string
+ default = null
 }
diff --git a/infrastructure/terraform/components/reporting/README.md b/infrastructure/terraform/components/reporting/README.md
index 8af6015f..1afa99ed 100644
--- a/infrastructure/terraform/components/reporting/README.md
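Review bot: The module `source` pins `?ref=v2.0.3`, a git tag, and a tag can be moved after the fact; for a module that provisions the cross-account OAM link and the IAM role later handed out as `log_subscription_role_arn`, pinning the commit the tag resolves to (`?ref=<COMMIT_SHA_OF_v2.0.3>` with the tag kept in a trailing comment) makes the dependency verifiable rather than trusted. The block also passes `var.aws_account_id` and `var.component`, neither of which is declared in the acct variables.tf hunk of this diff, so their existence in this component is worth confirming. Both `oam_sink_id` and `observability_account_id` now default to null and are forwarded unchanged, which means the module's handling of null inputs decides whether an environment that omits them silently skips the link or fails to plan; a one-line comment above the two assignments stating the expected behaviour would save the next reader a trip into the module.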
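Review bot: `output "log_subscription_role_arn"` carries no `description`, so the generated README lists it as n/a even though it is a cross-component contract (the reporting component reads it from acct remote state and uses it as `role_arn` on a subscription filter). Adding `description = "ARN of the IAM role passed as role_arn by CloudWatch log subscription filters in this account"` documents what consumers may rely on.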
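Review bot: `observability_account_id` becomes nullable but keeps no shape check, and the value is later interpolated into a cross-account `destination_arn` in the reporting component, where a mistyped or truncated id sends logs to the wrong account without any plan-time error; a `validation` block that accepts null or a 12-digit id catches that early. The same applies to `oam_sink_id` here and to the new `aws_account_id` and nullable `observability_account_id` in the reporting variables.tf hunk later in this diff. The `observability_account_id` block starts outside the hunk.
```hcl
variable "observability_account_id" {
  # … unchanged: type, description, default = null …

  validation {
    condition     = var.observability_account_id == null || can(regex("^[0-9]{12}$", var.observability_account_id))
    error_message = "observability_account_id must be a 12-digit AWS account ID or null."
  }
}
```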
+++ b/infrastructure/terraform/components/reporting/README.md
@@ -13,6 +13,7 @@ No requirements.
 | [account\_name](#input\_account\_name) | The name of the AWS Account to deploy into (see globals.tfvars) | `string` | n/a | yes |
 | [app\_deployer\_role\_name](#input\_app\_deployer\_role\_name) | Name of the app deployer role that is allowed to deploy Comms Mgr applications but not create other IAM roles | `string` | n/a | yes |
 | [app\_deployer\_role\_permission\_account\_ids](#input\_app\_deployer\_role\_permission\_account\_ids) | All AWS Account IDs for this project that have the AppDeployer role created | `map(string)` | `{}` | no |
+| [aws\_account\_id](#input\_aws\_account\_id) | The AWS Account ID (numeric) | `string` | n/a | yes |
 | [batch\_client\_ids](#input\_batch\_client\_ids) | List of client ids that require additional batch identifier dimensions when aggregating data | `list(string)` |
[| no |
 | [cloudtrail\_log\_group\_name](#input\_cloudtrail\_log\_group\_name) | The name of the Cloudtrail log group name on the account (see globals.tfvars) | `string` | n/a | yes |
 | [component](#input\_component) | The name of the component | `string` | `"reporting"` | no |
@@ -21,6 +22,7 @@ No requirements.
 | [core\_account\_ids](#input\_core\_account\_ids) | List of all corresponding core account id's that exist in the Non-Prod domain | `list(string)` | `[]` | no |
 | [core\_env](#input\_core\_env) | The core environment that contains the corresponding Glue table/S3 buckets etc. | `string` | `"internal-dev"` | no |
 | [default\_kms\_deletion\_window\_in\_days](#input\_default\_kms\_deletion\_window\_in\_days) | Default number of days to set KMS key deletion window | `number` | `14` | no |
+| [default\_tags](#input\_default\_tags) | A map of default tags to apply to all taggable resources within the component | `map(string)` | `{}` | no |
 | [desired\_capacity](#input\_desired\_capacity) | The desired number of instances in the Power BI On-Premises Gateway Auto Scaling group. | `number` | `1` | no |
 | [enable\_powerbi\_gateway](#input\_enable\_powerbi\_gateway) | Deploy EC2 instance for PowerBI On-Premises Gateway | `bool` | `true` | no |
 | [enable\_s3\_backup](#input\_enable\_s3\_backup) | Enable AWS S3 Backup of the data bucket | `bool` | `true` | no |
@@ -33,7 +35,7 @@ No requirements.
 | [max\_size](#input\_max\_size) | The maximum number of instances in the Power BI On-Premises Gateway Auto Scaling group. | `number` | `1` | no |
 | [min\_size](#input\_min\_size) | The minimum number of instances in the Power BI On-Premises Gateway Auto Scaling group. | `number` | `1` | no |
 | [module](#input\_module) | The variable encapsulating the name of this module | `string` | `"n/a"` | no |
-| [observability\_account\_id](#input\_observability\_account\_id) | The Observability Account ID that needs access | `string` | n/a | yes |
+| [observability\_account\_id](#input\_observability\_account\_id) | The Observability Account ID that needs access | `string` | `null` | no |
 | [periodic\_s3backup\_retention\_days](#input\_periodic\_s3backup\_retention\_days) | number of days to retain weekly s3 backups | `number` | `90` | no |
 | [periodic\_s3backup\_schedule](#input\_periodic\_s3backup\_schedule) | Crontab formatted schedule for Periodic S3 Backups | `string` | `"cron(0 5 ? * 7 *)"` | no |
 | [private\_subnet\_cidrs](#input\_private\_subnet\_cidrs) | List of CIDR blocks for private subnets. | `list(string)` | `[]` | no |
diff --git a/infrastructure/terraform/components/reporting/cloudwatch_log_group_reporting.tf b/infrastructure/terraform/components/reporting/cloudwatch_log_group_reporting.tf
index 7ea83c36..0d61494a 100644
--- a/infrastructure/terraform/components/reporting/cloudwatch_log_group_reporting.tf
+++ b/infrastructure/terraform/components/reporting/cloudwatch_log_group_reporting.tf
@@ -2,3 +2,11 @@ resource "aws_cloudwatch_log_group" "reporting" {
 name = "/aws/sfn-state-machine/${local.csi}"
 retention_in_days = var.log_retention_days
 }
+
+resource "aws_cloudwatch_log_subscription_filter" "reporting" {
+ name = "${local.csi}-reporting"
+ log_group_name = aws_cloudwatch_log_group.reporting.name
+ filter_pattern = ""
+ destination_arn = "arn:aws:logs:${var.region}:${var.observability_account_id}:destination:nhs-notify-main-acct-firehose-logs"
+ role_arn = local.acct.log_subscription_role_arn
+}
diff --git a/infrastructure/terraform/components/reporting/locals_remote_state.tf b/infrastructure/terraform/components/reporting/locals_remote_state.tf
new file mode 100644
index 00000000..f5b3d9cb
--- /dev/null
+++ b/infrastructure/terraform/components/reporting/locals_remote_state.tf
@@ -0,0 +1,40 @@
+locals {
+ bootstrap = data.terraform_remote_state.bootstrap.outputs
+ acct = data.terraform_remote_state.acct.outputs
+}
+
+data "terraform_remote_state" "bootstrap" {
+ backend = "s3"
+
+ config = {
+ bucket = local.terraform_state_bucket
+
+ key = format(
+ "%s/%s/%s/%s/bootstrap.tfstate",
+ var.project,
+ var.aws_account_id,
+ "eu-west-2",
+ "bootstrap"
+ )
+
+ region = "eu-west-2"
+ }
+}
+
+data "terraform_remote_state" "acct" {
+ backend = "s3"
+
+ config = {
+ bucket = local.terraform_state_bucket
+
+ key = format(
+ "%s/%s/%s/%s/acct.tfstate",
+ var.project,
+ var.aws_account_id,
+ "eu-west-2",
+ var.environment
+ )
+
+ region = "eu-west-2"
+ }
+}
diff --git a/infrastructure/terraform/components/reporting/locals_tfscaffold.tf b/infrastructure/terraform/components/reporting/locals_tfscaffold.tf
new file mode 100644
index 00000000..c7bc867c
--- /dev/null
+++ b/infrastructure/terraform/components/reporting/locals_tfscaffold.tf
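Review bot: `destination_arn` interpolates `var.observability_account_id`, which this same commit makes default to null, and Terraform refuses a null value inside a string template, so an environment that leaves the variable unset now fails at plan instead of simply not creating the filter; `count = var.observability_account_id == null ? 0 : 1` on the resource gives the variable the optional semantics the new default implies. The destination name `nhs-notify-main-acct-firehose-logs` is fixed while the account id differs between the prod and non-prod tfvars in this diff — presumably each observability account carries a destination of that name, but a comment confirming it would help, since a wrong pairing is only discovered as a silent delivery failure. `filter_pattern = ""` forwards every event in the state-machine log group across the account boundary, so the log group's content should be checked for anything that must stay in-account.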
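Review bot: Both remote-state blocks hard-code `"eu-west-2"` for the key's region segment and for `region`, while `local.terraform_state_bucket` in locals_tfscaffold.tf is built from `var.region`; a deployment in any other region would look for a bucket named for that region but a key path under eu-west-2, so using `var.region` in both places (`"eu-west-2"` in each `format(...)` and `region = var.region`) keeps them consistent, or a comment should state that the state layout deliberately fixes the region. `local.bootstrap` is defined but not referenced anywhere in this diff; if nothing consumes it, the bootstrap state read is an unneeded dependency on another component's full output set. `terraform_remote_state` exposes every output of the acct state to this component, so the acct outputs should stay free of secret material.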
@@ -0,0 +1,19 @@
+locals {
+ terraform_state_bucket = format(
+ "%s-tfscaffold-%s-%s",
+ var.project,
+ var.aws_account_id,
+ var.region,
+ )
+
+ default_tags = merge(
+ var.default_tags,
+ {
+ Project = var.project
+ Environment = var.environment
+ Component = var.component
+ Group = var.group
+ Name = local.csi
+ },
+ )
+}
diff --git a/infrastructure/terraform/components/reporting/variables.tf b/infrastructure/terraform/components/reporting/variables.tf
index 1c756f06..a2862548 100644
--- a/infrastructure/terraform/components/reporting/variables.tf
+++ b/infrastructure/terraform/components/reporting/variables.tf
@@ -9,11 +9,22 @@ variable "account_ids" {
 default = {}
 }
+variable "aws_account_id" {
+ type = string
+ description = "The AWS Account ID (numeric)"
+}
+
 variable "account_name" {
 type = string
 description = "The name of the AWS Account to deploy into (see globals.tfvars)"
 }
+variable "default_tags" {
+ type = map(string)
+ description = "A map of default tags to apply to all taggable resources within the component"
+ default = {}
+}
+
 variable "app_deployer_role_permission_account_ids" {
 type = map(string)
 description = "All AWS Account IDs for this project that have the AppDeployer role created"
@@ -203,4 +214,5 @@ variable "enable_vault_lock_configuration" {
 variable "observability_account_id" {
 type = string
 description = "The Observability Account ID that needs access"
+ default = null
 }
diff --git a/infrastructure/terraform/etc/env_eu-west-2_int.tfvars b/infrastructure/terraform/etc/env_eu-west-2_int.tfvars
index 6d21b877..3112d64e 100644
--- a/infrastructure/terraform/etc/env_eu-west-2_int.tfvars
+++ b/infrastructure/terraform/etc/env_eu-west-2_int.tfvars
@@ -1,5 +1,6 @@
-environment = "int"
-account_name = "notify-reporting-dev"
+environment = "int"
+account_name = "notify-reporting-dev"
+aws_account_id = "381492132479"
 core_account_id = "736102632839"
 core_env = "int"
@@ -31,3 +32,4 @@ enable_s3_backup = false
 # Allow Grafana cross account access
 observability_account_id = "273354664196"
+oam_sink_id = "e04b741a-9ba8-43e2-865d-3a76519b675e"
diff --git a/infrastructure/terraform/etc/env_eu-west-2_main.tfvars b/infrastructure/terraform/etc/env_eu-west-2_main.tfvars
index 96a75ccd..10261138 100644
--- a/infrastructure/terraform/etc/env_eu-west-2_main.tfvars
+++ b/infrastructure/terraform/etc/env_eu-west-2_main.tfvars
@@ -1,5 +1,7 @@
-environment = "main"
-account_name = "notify-reporting-dev"
+environment = "main"
+account_name = "notify-reporting-dev"
+aws_account_id = "381492132479"
+
 core_account_id = "257995483745"
 core_env = "internal-dev"
@@ -29,3 +31,4 @@ spot_max_price = "0.3"
 # Allow Grafana cross account access
 observability_account_id = "273354664196"
+oam_sink_id = "e04b741a-9ba8-43e2-865d-3a76519b675e"
diff --git a/infrastructure/terraform/etc/env_eu-west-2_prod.tfvars b/infrastructure/terraform/etc/env_eu-west-2_prod.tfvars
index cdacde28..3ce3fa28 100644
--- a/infrastructure/terraform/etc/env_eu-west-2_prod.tfvars
+++ b/infrastructure/terraform/etc/env_eu-west-2_prod.tfvars
@@ -1,5 +1,7 @@
-environment = "prod"
-account_name = "notify-reporting-prod"
+environment = "prod"
+account_name = "notify-reporting-prod"
+aws_account_id = "211125615884"
+
 core_account_id = "746418818434"
 core_env = "prod"
@@ -36,3 +38,4 @@ enable_vault_lock_configuration = true
 # Allow Grafana cross account access
 observability_account_id = "677276089126"
+oam_sink_id = "14dab7f7-c89f-46b5-9cf7-45d9643133c4"
diff --git a/infrastructure/terraform/etc/env_eu-west-2_ref.tfvars b/infrastructure/terraform/etc/env_eu-west-2_ref.tfvars
index 55f5715d..5410c091 100644
--- a/infrastructure/terraform/etc/env_eu-west-2_ref.tfvars
+++ b/infrastructure/terraform/etc/env_eu-west-2_ref.tfvars
@@ -1,5 +1,7 @@
-environment = "ref"
-account_name = "notify-reporting-dev"
+environment = "ref"
+account_name = "notify-reporting-dev"
+aws_account_id = "381492132479"
+
 core_account_id = "815490582396"
 core_env = "ref"
@@ -36,3 +38,4 @@ enable_s3_backup = false
 # Allow Grafana cross account access
 observability_account_id = "273354664196"
+oam_sink_id = "e04b741a-9ba8-43e2-865d-3a76519b675e"
diff --git a/infrastructure/terraform/etc/env_eu-west-2_uat.tfvars b/infrastructure/terraform/etc/env_eu-west-2_uat.tfvars
index ebf07dfa..eea7528e 100644
--- a/infrastructure/terraform/etc/env_eu-west-2_uat.tfvars
+++ b/infrastructure/terraform/etc/env_eu-west-2_uat.tfvars
@@ -1,5 +1,7 @@
-environment = "uat"
-account_name = "notify-reporting-dev"
+environment = "uat"
+account_name = "notify-reporting-dev"
+aws_account_id = "381492132479"
+
 core_account_id = "736102632839"
 core_env = "uat"
@@ -31,3 +33,4 @@ enable_s3_backup = false
 # Allow Grafana cross account access
 observability_account_id = "273354664196"
+oam_sink_id = "e04b741a-9ba8-43e2-865d-3a76519b675e"
diff --git a/infrastructure/terraform/etc/group_nhs-notify-reporting-prod.tfvars b/infrastructure/terraform/etc/group_nhs-notify-reporting-prod.tfvars
index a4ffc32a..87c12e95 100644
--- a/infrastructure/terraform/etc/group_nhs-notify-reporting-prod.tfvars
+++ b/infrastructure/terraform/etc/group_nhs-notify-reporting-prod.tfvars
@@ -6,4 +6,4 @@ core_account_ids = [ ]
 # Allow Grafana cross account access
-observability_account_id = "677276089126"
+observability_account_id = "273354664196"
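Review bot: `group_nhs-notify-reporting-prod.tfvars` now sets `observability_account_id = "273354664196"`, the id every non-prod env tfvars in this diff uses, while `env_eu-west-2_prod.tfvars` keeps `"677276089126"`; if env-level tfvars override the group file (the usual tfscaffold load order), prod itself is unaffected, but any other environment resolved through the prod group now defaults to delivering logs and OAM links to the non-prod observability account, and no `oam_sink_id` is set at group level to go with it. If the change is intentional, a comment on the line naming why the prod group's default differs from the prod environment would stop the next reader "correcting" it; if not, the previous value should be restored. Account ids are not secrets, so committing them here is fine.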
"NULL"
]