From a1569dd939c931ab6b6487db2ee3a706a16c023d Mon Sep 17 00:00:00 2001 From: jamesthompson26-nhs Date: Wed, 21 May 2025 11:25:39 +0100 Subject: [PATCH 01/19] CCM-10203: Add Observability Datasource --- .../acct/iam_policy_github_deploy_overload.tf | 1 + .../components/acct/module_obs_datasource.tf | 14 +++++++ .../terraform/components/acct/outputs.tf | 4 ++ .../terraform/components/acct/variables.tf | 6 +++ .../cloudwatch_log_group_reporting.tf | 8 ++++ .../reporting/locals_remote_state.tf | 40 +++++++++++++++++++ 6 files changed, 73 insertions(+) create mode 100644 infrastructure/terraform/components/acct/module_obs_datasource.tf create mode 100644 infrastructure/terraform/components/reporting/locals_remote_state.tf diff --git a/infrastructure/terraform/components/acct/iam_policy_github_deploy_overload.tf b/infrastructure/terraform/components/acct/iam_policy_github_deploy_overload.tf index 458bfae2..e99216be 100644 --- a/infrastructure/terraform/components/acct/iam_policy_github_deploy_overload.tf +++ b/infrastructure/terraform/components/acct/iam_policy_github_deploy_overload.tf @@ -19,6 +19,7 @@ data "aws_iam_policy_document" "github_deploy" { "firehose:*", "glue:*", "kinesis:*", + "oam:*", ] resources = ["*"] } diff --git a/infrastructure/terraform/components/acct/module_obs_datasource.tf b/infrastructure/terraform/components/acct/module_obs_datasource.tf new file mode 100644 index 00000000..8a1e85e0 --- /dev/null +++ b/infrastructure/terraform/components/acct/module_obs_datasource.tf @@ -0,0 +1,14 @@ +module "obs_datasource" { + source = "git::https://github.com/NHSDigital/nhs-notify-shared-modules.git//infrastructure/modules/obs-datasource?ref=v2.0.3" + + name = "obs-datasource" + + aws_account_id = var.aws_account_id + region = var.region + project = var.project + environment = var.environment + component = var.component + + oam_sink_id = var.oam_sink_id + observability_account_id = var.observability_account_id +} 
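Review bot: The `"oam:*"` entry added to `data.aws_iam_policy_document.github_deploy` sits on `resources = ["*"]`, so the deploy role can also create sinks and rewrite sink policies in this account (`oam:CreateSink`, `oam:PutSinkPolicy`, `oam:DeleteSink`), which a source account that only links to a sink elsewhere should not need. It matches the existing `firehose:*`/`glue:*`/`kinesis:*` pattern, but OAM is a cross-account trust primitive, so I would list the link-side actions instead: `"oam:CreateLink", "oam:UpdateLink", "oam:DeleteLink", "oam:GetLink", "oam:ListLinks", "oam:TagResource", "oam:UntagResource", "oam:ListTagsForResource"`. Which of these the shared module actually calls is not visible here, so the list should be confirmed against its IAM usage; the policy document starts outside the hunk.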
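Review bot: `module "obs_datasource"` is fetched from a remote git repository by a mutable tag (`ref=v2.0.3`), so anyone who can move that tag in `nhs-notify-shared-modules` changes what the account-level `acct` component applies; pin to the tag's commit instead, e.g. `source = "git::https://github.com/NHSDigital/nhs-notify-shared-modules.git//infrastructure/modules/obs-datasource?ref=<40-char commit sha>"` with the tag recorded in a trailing comment. The module is also instantiated unconditionally while `oam_sink_id` defaults to `""` in this commit, so any environment that does not set it hands the module an empty sink identifier; either make the variable required or gate the module with `count = var.oam_sink_id == "" ? 0 : 1`. Whether the module tolerates an empty sink id is not visible from this repository.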
diff --git a/infrastructure/terraform/components/acct/outputs.tf b/infrastructure/terraform/components/acct/outputs.tf index 7bad4731..89925005 100644 --- a/infrastructure/terraform/components/acct/outputs.tf +++ b/infrastructure/terraform/components/acct/outputs.tf @@ -1,3 +1,7 @@ output "aws_account_id" { value = var.aws_account_id } + +output "log_subscription_role_arn" { + value = module.obs_datasource.log_subscription_role_arn +} diff --git a/infrastructure/terraform/components/acct/variables.tf b/infrastructure/terraform/components/acct/variables.tf index 6712cfb0..8cd83b96 100644 --- a/infrastructure/terraform/components/acct/variables.tf +++ b/infrastructure/terraform/components/acct/variables.tf @@ -61,3 +61,9 @@ variable "observability_account_id" { type = string description = "The Observability Account ID that needs access" } + +variable "oam_sink_id" { + description = "The ID of the Cloudwatch OAM sink in the appropriate observability account." + type = string + default = "" +} diff --git a/infrastructure/terraform/components/reporting/cloudwatch_log_group_reporting.tf b/infrastructure/terraform/components/reporting/cloudwatch_log_group_reporting.tf index 7ea83c36..0d61494a 100644 --- a/infrastructure/terraform/components/reporting/cloudwatch_log_group_reporting.tf +++ b/infrastructure/terraform/components/reporting/cloudwatch_log_group_reporting.tf @@ -2,3 +2,11 @@ resource "aws_cloudwatch_log_group" "reporting" { name = "/aws/sfn-state-machine/${local.csi}" retention_in_days = var.log_retention_days } + +resource "aws_cloudwatch_log_subscription_filter" "reporting" { + name = "${local.csi}-reporting" + log_group_name = aws_cloudwatch_log_group.reporting.name + filter_pattern = "" + destination_arn = "arn:aws:logs:${var.region}:${var.observability_account_id}:destination:nhs-notify-main-acct-firehose-logs" + role_arn = local.acct.log_subscription_role_arn +} 
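Review bot: `aws_cloudwatch_log_subscription_filter.reporting` hard-codes the destination name `nhs-notify-main-acct-firehose-logs` while `var.observability_account_id` differs between the dev (`273354664196`) and prod (`677276089126`) observability accounts, so the ARN is only correct if both accounts expose a destination by that exact `main` name; I would lift it into a variable, e.g. `destination_arn = "arn:aws:logs:${var.region}:${var.observability_account_id}:destination:${var.log_destination_name}"` with the current string as its default. `filter_pattern = ""` forwards every event of the `/aws/sfn-state-machine/...` group across the account boundary, so if the state machine's logging configuration includes execution data (not visible here) the execution payloads leave the account with it; a comment stating whether that is intended would help the next reviewer. The resource is not gated on the variable being set, and it uses `var.region` where `locals_remote_state.tf` pins `eu-west-2`.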
diff --git a/infrastructure/terraform/components/reporting/locals_remote_state.tf b/infrastructure/terraform/components/reporting/locals_remote_state.tf new file mode 100644 index 00000000..7f87c1fa --- /dev/null +++ b/infrastructure/terraform/components/reporting/locals_remote_state.tf @@ -0,0 +1,40 @@ +locals { + bootstrap = data.terraform_remote_state.bootstrap.outputs + acct = data.terraform_remote_state.acct.outputs +} + +data "terraform_remote_state" "bootstrap" { + backend = "s3" + + config = { + bucket = local.terraform_state_bucket + + key = format( + "%s/%s/%s/%s/bootstrap.tfstate", + var.project, + var.aws_account_id, + "eu-west-2", + "bootstrap" + ) + + region = "eu-west-2" + } +} + +data "terraform_remote_state" "acct" { + backend = "s3" + + config = { + bucket = local.terraform_state_bucket + + key = format( + "%s/%s/%s/%s/acct.tfstate", + var.project, + var.aws_account_id, + "eu-west-2", + var.parent_acct_environment + ) + + region = "eu-west-2" + } +} From 17ebaedaacd68ec101a5bb991d5498fbcba4db6e Mon Sep 17 00:00:00 2001 From: jamesthompson26-nhs Date: Wed, 21 May 2025 11:28:12 +0100 Subject: [PATCH 02/19] CCM-10203: Add Observability Datasource --- infrastructure/terraform/etc/env_eu-west-2_int.tfvars | 3 --- infrastructure/terraform/etc/env_eu-west-2_main.tfvars | 3 --- infrastructure/terraform/etc/env_eu-west-2_ref.tfvars | 3 --- infrastructure/terraform/etc/env_eu-west-2_uat.tfvars | 3 --- .../terraform/etc/group_nhs-notify-reporting-dev.tfvars | 1 + .../terraform/etc/group_nhs-notify-reporting-prod.tfvars | 1 + 6 files changed, 2 insertions(+), 12 deletions(-) diff --git a/infrastructure/terraform/etc/env_eu-west-2_int.tfvars b/infrastructure/terraform/etc/env_eu-west-2_int.tfvars index 6d21b877..44cc79d6 100644 --- a/infrastructure/terraform/etc/env_eu-west-2_int.tfvars +++ b/infrastructure/terraform/etc/env_eu-west-2_int.tfvars 
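Review bot: `data.terraform_remote_state.bootstrap` and `local.bootstrap` are declared but nothing in this change reads them, and a remote-state read exposes every output in that state file to this component and requires the reporting role to be able to fetch the object; drop the bootstrap data source until a consumer exists. Both data sources hard-code `"eu-west-2"` for the key and `region` while the rest of the component uses `var.region` (e.g. the destination ARN in `cloudwatch_log_group_reporting.tf`); if the state bucket is deliberately pinned to one region, say so in a comment such as `# state is always kept in eu-west-2 regardless of var.region`, otherwise use `var.region`.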
@@ -28,6 +28,3 @@ enable_spot = false spot_max_price = "0.3" enable_s3_backup = false - -# Allow Grafana cross account access -observability_account_id = "273354664196" diff --git a/infrastructure/terraform/etc/env_eu-west-2_main.tfvars b/infrastructure/terraform/etc/env_eu-west-2_main.tfvars index 96a75ccd..a728a2f3 100644 --- a/infrastructure/terraform/etc/env_eu-west-2_main.tfvars +++ b/infrastructure/terraform/etc/env_eu-west-2_main.tfvars @@ -26,6 +26,3 @@ min_size = 1 max_size = 1 enable_spot = false spot_max_price = "0.3" - -# Allow Grafana cross account access -observability_account_id = "273354664196" diff --git a/infrastructure/terraform/etc/env_eu-west-2_ref.tfvars b/infrastructure/terraform/etc/env_eu-west-2_ref.tfvars index 55f5715d..9e1a4ad1 100644 --- a/infrastructure/terraform/etc/env_eu-west-2_ref.tfvars +++ b/infrastructure/terraform/etc/env_eu-west-2_ref.tfvars @@ -33,6 +33,3 @@ batch_client_ids = [ ] enable_s3_backup = false - -# Allow Grafana cross account access -observability_account_id = "273354664196" diff --git a/infrastructure/terraform/etc/env_eu-west-2_uat.tfvars b/infrastructure/terraform/etc/env_eu-west-2_uat.tfvars index ebf07dfa..43eb83f1 100644 --- a/infrastructure/terraform/etc/env_eu-west-2_uat.tfvars +++ b/infrastructure/terraform/etc/env_eu-west-2_uat.tfvars @@ -28,6 +28,3 @@ enable_spot = false spot_max_price = "0.3" enable_s3_backup = false - -# Allow Grafana cross account access -observability_account_id = "273354664196" diff --git a/infrastructure/terraform/etc/group_nhs-notify-reporting-dev.tfvars b/infrastructure/terraform/etc/group_nhs-notify-reporting-dev.tfvars index 4df0bf2a..a57e28cc 100644 --- a/infrastructure/terraform/etc/group_nhs-notify-reporting-dev.tfvars +++ b/infrastructure/terraform/etc/group_nhs-notify-reporting-dev.tfvars @@ -11,3 +11,4 @@ core_account_ids = [ # Allow Grafana cross account access observability_account_id = "273354664196" +oam_sink_id = "e04b741a-9ba8-43e2-865d-3a76519b675e" 
diff --git a/infrastructure/terraform/etc/group_nhs-notify-reporting-prod.tfvars b/infrastructure/terraform/etc/group_nhs-notify-reporting-prod.tfvars index a4ffc32a..a8588be4 100644 --- a/infrastructure/terraform/etc/group_nhs-notify-reporting-prod.tfvars +++ b/infrastructure/terraform/etc/group_nhs-notify-reporting-prod.tfvars @@ -7,3 +7,4 @@ core_account_ids = [ # Allow Grafana cross account access observability_account_id = "677276089126" +oam_sink_id = "14dab7f7-c89f-46b5-9cf7-45d9643133c4" From 1db71f4a1765a2cb33b67f48b9a843d9a97a1328 Mon Sep 17 00:00:00 2001 From: jamesthompson26-nhs Date: Wed, 21 May 2025 11:36:26 +0100 Subject: [PATCH 03/19] CCM-10203: Add Observability Datasource --- .../components/reporting/locals_tfscaffold.tf | 44 +++++++++++++++++++ .../components/reporting/variables.tf | 11 +++++ 2 files changed, 55 insertions(+) create mode 100644 infrastructure/terraform/components/reporting/locals_tfscaffold.tf diff --git a/infrastructure/terraform/components/reporting/locals_tfscaffold.tf b/infrastructure/terraform/components/reporting/locals_tfscaffold.tf new file mode 100644 index 00000000..b7cf3217 --- /dev/null +++ b/infrastructure/terraform/components/reporting/locals_tfscaffold.tf @@ -0,0 +1,44 @@ +locals { + terraform_state_bucket = format( + "%s-tfscaffold-%s-%s", + var.project, + var.aws_account_id, + var.region, + ) + + csi = replace( + format( + "%s-%s-%s", + var.project, + var.environment, + var.component, + ), + "_", + "", + ) + + # CSI for use in resources with a global namespace, i.e. S3 Buckets + csi_global = replace( + format( + "%s-%s-%s-%s-%s", + var.project, + var.aws_account_id, + var.region, + var.environment, + var.component, + ), + "_", + "", + ) + + default_tags = merge( + var.default_tags, + { + Project = var.project + Environment = var.environment + Component = var.component + Group = var.group + Name = local.csi + }, + ) +} 
diff --git a/infrastructure/terraform/components/reporting/variables.tf b/infrastructure/terraform/components/reporting/variables.tf index 1c756f06..ef5a9704 100644 --- a/infrastructure/terraform/components/reporting/variables.tf +++ b/infrastructure/terraform/components/reporting/variables.tf @@ -9,11 +9,22 @@ variable "account_ids" { default = {} } +variable "aws_account_id" { + type = string + description = "The AWS Account ID (numeric)" +} + variable "account_name" { type = string description = "The name of the AWS Account to deploy into (see globals.tfvars)" } +variable "default_tags" { + type = map(string) + description = "A map of default tags to apply to all taggable resources within the component" + default = {} +} + variable "app_deployer_role_permission_account_ids" { type = map(string) description = "All AWS Account IDs for this project that have the AppDeployer role created" From 203a7bed7ecaa04eb49c8ed73e901afcd63b5fc3 Mon Sep 17 00:00:00 2001 From: jamesthompson26-nhs Date: Wed, 21 May 2025 11:40:01 +0100 Subject: [PATCH 04/19] CCM-10203: Add Observability Datasource --- infrastructure/terraform/etc/env_eu-west-2_int.tfvars | 5 +++-- infrastructure/terraform/etc/env_eu-west-2_main.tfvars | 6 ++++-- infrastructure/terraform/etc/env_eu-west-2_prod.tfvars | 6 ++++-- infrastructure/terraform/etc/env_eu-west-2_ref.tfvars | 6 ++++-- infrastructure/terraform/etc/env_eu-west-2_uat.tfvars | 6 ++++-- 5 files changed, 19 insertions(+), 10 deletions(-) diff --git a/infrastructure/terraform/etc/env_eu-west-2_int.tfvars b/infrastructure/terraform/etc/env_eu-west-2_int.tfvars index 44cc79d6..69203be8 100644 --- a/infrastructure/terraform/etc/env_eu-west-2_int.tfvars +++ b/infrastructure/terraform/etc/env_eu-west-2_int.tfvars @@ -1,5 +1,6 @@ -environment = "int" -account_name = "notify-reporting-dev" +environment = "int" +account_name = "notify-reporting-dev" +aws_account_id = "381492132479" core_account_id = "736102632839" core_env = "int" 
diff --git a/infrastructure/terraform/etc/env_eu-west-2_main.tfvars b/infrastructure/terraform/etc/env_eu-west-2_main.tfvars index a728a2f3..ebe6cf3e 100644 --- a/infrastructure/terraform/etc/env_eu-west-2_main.tfvars +++ b/infrastructure/terraform/etc/env_eu-west-2_main.tfvars @@ -1,5 +1,7 @@ -environment = "main" -account_name = "notify-reporting-dev" +environment = "main" +account_name = "notify-reporting-dev" +aws_account_id = "381492132479" + core_account_id = "257995483745" core_env = "internal-dev" diff --git a/infrastructure/terraform/etc/env_eu-west-2_prod.tfvars b/infrastructure/terraform/etc/env_eu-west-2_prod.tfvars index cdacde28..593740e7 100644 --- a/infrastructure/terraform/etc/env_eu-west-2_prod.tfvars +++ b/infrastructure/terraform/etc/env_eu-west-2_prod.tfvars @@ -1,5 +1,7 @@ -environment = "prod" -account_name = "notify-reporting-prod" +environment = "prod" +account_name = "notify-reporting-prod" +aws_account_id = "211125615884" + core_account_id = "746418818434" core_env = "prod" diff --git a/infrastructure/terraform/etc/env_eu-west-2_ref.tfvars b/infrastructure/terraform/etc/env_eu-west-2_ref.tfvars index 9e1a4ad1..a42cfd84 100644 --- a/infrastructure/terraform/etc/env_eu-west-2_ref.tfvars +++ b/infrastructure/terraform/etc/env_eu-west-2_ref.tfvars @@ -1,5 +1,7 @@ -environment = "ref" -account_name = "notify-reporting-dev" +environment = "ref" +account_name = "notify-reporting-dev" +aws_account_id = "381492132479" + core_account_id = "815490582396" core_env = "ref" diff --git a/infrastructure/terraform/etc/env_eu-west-2_uat.tfvars b/infrastructure/terraform/etc/env_eu-west-2_uat.tfvars index 43eb83f1..d233d65e 100644 --- a/infrastructure/terraform/etc/env_eu-west-2_uat.tfvars +++ b/infrastructure/terraform/etc/env_eu-west-2_uat.tfvars 
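Review bot: `aws_account_id = "211125615884"` in `env_eu-west-2_prod.tfvars` duplicates a value the group file `group_nhs-notify-reporting-prod.tfvars` already declares (it appears as hunk context later in this series), and the dev id `381492132479` is repeated across `int`, `main`, `ref` and `uat`. Since `local.terraform_state_bucket` and every remote-state key are derived from this variable, an env-level copy that drifts from the group value silently points the component at another account's state bucket; if the group files already carry the id, keep it there only, otherwise add `# must match aws_account_id in the group tfvars` next to each env copy.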
@@ -1,5 +1,7 @@ -environment = "uat" -account_name = "notify-reporting-dev" +environment = "uat" +account_name = "notify-reporting-dev" +aws_account_id = "381492132479" + core_account_id = "736102632839" core_env = "uat" From 6111f5d6641c292235d1dc342f9b42b9d4ed68f4 Mon Sep 17 00:00:00 2001 From: jamesthompson26-nhs Date: Wed, 21 May 2025 11:40:40 +0100 Subject: [PATCH 05/19] CCM-10203: Add Observability Datasource --- infrastructure/terraform/components/acct/README.md | 6 +++++- infrastructure/terraform/components/reporting/README.md | 2 ++ 2 files changed, 7 insertions(+), 1 deletion(-) diff --git a/infrastructure/terraform/components/acct/README.md b/infrastructure/terraform/components/acct/README.md index 428b2df3..e8fcae22 100644 --- a/infrastructure/terraform/components/acct/README.md +++ b/infrastructure/terraform/components/acct/README.md 
@@ -18,17 +18,21 @@ | [default\_tags](#input\_default\_tags) | A map of default tags to apply to all taggable resources within the component | `map(string)` | `{}` | no | | [environment](#input\_environment) | The name of the tfscaffold environment | `string` | n/a | yes | | [group](#input\_group) | The group variables are being inherited from (often synonmous with account short-name) | `string` | n/a | yes | +| [oam\_sink\_id](#input\_oam\_sink\_id) | The ID of the Cloudwatch OAM sink in the appropriate observability account. | `string` | `""` | no | | [observability\_account\_id](#input\_observability\_account\_id) | The Observability Account ID that needs access | `string` | n/a | yes | | [project](#input\_project) | The name of the tfscaffold project | `string` | n/a | yes | | [region](#input\_region) | The AWS Region | `string` | n/a | yes | ## Modules -No modules. +| Name | Source | Version | +|------|--------|---------| +| [obs\_datasource](#module\_obs\_datasource) | git::https://github.com/NHSDigital/nhs-notify-shared-modules.git//infrastructure/modules/obs-datasource | v2.0.3 | ## Outputs | Name | Description | |------|-------------| | [aws\_account\_id](#output\_aws\_account\_id) | n/a | +| [log\_subscription\_role\_arn](#output\_log\_subscription\_role\_arn) | n/a | diff --git a/infrastructure/terraform/components/reporting/README.md b/infrastructure/terraform/components/reporting/README.md index 8af6015f..10963c73 100644 --- a/infrastructure/terraform/components/reporting/README.md +++ b/infrastructure/terraform/components/reporting/README.md 
@@ -13,6 +13,7 @@ No requirements. | [account\_name](#input\_account\_name) | The name of the AWS Account to deploy into (see globals.tfvars) | `string` | n/a | yes | | [app\_deployer\_role\_name](#input\_app\_deployer\_role\_name) | Name of the app deployer role that is allowed to deploy Comms Mgr applications but not create other IAM roles | `string` | n/a | yes | | [app\_deployer\_role\_permission\_account\_ids](#input\_app\_deployer\_role\_permission\_account\_ids) | All AWS Account IDs for this project that have the AppDeployer role created | `map(string)` | `{}` | no | +| [aws\_account\_id](#input\_aws\_account\_id) | The AWS Account ID (numeric) | `string` | n/a | yes | | [batch\_client\_ids](#input\_batch\_client\_ids) | List of client ids that require additional batch identifier dimensions when aggregating data | `list(string)` |
[
"NULL"
]
| no | | [cloudtrail\_log\_group\_name](#input\_cloudtrail\_log\_group\_name) | The name of the Cloudtrail log group name on the account (see globals.tfvars) | `string` | n/a | yes | | [component](#input\_component) | The name of the component | `string` | `"reporting"` | no | @@ -21,6 +22,7 @@ No requirements. | [core\_account\_ids](#input\_core\_account\_ids) | List of all corresponding core account id's that exist in the Non-Prod domain | `list(string)` | `[]` | no | | [core\_env](#input\_core\_env) | The core environment that contains the corresponding Glue table/S3 buckets etc. | `string` | `"internal-dev"` | no | | [default\_kms\_deletion\_window\_in\_days](#input\_default\_kms\_deletion\_window\_in\_days) | Default number of days to set KMS key deletion window | `number` | `14` | no | +| [default\_tags](#input\_default\_tags) | A map of default tags to apply to all taggable resources within the component | `map(string)` | `{}` | no | | [desired\_capacity](#input\_desired\_capacity) | The desired number of instances in the Power BI On-Premises Gateway Auto Scaling group. | `number` | `1` | no | | [enable\_powerbi\_gateway](#input\_enable\_powerbi\_gateway) | Deploy EC2 instance for PowerBI On-Premises Gateway | `bool` | `true` | no | | [enable\_s3\_backup](#input\_enable\_s3\_backup) | Enable AWS S3 Backup of the data bucket | `bool` | `true` | no | From b5e6304b9aa8f659e4437f6f14e45b92f947b722 Mon Sep 17 00:00:00 2001 From: jamesthompson26-nhs Date: Wed, 21 May 2025 11:43:37 +0100 Subject: [PATCH 06/19] CCM-10203: Add Observability Datasource --- .../components/reporting/locals_tfscaffold.tf | 25 ------------------- 1 file changed, 25 deletions(-) diff --git a/infrastructure/terraform/components/reporting/locals_tfscaffold.tf b/infrastructure/terraform/components/reporting/locals_tfscaffold.tf index b7cf3217..c7bc867c 100644 --- a/infrastructure/terraform/components/reporting/locals_tfscaffold.tf 
+++ b/infrastructure/terraform/components/reporting/locals_tfscaffold.tf @@ -6,31 +6,6 @@ locals { var.region, ) - csi = replace( - format( - "%s-%s-%s", - var.project, - var.environment, - var.component, - ), - "_", - "", - ) - - # CSI for use in resources with a global namespace, i.e. S3 Buckets - csi_global = replace( - format( - "%s-%s-%s-%s-%s", - var.project, - var.aws_account_id, - var.region, - var.environment, - var.component, - ), - "_", - "", - ) - default_tags = merge( var.default_tags, { From 4565f9bcda4beb742e78f63ffb43c63b1e3412c6 Mon Sep 17 00:00:00 2001 From: jamesthompson26-nhs Date: Wed, 21 May 2025 11:53:47 +0100 Subject: [PATCH 07/19] CCM-10203: Add Observability Datasource --- .../terraform/components/reporting/locals_remote_state.tf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/infrastructure/terraform/components/reporting/locals_remote_state.tf b/infrastructure/terraform/components/reporting/locals_remote_state.tf index 7f87c1fa..6248dec4 100644 --- a/infrastructure/terraform/components/reporting/locals_remote_state.tf +++ b/infrastructure/terraform/components/reporting/locals_remote_state.tf @@ -28,11 +28,11 @@ data "terraform_remote_state" "acct" { bucket = local.terraform_state_bucket key = format( - "%s/%s/%s/%s/acct.tfstate", + "%s/%s/%s/acct.tfstate", var.project, var.aws_account_id, "eu-west-2", - var.parent_acct_environment + var.environment ) region = "eu-west-2" From 91ecfae779673fedd083363f163a4607f08213f5 Mon Sep 17 00:00:00 2001 From: jamesthompson26-nhs Date: Wed, 21 May 2025 11:55:28 +0100 Subject: [PATCH 08/19] CCM-10203: Add Observability Datasource --- .../terraform/components/reporting/locals_remote_state.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/infrastructure/terraform/components/reporting/locals_remote_state.tf b/infrastructure/terraform/components/reporting/locals_remote_state.tf index 6248dec4..f5b3d9cb 100644 
--- a/infrastructure/terraform/components/reporting/locals_remote_state.tf +++ b/infrastructure/terraform/components/reporting/locals_remote_state.tf @@ -28,7 +28,7 @@ data "terraform_remote_state" "acct" { bucket = local.terraform_state_bucket key = format( - "%s/%s/%s/acct.tfstate", + "%s/%s/%s/%s/acct.tfstate", var.project, var.aws_account_id, "eu-west-2", From e1dec91a54c6c0401df8b6bcd3693a85838de3a1 Mon Sep 17 00:00:00 2001 From: jamesthompson26-nhs Date: Wed, 21 May 2025 12:18:22 +0100 Subject: [PATCH 09/19] CCM-10203: Add Observability Datasource --- scripts/reports/scan-vulnerabilities.sh | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/scripts/reports/scan-vulnerabilities.sh b/scripts/reports/scan-vulnerabilities.sh index eb68d4b5..b087b1ff 100755 --- a/scripts/reports/scan-vulnerabilities.sh +++ b/scripts/reports/scan-vulnerabilities.sh @@ -40,6 +40,8 @@ function create-report() { function run-grype-natively() { + grype db update + grype \ sbom:"$PWD/sbom-repository-report.json" \ --config "$PWD/scripts/config/grype.yaml" \ @@ -52,6 +54,10 @@ function run-grype-in-docker() { # shellcheck disable=SC1091 source ./scripts/docker/docker.lib.sh + docker run --rm --platform linux/amd64 \ + --volume /tmp/grype/db:/.cache/grype/db \ + "$image" db update + # shellcheck disable=SC2155 local image=$(name=ghcr.io/anchore/grype docker-get-image-version-and-pull) docker run --rm --platform linux/amd64 \ From cb90125a450af88cb88ebe8f20f52e4dbd75bd47 Mon Sep 17 00:00:00 2001 From: jamesthompson26-nhs Date: Wed, 21 May 2025 12:20:04 +0100 Subject: [PATCH 10/19] CCM-10203: Add Observability Datasource --- scripts/reports/scan-vulnerabilities.sh | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/scripts/reports/scan-vulnerabilities.sh b/scripts/reports/scan-vulnerabilities.sh index b087b1ff..847853a5 100755 --- a/scripts/reports/scan-vulnerabilities.sh +++ b/scripts/reports/scan-vulnerabilities.sh 
@@ -54,12 +54,13 @@ function run-grype-in-docker() { # shellcheck disable=SC1091 source ./scripts/docker/docker.lib.sh + # shellcheck disable=SC2155 + local image=$(name=ghcr.io/anchore/grype docker-get-image-version-and-pull) + docker run --rm --platform linux/amd64 \ --volume /tmp/grype/db:/.cache/grype/db \ "$image" db update - # shellcheck disable=SC2155 - local image=$(name=ghcr.io/anchore/grype docker-get-image-version-and-pull) docker run --rm --platform linux/amd64 \ --volume "$PWD":/workdir \ --volume /tmp/grype/db:/.cache/grype/db \ From 20a20b88830bd020455808b095fb5600d611bf0f Mon Sep 17 00:00:00 2001 From: jamesthompson26-nhs Date: Wed, 21 May 2025 12:27:33 +0100 Subject: [PATCH 11/19] CCM-10203: Add Observability Datasource --- scripts/config/grype.yaml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/scripts/config/grype.yaml b/scripts/config/grype.yaml index 80c752e2..66924b1a 100644 --- a/scripts/config/grype.yaml +++ b/scripts/config/grype.yaml @@ -1,6 +1,9 @@ # If using SBOM input, automatically generate CPEs when packages have none add-cpes-if-none: true +db: + max-allowed-built-age: 168h # 7 days + # ignore: # # This is the full set of supported rule fields: # - vulnerability: CVE-2008-4318 From f3cd02601cf40288d855dc39166cf3bd4f33c6ee Mon Sep 17 00:00:00 2001 From: jamesthompson26-nhs Date: Wed, 21 May 2025 12:58:59 +0100 Subject: [PATCH 12/19] CCM-10203: Add Observability Datasource --- scripts/reports/scan-vulnerabilities.sh | 8 -------- 1 file changed, 8 deletions(-) diff --git a/scripts/reports/scan-vulnerabilities.sh b/scripts/reports/scan-vulnerabilities.sh index 847853a5..0c6b166b 100755 --- a/scripts/reports/scan-vulnerabilities.sh +++ b/scripts/reports/scan-vulnerabilities.sh @@ -39,9 +39,6 @@ function create-report() { } function run-grype-natively() { - - grype db update - grype \ sbom:"$PWD/sbom-repository-report.json" \ --config "$PWD/scripts/config/grype.yaml" \ 
@@ -56,11 +53,6 @@ function run-grype-in-docker() { # shellcheck disable=SC2155 local image=$(name=ghcr.io/anchore/grype docker-get-image-version-and-pull) - - docker run --rm --platform linux/amd64 \ - --volume /tmp/grype/db:/.cache/grype/db \ - "$image" db update - docker run --rm --platform linux/amd64 \ --volume "$PWD":/workdir \ --volume /tmp/grype/db:/.cache/grype/db \ From 1e3320c3cc8e7302383e8b3061bb6d0343b3ffe9 Mon Sep 17 00:00:00 2001 From: jamesthompson26-nhs Date: Wed, 21 May 2025 13:04:55 +0100 Subject: [PATCH 13/19] CCM-10203: Add Observability Datasource --- .tool-versions | 4 ++-- scripts/config/grype.yaml | 3 --- 2 files changed, 2 insertions(+), 5 deletions(-) diff --git a/.tool-versions b/.tool-versions index 5a59821f..2c67f30a 100644 --- a/.tool-versions +++ b/.tool-versions 
@@ -12,8 +12,8 @@ trivy 0.61.0 # The section below is reserved for Docker image versions. # TODO: Move this section - consider using a different file for the repository template dependencies. -# docker/ghcr.io/anchore/grype v0.69.1@sha256:d41fcb371d0af59f311e72123dff46900ebd6d0482391b5a830853ee4f9d1a76 # SEE: https://github.com/anchore/grype/pkgs/container/grype -# docker/ghcr.io/anchore/syft v0.92.0@sha256:63c60f0a21efb13e80aa1359ab243e49213b6cc2d7e0f8179da38e6913b997e0 # SEE: https://github.com/anchore/syft/pkgs/container/syft +# docker/ghcr.io/anchore/grype v0.92.2@sha256:651e558f9ba84f2a790b3449c8a57cbbf4f34e004f7d3f14ae8f8cbeede4cd33 # SEE: https://github.com/anchore/grype/pkgs/container/grype +# docker/ghcr.io/anchore/syft v1.26.0@sha256:de078f51704a213906970b1475edd6006b8af50aa159852e125518237487b8c6 # SEE: https://github.com/anchore/syft/pkgs/container/syft # docker/ghcr.io/gitleaks/gitleaks v8.18.0@sha256:fd2b5cab12b563d2cc538b14631764a1c25577780e3b7dba71657d58da45d9d9 # SEE: https://github.com/gitleaks/gitleaks/pkgs/container/gitleaks # docker/ghcr.io/igorshubovych/markdownlint-cli v0.37.0@sha256:fb3e79946fce78e1cde84d6798c6c2a55f2de11fc16606a40d49411e281d950d # SEE: https://github.com/igorshubovych/markdownlint-cli/pkgs/container/markdownlint-cli # docker/ghcr.io/make-ops-tools/gocloc latest@sha256:6888e62e9ae693c4ebcfed9f1d86c70fd083868acb8815fe44b561b9a73b5032 # SEE: https://github.com/make-ops-tools/gocloc/pkgs/container/gocloc diff --git a/scripts/config/grype.yaml b/scripts/config/grype.yaml index 66924b1a..80c752e2 100644 --- a/scripts/config/grype.yaml +++ b/scripts/config/grype.yaml @@ -1,9 +1,6 @@ # If using SBOM input, automatically generate CPEs when packages have none add-cpes-if-none: true -db: - max-allowed-built-age: 168h # 7 days - # ignore: # # This is the full set of supported rule fields: # - vulnerability: CVE-2008-4318 From 21a54453653a355ea817522b1bea8f24b2699545 Mon Sep 17 00:00:00 2001 
From: jamesthompson26-nhs Date: Wed, 21 May 2025 13:10:38 +0100 Subject: [PATCH 14/19] CCM-10203: Add Observability Datasource --- scripts/reports/scan-vulnerabilities.sh | 1 + 1 file changed, 1 insertion(+) diff --git a/scripts/reports/scan-vulnerabilities.sh b/scripts/reports/scan-vulnerabilities.sh index 0c6b166b..eb68d4b5 100755 --- a/scripts/reports/scan-vulnerabilities.sh +++ b/scripts/reports/scan-vulnerabilities.sh @@ -39,6 +39,7 @@ function create-report() { } function run-grype-natively() { + grype \ sbom:"$PWD/sbom-repository-report.json" \ --config "$PWD/scripts/config/grype.yaml" \ From 2801cfaa68db7c78b5f0719089318779ee9f060b Mon Sep 17 00:00:00 2001 From: jamesthompson26-nhs Date: Thu, 22 May 2025 09:16:57 +0100 Subject: [PATCH 15/19] CCM-10203: Add Observability Datasource --- infrastructure/terraform/etc/env_eu-west-2_int.tfvars | 4 ++++ infrastructure/terraform/etc/env_eu-west-2_main.tfvars | 4 ++++ infrastructure/terraform/etc/env_eu-west-2_prod.tfvars | 1 + infrastructure/terraform/etc/env_eu-west-2_ref.tfvars | 4 ++++ infrastructure/terraform/etc/env_eu-west-2_uat.tfvars | 4 ++++ .../terraform/etc/group_nhs-notify-reporting-dev.tfvars | 4 ---- .../terraform/etc/group_nhs-notify-reporting-prod.tfvars | 4 ---- 7 files changed, 17 insertions(+), 8 deletions(-) diff --git a/infrastructure/terraform/etc/env_eu-west-2_int.tfvars b/infrastructure/terraform/etc/env_eu-west-2_int.tfvars index 69203be8..3112d64e 100644 --- a/infrastructure/terraform/etc/env_eu-west-2_int.tfvars +++ b/infrastructure/terraform/etc/env_eu-west-2_int.tfvars @@ -29,3 +29,7 @@ enable_spot = false spot_max_price = "0.3" enable_s3_backup = false + +# Allow Grafana cross account access +observability_account_id = "273354664196" +oam_sink_id = "e04b741a-9ba8-43e2-865d-3a76519b675e" diff --git a/infrastructure/terraform/etc/env_eu-west-2_main.tfvars b/infrastructure/terraform/etc/env_eu-west-2_main.tfvars index ebe6cf3e..10261138 100644 
--- a/infrastructure/terraform/etc/env_eu-west-2_main.tfvars +++ b/infrastructure/terraform/etc/env_eu-west-2_main.tfvars @@ -28,3 +28,7 @@ min_size = 1 max_size = 1 enable_spot = false spot_max_price = "0.3" + +# Allow Grafana cross account access +observability_account_id = "273354664196" +oam_sink_id = "e04b741a-9ba8-43e2-865d-3a76519b675e" diff --git a/infrastructure/terraform/etc/env_eu-west-2_prod.tfvars b/infrastructure/terraform/etc/env_eu-west-2_prod.tfvars index 593740e7..3ce3fa28 100644 --- a/infrastructure/terraform/etc/env_eu-west-2_prod.tfvars +++ b/infrastructure/terraform/etc/env_eu-west-2_prod.tfvars @@ -38,3 +38,4 @@ enable_vault_lock_configuration = true # Allow Grafana cross account access observability_account_id = "677276089126" +oam_sink_id = "14dab7f7-c89f-46b5-9cf7-45d9643133c4" diff --git a/infrastructure/terraform/etc/env_eu-west-2_ref.tfvars b/infrastructure/terraform/etc/env_eu-west-2_ref.tfvars index a42cfd84..5410c091 100644 --- a/infrastructure/terraform/etc/env_eu-west-2_ref.tfvars +++ b/infrastructure/terraform/etc/env_eu-west-2_ref.tfvars @@ -35,3 +35,7 @@ batch_client_ids = [ ] enable_s3_backup = false + +# Allow Grafana cross account access +observability_account_id = "273354664196" +oam_sink_id = "e04b741a-9ba8-43e2-865d-3a76519b675e" diff --git a/infrastructure/terraform/etc/env_eu-west-2_uat.tfvars b/infrastructure/terraform/etc/env_eu-west-2_uat.tfvars index d233d65e..eea7528e 100644 --- a/infrastructure/terraform/etc/env_eu-west-2_uat.tfvars +++ b/infrastructure/terraform/etc/env_eu-west-2_uat.tfvars @@ -30,3 +30,7 @@ enable_spot = false spot_max_price = "0.3" enable_s3_backup = false + +# Allow Grafana cross account access +observability_account_id = "273354664196" +oam_sink_id = "e04b741a-9ba8-43e2-865d-3a76519b675e" diff --git a/infrastructure/terraform/etc/group_nhs-notify-reporting-dev.tfvars b/infrastructure/terraform/etc/group_nhs-notify-reporting-dev.tfvars index a57e28cc..13775a15 100644 
--- a/infrastructure/terraform/etc/group_nhs-notify-reporting-dev.tfvars +++ b/infrastructure/terraform/etc/group_nhs-notify-reporting-dev.tfvars @@ -8,7 +8,3 @@ core_account_ids = [ "815490582396", # ref "736102632839" # int & uat ] - -# Allow Grafana cross account access -observability_account_id = "273354664196" -oam_sink_id = "e04b741a-9ba8-43e2-865d-3a76519b675e" diff --git a/infrastructure/terraform/etc/group_nhs-notify-reporting-prod.tfvars b/infrastructure/terraform/etc/group_nhs-notify-reporting-prod.tfvars index a8588be4..730b84a9 100644 --- a/infrastructure/terraform/etc/group_nhs-notify-reporting-prod.tfvars +++ b/infrastructure/terraform/etc/group_nhs-notify-reporting-prod.tfvars @@ -4,7 +4,3 @@ aws_account_id = "211125615884" core_account_ids = [ "746418818434" ] - -# Allow Grafana cross account access -observability_account_id = "677276089126" -oam_sink_id = "14dab7f7-c89f-46b5-9cf7-45d9643133c4" From 4dfc77a6004281aa73862ee7f477b17a4132b6af Mon Sep 17 00:00:00 2001 From: jamesthompson26-nhs Date: Thu, 22 May 2025 11:06:38 +0100 Subject: [PATCH 16/19] CCM-10203: Add Observability Datasource --- infrastructure/terraform/components/reporting/variables.tf | 1 + 1 file changed, 1 insertion(+) diff --git a/infrastructure/terraform/components/reporting/variables.tf b/infrastructure/terraform/components/reporting/variables.tf index ef5a9704..a2862548 100644 --- a/infrastructure/terraform/components/reporting/variables.tf +++ b/infrastructure/terraform/components/reporting/variables.tf @@ -214,4 +214,5 @@ variable "enable_vault_lock_configuration" { variable "observability_account_id" { type = string description = "The Observability Account ID that needs access" + default = null } From 8ae9c4e9e701e4116b50af0028edeabea1fc6224 Mon Sep 17 00:00:00 2001 
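Review bot: Giving `observability_account_id` a `null` default does not make the reporting component's observability wiring optional: `aws_cloudwatch_log_subscription_filter.reporting` in `cloudwatch_log_group_reporting.tf` interpolates the variable into `destination_arn` unconditionally, and Terraform rejects a null inside a string template, so an environment without the value fails at plan instead of skipping the filter. If optional is the intent, gate the resource with `count = var.observability_account_id == null ? 0 : 1`; otherwise keep the variable required so the README's `yes` stays truthful.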
From: jamesthompson26-nhs Date: Thu, 22 May 2025 11:08:35 +0100 Subject: [PATCH 17/19] CCM-10203: Add Observability Datasource --- infrastructure/terraform/components/acct/variables.tf | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/infrastructure/terraform/components/acct/variables.tf b/infrastructure/terraform/components/acct/variables.tf index 8cd83b96..cf882e34 100644 --- a/infrastructure/terraform/components/acct/variables.tf +++ b/infrastructure/terraform/components/acct/variables.tf @@ -60,10 +60,11 @@ variable "core_account_ids" { variable "observability_account_id" { type = string description = "The Observability Account ID that needs access" + default = null } variable "oam_sink_id" { description = "The ID of the Cloudwatch OAM sink in the appropriate observability account." type = string - default = "" + default = null } From 6beb5172abc70cd5a85ee1eeec57cddad907bc49 Mon Sep 17 00:00:00 2001 From: jamesthompson26-nhs Date: Thu, 22 May 2025 11:45:16 +0100 Subject: [PATCH 18/19] CCM-10203: Add Observability Datasource --- .../terraform/etc/group_nhs-notify-reporting-dev.tfvars | 3 +++ .../terraform/etc/group_nhs-notify-reporting-prod.tfvars | 3 +++ 2 files changed, 6 insertions(+) diff --git a/infrastructure/terraform/etc/group_nhs-notify-reporting-dev.tfvars b/infrastructure/terraform/etc/group_nhs-notify-reporting-dev.tfvars index 13775a15..4df0bf2a 100644 --- a/infrastructure/terraform/etc/group_nhs-notify-reporting-dev.tfvars +++ b/infrastructure/terraform/etc/group_nhs-notify-reporting-dev.tfvars @@ -8,3 +8,6 @@ core_account_ids = [ "815490582396", # ref "736102632839" # int & uat ] + +# Allow Grafana cross account access +observability_account_id = "273354664196" diff --git a/infrastructure/terraform/etc/group_nhs-notify-reporting-prod.tfvars b/infrastructure/terraform/etc/group_nhs-notify-reporting-prod.tfvars index 730b84a9..87c12e95 100644 --- a/infrastructure/terraform/etc/group_nhs-notify-reporting-prod.tfvars 
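Review bot: With both `observability_account_id` and `oam_sink_id` now defaulting to `null` in `acct/variables.tf`, `module "obs_datasource"` in `module_obs_datasource.tf` is still called unconditionally and passes the nulls straight through, and `output "log_subscription_role_arn"` still dereferences the module; whether the shared module tolerates null inputs is not visible from this repository. If the datasource is meant to be optional, add `count = var.observability_account_id == null || var.oam_sink_id == null ? 0 : 1` to the module block and change the output to `value = try(module.obs_datasource[0].log_subscription_role_arn, null)`; otherwise keep the variables required.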
+++ b/infrastructure/terraform/etc/group_nhs-notify-reporting-prod.tfvars @@ -4,3 +4,6 @@ aws_account_id = "211125615884" core_account_ids = [ "746418818434" ] + +# Allow Grafana cross account access +observability_account_id = "273354664196" From 57f61cc0a5df15482e1810f744b2d2a8114a2266 Mon Sep 17 00:00:00 2001 From: jamesthompson26-nhs Date: Thu, 22 May 2025 12:02:28 +0100 Subject: [PATCH 19/19] CCM-10203: Add Observability Datasource --- infrastructure/terraform/components/acct/README.md | 4 ++-- infrastructure/terraform/components/reporting/README.md | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/infrastructure/terraform/components/acct/README.md b/infrastructure/terraform/components/acct/README.md index e8fcae22..641a0dec 100644 --- a/infrastructure/terraform/components/acct/README.md +++ b/infrastructure/terraform/components/acct/README.md 
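Review bot: `group_nhs-notify-reporting-prod.tfvars` is given `observability_account_id = "273354664196"`, but everywhere else in this series that id is the non-prod observability account — `env_eu-west-2_prod.tfvars` and the prod group file before patch 15 both use `677276089126`. If the `acct` component is applied with only the group-level tfvars (how tfscaffold layers the files is not visible here), the prod account's OAM link and log-subscription role will trust the dev observability account; the line should read `observability_account_id = "677276089126"`, and a comment naming which observability account each id belongs to would stop this recurring. Note also that `oam_sink_id` is not restored to the group files here, so the `acct` module in each account receives a null sink id unless the env files are loaded as well.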
@@ -18,8 +18,8 @@
 | [default\_tags](#input\_default\_tags) | A map of default tags to apply to all taggable resources within the component | `map(string)` | `{}` | no |
 | [environment](#input\_environment) | The name of the tfscaffold environment | `string` | n/a | yes |
 | [group](#input\_group) | The group variables are being inherited from (often synonmous with account short-name) | `string` | n/a | yes |
-| [oam\_sink\_id](#input\_oam\_sink\_id) | The ID of the Cloudwatch OAM sink in the appropriate observability account. | `string` | `""` | no |
-| [observability\_account\_id](#input\_observability\_account\_id) | The Observability Account ID that needs access | `string` | n/a | yes |
+| [oam\_sink\_id](#input\_oam\_sink\_id) | The ID of the Cloudwatch OAM sink in the appropriate observability account. | `string` | `null` | no |
+| [observability\_account\_id](#input\_observability\_account\_id) | The Observability Account ID that needs access | `string` | `null` | no |
 | [project](#input\_project) | The name of the tfscaffold project | `string` | n/a | yes |
 | [region](#input\_region) | The AWS Region | `string` | n/a | yes |
 ## Modules
diff --git a/infrastructure/terraform/components/reporting/README.md b/infrastructure/terraform/components/reporting/README.md
index 10963c73..1afa99ed 100644
--- a/infrastructure/terraform/components/reporting/README.md
+++ b/infrastructure/terraform/components/reporting/README.md
@@ -35,7 +35,7 @@ No requirements.
 | [max\_size](#input\_max\_size) | The maximum number of instances in the Power BI On-Premises Gateway Auto Scaling group. | `number` | `1` | no |
 | [min\_size](#input\_min\_size) | The minimum number of instances in the Power BI On-Premises Gateway Auto Scaling group. | `number` | `1` | no |
 | [module](#input\_module) | The variable encapsulating the name of this module | `string` | `"n/a"` | no |
-| [observability\_account\_id](#input\_observability\_account\_id) | The Observability Account ID that needs access | `string` | n/a | yes |
+| [observability\_account\_id](#input\_observability\_account\_id) | The Observability Account ID that needs access | `string` | `null` | no |
 | [periodic\_s3backup\_retention\_days](#input\_periodic\_s3backup\_retention\_days) | number of days to retain weekly s3 backups | `number` | `90` | no |
 | [periodic\_s3backup\_schedule](#input\_periodic\_s3backup\_schedule) | Crontab formatted schedule for Periodic S3 Backups | `string` | `"cron(0 5 ? * 7 *)"` | no |
 | [private\_subnet\_cidrs](#input\_private\_subnet\_cidrs) | List of CIDR blocks for private subnets. | `list(string)` | `[]` | no |
