NHSDigital · jamesthompson26-nhs · May 22, 2025 · May 21, 2025 · May 21, 2025 · May 21, 2025
@@ -12,8 +12,8 @@ trivy 0.61.0
 # The section below is reserved for Docker image versions.
 
 # TODO: Move this section - consider using a different file for the repository template dependencies.
-# docker/ghcr.io/anchore/grype v0.69.1@sha256:d41fcb371d0af59f311e72123dff46900ebd6d0482391b5a830853ee4f9d1a76 # SEE: https://github.com/anchore/grype/pkgs/container/grype
-# docker/ghcr.io/anchore/syft v0.92.0@sha256:63c60f0a21efb13e80aa1359ab243e49213b6cc2d7e0f8179da38e6913b997e0 # SEE: https://github.com/anchore/syft/pkgs/container/syft
+# docker/ghcr.io/anchore/grype v0.92.2@sha256:651e558f9ba84f2a790b3449c8a57cbbf4f34e004f7d3f14ae8f8cbeede4cd33  # SEE: https://github.com/anchore/grype/pkgs/container/grype
+# docker/ghcr.io/anchore/syft v1.26.0@sha256:de078f51704a213906970b1475edd6006b8af50aa159852e125518237487b8c6  # SEE: https://github.com/anchore/syft/pkgs/container/syft
 # docker/ghcr.io/gitleaks/gitleaks v8.18.0@sha256:fd2b5cab12b563d2cc538b14631764a1c25577780e3b7dba71657d58da45d9d9 # SEE: https://github.com/gitleaks/gitleaks/pkgs/container/gitleaks
 # docker/ghcr.io/igorshubovych/markdownlint-cli v0.37.0@sha256:fb3e79946fce78e1cde84d6798c6c2a55f2de11fc16606a40d49411e281d950d # SEE: https://github.com/igorshubovych/markdownlint-cli/pkgs/container/markdownlint-cli
 # docker/ghcr.io/make-ops-tools/gocloc latest@sha256:6888e62e9ae693c4ebcfed9f1d86c70fd083868acb8815fe44b561b9a73b5032 # SEE: https://github.com/make-ops-tools/gocloc/pkgs/container/gocloc

@@ -18,17 +18,21 @@
 | <a name="input_default_tags"></a> [default\_tags](#input\_default\_tags) | A map of default tags to apply to all taggable resources within the component | `map(string)` | `{}` | no |
 | <a name="input_environment"></a> [environment](#input\_environment) | The name of the tfscaffold environment | `string` | n/a | yes |
 | <a name="input_group"></a> [group](#input\_group) | The group variables are being inherited from (often synonmous with account short-name) | `string` | n/a | yes |
-| <a name="input_observability_account_id"></a> [observability\_account\_id](#input\_observability\_account\_id) | The Observability Account ID that needs access | `string` | n/a | yes |
+| <a name="input_oam_sink_id"></a> [oam\_sink\_id](#input\_oam\_sink\_id) | The ID of the Cloudwatch OAM sink in the appropriate observability account. | `string` | `null` | no |
+| <a name="input_observability_account_id"></a> [observability\_account\_id](#input\_observability\_account\_id) | The Observability Account ID that needs access | `string` | `null` | no |
 | <a name="input_project"></a> [project](#input\_project) | The name of the tfscaffold project | `string` | n/a | yes |
 | <a name="input_region"></a> [region](#input\_region) | The AWS Region | `string` | n/a | yes |
 ## Modules
 
-No modules.
+| Name | Source | Version |
+|------|--------|---------|
+| <a name="module_obs_datasource"></a> [obs\_datasource](#module\_obs\_datasource) | git::https://github.com/NHSDigital/nhs-notify-shared-modules.git//infrastructure/modules/obs-datasource | v2.0.3 |
 ## Outputs
 
 | Name | Description |
 |------|-------------|
 | <a name="output_aws_account_id"></a> [aws\_account\_id](#output\_aws\_account\_id) | n/a |
+| <a name="output_log_subscription_role_arn"></a> [log\_subscription\_role\_arn](#output\_log\_subscription\_role\_arn) | n/a |
 <!-- vale on -->
 <!-- markdownlint-enable -->
 <!-- END_TF_DOCS -->
@@ -19,6 +19,7 @@ data "aws_iam_policy_document" "github_deploy" {
       "firehose:*",
       "glue:*",
       "kinesis:*",
+      "oam:*",
     ]
     resources = ["*"]
   }

@@ -0,0 +1,14 @@
+module "obs_datasource" {
+  source = "git::https://github.com/NHSDigital/nhs-notify-shared-modules.git//infrastructure/modules/obs-datasource?ref=v2.0.3"
+
+  name = "obs-datasource"
+
+  aws_account_id = var.aws_account_id
+  region         = var.region
+  project        = var.project
+  environment    = var.environment
+  component      = var.component
+
+  oam_sink_id               = var.oam_sink_id
+  observability_account_id  = var.observability_account_id
+}
@@ -1,3 +1,7 @@
 output "aws_account_id" {
   value = var.aws_account_id
 }
+
+output "log_subscription_role_arn" {
+  value = module.obs_datasource.log_subscription_role_arn
+}
@@ -60,4 +60,11 @@ variable "core_account_ids" {
 variable "observability_account_id" {
   type        = string
   description = "The Observability Account ID that needs access"
+  default     = null
+}
+
+variable "oam_sink_id" {
+  description = "The ID of the Cloudwatch OAM sink in the appropriate observability account."
+  type        = string
+  default     = null
 }
@@ -13,6 +13,7 @@ No requirements.
 | <a name="input_account_name"></a> [account\_name](#input\_account\_name) | The name of the AWS Account to deploy into (see globals.tfvars) | `string` | n/a | yes |
 | <a name="input_app_deployer_role_name"></a> [app\_deployer\_role\_name](#input\_app\_deployer\_role\_name) | Name of the app deployer role that is allowed to deploy Comms Mgr applications but not create other IAM roles | `string` | n/a | yes |
 | <a name="input_app_deployer_role_permission_account_ids"></a> [app\_deployer\_role\_permission\_account\_ids](#input\_app\_deployer\_role\_permission\_account\_ids) | All AWS Account IDs for this project that have the AppDeployer role created | `map(string)` | `{}` | no |
+| <a name="input_aws_account_id"></a> [aws\_account\_id](#input\_aws\_account\_id) | The AWS Account ID (numeric) | `string` | n/a | yes |
 | <a name="input_batch_client_ids"></a> [batch\_client\_ids](#input\_batch\_client\_ids) | List of client ids that require additional batch identifier dimensions when aggregating data | `list(string)` | <pre>[<br/>  "NULL"<br/>]</pre> | no |
 | <a name="input_cloudtrail_log_group_name"></a> [cloudtrail\_log\_group\_name](#input\_cloudtrail\_log\_group\_name) | The name of the Cloudtrail log group name on the account (see globals.tfvars) | `string` | n/a | yes |
 | <a name="input_component"></a> [component](#input\_component) | The name of the component | `string` | `"reporting"` | no |
@@ -21,6 +22,7 @@ No requirements.
 | <a name="input_core_account_ids"></a> [core\_account\_ids](#input\_core\_account\_ids) | List of all corresponding core account id's that exist in the Non-Prod domain | `list(string)` | `[]` | no |
 | <a name="input_core_env"></a> [core\_env](#input\_core\_env) | The core environment that contains the corresponding Glue table/S3 buckets etc. | `string` | `"internal-dev"` | no |
 | <a name="input_default_kms_deletion_window_in_days"></a> [default\_kms\_deletion\_window\_in\_days](#input\_default\_kms\_deletion\_window\_in\_days) | Default number of days to set KMS key deletion window | `number` | `14` | no |
+| <a name="input_default_tags"></a> [default\_tags](#input\_default\_tags) | A map of default tags to apply to all taggable resources within the component | `map(string)` | `{}` | no |
 | <a name="input_desired_capacity"></a> [desired\_capacity](#input\_desired\_capacity) | The desired number of instances in the Power BI On-Premises Gateway Auto Scaling group. | `number` | `1` | no |
 | <a name="input_enable_powerbi_gateway"></a> [enable\_powerbi\_gateway](#input\_enable\_powerbi\_gateway) | Deploy EC2 instance for PowerBI On-Premises Gateway | `bool` | `true` | no |
 | <a name="input_enable_s3_backup"></a> [enable\_s3\_backup](#input\_enable\_s3\_backup) | Enable AWS S3 Backup of the data bucket | `bool` | `true` | no |
@@ -33,7 +35,7 @@ No requirements.
 | <a name="input_max_size"></a> [max\_size](#input\_max\_size) | The maximum number of instances in the Power BI On-Premises Gateway Auto Scaling group. | `number` | `1` | no |
 | <a name="input_min_size"></a> [min\_size](#input\_min\_size) | The minimum number of instances in the Power BI On-Premises Gateway Auto Scaling group. | `number` | `1` | no |
 | <a name="input_module"></a> [module](#input\_module) | The variable encapsulating the name of this module | `string` | `"n/a"` | no |
-| <a name="input_observability_account_id"></a> [observability\_account\_id](#input\_observability\_account\_id) | The Observability Account ID that needs access | `string` | n/a | yes |
+| <a name="input_observability_account_id"></a> [observability\_account\_id](#input\_observability\_account\_id) | The Observability Account ID that needs access | `string` | `null` | no |
 | <a name="input_periodic_s3backup_retention_days"></a> [periodic\_s3backup\_retention\_days](#input\_periodic\_s3backup\_retention\_days) | number of days to retain weekly s3 backups | `number` | `90` | no |
 | <a name="input_periodic_s3backup_schedule"></a> [periodic\_s3backup\_schedule](#input\_periodic\_s3backup\_schedule) | Crontab formatted schedule for Periodic S3 Backups | `string` | `"cron(0 5 ? * 7 *)"` | no |
 | <a name="input_private_subnet_cidrs"></a> [private\_subnet\_cidrs](#input\_private\_subnet\_cidrs) | List of CIDR blocks for private subnets. | `list(string)` | `[]` | no |

@@ -2,3 +2,11 @@ resource "aws_cloudwatch_log_group" "reporting" {
   name              = "/aws/sfn-state-machine/${local.csi}"
   retention_in_days = var.log_retention_days
 }
+
+resource "aws_cloudwatch_log_subscription_filter" "reporting" {
+  name            = "${local.csi}-reporting"
+  log_group_name  = aws_cloudwatch_log_group.reporting.name
+  filter_pattern  = ""
+  destination_arn = "arn:aws:logs:${var.region}:${var.observability_account_id}:destination:nhs-notify-main-acct-firehose-logs"
+  role_arn        = local.acct.log_subscription_role_arn
+}
@@ -0,0 +1,40 @@
+locals {
+  bootstrap = data.terraform_remote_state.bootstrap.outputs
+  acct      = data.terraform_remote_state.acct.outputs
+}
+
+data "terraform_remote_state" "bootstrap" {
+  backend = "s3"
+
+  config = {
+    bucket = local.terraform_state_bucket
+
+    key = format(
+      "%s/%s/%s/%s/bootstrap.tfstate",
+      var.project,
+      var.aws_account_id,
+      "eu-west-2",
+      "bootstrap"
+    )
+
+    region = "eu-west-2"
+  }
+}
+
+data "terraform_remote_state" "acct" {
+  backend = "s3"
+
+  config = {
+    bucket = local.terraform_state_bucket
+
+    key = format(
+      "%s/%s/%s/%s/acct.tfstate",
+      var.project,
+      var.aws_account_id,
+      "eu-west-2",
+      var.environment
+    )
+
+    region = "eu-west-2"
+  }
+}
@@ -0,0 +1,19 @@
+locals {
+  terraform_state_bucket = format(
+    "%s-tfscaffold-%s-%s",
+    var.project,
+    var.aws_account_id,
+    var.region,
+  )
+
+  default_tags = merge(
+    var.default_tags,
+    {
+      Project     = var.project
+      Environment = var.environment
+      Component   = var.component
+      Group       = var.group
+      Name        = local.csi
+    },
+  )
+}
@@ -9,11 +9,22 @@ variable "account_ids" {
   default     = {}
 }
 
+variable "aws_account_id" {
+  type        = string
+  description = "The AWS Account ID (numeric)"
+}
+
 variable "account_name" {
   type        = string
   description = "The name of the AWS Account to deploy into (see globals.tfvars)"
 }
 
+variable "default_tags" {
+  type        = map(string)
+  description = "A map of default tags to apply to all taggable resources within the component"
+  default     = {}
+}
+
 variable "app_deployer_role_permission_account_ids" {
   type        = map(string)
   description = "All AWS Account IDs for this project that have the AppDeployer role created"
@@ -203,4 +214,5 @@ variable "enable_vault_lock_configuration" {
 variable "observability_account_id" {
   type        = string
   description = "The Observability Account ID that needs access"
+  default     = null
 }
@@ -1,5 +1,6 @@
-environment  = "int"
-account_name = "notify-reporting-dev"
+environment    = "int"
+account_name   = "notify-reporting-dev"
+aws_account_id = "381492132479"
 
 core_account_id = "736102632839"
 core_env        = "int"
@@ -31,3 +32,4 @@ enable_s3_backup = false
 
 # Allow Grafana cross account access
 observability_account_id = "273354664196"
+oam_sink_id              = "e04b741a-9ba8-43e2-865d-3a76519b675e"
@@ -1,5 +1,7 @@
-environment  = "main"
-account_name = "notify-reporting-dev"
+environment    = "main"
+account_name   = "notify-reporting-dev"
+aws_account_id = "381492132479"
+
 
 core_account_id = "257995483745"
 core_env        = "internal-dev"
@@ -29,3 +31,4 @@ spot_max_price   = "0.3"
 
 # Allow Grafana cross account access
 observability_account_id = "273354664196"
+oam_sink_id              = "e04b741a-9ba8-43e2-865d-3a76519b675e"
@@ -1,5 +1,7 @@
-environment  = "prod"
-account_name = "notify-reporting-prod"
+environment    = "prod"
+account_name   = "notify-reporting-prod"
+aws_account_id = "211125615884"
+
 
 core_account_id = "746418818434"
 core_env        = "prod"
@@ -36,3 +38,4 @@ enable_vault_lock_configuration = true
 
 # Allow Grafana cross account access
 observability_account_id = "677276089126"
+oam_sink_id              = "14dab7f7-c89f-46b5-9cf7-45d9643133c4"
@@ -1,5 +1,7 @@
-environment  = "ref"
-account_name = "notify-reporting-dev"
+environment    = "ref"
+account_name   = "notify-reporting-dev"
+aws_account_id = "381492132479"
+
 
 core_account_id = "815490582396"
 core_env        = "ref"
@@ -36,3 +38,4 @@ enable_s3_backup = false
 
 # Allow Grafana cross account access
 observability_account_id = "273354664196"
+oam_sink_id              = "e04b741a-9ba8-43e2-865d-3a76519b675e"
@@ -1,5 +1,7 @@
-environment  = "uat"
-account_name = "notify-reporting-dev"
+environment    = "uat"
+account_name   = "notify-reporting-dev"
+aws_account_id = "381492132479"
+
 
 core_account_id = "736102632839"
 core_env        = "uat"
@@ -31,3 +33,4 @@ enable_s3_backup = false
 
 # Allow Grafana cross account access
 observability_account_id = "273354664196"
+oam_sink_id              = "e04b741a-9ba8-43e2-865d-3a76519b675e"
@@ -6,4 +6,4 @@ core_account_ids = [
 ]
 
 # Allow Grafana cross account access
-observability_account_id = "677276089126"
+observability_account_id = "273354664196"