From 6083a1df9e13d6ea223ba14799a986bcf567ace4 Mon Sep 17 00:00:00 2001
From: sidnhs
Date: Tue, 13 May 2025 09:22:45 +0100
Subject: [PATCH 1/6] CCM-9868: Adding subfilter for lambda logs
---
 ...dwatch_log_subscription_filter_firehose.tf | 8 +++++++
 infrastructure/modules/lambda/variables.tf | 24 +++++++++++++++++++
 2 files changed, 32 insertions(+)
 create mode 100644 infrastructure/modules/lambda/cloudwatch_log_subscription_filter_firehose.tf
diff --git a/infrastructure/modules/lambda/cloudwatch_log_subscription_filter_firehose.tf b/infrastructure/modules/lambda/cloudwatch_log_subscription_filter_firehose.tf
new file mode 100644
index 0000000..cd4843c
--- /dev/null
+++ b/infrastructure/modules/lambda/cloudwatch_log_subscription_filter_firehose.tf
@@ -0,0 +1,8 @@
+resource "aws_cloudwatch_log_subscription_filter" "amplify" {
+ count = var.send_to_firehose ? 1 : 0
+ name = replace(aws_cloudwatch_log_group.main.name, "/", "-")
+ log_group_name = aws_cloudwatch_log_group.main.name
+ filter_pattern = var.filter_pattern
+ destination_arn = var.destination_arn
+ role_arn = var.log_subscription_log_role_arn
+}
diff --git a/infrastructure/modules/lambda/variables.tf b/infrastructure/modules/lambda/variables.tf
index 7e0be65..90a503e 100644
--- a/infrastructure/modules/lambda/variables.tf
+++ b/infrastructure/modules/lambda/variables.tf
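Review bot: Setting `send_to_firehose = true` while leaving `destination_arn` and `log_subscription_log_role_arn` at their `""` defaults is not caught at plan time; the new resource passes both values through unvalidated, so the mistake only surfaces when the CloudWatch Logs API rejects the apply. A `lifecycle` precondition on the resource (Terraform 1.2+) turns that into a plan-time error with a clear message; the variables are renamed later in this series, so the names below follow this hunk. The `role_arn` is the role CloudWatch Logs assumes to write into the delivery stream, so its trust policy should presumably limit `logs.<region>.amazonaws.com` with `aws:SourceArn`/`aws:SourceAccount` conditions — that role is created outside this module, so I cannot confirm it here. With `filter_pattern` defaulting to `""`, every event in the function's log group is forwarded, including anything sensitive the function happens to log; that deserves a sentence in the module README. The README's `log_subscription_lambda_create_permission` input suggests this log group may already carry a Lambda-forwarder subscription filter; CloudWatch Logs allows two per log group, so this fits for now but a third destination will not.
```hcl
resource "aws_cloudwatch_log_subscription_filter" "amplify" {
  count = var.send_to_firehose ? 1 : 0
  # … unchanged: name, log_group_name, filter_pattern, destination_arn, role_arn …

  lifecycle {
    precondition {
      condition     = var.destination_arn != "" && var.log_subscription_log_role_arn != ""
      error_message = "send_to_firehose = true requires destination_arn and log_subscription_log_role_arn to be set."
    }
  }
}
```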
@@ -212,3 +212,27 @@ variable "lambda_at_edge" {
 description = "Enable the lambda insights layer, this must be disabled for lambda@edge usage"
 default = false
 }
+
+variable "send_to_firehose" {
+ type = bool
+ description = "Enable sending logs to firehose"
+ default = false
+}
+
+variable "filter_pattern" {
+ type = string
+ description = "Filter pattern to use for the log subscription filter"
+ default = ""
+}
+
+variable "destination_arn" {
+ type = string
+ description = "Destination ARN to use for the log subscription filter"
+ default = ""
+}
+
+variable "log_subscription_log_role_arn" {
+ type = string
+ description = "The ARN of the IAM role to use for the log subscription filter"
+ default = ""
+}
From 3ee46b02f6443f7d3a2b030a5f1f80cf39533e59 Mon Sep 17 00:00:00 2001
From: sidnhs
Date: Tue, 13 May 2025 09:23:02 +0100
Subject: [PATCH 2/6] CCM-9868: Adding subfilter for lambda logs
---
 .../lambda/cloudwatch_log_subscription_filter_firehose.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/infrastructure/modules/lambda/cloudwatch_log_subscription_filter_firehose.tf b/infrastructure/modules/lambda/cloudwatch_log_subscription_filter_firehose.tf
index cd4843c..b8296ee 100644
--- a/infrastructure/modules/lambda/cloudwatch_log_subscription_filter_firehose.tf
+++ b/infrastructure/modules/lambda/cloudwatch_log_subscription_filter_firehose.tf
@@ -1,5 +1,5 @@
 resource "aws_cloudwatch_log_subscription_filter" "amplify" {
- count = var.send_to_firehose ? 1 : 0
+ count = var.send_to_firehose ? 1 : 0
 name = replace(aws_cloudwatch_log_group.main.name, "/", "-")
 log_group_name = aws_cloudwatch_log_group.main.name
 filter_pattern = var.filter_pattern
From 26235191c426af8577a4804e2135e20749ff84d0 Mon Sep 17 00:00:00 2001
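Review bot: The four new variable descriptions do not say when a value is required or what the empty defaults mean, which matters here because `filter_pattern = ""` makes CloudWatch Logs forward every event in the log group, and `destination_arn`/`log_subscription_log_role_arn` are only meaningful when `send_to_firehose` is true. I would change `description = "Filter pattern to use for the log subscription filter"` to `description = "CloudWatch Logs filter pattern for the subscription filter. The default (empty string) forwards every event in the log group."`, and give the two ARN variables a sentence such as `Required when send_to_firehose is true; typically a Kinesis Data Firehose delivery stream ARN` for the destination and `Required when send_to_firehose is true; the IAM role CloudWatch Logs assumes to write to the destination` for the role. A `validation` block on each ARN variable, e.g. `condition = var.destination_arn == "" || can(regex("^arn:", var.destination_arn))` with an `error_message`, would additionally reject obvious typos at plan time. These variables are renamed later in the series (`log_destination_arn`, `log_subscription_role_arn`), so the terraform-docs README table should be regenerated once the wording settles.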
From: sidnhs
Date: Tue, 13 May 2025 15:32:28 +0100
Subject: [PATCH 3/6] CCM-9868: Adding subfilter for lambda logs
---
 infrastructure/modules/lambda/README.md | 4 ++++
 .../lambda/cloudwatch_log_subscription_filter_firehose.tf | 4 ++--
 2 files changed, 6 insertions(+), 2 deletions(-)
diff --git a/infrastructure/modules/lambda/README.md b/infrastructure/modules/lambda/README.md
index 5482e26..8ed76f4 100644
--- a/infrastructure/modules/lambda/README.md
+++ b/infrastructure/modules/lambda/README.md
@@ -16,9 +16,11 @@
 | [component](#input\_component) | The name of the tfscaffold component | `string` | n/a | yes |
 | [default\_tags](#input\_default\_tags) | A map of default tags to apply to all taggable resources within the component | `map(string)` | `{}` | no |
 | [description](#input\_description) | Description of the Lambda | `string` | n/a | yes |
+| [destination\_arn](#input\_destination\_arn) | Destination ARN to use for the log subscription filter | `string` | `""` | no |
 | [enable\_dlq\_and\_notifications](#input\_enable\_dlq\_and\_notifications) | Create an SQS Queue and on-failure destination to be used as the Lambda's Dead Letter Queue and notifications | `bool` | `false` | no |
 | [enable\_lambda\_insights](#input\_enable\_lambda\_insights) | Enable the lambda insights layer, this must be disabled for lambda@edge usage | `bool` | `true` | no |
 | [environment](#input\_environment) | The name of the tfscaffold environment | `string` | n/a | yes |
+| [filter\_pattern](#input\_filter\_pattern) | Filter pattern to use for the log subscription filter | `string` | `""` | no |
 | [force\_lambda\_code\_deploy](#input\_force\_lambda\_code\_deploy) | If the lambda package in s3 has the same commit id tag as the terraform build branch, the lambda will not update automatically. Set to True if making changes to Lambda code from on the same commit for example during development | `bool` | `false` | no |
 | [function\_code\_base\_path](#input\_function\_code\_base\_path) | The path to the sourcecode directories needed for this lambda | `string` | `"./"` | no |
 | [function\_code\_dir](#input\_function\_code\_dir) | The path to the sourcecode directories needed for this lambda | `string` | n/a | yes |
@@ -37,11 +39,13 @@
 | [log\_level](#input\_log\_level) | The log level to be used in lambda functions within the component. Any log with a lower severity than the configured value will not be logged: https://docs.python.org/3/library/logging.html#levels | `string` | `"INFO"` | no |
 | [log\_retention\_in\_days](#input\_log\_retention\_in\_days) | The retention period in days for the Cloudwatch Logs events generated by the lambda function | `number` | n/a | yes |
 | [log\_subscription\_lambda\_create\_permission](#input\_log\_subscription\_lambda\_create\_permission) | Whether to create a permission for the log forwarder. Set to false if using a generic one. | `bool` | `true` | no |
+| [log\_subscription\_log\_role\_arn](#input\_log\_subscription\_log\_role\_arn) | The ARN of the IAM role to use for the log subscription filter | `string` | `""` | no |
 | [memory](#input\_memory) | The amount of memory to apply to the created Lambda | `number` | n/a | yes |
 | [project](#input\_project) | The name of the tfscaffold project | `string` | n/a | yes |
 | [region](#input\_region) | The AWS Region | `string` | n/a | yes |
 | [runtime](#input\_runtime) | The runtime to use for the lambda function | `string` | n/a | yes |
 | [schedule](#input\_schedule) | The fully qualified Cloudwatch Events schedule for when to run the lambda function, e.g. rate(1 day) or a cron() expression.
Default disables all events resources | `string` | `""` | no |
+| [send\_to\_firehose](#input\_send\_to\_firehose) | Enable sending logs to firehose | `bool` | `false` | no |
 | [sns\_destination](#input\_sns\_destination) | SNS Topic ARN to be used for on-failure Lambda invocation records | `string` | `null` | no |
 | [sns\_destination\_kms\_key](#input\_sns\_destination\_kms\_key) | KMS Key ARN to be used for SNS Topic for on-failure Lambda invocation records | `string` | `null` | no |
 | [system\_log\_level](#input\_system\_log\_level) | The detail level of the Lambda platform event logs sent to CloudWatch | `string` | `"WARN"` | no |
diff --git a/infrastructure/modules/lambda/cloudwatch_log_subscription_filter_firehose.tf b/infrastructure/modules/lambda/cloudwatch_log_subscription_filter_firehose.tf
index b8296ee..6913705 100644
--- a/infrastructure/modules/lambda/cloudwatch_log_subscription_filter_firehose.tf
+++ b/infrastructure/modules/lambda/cloudwatch_log_subscription_filter_firehose.tf
@@ -1,5 +1,5 @@
-resource "aws_cloudwatch_log_subscription_filter" "amplify" {
- count = var.send_to_firehose ? 1 : 0
+resource "aws_cloudwatch_log_subscription_filter" "firehose" {
+ count = var.send_to_firehose ? 1 : 0 # Keeping this optional for now as don't want to break all lambdas using this, can make this mandatory later
 name = replace(aws_cloudwatch_log_group.main.name, "/", "-")
 log_group_name = aws_cloudwatch_log_group.main.name
 filter_pattern = var.filter_pattern
From a176be89dcc0450997654f7a0fb23f1ad8dbd4b1 Mon Sep 17 00:00:00 2001
From: sidnhs
Date: Wed, 14 May 2025 10:33:01 +0100
Subject: [PATCH 4/6] CCM-9868: Adding subfilter for lambda logs
---
 .../lambda/cloudwatch_log_subscription_filter_firehose.tf | 4 ++--
 infrastructure/modules/lambda/variables.tf | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/infrastructure/modules/lambda/cloudwatch_log_subscription_filter_firehose.tf b/infrastructure/modules/lambda/cloudwatch_log_subscription_filter_firehose.tf
index 6913705..e253875 100644
--- a/infrastructure/modules/lambda/cloudwatch_log_subscription_filter_firehose.tf
+++ b/infrastructure/modules/lambda/cloudwatch_log_subscription_filter_firehose.tf
@@ -3,6 +3,6 @@ resource "aws_cloudwatch_log_subscription_filter" "firehose" {
 name = replace(aws_cloudwatch_log_group.main.name, "/", "-")
 log_group_name = aws_cloudwatch_log_group.main.name
 filter_pattern = var.filter_pattern
- destination_arn = var.destination_arn
- role_arn = var.log_subscription_log_role_arn
+ destination_arn = var.cloudwatch_log_destination_arn
+ role_arn = var.log_subscription_role_arn
 }
diff --git a/infrastructure/modules/lambda/variables.tf b/infrastructure/modules/lambda/variables.tf
index 90a503e..815e3f6 100644
--- a/infrastructure/modules/lambda/variables.tf
+++ b/infrastructure/modules/lambda/variables.tf
@@ -225,13 +225,13 @@ variable "filter_pattern" {
 default = ""
 }
-variable "destination_arn" {
+variable "cloudwatch_log_destination_arn" {
 type = string
 description = "Destination ARN to use for the log subscription filter"
 default = ""
 }
-variable "log_subscription_log_role_arn" {
+variable "log_subscription_role_arn" {
 type = string
 description = "The ARN of the IAM role to use for the log subscription filter"
 default = ""
From 28c78e0c4b163c320807cf23974773164fc4653e Mon Sep 17 00:00:00 2001
From: sidnhs
Date: Wed, 14 May 2025 12:08:09 +0100
Subject: [PATCH 5/6] CCM-9868: Adding subfilter for lambda logs
---
 infrastructure/modules/lambda/README.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/infrastructure/modules/lambda/README.md b/infrastructure/modules/lambda/README.md
index 8ed76f4..8daf4d3 100644
--- a/infrastructure/modules/lambda/README.md
+++ b/infrastructure/modules/lambda/README.md
@@ -13,10 +13,10 @@
 |------|-------------|------|---------|:--------:|
 | [application\_log\_level](#input\_application\_log\_level) | The detail level of the logs the application sends to CloudWatch | `string` | `"INFO"` | no |
 | [aws\_account\_id](#input\_aws\_account\_id) | The AWS Account ID (numeric) | `string` | n/a | yes |
+| [cloudwatch\_log\_destination\_arn](#input\_cloudwatch\_log\_destination\_arn) | Destination ARN to use for the log subscription filter | `string` | `""` | no |
 | [component](#input\_component) | The name of the tfscaffold component | `string` | n/a | yes |
 | [default\_tags](#input\_default\_tags) | A map of default tags to apply to all taggable resources within the component | `map(string)` | `{}` | no |
 | [description](#input\_description) | Description of the Lambda | `string` | n/a | yes |
-| [destination\_arn](#input\_destination\_arn) | Destination ARN to use for the log subscription filter | `string` | `""` | no |
 | [enable\_dlq\_and\_notifications](#input\_enable\_dlq\_and\_notifications) | Create an SQS Queue and on-failure destination to be used as the Lambda's Dead Letter Queue and notifications | `bool` | `false` | no |
 | [enable\_lambda\_insights](#input\_enable\_lambda\_insights) | Enable the lambda insights layer, this must be disabled for lambda@edge usage | `bool` | `true` | no |
 | [environment](#input\_environment) | The name of the tfscaffold environment | `string` | n/a | yes |
@@ -39,7 +39,7 @@
 | [log\_level](#input\_log\_level) | The log level to be used in lambda functions within the component. Any log with a lower severity than the configured value will not be logged: https://docs.python.org/3/library/logging.html#levels | `string` | `"INFO"` | no |
 | [log\_retention\_in\_days](#input\_log\_retention\_in\_days) | The retention period in days for the Cloudwatch Logs events generated by the lambda function | `number` | n/a | yes |
 | [log\_subscription\_lambda\_create\_permission](#input\_log\_subscription\_lambda\_create\_permission) | Whether to create a permission for the log forwarder. Set to false if using a generic one. | `bool` | `true` | no |
-| [log\_subscription\_log\_role\_arn](#input\_log\_subscription\_log\_role\_arn) | The ARN of the IAM role to use for the log subscription filter | `string` | `""` | no |
+| [log\_subscription\_role\_arn](#input\_log\_subscription\_role\_arn) | The ARN of the IAM role to use for the log subscription filter | `string` | `""` | no |
 | [memory](#input\_memory) | The amount of memory to apply to the created Lambda | `number` | n/a | yes |
 | [project](#input\_project) | The name of the tfscaffold project | `string` | n/a | yes |
 | [region](#input\_region) | The AWS Region | `string` | n/a | yes |
From f4c539874862f6912ce5a383d65c7605f3bc1f4d Mon Sep 17 00:00:00 2001
From: sidnhs
Date: Wed, 14 May 2025 13:44:39 +0100
Subject: [PATCH 6/6] CCM-9868: Making var name consistent
---
 infrastructure/modules/lambda/README.md | 2 +-
 .../lambda/cloudwatch_log_subscription_filter_firehose.tf | 2 +-
 infrastructure/modules/lambda/variables.tf | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/infrastructure/modules/lambda/README.md b/infrastructure/modules/lambda/README.md
index 8daf4d3..b08f81c 100644
--- a/infrastructure/modules/lambda/README.md
+++ b/infrastructure/modules/lambda/README.md
@@ -13,7 +13,6 @@
 |------|-------------|------|---------|:--------:|
 | [application\_log\_level](#input\_application\_log\_level) | The detail level of the logs the application sends to CloudWatch | `string` | `"INFO"` | no |
 | [aws\_account\_id](#input\_aws\_account\_id) | The AWS Account ID (numeric) | `string` | n/a | yes |
-| [cloudwatch\_log\_destination\_arn](#input\_cloudwatch\_log\_destination\_arn) | Destination ARN to use for the log subscription filter | `string` | `""` | no |
 | [component](#input\_component) | The name of the tfscaffold component | `string` | n/a | yes |
 | [default\_tags](#input\_default\_tags) | A map of default tags to apply to all taggable resources within the component | `map(string)` | `{}` | no |
 | [description](#input\_description) | Description of the Lambda | `string` | n/a | yes |
@@ -36,6 +35,7 @@
 | [lambda\_dlq\_message\_retention\_seconds](#input\_lambda\_dlq\_message\_retention\_seconds) | KMS Key ARN to be used for SNS Topic for on-failure Lambda invocation records | `number` | `86400` | no |
 | [lambda\_env\_vars](#input\_lambda\_env\_vars) | Lambda environment parameters map | `map(string)` | `{}` | no |
 | [layers](#input\_layers) | Lambda layer arns to include | `list(any)` | `[]` | no |
+| [log\_destination\_arn](#input\_log\_destination\_arn) | Destination ARN to use for the log subscription filter | `string` | `""` | no |
 | [log\_level](#input\_log\_level) | The log level to be used in lambda functions within the component. Any log with a lower severity than the configured value will not be logged: https://docs.python.org/3/library/logging.html#levels | `string` | `"INFO"` | no |
 | [log\_retention\_in\_days](#input\_log\_retention\_in\_days) | The retention period in days for the Cloudwatch Logs events generated by the lambda function | `number` | n/a | yes |
 | [log\_subscription\_lambda\_create\_permission](#input\_log\_subscription\_lambda\_create\_permission) | Whether to create a permission for the log forwarder. Set to false if using a generic one. | `bool` | `true` | no |
diff --git a/infrastructure/modules/lambda/cloudwatch_log_subscription_filter_firehose.tf b/infrastructure/modules/lambda/cloudwatch_log_subscription_filter_firehose.tf
index e253875..0e026da 100644
--- a/infrastructure/modules/lambda/cloudwatch_log_subscription_filter_firehose.tf
+++ b/infrastructure/modules/lambda/cloudwatch_log_subscription_filter_firehose.tf
@@ -3,6 +3,6 @@ resource "aws_cloudwatch_log_subscription_filter" "firehose" {
 name = replace(aws_cloudwatch_log_group.main.name, "/", "-")
 log_group_name = aws_cloudwatch_log_group.main.name
 filter_pattern = var.filter_pattern
- destination_arn = var.cloudwatch_log_destination_arn
+ destination_arn = var.log_destination_arn
 role_arn = var.log_subscription_role_arn
 }
diff --git a/infrastructure/modules/lambda/variables.tf b/infrastructure/modules/lambda/variables.tf
index 815e3f6..61a9641 100644
--- a/infrastructure/modules/lambda/variables.tf
+++ b/infrastructure/modules/lambda/variables.tf
@@ -225,7 +225,7 @@ variable "filter_pattern" {
 default = ""
 }
-variable "cloudwatch_log_destination_arn" {
+variable "log_destination_arn" {
 type = string
 description = "Destination ARN to use for the log subscription filter"
 default = ""