From 7c81c99074674b7987e383f28084970d66105d65 Mon Sep 17 00:00:00 2001
From: sidnhs
Date: Tue, 31 Mar 2026 14:12:52 +0100
Subject: [PATCH 1/2] CCM-15958: Enable CSOC APIGW Log Forwarding on api component
---
 infrastructure/terraform/components/api/README.md | 2 ++
 .../api/cloudwatch_log_group_api_gateway_access.tf | 9 +++++++++
 .../api/data_iam_role_csoc_subscription.tf | 4 ++++
 infrastructure/terraform/components/api/locals.tf | 5 +++++
 infrastructure/terraform/components/api/variables.tf | 12 ++++++++++++
 5 files changed, 32 insertions(+)
 create mode 100644 infrastructure/terraform/components/api/data_iam_role_csoc_subscription.tf
diff --git a/infrastructure/terraform/components/api/README.md b/infrastructure/terraform/components/api/README.md
index f3443ed8a..a0b2b3cdb 100644
--- a/infrastructure/terraform/components/api/README.md
+++ b/infrastructure/terraform/components/api/README.md
@@ -15,6 +15,8 @@ No requirements.
 | [component](#input\_component) | The variable encapsulating the name of this component | `string` | `"supapi"` | no |
 | [core\_account\_id](#input\_core\_account\_id) | AWS Account ID for Core | `string` | `"000000000000"` | no |
 | [core\_environment](#input\_core\_environment) | Environment of Core | `string` | `"prod"` | no |
+| [csoc\_destination\_account](#input\_csoc\_destination\_account) | value of the CSOC destination account, if applicable. If null, CSOC destination account will not be added as a resource in the logging policy | `string` | `"000000000000"` | no |
+| [csoc\_log\_forwarding](#input\_csoc\_log\_forwarding) | Enable forwarding of API Gateway logs to CSOC | `bool` | `true` | no |
 | [default\_tags](#input\_default\_tags) | A map of default tags to apply to all taggable resources within the component | `map(string)` | `{}` | no |
 | [disable\_gateway\_execute\_endpoint](#input\_disable\_gateway\_execute\_endpoint) | Disable the execution endpoint for the API Gateway | `bool` | `true` | no |
 | [enable\_alarms](#input\_enable\_alarms) | Enable CloudWatch alarms for this deployed environment | `bool` | `true` | no |
diff --git a/infrastructure/terraform/components/api/cloudwatch_log_group_api_gateway_access.tf b/infrastructure/terraform/components/api/cloudwatch_log_group_api_gateway_access.tf
index 1b93de894..3907dd711 100644
--- a/infrastructure/terraform/components/api/cloudwatch_log_group_api_gateway_access.tf
+++ b/infrastructure/terraform/components/api/cloudwatch_log_group_api_gateway_access.tf
@@ -10,3 +10,12 @@ resource "aws_cloudwatch_log_subscription_filter" "api_gateway_access" {
 filter_pattern = ""
 destination_arn = local.destination_arn
 }
+
+resource "aws_cloudwatch_log_subscription_filter" "api_gateway" {
+ count = var.csoc_log_forwarding ? 1 : 0
+ name = replace(aws_cloudwatch_log_group.api_gateway_access.name, "/", "-")
+ log_group_name = aws_cloudwatch_log_group.api_gateway_access.name
+ role_arn = data.aws_iam_role.csoc_subscription[0].arn
+ filter_pattern = ""
+ destination_arn = local.csoc_api_gw_log_destination_arn
+}
diff --git a/infrastructure/terraform/components/api/data_iam_role_csoc_subscription.tf b/infrastructure/terraform/components/api/data_iam_role_csoc_subscription.tf
new file mode 100644
index 000000000..5148063c8
--- /dev/null
+++ b/infrastructure/terraform/components/api/data_iam_role_csoc_subscription.tf
@@ -0,0 +1,4 @@
+data "aws_iam_role" "csoc_subscription" {
+ count = var.csoc_log_forwarding ? 1 : 0
+ name = "nhs-main-acct-api-log-subscription-role"
+}
diff --git a/infrastructure/terraform/components/api/locals.tf b/infrastructure/terraform/components/api/locals.tf
index adc6947a6..17e52b090 100644
--- a/infrastructure/terraform/components/api/locals.tf
+++ b/infrastructure/terraform/components/api/locals.tf
@@ -37,4 +37,9 @@ locals {
 event_cache_bucket_name = lookup(module.eventpub.s3_bucket_event_cache, "bucket", null)
 eventsub_event_cache_bucket_name = lookup(module.eventsub.s3_bucket_event_cache, "bucket", null)
 
+
+ csoc_api_gw_log_destination_arn = format("arn:aws:logs:%s:%s:destination:api_gateway_log_destination",
+ var.region,
+ var.csoc_destination_account
+ )
 }
diff --git a/infrastructure/terraform/components/api/variables.tf b/infrastructure/terraform/components/api/variables.tf
index 508b33d53..4f831d18f 100644
--- a/infrastructure/terraform/components/api/variables.tf
+++ b/infrastructure/terraform/components/api/variables.tf
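Review bot: The new `api_gateway` filter is the second subscription on `aws_cloudwatch_log_group.api_gateway_access` next to the existing `api_gateway_access` filter, and CloudWatch Logs permits at most two subscription filters per log group, so this change uses the last slot without saying so; a comment such as `# Second (and last permitted) subscription filter on this log group; forwards access logs cross-account to CSOC` would stop the next addition failing at apply time. With `filter_pattern = ""` every access-log record leaves the account, so it is worth confirming that the access log format configured on the stage (outside this hunk) carries no request headers or query strings that could contain credentials, and recording that confirmation next to the resource. Naming the resource `api_gateway_csoc` rather than `api_gateway` would also distinguish it from the existing filter and from the local `destination_arn` it does not use.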
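Review bot: `data.aws_iam_role.csoc_subscription` looks up the role purely by the hard-coded name `nhs-main-acct-api-log-subscription-role`, so it must already exist in every account where `csoc_log_forwarding` is true, and nothing here records where it is provisioned or what it is trusted to do. A comment above the block, e.g. `# Pre-provisioned out of band by <owning stack, TODO name it>; assumed by the CloudWatch Logs service to deliver to the CSOC destination`, would give the plan-time "role not found" failure an obvious fix. Exposing the name as a variable alongside `csoc_destination_account` would also keep the two CSOC inputs configurable in the same place.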
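Review bot: `csoc_api_gw_log_destination_arn` passes `var.csoc_destination_account` straight into `format`, while that variable's description in the variables.tf hunk says a null value disables the destination; `format` does not accept a null argument in Terraform, so the documented null behaviour does not exist and a null would fail the plan instead. Either guard the local, `csoc_api_gw_log_destination_arn = var.csoc_destination_account == null ? null : format(...)`, and fold the same null check into the subscription filter's `count`, or reword the description to match what the code does. The partition `aws` and the destination name `api_gateway_log_destination` are also fixed in the format string; if that is intentional a short comment saying the destination is created by the CSOC account under that name would help.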
@@ -229,3 +229,15 @@ variable "event_anomaly_band_width" {
 description = "The width of the anomaly detection band. Higher values (e.g. 4-6) reduce sensitivity and noise, lower values (e.g. 2-3) increase sensitivity. Recommended: 2-4."
 default = 4
 }
+
+variable "csoc_log_forwarding" {
+ type = bool
+ description = "Enable forwarding of API Gateway logs to CSOC"
+ default = true
+}
+
+variable "csoc_destination_account" {
+ type = string
+ description = "value of the CSOC destination account, if applicable. If null, CSOC destination account will not be added as a resource in the logging policy"
+ default = "000000000000"
+}
From f8ebb79aef004114cd94bc140f2f8f3b6585e04b Mon Sep 17 00:00:00 2001
From: sidnhs
Date: Thu, 2 Apr 2026 15:29:04 +0100
Subject: [PATCH 2/2] CCM-15958: Add markdown yaml file
---
 scripts/config/markdownlint.yaml | 11 +++++++++++
 1 file changed, 11 insertions(+)
 create mode 100644 scripts/config/markdownlint.yaml
diff --git a/scripts/config/markdownlint.yaml b/scripts/config/markdownlint.yaml
new file mode 100644
index 000000000..554ab554b
--- /dev/null
+++ b/scripts/config/markdownlint.yaml
@@ -0,0 +1,11 @@
+# SEE: https://github.com/DavidAnson/markdownlint/blob/main/schema/.markdownlint.yaml
+
+# https://github.com/DavidAnson/markdownlint/blob/main/doc/md013.md
+MD013: false
+
+# https://github.com/DavidAnson/markdownlint/blob/main/doc/md024.md
+MD024:
+ siblings_only: true
+
+# https://github.com/DavidAnson/markdownlint/blob/main/doc/md033.md
+MD033: false
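Review bot: With `csoc_log_forwarding` defaulting to `true` and `csoc_destination_account` defaulting to the placeholder `000000000000`, a deployment that sets neither variable attempts cross-account forwarding of access logs to a destination in a placeholder account, which will fail at apply or, if that placeholder is ever replaced by a real but wrong ID, send the logs to the wrong account. Making forwarding opt-in, `default = false`, or dropping the placeholder default so a real account ID must be supplied, keeps the default plan safe; a `validation` block with `condition = can(regex("^[0-9]{12}$", var.csoc_destination_account))` would additionally reject malformed IDs early. The `csoc_destination_account` description also reads as copied from a logging-policy context ("added as a resource in the logging policy") rather than describing this component, where the value only feeds the destination ARN.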