NHSDigital · sidnhs · Mar 31, 2026 · Apr 2, 2026
@@ -15,6 +15,8 @@ No requirements.
 | <a name="input_component"></a> [component](#input\_component) | The variable encapsulating the name of this component | `string` | `"supapi"` | no |
 | <a name="input_core_account_id"></a> [core\_account\_id](#input\_core\_account\_id) | AWS Account ID for Core | `string` | `"000000000000"` | no |
 | <a name="input_core_environment"></a> [core\_environment](#input\_core\_environment) | Environment of Core | `string` | `"prod"` | no |
+| <a name="input_csoc_destination_account"></a> [csoc\_destination\_account](#input\_csoc\_destination\_account) | value of the CSOC destination account, if applicable. If null, CSOC destination account will not be added as a resource in the logging policy | `string` | `"000000000000"` | no |
+| <a name="input_csoc_log_forwarding"></a> [csoc\_log\_forwarding](#input\_csoc\_log\_forwarding) | Enable forwarding of API Gateway logs to CSOC | `bool` | `true` | no |
 | <a name="input_default_tags"></a> [default\_tags](#input\_default\_tags) | A map of default tags to apply to all taggable resources within the component | `map(string)` | `{}` | no |
 | <a name="input_disable_gateway_execute_endpoint"></a> [disable\_gateway\_execute\_endpoint](#input\_disable\_gateway\_execute\_endpoint) | Disable the execution endpoint for the API Gateway | `bool` | `true` | no |
 | <a name="input_enable_alarms"></a> [enable\_alarms](#input\_enable\_alarms) | Enable CloudWatch alarms for this deployed environment | `bool` | `true` | no |

@@ -10,3 +10,12 @@ resource "aws_cloudwatch_log_subscription_filter" "api_gateway_access" {
   filter_pattern  = ""
   destination_arn = local.destination_arn
 }
+
+resource "aws_cloudwatch_log_subscription_filter" "api_gateway" {
+  count           = var.csoc_log_forwarding ? 1 : 0
+  name            = replace(aws_cloudwatch_log_group.api_gateway_access.name, "/", "-")
+  log_group_name  = aws_cloudwatch_log_group.api_gateway_access.name
+  role_arn        = data.aws_iam_role.csoc_subscription[0].arn
+  filter_pattern  = ""
+  destination_arn = local.csoc_api_gw_log_destination_arn
+}
@@ -0,0 +1,4 @@
+data "aws_iam_role" "csoc_subscription" {
+  count = var.csoc_log_forwarding ? 1 : 0
+  name  = "nhs-main-acct-api-log-subscription-role"
+}
@@ -37,4 +37,9 @@ locals {
 
   event_cache_bucket_name          = lookup(module.eventpub.s3_bucket_event_cache, "bucket", null)
   eventsub_event_cache_bucket_name = lookup(module.eventsub.s3_bucket_event_cache, "bucket", null)
+
+  csoc_api_gw_log_destination_arn = format("arn:aws:logs:%s:%s:destination:api_gateway_log_destination",
+    var.region,
+    var.csoc_destination_account
+  )
 }
@@ -229,3 +229,15 @@ variable "event_anomaly_band_width" {
   description = "The width of the anomaly detection band. Higher values (e.g. 4-6) reduce sensitivity and noise, lower values (e.g. 2-3) increase sensitivity. Recommended: 2-4."
   default     = 4
 }
+
+variable "csoc_log_forwarding" {
+  type        = bool
+  description = "Enable forwarding of API Gateway logs to CSOC"
+  default     = true
+}
+
+variable "csoc_destination_account" {
+  type        = string
+  description = "value of the CSOC destination account, if applicable. If null, CSOC destination account will not be added as a resource in the logging policy"
+  default     = "000000000000"
+}
@@ -0,0 +1,11 @@
+# SEE: https://github.com/DavidAnson/markdownlint/blob/main/schema/.markdownlint.yaml
+
+# https://github.com/DavidAnson/markdownlint/blob/main/doc/md013.md
+MD013: false
+
+# https://github.com/DavidAnson/markdownlint/blob/main/doc/md024.md
+MD024:
+  siblings_only: true
+
+# https://github.com/DavidAnson/markdownlint/blob/main/doc/md033.md
+MD033: false