CCM-15958: Enable CSOC APIGW Log Forwarding on api component (#514)

sidnhs · web-flow · commit 4fcac1f3802b · 2026-04-07T13:46:48.000+01:00
* CCM-15958: Enable CSOC APIGW Log Forwarding on api component * CCM-15958: Add markdown yaml file
diff --git a/infrastructure/terraform/components/api/README.md b/infrastructure/terraform/components/api/README.md
@@ -15,6 +15,8 @@ No requirements.
 | <a name="input_component"></a> [component](#input\_component) | The variable encapsulating the name of this component | `string` | `"supapi"` | no |
 | <a name="input_core_account_id"></a> [core\_account\_id](#input\_core\_account\_id) | AWS Account ID for Core | `string` | `"000000000000"` | no |
 | <a name="input_core_environment"></a> [core\_environment](#input\_core\_environment) | Environment of Core | `string` | `"prod"` | no |
+| <a name="input_csoc_destination_account"></a> [csoc\_destination\_account](#input\_csoc\_destination\_account) | value of the CSOC destination account, if applicable. If null, CSOC destination account will not be added as a resource in the logging policy | `string` | `"000000000000"` | no |
+| <a name="input_csoc_log_forwarding"></a> [csoc\_log\_forwarding](#input\_csoc\_log\_forwarding) | Enable forwarding of API Gateway logs to CSOC | `bool` | `true` | no |
 | <a name="input_default_tags"></a> [default\_tags](#input\_default\_tags) | A map of default tags to apply to all taggable resources within the component | `map(string)` | `{}` | no |
 | <a name="input_disable_gateway_execute_endpoint"></a> [disable\_gateway\_execute\_endpoint](#input\_disable\_gateway\_execute\_endpoint) | Disable the execution endpoint for the API Gateway | `bool` | `true` | no |
 | <a name="input_enable_alarms"></a> [enable\_alarms](#input\_enable\_alarms) | Enable CloudWatch alarms for this deployed environment | `bool` | `true` | no |
diff --git a/infrastructure/terraform/components/api/cloudwatch_log_group_api_gateway_access.tf b/infrastructure/terraform/components/api/cloudwatch_log_group_api_gateway_access.tf
@@ -10,3 +10,12 @@ resource "aws_cloudwatch_log_subscription_filter" "api_gateway_access" {
   filter_pattern  = ""
   destination_arn = local.destination_arn
 }
+
+resource "aws_cloudwatch_log_subscription_filter" "api_gateway" {
+  count           = var.csoc_log_forwarding ? 1 : 0
+  name            = replace(aws_cloudwatch_log_group.api_gateway_access.name, "/", "-")
+  log_group_name  = aws_cloudwatch_log_group.api_gateway_access.name
+  role_arn        = data.aws_iam_role.csoc_subscription[0].arn
+  filter_pattern  = ""
+  destination_arn = local.csoc_api_gw_log_destination_arn
+}
diff --git a/infrastructure/terraform/components/api/data_iam_role_csoc_subscription.tf b/infrastructure/terraform/components/api/data_iam_role_csoc_subscription.tf
@@ -0,0 +1,4 @@
+data "aws_iam_role" "csoc_subscription" {
+  count = var.csoc_log_forwarding ? 1 : 0
+  name  = "nhs-main-acct-api-log-subscription-role"
+}
diff --git a/infrastructure/terraform/components/api/locals.tf b/infrastructure/terraform/components/api/locals.tf
@@ -37,4 +37,9 @@ locals {
 
   event_cache_bucket_name          = lookup(module.eventpub.s3_bucket_event_cache, "bucket", null)
   eventsub_event_cache_bucket_name = lookup(module.eventsub.s3_bucket_event_cache, "bucket", null)
+
+  csoc_api_gw_log_destination_arn = format("arn:aws:logs:%s:%s:destination:api_gateway_log_destination",
+    var.region,
+    var.csoc_destination_account
+  )
 }
diff --git a/infrastructure/terraform/components/api/variables.tf b/infrastructure/terraform/components/api/variables.tf
@@ -229,3 +229,15 @@ variable "event_anomaly_band_width" {
   description = "The width of the anomaly detection band. Higher values (e.g. 4-6) reduce sensitivity and noise, lower values (e.g. 2-3) increase sensitivity. Recommended: 2-4."
   default     = 4
 }
+
+variable "csoc_log_forwarding" {
+  type        = bool
+  description = "Enable forwarding of API Gateway logs to CSOC"
+  default     = true
+}
+
+variable "csoc_destination_account" {
+  type        = string
+  description = "value of the CSOC destination account, if applicable. If null, CSOC destination account will not be added as a resource in the logging policy"
+  default     = "000000000000"
+}
diff --git a/scripts/config/markdownlint.yaml b/scripts/config/markdownlint.yaml
@@ -0,0 +1,11 @@
+# SEE: https://github.com/DavidAnson/markdownlint/blob/main/schema/.markdownlint.yaml
+
+# https://github.com/DavidAnson/markdownlint/blob/main/doc/md013.md
+MD013: false
+
+# https://github.com/DavidAnson/markdownlint/blob/main/doc/md024.md
+MD024:
+  siblings_only: true
+
+# https://github.com/DavidAnson/markdownlint/blob/main/doc/md033.md
+MD033: false

Original file line number	Diff line number	Diff line change
`@@ -37,4 +37,9 @@ locals {`
`37`	`37`
`38`	`38`	`event_cache_bucket_name = lookup(module.eventpub.s3_bucket_event_cache, "bucket", null)`
`39`	`39`	`eventsub_event_cache_bucket_name = lookup(module.eventsub.s3_bucket_event_cache, "bucket", null)`
	`40`	`+`
	`41`	`+ csoc_api_gw_log_destination_arn = format("arn:aws:logs:%s:%s:destination:api_gateway_log_destination",`
	`42`	`+ var.region,`
	`43`	`+ var.csoc_destination_account`
	`44`	`+ )`
`40`	`45`	`}`