Merge pull request #108 from NHSDigital/feature/CCM-11007_log_sub

sidnhs · web-flow · commit cbeddfd85ef4 · 2025-07-08T10:40:56.000+01:00
CCM-11007: Fixing IAM permissions for Splunk forwarding
diff --git a/infrastructure/terraform/components/obs/iam_role_firehose_to_s3.tf b/infrastructure/terraform/components/obs/iam_role_firehose_to_s3.tf
diff --git a/infrastructure/terraform/components/obs/module_kinesis_firehose_to_splunk_logs.tf b/infrastructure/terraform/components/obs/module_kinesis_firehose_to_splunk_logs.tf
@@ -8,11 +8,10 @@ module "kinesis_firehose_to_splunk_logs" {
   group          = var.group
   component      = var.component
 
-  default_tags                  = var.default_tags
-  log_retention_in_days         = var.log_retention_in_days
-  type                          = "logs"
-  kms_splunk_key_arn            = module.kms_splunk.key_arn
-  splunk_firehose_bucket_arn    = module.s3bucket_splunk_firehose.arn
-  firehose_to_s3_role_arn       = aws_iam_role.firehose_to_s3.arn
+  default_tags               = var.default_tags
+  log_retention_in_days      = var.log_retention_in_days
+  type                       = "logs"
+  kms_splunk_key_arn         = module.kms_splunk.key_arn
+  splunk_firehose_bucket_arn = module.s3bucket_splunk_firehose.arn
   formatter_lambda_function_arn = module.splunk_logs_formatter_lambda.function_arn
 }
diff --git a/infrastructure/terraform/components/obs/module_kinesis_firehose_to_splunk_metrics.tf b/infrastructure/terraform/components/obs/module_kinesis_firehose_to_splunk_metrics.tf
@@ -8,11 +8,10 @@ module "kinesis_firehose_to_splunk_metrics" {
   group          = var.group
   component      = var.component
 
-  default_tags                  = var.default_tags
-  log_retention_in_days         = var.log_retention_in_days
-  type                          = "metrics"
-  kms_splunk_key_arn            = module.kms_splunk.key_arn
-  splunk_firehose_bucket_arn    = module.s3bucket_splunk_firehose.arn
-  firehose_to_s3_role_arn       = aws_iam_role.firehose_to_s3.arn
+  default_tags               = var.default_tags
+  log_retention_in_days      = var.log_retention_in_days
+  type                       = "metrics"
+  kms_splunk_key_arn         = module.kms_splunk.key_arn
+  splunk_firehose_bucket_arn = module.s3bucket_splunk_firehose.arn
   formatter_lambda_function_arn = module.splunk_metrics_formatter_lambda.function_arn
 }
diff --git a/infrastructure/terraform/components/obs/module_kinesis_firehose_to_splunk_metrics_us.tf b/infrastructure/terraform/components/obs/module_kinesis_firehose_to_splunk_metrics_us.tf
@@ -12,12 +12,11 @@ module "kinesis_firehose_to_splunk_metrics_us" {
   group          = var.group
   component      = var.component
 
-  default_tags                  = var.default_tags
-  log_retention_in_days         = var.log_retention_in_days
-  type                          = "metrics"
-  region_prefix                 = "us"
-  kms_splunk_key_arn            = module.kms_splunk.replica_key_arn
-  splunk_firehose_bucket_arn    = module.s3bucket_splunk_firehose_us.arn
-  firehose_to_s3_role_arn       = aws_iam_role.firehose_to_s3.arn
+  default_tags               = var.default_tags
+  log_retention_in_days      = var.log_retention_in_days
+  type                       = "metrics"
+  region_prefix              = "us"
+  kms_splunk_key_arn         = module.kms_splunk.replica_key_arn
+  splunk_firehose_bucket_arn = module.s3bucket_splunk_firehose_us.arn
   formatter_lambda_function_arn = module.splunk_metrics_formatter_lambda_us.function_arn
 }
diff --git a/infrastructure/terraform/modules/kinesis-firehose-to-splunk/iam_role_kinesis_firehose.tf b/infrastructure/terraform/modules/kinesis-firehose-to-splunk/iam_role_kinesis_firehose.tf
@@ -50,6 +50,22 @@ data "aws_iam_policy_document" "kinesis_firehose_policy_document" {
     ]
   }
 
+  statement {
+    actions = [
+      "kms:Decrypt",
+      "kms:GenerateDataKey",
+      "kms:DescribeKey",
+      "kms:Encrypt",
+      "kms:ReEncrypt*",
+    ]
+
+    resources = [
+      var.kms_splunk_key_arn
+    ]
+
+    effect = "Allow"
+  }
+
   statement {
     actions = [
       "logs:PutLogEvents",
diff --git a/infrastructure/terraform/modules/kinesis-firehose-to-splunk/kinesis_firehose_delivery_stream_splunk.tf b/infrastructure/terraform/modules/kinesis-firehose-to-splunk/kinesis_firehose_delivery_stream_splunk.tf
@@ -37,7 +37,7 @@ resource "aws_kinesis_firehose_delivery_stream" "splunk_firehose" {
     }
 
     s3_configuration {
-      role_arn           = var.firehose_to_s3_role_arn
+      role_arn           = aws_iam_role.kinesis_firehose.arn
       bucket_arn         = var.splunk_firehose_bucket_arn
       buffering_size     = var.s3_kinesis_firehose_buffer
       buffering_interval = var.s3_kinesis_firehose_buffer_interval
diff --git a/infrastructure/terraform/modules/kinesis-firehose-to-splunk/variables.tf b/infrastructure/terraform/modules/kinesis-firehose-to-splunk/variables.tf
@@ -81,12 +81,6 @@ variable "splunk_firehose_bucket_arn" {
   default     = null
 }
 
-variable "firehose_to_s3_role_arn" {
-  type        = string
-  description = "The ARN of the IAM role to use for the Splunk Firehose to S3"
-  default     = null
-}
-
 variable "formatter_lambda_buffer" {
   description = "Formatter lambda buffer size"
   default     = 1 # Megabytes (Maximum 3)

Original file line number	Diff line number	Diff line change
`@@ -37,7 +37,7 @@ resource "aws_kinesis_firehose_delivery_stream" "splunk_firehose" {`
`37`	`37`	`}`
`38`	`38`
`39`	`39`	`s3_configuration {`
`40`		`- role_arn = var.firehose_to_s3_role_arn`
	`40`	`+ role_arn = aws_iam_role.kinesis_firehose.arn`
`41`	`41`	`bucket_arn = var.splunk_firehose_bucket_arn`
`42`	`42`	`buffering_size = var.s3_kinesis_firehose_buffer`
`43`	`43`	`buffering_interval = var.s3_kinesis_firehose_buffer_interval`