From b7dd809025c607cd137db029b17de1b4e59831ea Mon Sep 17 00:00:00 2001
From: sidnhs
Date: Tue, 30 Dec 2025 09:25:02 +0000
Subject: [PATCH 1/4] CCM-12770: Splunk log sending mandatory

---
 .../lambda/cloudwatch_log_subscription_filter_firehose.tf | 1 -
 infrastructure/modules/lambda/variables.tf | 8 --------
 2 files changed, 9 deletions(-)

diff --git a/infrastructure/modules/lambda/cloudwatch_log_subscription_filter_firehose.tf b/infrastructure/modules/lambda/cloudwatch_log_subscription_filter_firehose.tf
index cdf0605..7c5bf83 100644
--- a/infrastructure/modules/lambda/cloudwatch_log_subscription_filter_firehose.tf
+++ b/infrastructure/modules/lambda/cloudwatch_log_subscription_filter_firehose.tf
@@ -1,5 +1,4 @@
 resource "aws_cloudwatch_log_subscription_filter" "firehose" {
- count = var.send_to_firehose ? 1 : 0 # Keeping this optional for now as don't want to break all lambdas using this, can make this mandatory later
 name = trim(replace(aws_cloudwatch_log_group.main.name, "/", "-"), "-")
 log_group_name = aws_cloudwatch_log_group.main.name
 filter_pattern = var.filter_pattern
diff --git a/infrastructure/modules/lambda/variables.tf b/infrastructure/modules/lambda/variables.tf
index 1a103c9..ffece06 100644
--- a/infrastructure/modules/lambda/variables.tf
+++ b/infrastructure/modules/lambda/variables.tf
@@ -213,12 +213,6 @@ variable "lambda_at_edge" {
 default = false
 }
 
-variable "send_to_firehose" {
- type = bool
- description = "Enable sending logs to firehose"
- default = false
-}
-
 variable "filter_pattern" {
 type = string
 description = "Filter pattern to use for the log subscription filter"
@@ -228,13 +222,11 @@ variable "filter_pattern" {
 variable "log_destination_arn" {
 type = string
 description = "Destination ARN to use for the log subscription filter"
- default = ""
 }
 
 variable "log_subscription_role_arn" {
 type = string
 description = "The ARN of the IAM role to use for the log subscription filter"
- default = ""
 }
 
 variable "permission_statements" {
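Review bot: Removing `count` here changes the resource address from `aws_cloudwatch_log_subscription_filter.firehose[0]` to `aws_cloudwatch_log_subscription_filter.firehose`, so on stacks that already have the filter Terraform will plan a destroy and recreate rather than a no-op, leaving a short window with no log forwarding and a noisy plan for every consumer of the module. A `moved` block in the module with `from = aws_cloudwatch_log_subscription_filter.firehose[0]` and `to = aws_cloudwatch_log_subscription_filter.firehose` keeps the existing filter in place. This only matters if the patch lands alone, since PATCH 3/4 restores the `count`, in which case the two patches cancel each other and could be squashed. The remainder of the resource body is outside the hunk.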
From dd91a50d301616eab983e74d6671c3185f8626ae Mon Sep 17 00:00:00 2001
From: sidnhs
Date: Tue, 30 Dec 2025 09:27:13 +0000
Subject: [PATCH 2/4] CCM-12770: Splunk log sending mandatory

---
 infrastructure/modules/lambda/README.md | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/infrastructure/modules/lambda/README.md b/infrastructure/modules/lambda/README.md
index 8e238e7..6f4023d 100644
--- a/infrastructure/modules/lambda/README.md
+++ b/infrastructure/modules/lambda/README.md
@@ -35,18 +35,17 @@
 | [lambda\_dlq\_message\_retention\_seconds](#input\_lambda\_dlq\_message\_retention\_seconds) | The number of seconds to retain messages in the Lambda DLQ SQS queue | `number` | `1209600` | no |
 | [lambda\_env\_vars](#input\_lambda\_env\_vars) | Lambda environment parameters map | `map(string)` | `{}` | no |
 | [layers](#input\_layers) | Lambda layer arns to include | `list(any)` | `[]` | no |
-| [log\_destination\_arn](#input\_log\_destination\_arn) | Destination ARN to use for the log subscription filter | `string` | `""` | no |
+| [log\_destination\_arn](#input\_log\_destination\_arn) | Destination ARN to use for the log subscription filter | `string` | n/a | yes |
 | [log\_level](#input\_log\_level) | The log level to be used in lambda functions within the component. Any log with a lower severity than the configured value will not be logged: https://docs.python.org/3/library/logging.html#levels | `string` | `"INFO"` | no |
 | [log\_retention\_in\_days](#input\_log\_retention\_in\_days) | The retention period in days for the Cloudwatch Logs events generated by the lambda function | `number` | n/a | yes |
 | [log\_subscription\_lambda\_create\_permission](#input\_log\_subscription\_lambda\_create\_permission) | Whether to create a permission for the log forwarder. Set to false if using a generic one. | `bool` | `true` | no |
-| [log\_subscription\_role\_arn](#input\_log\_subscription\_role\_arn) | The ARN of the IAM role to use for the log subscription filter | `string` | `""` | no |
+| [log\_subscription\_role\_arn](#input\_log\_subscription\_role\_arn) | The ARN of the IAM role to use for the log subscription filter | `string` | n/a | yes |
 | [memory](#input\_memory) | The amount of memory to apply to the created Lambda | `number` | n/a | yes |
 | [permission\_statements](#input\_permission\_statements) | Statements giving an external source permission to invoke the Lambda function |
list(object({
action = optional(string)
principal = string
source_arn = optional(string)
source_account = optional(string)
statement_id = string
}))
| `[]` | no |
 | [project](#input\_project) | The name of the tfscaffold project | `string` | n/a | yes |
 | [region](#input\_region) | The AWS Region | `string` | n/a | yes |
 | [runtime](#input\_runtime) | The runtime to use for the lambda function | `string` | n/a | yes |
 | [schedule](#input\_schedule) | The fully qualified Cloudwatch Events schedule for when to run the lambda function, e.g. rate(1 day) or a cron() expression. Default disables all events resources | `string` | `""` | no |
-| [send\_to\_firehose](#input\_send\_to\_firehose) | Enable sending logs to firehose | `bool` | `false` | no |
 | [sns\_destination](#input\_sns\_destination) | SNS Topic ARN to be used for on-failure Lambda invocation records | `string` | `null` | no |
 | [sns\_destination\_kms\_key](#input\_sns\_destination\_kms\_key) | KMS Key ARN to be used for SNS Topic for on-failure Lambda invocation records | `string` | `null` | no |
 | [system\_log\_level](#input\_system\_log\_level) | The detail level of the Lambda platform event logs sent to CloudWatch | `string` | `"WARN"` | no |

From 5a8efb7aa6187da1940be6443ab958710bc1b847 Mon Sep 17 00:00:00 2001
From: sidnhs
Date: Tue, 30 Dec 2025 10:09:29 +0000
Subject: [PATCH 3/4] CCM-12770: Splunk log sending mandatory

---
 .../lambda/cloudwatch_log_subscription_filter_firehose.tf | 1 +
 infrastructure/modules/lambda/variables.tf | 8 ++++++++
 2 files changed, 9 insertions(+)

diff --git a/infrastructure/modules/lambda/cloudwatch_log_subscription_filter_firehose.tf b/infrastructure/modules/lambda/cloudwatch_log_subscription_filter_firehose.tf
index 7c5bf83..ced23fa 100644
--- a/infrastructure/modules/lambda/cloudwatch_log_subscription_filter_firehose.tf
+++ b/infrastructure/modules/lambda/cloudwatch_log_subscription_filter_firehose.tf
@@ -1,4 +1,5 @@
 resource "aws_cloudwatch_log_subscription_filter" "firehose" {
+ count = var.send_to_firehose ? 1 : 0
 name = trim(replace(aws_cloudwatch_log_group.main.name, "/", "-"), "-")
 log_group_name = aws_cloudwatch_log_group.main.name
 filter_pattern = var.filter_pattern
diff --git a/infrastructure/modules/lambda/variables.tf b/infrastructure/modules/lambda/variables.tf
index ffece06..33dbe13 100644
--- a/infrastructure/modules/lambda/variables.tf
+++ b/infrastructure/modules/lambda/variables.tf
@@ -213,6 +213,12 @@ variable "lambda_at_edge" {
 default = false
 }
 
+variable "send_to_firehose" {
+ type = bool
+ description = "Enable sending logs to firehose"
+ default = true
+}
+
 variable "filter_pattern" {
 type = string
 description = "Filter pattern to use for the log subscription filter"
@@ -222,11 +228,13 @@ variable "filter_pattern" {
 variable "log_destination_arn" {
 type = string
 description = "Destination ARN to use for the log subscription filter"
+ default = ""
 }
 
 variable "log_subscription_role_arn" {
 type = string
 description = "The ARN of the IAM role to use for the log subscription filter"
+ default = ""
 }
 
 variable "permission_statements" {

From ed088384240401d2369d73488d9c2ca3eec8100f Mon Sep 17 00:00:00 2001
From: sidnhs
Date: Tue, 30 Dec 2025 10:09:56 +0000
Subject: [PATCH 4/4] CCM-12770: Splunk log sending mandatory

---
 infrastructure/modules/lambda/README.md | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/infrastructure/modules/lambda/README.md b/infrastructure/modules/lambda/README.md
index 6f4023d..44c1fdc 100644
--- a/infrastructure/modules/lambda/README.md
+++ b/infrastructure/modules/lambda/README.md
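Review bot: The `count = var.send_to_firehose ? 1 : 0` guard re-added here makes Splunk forwarding opt-out, not mandatory as the subject states: any caller can pass `send_to_firehose = false` and the subscription filter is silently never created, which is the gap in SIEM coverage the series sets out to close. The variables.tf hunk below compounds this by restoring `default = ""` on `log_destination_arn` and `log_subscription_role_arn` while `send_to_firehose` now defaults to `true`, so a caller that sets nothing gets a filter with an empty destination ARN, which presumably fails at apply rather than being skipped — confirm against the provider. If forwarding is meant to be mandatory, keep the two ARN variables without defaults as PATCH 1/4 did, and add a `lifecycle { precondition }` on the resource so an enabled filter with an empty destination or role ARN is rejected at plan time with a clear message, as sketched below. At minimum the `description` of `send_to_firehose` should state that it defaults to `true` and that disabling it removes log forwarding for the Lambda. The attributes that consume the two ARNs lie outside the hunk.

```hcl
resource "aws_cloudwatch_log_subscription_filter" "firehose" {
  count = var.send_to_firehose ? 1 : 0
  # … unchanged: name, log_group_name, filter_pattern, destination/role attributes …

  lifecycle {
    precondition {
      condition     = !var.send_to_firehose || (var.log_destination_arn != "" && var.log_subscription_role_arn != "")
      error_message = "send_to_firehose is enabled but log_destination_arn or log_subscription_role_arn is empty."
    }
  }
```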
@@ -35,17 +35,18 @@
 | [lambda\_dlq\_message\_retention\_seconds](#input\_lambda\_dlq\_message\_retention\_seconds) | The number of seconds to retain messages in the Lambda DLQ SQS queue | `number` | `1209600` | no |
 | [lambda\_env\_vars](#input\_lambda\_env\_vars) | Lambda environment parameters map | `map(string)` | `{}` | no |
 | [layers](#input\_layers) | Lambda layer arns to include | `list(any)` | `[]` | no |
-| [log\_destination\_arn](#input\_log\_destination\_arn) | Destination ARN to use for the log subscription filter | `string` | n/a | yes |
+| [log\_destination\_arn](#input\_log\_destination\_arn) | Destination ARN to use for the log subscription filter | `string` | `""` | no |
 | [log\_level](#input\_log\_level) | The log level to be used in lambda functions within the component. Any log with a lower severity than the configured value will not be logged: https://docs.python.org/3/library/logging.html#levels | `string` | `"INFO"` | no |
 | [log\_retention\_in\_days](#input\_log\_retention\_in\_days) | The retention period in days for the Cloudwatch Logs events generated by the lambda function | `number` | n/a | yes |
 | [log\_subscription\_lambda\_create\_permission](#input\_log\_subscription\_lambda\_create\_permission) | Whether to create a permission for the log forwarder. Set to false if using a generic one. | `bool` | `true` | no |
-| [log\_subscription\_role\_arn](#input\_log\_subscription\_role\_arn) | The ARN of the IAM role to use for the log subscription filter | `string` | n/a | yes |
+| [log\_subscription\_role\_arn](#input\_log\_subscription\_role\_arn) | The ARN of the IAM role to use for the log subscription filter | `string` | `""` | no |
 | [memory](#input\_memory) | The amount of memory to apply to the created Lambda | `number` | n/a | yes |
 | [permission\_statements](#input\_permission\_statements) | Statements giving an external source permission to invoke the Lambda function |
list(object({
action = optional(string)
principal = string
source_arn = optional(string)
source_account = optional(string)
statement_id = string
}))
| `[]` | no |
 | [project](#input\_project) | The name of the tfscaffold project | `string` | n/a | yes |
 | [region](#input\_region) | The AWS Region | `string` | n/a | yes |
 | [runtime](#input\_runtime) | The runtime to use for the lambda function | `string` | n/a | yes |
 | [schedule](#input\_schedule) | The fully qualified Cloudwatch Events schedule for when to run the lambda function, e.g. rate(1 day) or a cron() expression. Default disables all events resources | `string` | `""` | no |
+| [send\_to\_firehose](#input\_send\_to\_firehose) | Enable sending logs to firehose | `bool` | `true` | no |
 | [sns\_destination](#input\_sns\_destination) | SNS Topic ARN to be used for on-failure Lambda invocation records | `string` | `null` | no |
 | [sns\_destination\_kms\_key](#input\_sns\_destination\_kms\_key) | KMS Key ARN to be used for SNS Topic for on-failure Lambda invocation records | `string` | `null` | no |
 | [system\_log\_level](#input\_system\_log\_level) | The detail level of the Lambda platform event logs sent to CloudWatch | `string` | `"WARN"` | no |