god speed

Signed-off-by: Jacob Woffenden <[email protected]>
ministryofjustice · Nov 14, 2024 · fd6f2f9 · fd6f2f9
1 parent c4c80db
commit fd6f2f9
Show file tree

Hide file tree

Showing 3 changed files with 51 additions and 0 deletions.
diff --git a/terraform/environments/analytical-platform-ingestion/cloudwatch-log-group-policies.tf b/terraform/environments/analytical-platform-ingestion/cloudwatch-log-group-policies.tf
@@ -0,0 +1,30 @@
+ata "aws_iam_policy_document" "datasync_cloudwatch_logs" {
+  statement {
+    sid    = "AllowDataSync"
+    effect = "Allow"
+    actions = [
+      "logs:PutLogEvents",
+      "logs:CreateLogStream"
+    ]
+    principals {
+      type        = "Service"
+      identifiers = ["datasync.amazonaws.com"]
+    }
+    resources = ["${module.datasync_task_logs.cloudwatch_log_group_arn}*"]
+    condition {
+      test     = "ArnLike"
+      variable = "aws:SourceArn"
+      values   = ["arn:aws:datasync:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:task/*"]
+    }
+    condition {
+      test     = "StringEquals"
+      variable = "aws:SourceAccount"
+      values   = [data.aws_caller_identity.current.account_id]
+    }
+  }
+}
+
+resource "aws_cloudwatch_log_resource_policy" "datasync_cloudwatch_logs" {
+  policy_name     = "datasync-cloudwatch-logs"
+  policy_document = data.aws_iam_policy_document.datasync_cloudwatch_logs.json
+}
diff --git a/terraform/environments/analytical-platform-ingestion/cloudwatch-log-groups.tf b/terraform/environments/analytical-platform-ingestion/cloudwatch-log-groups.tf
@@ -18,3 +18,23 @@ module "connected_vpc_route53_resolver_logs" {
   name              = "/aws/route53-resolver/connected-vpc"
   retention_in_days = 400
 }
+
+module "connected_vpc_route53_resolver_logs" {
+  #checkov:skip=CKV_TF_1:Module registry does not support commit hashes for versions
+
+  source  = "terraform-aws-modules/cloudwatch/aws//modules/log-group"
+  version = "5.6.0"
+
+  name              = "/aws/route53-resolver/connected-vpc"
+  retention_in_days = 400
+}
+
+module "datasync_task_logs" {
+  #checkov:skip=CKV_TF_1:Module registry does not support commit hashes for versions
+
+  source  = "terraform-aws-modules/cloudwatch/aws//modules/log-group"
+  version = "5.6.0"
+
+  name              = "/aws/datasync/tasks"
+  retention_in_days = 400
+}
diff --git a/terraform/environments/analytical-platform-ingestion/datasync-tasks.tf b/terraform/environments/analytical-platform-ingestion/datasync-tasks.tf
@@ -2,6 +2,7 @@ resource "aws_datasync_task" "dom1_hq_pgo_shared_group_sis_case_management_inves
   name                     = "dom1-hq-pgo-shared-group-sis-case-management-investigations"
   source_location_arn      = aws_datasync_location_smb.dom1_hq_pgo_shared_group_sis_case_management_investigations.arn
   destination_location_arn = aws_datasync_location_s3.dom1_hq_pgo_shared_group_sis_case_management_investigations.arn
+  cloudwatch_log_group_arn = module.datasync_task_logs.cloudwatch_log_group_arn
 
   task_report_config {
     report_level         = "SUCCESSES_AND_ERRORS"