Merge pull request #48 from NHSDigital/feature/CCM-8200_grafana

sidnhs · web-flow · commit 4604809baa8d · 2025-02-12T10:21:13.000Z
CCM-8200: Add IAM role for grafana access
diff --git a/infrastructure/terraform/components/acct/iam_role_grafana_access.tf b/infrastructure/terraform/components/acct/iam_role_grafana_access.tf
@@ -0,0 +1,20 @@
+resource "aws_iam_role" "grafana_access" {
+  name               = "${local.csi}-grafana-cross-access-role"
+  assume_role_policy = data.aws_iam_policy_document.observability_grafana_role_assume_role_policy.json
+}
+
+data "aws_iam_policy_document" "observability_grafana_role_assume_role_policy" {
+  statement {
+    actions = ["sts:AssumeRole"]
+    effect  = "Allow"
+    principals {
+      type        = "AWS"
+      identifiers = ["arn:aws:iam::${var.observability_account_id}:role/${local.csi}-grafana-workspace-role"]
+    }
+  }
+}
+
+resource "aws_iam_role_policy_attachment" "grafana_workspace_cloudwatch" {
+  role       = aws_iam_role.grafana_access.name
+  policy_arn = "arn:aws:iam::aws:policy/CloudWatchReadOnlyAccess"
+}
diff --git a/infrastructure/terraform/components/acct/module_s3bucket_lambda_function_artefacts.tf b/infrastructure/terraform/components/acct/module_s3bucket_lambda_function_artefacts.tf
@@ -100,7 +100,7 @@ data "aws_iam_policy_document" "s3bucket_lambda_artefacts" {
     ]
 
     principals {
-      type        = "AWS"
+      type = "AWS"
       identifiers = [
         "arn:aws:iam::${var.aws_account_id}:root"
       ]
@@ -120,7 +120,7 @@ data "aws_iam_policy_document" "s3bucket_lambda_artefacts" {
     ]
 
     principals {
-      type        = "AWS"
+      type = "AWS"
       identifiers = [
         "arn:aws:iam::${var.aws_account_id}:root"
       ]
diff --git a/infrastructure/terraform/components/acct/outputs.tf b/infrastructure/terraform/components/acct/outputs.tf
@@ -9,9 +9,9 @@ output "dns_zone" {
 output "s3_buckets" {
   value = {
     lambda_function_artefacts = {
-      arn = module.s3bucket_lambda_artefacts.arn
+      arn    = module.s3bucket_lambda_artefacts.arn
       bucket = module.s3bucket_lambda_artefacts.bucket
-      id  = module.s3bucket_lambda_artefacts.id
+      id     = module.s3bucket_lambda_artefacts.id
     }
   }
 }
diff --git a/infrastructure/terraform/components/acct/variables.tf b/infrastructure/terraform/components/acct/variables.tf
@@ -62,3 +62,8 @@ variable "root_domain_name" {
   description = "The service's root DNS root nameespace, like nonprod.nhsnotify.national.nhs.uk"
   default     = "nonprod.nhsnotify.national.nhs.uk"
 }
+
+variable "observability_account_id" {
+  type        = string
+  description = "The Observability Account ID that needs access"
+}
diff --git a/infrastructure/terraform/components/cdn/cloudfront_distribution_cdn.tf b/infrastructure/terraform/components/cdn/cloudfront_distribution_cdn.tf
@@ -11,7 +11,7 @@ resource "aws_cloudfront_distribution" "main" {
   restrictions {
     geo_restriction {
       restriction_type = "none" # Moved to WAF
-      locations        = [] # Moved to WAF
+      locations        = []     # Moved to WAF
     }
   }
 
@@ -71,8 +71,8 @@ resource "aws_cloudfront_distribution" "main" {
     }
 
     lambda_function_association {
-        event_type = "viewer-response"
-        lambda_arn = module.lambda_rewrite_viewer_trailing_slashes.function_qualified_arn
+      event_type = "viewer-response"
+      lambda_arn = module.lambda_rewrite_viewer_trailing_slashes.function_qualified_arn
     }
 
     viewer_protocol_policy = "redirect-to-https"
diff --git a/infrastructure/terraform/components/cdn/cloudfront_monitoring_subscription_cdn.tf b/infrastructure/terraform/components/cdn/cloudfront_monitoring_subscription_cdn.tf
@@ -0,0 +1,9 @@
+resource "aws_cloudfront_monitoring_subscription" "cdn" {
+  distribution_id = aws_cloudfront_distribution.main.id
+
+  monitoring_subscription {
+    realtime_metrics_subscription_config {
+      realtime_metrics_subscription_status = "Enabled"
+    }
+  }
+}
diff --git a/infrastructure/terraform/components/cdn/wafv2_ip_set.tf b/infrastructure/terraform/components/cdn/wafv2_ip_set.tf
@@ -1,5 +1,5 @@
 resource "aws_wafv2_ip_set" "github_actions_ipv4" {
-  count = var.enable_github_actions_ip_access ? 1:0
+  count = var.enable_github_actions_ip_access ? 1 : 0
 
   provider = aws.us-east-1
 
@@ -11,7 +11,7 @@ resource "aws_wafv2_ip_set" "github_actions_ipv4" {
 }
 
 resource "aws_wafv2_ip_set" "github_actions_ipv6" {
-  count = var.enable_github_actions_ip_access ? 1:0
+  count = var.enable_github_actions_ip_access ? 1 : 0
 
   provider = aws.us-east-1
 
diff --git a/infrastructure/terraform/modules/.gitkeep b/infrastructure/terraform/modules/.gitkeep

Original file line number	Diff line number	Diff line change
`@@ -100,7 +100,7 @@ data "aws_iam_policy_document" "s3bucket_lambda_artefacts" {`
`100`	`100`	`]`
`101`	`101`
`102`	`102`	`principals {`
`103`		`- type = "AWS"`
	`103`	`+ type = "AWS"`
`104`	`104`	`identifiers = [`
`105`	`105`	`"arn:aws:iam::${var.aws_account_id}:root"`
`106`	`106`	`]`
`@@ -120,7 +120,7 @@ data "aws_iam_policy_document" "s3bucket_lambda_artefacts" {`
`120`	`120`	`]`
`121`	`121`
`122`	`122`	`principals {`
`123`		`- type = "AWS"`
	`123`	`+ type = "AWS"`
`124`	`124`	`identifiers = [`
`125`	`125`	`"arn:aws:iam::${var.aws_account_id}:root"`
`126`	`126`	`]`
Original file line number	Diff line number	Diff line change
`@@ -9,9 +9,9 @@ output "dns_zone" {`
`9`	`9`	`output "s3_buckets" {`
`10`	`10`	`value = {`
`11`	`11`	`lambda_function_artefacts = {`
`12`		`- arn = module.s3bucket_lambda_artefacts.arn`
	`12`	`+ arn = module.s3bucket_lambda_artefacts.arn`
`13`	`13`	`bucket = module.s3bucket_lambda_artefacts.bucket`
`14`		`- id = module.s3bucket_lambda_artefacts.id`
	`14`	`+ id = module.s3bucket_lambda_artefacts.id`
`15`	`15`	`}`
`16`	`16`	`}`
`17`	`17`	`}`
Original file line number	Diff line number	Diff line change
`@@ -62,3 +62,8 @@ variable "root_domain_name" {`
`62`	`62`	`description = "The service's root DNS root nameespace, like nonprod.nhsnotify.national.nhs.uk"`
`63`	`63`	`default = "nonprod.nhsnotify.national.nhs.uk"`
`64`	`64`	`}`
	`65`	`+`
	`66`	`+variable "observability_account_id" {`
	`67`	`+ type = string`
	`68`	`+ description = "The Observability Account ID that needs access"`
	`69`	`+}`
Original file line number	Diff line number	Diff line change
`@@ -11,7 +11,7 @@ resource "aws_cloudfront_distribution" "main" {`
`11`	`11`	`restrictions {`
`12`	`12`	`geo_restriction {`
`13`	`13`	`restriction_type = "none" # Moved to WAF`
`14`		`- locations = [] # Moved to WAF`
	`14`	`+ locations = [] # Moved to WAF`
`15`	`15`	`}`
`16`	`16`	`}`
`17`	`17`
`@@ -71,8 +71,8 @@ resource "aws_cloudfront_distribution" "main" {`
`71`	`71`	`}`
`72`	`72`
`73`	`73`	`lambda_function_association {`
`74`		`- event_type = "viewer-response"`
`75`		`- lambda_arn = module.lambda_rewrite_viewer_trailing_slashes.function_qualified_arn`
	`74`	`+ event_type = "viewer-response"`
	`75`	`+ lambda_arn = module.lambda_rewrite_viewer_trailing_slashes.function_qualified_arn`
`76`	`76`	`}`
`77`	`77`
`78`	`78`	`viewer_protocol_policy = "redirect-to-https"`