eventbridge.tf
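# IAM role that EventBridge assumes when it delivers matched events to the
# Firehose delivery stream.
resource "aws_iam_role" "eventbridge_firehose_role" {
  name = "${var.environment}-eventbridge-to-firehose-role"

  # Trust policy: the EventBridge service principal may assume this role, but
  # only when acting for the alarm-state-change rule defined in this file.
  # Without a source condition the trust is granted to the EventBridge service
  # as a whole rather than to this rule (cross-service confused deputy).
  # If further rules are meant to reuse this role, add their ARNs to the
  # condition instead of removing it.
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect = "Allow"
      Principal = {
        Service = "events.amazonaws.com"
      }
      Action = "sts:AssumeRole"
      Condition = {
        ArnEquals = {
          "aws:SourceArn" = aws_cloudwatch_event_rule.alarm_state_change.arn
        }
      }
    }]
  })

  tags = {
    Environment = var.environment
    Purpose     = "splunk-forwarding"
    ManagedBy   = "terraform"
  }
}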
# Inline permissions for the EventBridge delivery role: it may write records
# to the Splunk forwarder's Firehose delivery stream and nothing else.
resource "aws_iam_role_policy" "eventbridge_to_firehose_policy" {
  role = aws_iam_role.eventbridge_firehose_role.id
  name = "${var.environment}-eventbridge-to-firehose-policy"

  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect = "Allow"
      # Write-only access, scoped to the single stream ARN exported by the
      # splunk_forwarder module (no wildcard resource).
      Action = [
        "firehose:PutRecord",
        "firehose:PutRecordBatch"
      ]
      Resource = module.splunk_forwarder.firehose_delivery_stream_arn
    }]
  })
}
# EventBridge rule that selects CloudWatch alarm state-change events for
# forwarding to Splunk.
#
# NOTE(review): unlike the IAM role and policy in this file, the rule name
# carries no "${var.environment}-" prefix. If two environments are ever applied
# to the same account and region the names would collide — confirm that each
# environment has its own account or region.
resource "aws_cloudwatch_event_rule" "alarm_state_change" {
  name        = "cloudwatch-alarm-state-change-to-splunk"
  description = "Forward CloudWatch alarm state changes to Splunk via Firehose"

  # The pattern filters on source and detail-type only, so every alarm that
  # emits this event on the bus is forwarded; there is no per-alarm filter.
  event_pattern = jsonencode({
    source      = ["aws.cloudwatch"]
    detail-type = ["CloudWatch Alarm State Change"]
  })

  tags = {
    Environment = var.environment
    Purpose     = "splunk-forwarding"
    ManagedBy   = "terraform"
  }
}
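# EventBridge target: delivers events matched by the alarm-state-change rule
# to the Splunk forwarder's Firehose delivery stream, using the dedicated
# delivery role.
resource "aws_cloudwatch_event_target" "firehose_target" {
  rule     = aws_cloudwatch_event_rule.alarm_state_change.name
  arn      = module.splunk_forwarder.firehose_delivery_stream_arn
  role_arn = aws_iam_role.eventbridge_firehose_role.arn

  # Reshape the CloudWatch alarm event into the envelope sent on to Splunk.
  input_transformer {
    # JSONPath selectors evaluated against the incoming event.
    # NOTE(review): `account` is extracted here but never referenced in the
    # template below, so the account ID does not reach Splunk — confirm
    # whether that is intended.
    input_paths = {
      account    = "$.account"
      region     = "$.region"
      time       = "$.time"
      alarm_name = "$.detail.alarmName"
      new_state  = "$.detail.state.value"
      old_state  = "$.detail.previousState.value"
      reason     = "$.detail.state.reason"
    }

    # Terraform's jsonencode() writes "<" and ">" as \u003c and \u003e, which
    # turns every <placeholder> into an escape sequence in the stored template.
    # The two replace() calls restore the literal angle brackets so that
    # EventBridge sees the placeholders as written. The template contains no
    # other "<" or ">" characters, so nothing else is affected.
    #
    # NOTE(review): `$.time` is an ISO 8601 string — confirm that the Firehose
    # processing step or the Splunk endpoint accepts or converts that format
    # for the `time` field.
    input_template = replace(
      replace(
        jsonencode({
          time       = "<time>"
          source     = "elid-${var.environment}:cloudwatch:alarm"
          sourcetype = "aws:cloudwatch:alarm"
          event = {
            alarm_name = "<alarm_name>"
            new_state  = "<new_state>"
            old_state  = "<old_state>"
            reason     = "<reason>"
            region     = "<region>"
          }
        }),
        "\\u003c", "<"
      ),
      "\\u003e", ">"
    )
  }
}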