firehose cloudwatch logs

Karthikeyannhs · Karthikeyannhs · commit e8592a68ec8e · 2025-06-26T15:22:39.000+01:00
diff --git a/infrastructure/modules/kinesis_firehose/kinesis_firehose_delivery_stream.tf b/infrastructure/modules/kinesis_firehose/kinesis_firehose_delivery_stream.tf
@@ -9,6 +9,12 @@ resource "aws_kinesis_firehose_delivery_stream" "eligibility_audit_firehose_deli
     buffering_size     = 1
     buffering_interval = 60
     compression_format = "UNCOMPRESSED"
+
+    cloudwatch_logging_options {
+      enabled         = true
+      log_group_name  = var.kinesis_cloud_watch_log_group_name
+      log_stream_name = "to-s3"
+    }
   }
 
   tags = var.tags
diff --git a/infrastructure/modules/kinesis_firehose/variables.tf b/infrastructure/modules/kinesis_firehose/variables.tf
@@ -13,3 +13,9 @@ variable "s3_audit_bucket_arn" {
   type        = string
 }
 
+variable "kinesis_cloud_watch_log_group_name" {
+  description = "kinesis cloud watch log group name"
+  type        = string
+}
+
+
diff --git a/infrastructure/stacks/api-layer/cloudwatch.tf b/infrastructure/stacks/api-layer/cloudwatch.tf
@@ -9,3 +9,13 @@ resource "aws_cloudwatch_log_group" "lambda_logs" {
     Stack = local.stack_name
   }
 }
+
+resource "aws_cloudwatch_log_group" "firehose_audit" {
+  name              = "/aws/kinesisfirehose/${var.project_name}-${var.environment}-audit"
+  retention_in_days = 365
+
+  tags = {
+    Name  = "kinesis-firehose-logs"
+    Stack = local.stack_name
+  }
+}
diff --git a/infrastructure/stacks/api-layer/iam_policies.tf b/infrastructure/stacks/api-layer/iam_policies.tf
@@ -63,6 +63,29 @@ resource "aws_iam_role_policy" "kinesis_firehose_s3_write_policy" {
   policy = data.aws_iam_policy_document.s3_audit_bucket_policy.json
 }
 
+# Policy doc for firehose logging
+resource "aws_iam_role_policy" "kinesis_firehose_logs_policy" {
+  name   = "CloudWatchLogsAccess"
+  role   = aws_iam_role.eligibility_audit_firehose_role.id
+
+  policy = jsonencode({
+    Version = "2012-10-17",
+    Statement = [
+      {
+        Effect = "Allow",
+        Action = [
+          "logs:CreateLogStream",
+          "logs:PutLogEvents",
+          "logs:DescribeLogGroups",
+          "logs:DescribeLogStreams"
+        ],
+        Resource = "*"
+      }
+    ]
+  })
+}
+
+
 # Attach AWSLambdaVPCAccessExecutionRole to Lambda
 resource "aws_iam_role_policy_attachment" "AWSLambdaVPCAccessExecutionRole" {
   role       = aws_iam_role.eligibility_lambda_role.id
diff --git a/infrastructure/stacks/api-layer/kinesis_firehose.tf b/infrastructure/stacks/api-layer/kinesis_firehose.tf
@@ -7,4 +7,5 @@ module "eligibility_audit_firehose_delivery_stream" {
   stack_name                          = local.stack_name
   workspace                           = local.workspace
   tags                                = local.tags
+  kinesis_cloud_watch_log_group_name  = aws_cloudwatch_log_group.firehose_audit.name
 }
diff --git a/src/eligibility_signposting_api/config/config.py b/src/eligibility_signposting_api/config/config.py
@@ -15,6 +15,7 @@
 AwsRegion = NewType("AwsRegion", str)
 AwsAccessKey = NewType("AwsAccessKey", str)
 AwsSecretAccessKey = NewType("AwsSecretAccessKey", str)
+AwsKinesisFirehoseStreamName = NewType("AwsKinesisFirehoseStreamName", str)
 
 
 @cache
@@ -23,7 +24,7 @@ def config() -> dict[str, Any]:
     rules_bucket_name = BucketName(os.getenv("RULES_BUCKET_NAME", "test-rules-bucket"))
     audit_bucket_name = BucketName(os.getenv("AUDIT_BUCKET_NAME", "test-audit-bucket"))
     aws_default_region = AwsRegion(os.getenv("AWS_DEFAULT_REGION", "eu-west-1"))
-    kinesis_audit_stream_to_s3 = AwsRegion(os.getenv("KINESIS_AUDIT_STREAM_TO_S3", "test_kinesis_audit_stream_to_s3"))
+    kinesis_audit_stream_to_s3 = AwsKinesisFirehoseStreamName(os.getenv("KINESIS_AUDIT_STREAM_TO_S3", "test_kinesis_audit_stream_to_s3"))
     log_level = LOG_LEVEL
 
     if os.getenv("ENV"):
diff --git a/src/eligibility_signposting_api/services/audit_service.py b/src/eligibility_signposting_api/services/audit_service.py
@@ -6,13 +6,15 @@
 from wireup import Inject, service
 from yarl import URL
 
+from eligibility_signposting_api.config.config import AwsKinesisFirehoseStreamName
+
 logger = logging.getLogger(__name__)
 
 
 @service
 class AuditService:
 
-    def __init__(self, firehose: Annotated[BaseClient, Inject(qualifier="firehose")], audit_delivery_stream: Annotated[URL, Inject(param="kinesis_audit_stream_to_s3")] ) -> None:
+    def __init__(self, firehose: Annotated[BaseClient, Inject(qualifier="firehose")], audit_delivery_stream: Annotated[AwsKinesisFirehoseStreamName, Inject(param="kinesis_audit_stream_to_s3")] ) -> None:
         super().__init__()
         self.firehose = firehose
         self.audit_delivery_stream = audit_delivery_stream

Original file line number	Diff line number	Diff line change
`@@ -13,3 +13,9 @@ variable "s3_audit_bucket_arn" {`
`13`	`13`	`type = string`
`14`	`14`	`}`
`15`	`15`
	`16`	`+variable "kinesis_cloud_watch_log_group_name" {`
	`17`	`+ description = "kinesis cloud watch log group name"`
	`18`	`+ type = string`
	`19`	`+}`
	`20`	`+`
	`21`	`+`
Original file line number	Diff line number	Diff line change
`@@ -9,3 +9,13 @@ resource "aws_cloudwatch_log_group" "lambda_logs" {`
`9`	`9`	`Stack = local.stack_name`
`10`	`10`	`}`
`11`	`11`	`}`
	`12`	`+`
	`13`	`+resource "aws_cloudwatch_log_group" "firehose_audit" {`
	`14`	`+ name = "/aws/kinesisfirehose/${var.project_name}-${var.environment}-audit"`
	`15`	`+ retention_in_days = 365`
	`16`	`+`
	`17`	`+ tags = {`
	`18`	`+ Name = "kinesis-firehose-logs"`
	`19`	`+ Stack = local.stack_name`
	`20`	`+ }`
	`21`	`+}`
Original file line number	Diff line number	Diff line change
`@@ -7,4 +7,5 @@ module "eligibility_audit_firehose_delivery_stream" {`
`7`	`7`	`stack_name = local.stack_name`
`8`	`8`	`workspace = local.workspace`
`9`	`9`	`tags = local.tags`
	`10`	`+ kinesis_cloud_watch_log_group_name = aws_cloudwatch_log_group.firehose_audit.name`
`10`	`11`	`}`