CCM-8197: Cross Account Observability

jamesthompson26-nhs · jamesthompson26-nhs · commit 8d245d47a427 · 2025-05-02T11:48:24.000+01:00
diff --git a/infrastructure/modules/observability-datasource/README.md b/infrastructure/modules/observability-datasource/README.md
@@ -15,6 +15,8 @@
 | <a name="input_component"></a> [component](#input\_component) | The name of the terraformscaffold component calling this module | `string` | n/a | yes |
 | <a name="input_default_tags"></a> [default\_tags](#input\_default\_tags) | Default tag map for application to all taggable resources in the module | `map(string)` | `{}` | no |
 | <a name="input_environment"></a> [environment](#input\_environment) | The name of the terraformscaffold environment the module is called for | `string` | n/a | yes |
+| <a name="input_log_group_configuration"></a> [log\_group\_configuration](#input\_log\_group\_configuration) | Configuration for filtering log groups in the link configuration. | <pre>object({<br/>    filter = string<br/>  })</pre> | `null` | no |
+| <a name="input_metric_configuration"></a> [metric\_configuration](#input\_metric\_configuration) | Configuration for filtering metrics in the link configuration. | <pre>object({<br/>    filter = string<br/>  })</pre> | `null` | no |
 | <a name="input_name"></a> [name](#input\_name) | A unique name to distinguish this module invocation from others within the same CSI scope | `string` | n/a | yes |
 | <a name="input_oam_sink_id"></a> [oam\_sink\_id](#input\_oam\_sink\_id) | The ID of the Cloudwatch OAM sink in the appropriate observability account. | `string` | `""` | no |
 | <a name="input_observability_account_id"></a> [observability\_account\_id](#input\_observability\_account\_id) | The Observability Account ID that needs access | `string` | n/a | yes |
diff --git a/infrastructure/modules/observability-datasource/oam_link_cross_account_obs.tf b/infrastructure/modules/observability-datasource/oam_link_cross_account_obs.tf
@@ -1,31 +1,42 @@
 resource "aws_oam_link" "cross_account_obs" {
-  count           = var.oam_sink_id != "" ? 1 : 0
   label_template  = "$AccountName"
   resource_types  = [
     "AWS::CloudWatch::Metric",
     "AWS::Logs::LogGroup"
   ]
   sink_identifier = "arn:aws:oam:${var.region}:${var.observability_account_id}:sink/${var.oam_sink_id}"
   tags            = var.default_tags
+
+  link_configuration {
+    dynamic "log_group_configuration" {
+      for_each = var.log_group_configuration != null ? [var.log_group_configuration] : []
+      content {
+        filter = log_group_configuration.value.filter
+      }
+    }
+
+    dynamic "metric_configuration" {
+      for_each = var.metric_configuration != null ? [var.metric_configuration] : []
+      content {
+        filter = metric_configuration.value.filter
+      }
+    }
+  }
 }
 
 data "aws_iam_policy" "cloudwatch_read_only" {
-  count = var.oam_sink_id != "" ? 1 : 0
-  name  = "CloudWatchReadOnlyAccess"
+  name = "CloudWatchReadOnlyAccess"
 }
 
 data "aws_iam_policy" "cloudwatch_automatic_dashboards" {
-  count = var.oam_sink_id != "" ? 1 : 0
-  name  = "CloudWatchAutomaticDashboardsAccess"
+  name = "CloudWatchAutomaticDashboardsAccess"
 }
 
 data "aws_iam_policy" "aws_xray_read_only" {
-  count = var.oam_sink_id != "" ? 1 : 0
-  name  = "AWSXrayReadOnlyAccess"
+  name = "AWSXrayReadOnlyAccess"
 }
 
 data "aws_iam_policy_document" "cross_account_obs_assume_role_policy" {
-  count = var.oam_sink_id != "" ? 1 : 0
   statement {
     effect = "Allow"
     principals {
@@ -37,25 +48,21 @@ data "aws_iam_policy_document" "cross_account_obs_assume_role_policy" {
 }
 
 resource "aws_iam_role" "cross_account_obs_role" {
-  count              = var.oam_sink_id != "" ? 1 : 0
   name               = "CloudWatch-CrossAccountSharingRole"
-  assume_role_policy = data.aws_iam_policy_document.cross_account_obs_assume_role_policy[0].json
+  assume_role_policy = data.aws_iam_policy_document.cross_account_obs_assume_role_policy.json
 }
 
 resource "aws_iam_role_policy_attachment" "cloudwatch_read_only_attachment" {
-  count      = var.oam_sink_id != "" ? 1 : 0
-  policy_arn = data.aws_iam_policy.cloudwatch_read_only[0].arn
-  role       = aws_iam_role.cross_account_obs_role[0].name
+  policy_arn = data.aws_iam_policy.cloudwatch_read_only.arn
+  role       = aws_iam_role.cross_account_obs_role.name
 }
 
 resource "aws_iam_role_policy_attachment" "cloudwatch_automatic_dashboards_attachment" {
-  count      = var.oam_sink_id != "" ? 1 : 0
-  policy_arn = data.aws_iam_policy.cloudwatch_automatic_dashboards[0].arn
-  role       = aws_iam_role.cross_account_obs_role[0].name
+  policy_arn = data.aws_iam_policy.cloudwatch_automatic_dashboards.arn
+  role       = aws_iam_role.cross_account_obs_role.name
 }
 
 resource "aws_iam_role_policy_attachment" "aws_xray_read_only_attachment" {
-  count      = var.oam_sink_id != "" ? 1 : 0
-  policy_arn = data.aws_iam_policy.aws_xray_read_only[0].arn
-  role       = aws_iam_role.cross_account_obs_role[0].name
+  policy_arn = data.aws_iam_policy.aws_xray_read_only.arn
+  role       = aws_iam_role.cross_account_obs_role.name
 }
diff --git a/infrastructure/modules/observability-datasource/variables.tf b/infrastructure/modules/observability-datasource/variables.tf
@@ -55,3 +55,19 @@ variable "observability_account_id" {
   type        = string
   description = "The Observability Account ID that needs access"
 }
+
+variable "log_group_configuration" {
+  description = "Configuration for filtering log groups in the link configuration."
+  type = object({
+    filter = string
+  })
+  default = null
+}
+
+variable "metric_configuration" {
+  description = "Configuration for filtering metrics in the link configuration." # https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/oam_link#link_configuration-block
+  type = object({
+    filter = string
+  })
+  default = null
+}
