Merge pull request #8004 from ministryofjustice/feature/7607-send-flo…

…w-logs-to-s3

Send `core-shared-services` flow logs to S3

terraform/environments/core-shared-services/locals.tf

@@ -48,6 +48,8 @@ locals {
   # This local allows us to references the key / value pairs held in xsiam_secrets.
   xsiam = jsondecode(data.aws_secretsmanager_secret_version.xsiam_secret_arn_version.secret_string)
 
+  cloudwatch_log_buckets = nonsensitive(jsondecode(data.aws_secretsmanager_secret_version.core_logging_bucket_arns.secret_string))
+
   tags = {
     business-unit = "Platforms"
     application   = "Modernisation Platform: ${terraform.workspace}"

terraform/environments/core-shared-services/secrets.tf

@@ -32,3 +32,14 @@ data "aws_secretsmanager_secret_version" "xsiam_secret_arn_version" {
   provider  = aws.modernisation-platform
   secret_id = data.aws_secretsmanager_secret.xsiam_secret_arn.id
 }
+
+# Get the ARNs of the logging buckets in `core-logging`
+data "aws_secretsmanager_secret" "core_logging_bucket_arns" {
+  provider = aws.modernisation-platform
+  name     = "core_logging_bucket_arns"
+}
+
+data "aws_secretsmanager_secret_version" "core_logging_bucket_arns" {
+  provider  = aws.modernisation-platform
+  secret_id = data.aws_secretsmanager_secret.core_logging_bucket_arns.id
+}

terraform/environments/core-shared-services/vpc.tf

@@ -32,7 +32,8 @@ module "vpc" {
   gateway = "transit"
 
   # VPC Flow Logs
-  vpc_flow_log_iam_role = aws_iam_role.vpc_flow_log.arn
+  vpc_flow_log_iam_role       = aws_iam_role.vpc_flow_log.arn
+  flow_log_s3_destination_arn = each.key == "live_data" ? local.cloudwatch_log_buckets["vpc-flow-logs"] : ""
 
   # Transit Gateway ID
   transit_gateway_id = data.aws_ec2_transit_gateway.transit-gateway.id