From 9ddd9981104822aba02d1cd8978aba0dcfa16c46 Mon Sep 17 00:00:00 2001
From: David Sibley
Date: Fri, 20 Sep 2024 16:48:37 +0100
Subject: [PATCH] send flow logs from live_data to s3

---
 terraform/environments/core-shared-services/locals.tf | 2 ++
 .../environments/core-shared-services/secrets.tf | 11 +++++++++++
 terraform/environments/core-shared-services/vpc.tf | 3 ++-
 3 files changed, 15 insertions(+), 1 deletion(-)

diff --git a/terraform/environments/core-shared-services/locals.tf b/terraform/environments/core-shared-services/locals.tf
index e58901e71..20e15cbfd 100644
--- a/terraform/environments/core-shared-services/locals.tf
+++ b/terraform/environments/core-shared-services/locals.tf
@@ -48,6 +48,8 @@ locals {
   # This local allows us to references the key / value pairs held in xsiam_secrets.
   xsiam = jsondecode(data.aws_secretsmanager_secret_version.xsiam_secret_arn_version.secret_string)
 
+  cloudwatch_log_buckets = nonsensitive(jsondecode(data.aws_secretsmanager_secret_version.core_logging_bucket_arns.secret_string))
+
   tags = {
     business-unit = "Platforms"
     application = "Modernisation Platform: ${terraform.workspace}"
diff --git a/terraform/environments/core-shared-services/secrets.tf b/terraform/environments/core-shared-services/secrets.tf
index b1255bcf1..e865a3410 100644
--- a/terraform/environments/core-shared-services/secrets.tf
+++ b/terraform/environments/core-shared-services/secrets.tf
@@ -32,3 +32,14 @@ data "aws_secretsmanager_secret_version" "xsiam_secret_arn_version" {
   provider = aws.modernisation-platform
   secret_id = data.aws_secretsmanager_secret.xsiam_secret_arn.id
 }
+
+# Get the ARNs of the logging buckets in `core-logging`
+data "aws_secretsmanager_secret" "core_logging_bucket_arns" {
+  provider = aws.modernisation-platform
+  name = "core_logging_bucket_arns"
+}
+
+data "aws_secretsmanager_secret_version" "core_logging_bucket_arns" {
+  provider = aws.modernisation-platform
+  secret_id = data.aws_secretsmanager_secret.core_logging_bucket_arns.id
+}
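Review bot: `cloudwatch_log_buckets` wraps the whole decoded secret in `nonsensitive()`, which removes Terraform's redaction from every value in `core_logging_bucket_arns` and lets them appear in plan output and plaintext in state; that is defensible only while the secret holds nothing but bucket ARNs, and nothing here documents that constraint. The name is also misleading, since the values are S3 bucket ARNs sourced from core-logging rather than CloudWatch log groups, and unlike the neighbouring `xsiam` local this one carries no comment. I would add above it: `# Map of logging-bucket purpose -> S3 bucket ARN published by core-logging via Secrets Manager. nonsensitive() is deliberate: ARNs are not secret and must be readable in plan output; keep the secret's contents limited to ARNs.` The `locals` block continues beyond the end of the hunk.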
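Review bot: The comment on `core_logging_bucket_arns` says where the ARNs come from but not the JSON shape consumers depend on: the decoded value is indexed elsewhere in this commit with a fixed `"vpc-flow-logs"` key, so a missing or renamed key surfaces as an index error at plan time rather than a readable message. I would extend the comment to: `# secret_string is a JSON object mapping bucket purpose -> S3 bucket ARN, e.g. {"vpc-flow-logs": "<bucket arn>"}; vpc.tf depends on the "vpc-flow-logs" key being present.` Both new data sources are complete within the hunk.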
diff --git a/terraform/environments/core-shared-services/vpc.tf b/terraform/environments/core-shared-services/vpc.tf
index 9e2b9adde..807dc0a79 100644
--- a/terraform/environments/core-shared-services/vpc.tf
+++ b/terraform/environments/core-shared-services/vpc.tf
@@ -32,7 +32,8 @@ module "vpc" {
   gateway = "transit"
 
   # VPC Flow Logs
-  vpc_flow_log_iam_role = aws_iam_role.vpc_flow_log.arn
+  vpc_flow_log_iam_role = aws_iam_role.vpc_flow_log.arn
+  flow_log_s3_destination_arn = each.key == "live_data" ? local.cloudwatch_log_buckets["vpc-flow-logs"] : ""
 
   # Transit Gateway ID
   transit_gateway_id = data.aws_ec2_transit_gateway.transit-gateway.id
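Review bot: The `: ""` fallback on `flow_log_s3_destination_arn` makes the vpc module's handling of an empty string decide whether every non-`live_data` instance of `module "vpc"` gets an S3 flow-log destination, and that module is not visible here; if it only tests for `null`, or passes the value straight through to `aws_flow_log`'s `log_destination`, those instances will fail at plan or apply. I would confirm the module variable's default and pass `null` if that is what it checks, and record the intent on the line itself: `# Only live_data ships flow logs to the central core-logging bucket for now; the other VPCs presumably stay on their existing destination.` S3 flow-log delivery is authorised by the destination bucket's policy (the `delivery.logs.amazonaws.com` principal, normally constrained with `aws:SourceAccount`/`aws:SourceArn`) rather than by `vpc_flow_log_iam_role`, and that policy is not part of this change, so it should be verified in core-logging before this is applied. The `module "vpc"` block begins and ends outside the hunk.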