From 1a7190b54dc5a6425a96a2ec8a5fff5a768f6783 Mon Sep 17 00:00:00 2001
From: David Sibley
Date: Mon, 23 Sep 2024 08:49:15 +0100
Subject: [PATCH 1/2] send flow logs to s3 for live_data, lint locals

---
 .../core-network-services/locals.tf | 6 +++---
 .../environments/core-network-services/vpc.tf | 19 ++++++++++---------
 2 files changed, 13 insertions(+), 12 deletions(-)

diff --git a/terraform/environments/core-network-services/locals.tf b/terraform/environments/core-network-services/locals.tf
index 8c0ad9ed3..d61d5d7ad 100644
--- a/terraform/environments/core-network-services/locals.tf
+++ b/terraform/environments/core-network-services/locals.tf
@@ -14,9 +14,9 @@ locals {
 is-production = substr(terraform.workspace, length(local.application_name), length(terraform.workspace)) == "-production"
 
 # This local allows us to references the key / value pairs held in xsiam_secrets.
- xsiam = jsondecode(data.aws_secretsmanager_secret_version.xsiam_secret_arn_version.secret_string)
- cloudwatch_log_buckets = jsondecode(data.aws_secretsmanager_secret_version.core_logging_bucket_arns.secret_string)
- cloudwatch_generic_log_groups = concat([module.firewall_logging.cloudwatch_log_group_name], [for key, value in module.vpc_inspection : value.fw_cloudwatch_name])
+ xsiam = jsondecode(data.aws_secretsmanager_secret_version.xsiam_secret_arn_version.secret_string)
+ cloudwatch_log_buckets = jsondecode(data.aws_secretsmanager_secret_version.core_logging_bucket_arns.secret_string)
+ cloudwatch_generic_log_groups = concat([module.firewall_logging.cloudwatch_log_group_name], [for key, value in module.vpc_inspection : value.fw_cloudwatch_name])
 
 tags = {
 business-unit = "Platforms"
diff --git a/terraform/environments/core-network-services/vpc.tf b/terraform/environments/core-network-services/vpc.tf
index ee4d34150..ceee4f23b 100644
--- a/terraform/environments/core-network-services/vpc.tf
+++ b/terraform/environments/core-network-services/vpc.tf
@@ -9,15 +9,16 @@ locals {
 module "vpc_inspection" {
 for_each = local.networking
 
- source = "../../modules/vpc-inspection"
- application_name = local.application_name
- fw_allowed_domains = local.fqdn_firewall_rules.fw_allowed_domains
- fw_home_net_ips = local.fqdn_firewall_rules.fw_home_net_ips
- fw_kms_arn = data.aws_kms_key.general_shared.arn
- fw_rules = local.inline_firewall_rules
- vpc_cidr = each.value
- vpc_flow_log_iam_role = aws_iam_role.vpc_flow_log.arn
- transit_gateway_id = aws_ec2_transit_gateway.transit-gateway.id
+ source = "../../modules/vpc-inspection"
+ application_name = local.application_name
+ flow_log_s3_destination_arn = each.key == "live_data" ? local.cloudwatch_log_buckets["vpc-flow-logs"] : ""
+ fw_allowed_domains = local.fqdn_firewall_rules.fw_allowed_domains
+ fw_home_net_ips = local.fqdn_firewall_rules.fw_home_net_ips
+ fw_kms_arn = data.aws_kms_key.general_shared.arn
+ fw_rules = local.inline_firewall_rules
+ vpc_cidr = each.value
+ vpc_flow_log_iam_role = aws_iam_role.vpc_flow_log.arn
+ transit_gateway_id = aws_ec2_transit_gateway.transit-gateway.id
 
 # Tags
 tags_common = merge(

From f9e5865a42f2886fe9fb76482d77f4b7afe4c7a2 Mon Sep 17 00:00:00 2001
From: David Sibley
Date: Mon, 23 Sep 2024 09:36:01 +0100
Subject: [PATCH 2/2] wrap log buckets secret as nonsensitive

---
 terraform/environments/core-network-services/locals.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/terraform/environments/core-network-services/locals.tf b/terraform/environments/core-network-services/locals.tf
index d61d5d7ad..01bd61f7a 100644
--- a/terraform/environments/core-network-services/locals.tf
+++ b/terraform/environments/core-network-services/locals.tf
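Review bot: In the vpc.tf `module "vpc_inspection"` hunk, the `""` fallback on the new `flow_log_s3_destination_arn` line silently opts every VPC other than `live_data` out of S3 flow-log delivery, and nothing in the hunk records whether that is the intended scope or a placeholder; how the module treats an empty string is not visible here, and if its variable defaults to `null` then `null` is the clearer "unset" value than an empty ARN. A one-line comment above the attribute would make the intent reviewable, e.g. `# Only the live_data VPC ships flow logs to the central S3 logging bucket; other VPCs leave this unset`. The `["vpc-flow-logs"]` index fails the plan if the secret payload lacks that key, which is the right failure mode for an audit-log destination and worth keeping rather than softening with lookup(). The module block continues beyond the hunk (`tags_common = merge(` is cut off).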
@@ -15,7 +15,7 @@ locals {
 
 # This local allows us to references the key / value pairs held in xsiam_secrets.
 xsiam = jsondecode(data.aws_secretsmanager_secret_version.xsiam_secret_arn_version.secret_string)
- cloudwatch_log_buckets = jsondecode(data.aws_secretsmanager_secret_version.core_logging_bucket_arns.secret_string)
+ cloudwatch_log_buckets = nonsensitive(jsondecode(data.aws_secretsmanager_secret_version.core_logging_bucket_arns.secret_string))
 cloudwatch_generic_log_groups = concat([module.firewall_logging.cloudwatch_log_group_name], [for key, value in module.vpc_inspection : value.fw_cloudwatch_name])
 
 tags = {
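Review bot: `nonsensitive()` is applied to the whole decoded secret, so every entry of `core_logging_bucket_arns` — not only the `vpc-flow-logs` ARN that vpc.tf consumes — now appears unredacted in plan output and in any output or log that interpolates `local.cloudwatch_log_buckets`. If the payload holds only S3 bucket ARNs (the secret's name suggests so, but the hunk cannot confirm it) that is acceptable, yet the override should state its justification inline, e.g. `# nonsensitive(): this secret holds S3 bucket ARNs, not credentials, so showing them in plan output is acceptable`. Should the payload ever carry anything more sensitive, unwrapping at the single point of use, `nonsensitive(local.cloudwatch_log_buckets["vpc-flow-logs"])` in vpc.tf, keeps the local's sensitivity intact; the commit message does not record which plan error motivated the blanket unwrap.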