Record OpenSearch error logs

MCP asked us to do this for compliance purposes.
nasa-gcn · Aug 5, 2024 · e7c1387 · e7c1387
1 parent aab58aa
commit e7c1387
Showing 1 changed file with 31 additions and 0 deletions.
diff --git a/service.ts b/service.ts
@@ -36,6 +36,29 @@ export function cloudformationResources({
   }
 
   return {
+    OpenSearchLogGroup: {
+      Type: 'AWS::Logs::LogGroup',
+    },
+    OpenSearchLogPolicy: {
+      Type: 'AWS::Logs::ResourcePolicy',
+      Properties: {
+        PolicyName: { 'Fn::Ref': 'OpenSearchLogGroup' },
+        PolicyDocument: {
+          'Fn::ToJsonString': {
+            Version: '2012-10-17',
+            Statement: [
+              {
+                Sid: '',
+                Effect: 'Allow',
+                Principal: { Service: 'es.amazonaws.com' },
+                Action: ['logs:PutLogEvents', 'logs:CreateLogStream'],
+                Resource: { 'Fn::GetAtt': ['OpenSearchLogGroup', 'Arn'] },
+              },
+            ],
+          },
+        },
+      },
+    },
     OpenSearchServiceDomain: {
       Type: 'AWS::OpenSearchService::Domain',
       Properties: {
@@ -67,6 +90,14 @@ export function cloudformationResources({
         EBSOptions: { EBSEnabled: true, VolumeSize },
         EncryptionAtRestOptions: { Enabled: true },
         IPAddressType: 'dualstack',
+        LogPublishingOptions: {
+          ES_APPLICATION_LOGS: {
+            CloudWatchLogsLogGroupArn: {
+              'Fn::GetAtt': ['OpenSearchLogGroup', 'Arn'],
+            },
+            Enabled: true,
+          },
+        },
         NodeToNodeEncryptionOptions: { Enabled: true },
       },
     },