From 878593250ea72281f018ba698a700ba778cc4e47 Mon Sep 17 00:00:00 2001
From: TomJKing
Date: Fri, 19 Jan 2024 08:06:39 +0000
Subject: [PATCH 1/3] Allow setting of lambda log retention period

Control the Cloudwatch log retention period from the calling Terraform This is in anticipation of setting log retention consistently across TDR environments
---
 lambda/variables.tf | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/lambda/variables.tf b/lambda/variables.tf
index 43aed48..528d94d 100644
--- a/lambda/variables.tf
+++ b/lambda/variables.tf
@@ -363,3 +363,8 @@ variable "user_session_timeout_mins" {
 description = "Timeout for a user session in minutes"
 default = 60
 }
+
+variable "cloudwatch_log_retention_in_days" {
+ description = "Number of days to retain logs. '0' equals indefinite retention"
+ default = 0
+}
From fe0be24a726c25f2bde91acc2e77ea5253a3537b Mon Sep 17 00:00:00 2001
From: TomJKing
Date: Fri, 19 Jan 2024 08:27:10 +0000
Subject: [PATCH 2/3] Use log retention variable in lambdas

---
 lambda/create_db_users.tf | 7 ++++---
 lambda/create_keycloak_db_user.tf | 7 ++++---
 lambda/create_keycloak_db_user_new.tf | 7 ++++---
 lambda/create_keycloak_users_api.tf | 7 ++++---
 lambda/create_keycloak_users_s3.tf | 7 ++++---
 lambda/ecr_scan.tf | 7 ++++---
 lambda/export_api_authoriser.tf | 7 ++++---
 lambda/export_status_update.tf | 7 ++++---
 lambda/notifications.tf | 7 ++++---
 lambda/reporting.tf | 7 ++++---
 lambda/rotate_keycloak_secrets.tf | 7 ++++---
 lambda/service_unavailable.tf | 7 ++++---
 lambda/signed_cookies.tf | 7 ++++---
 13 files changed, 52 insertions(+), 39 deletions(-)

diff --git a/lambda/create_db_users.tf b/lambda/create_db_users.tf
index b9271d7..7e99856 100644
--- a/lambda/create_db_users.tf
+++ b/lambda/create_db_users.tf
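Review bot: The added `variable "cloudwatch_log_retention_in_days"` block has no `type` and no `validation`, so a caller can pass a string or a day count that CloudWatch Logs does not accept, and the mistake only surfaces as an API error at apply time, after the plan has been approved. CloudWatch Logs accepts only a fixed set of retention periods (1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1096, 1827, 2192, 2557, 2922, 3288 and 3653 days), and the AWS provider treats 0 as "never expire"; a `type = number` constraint plus a `validation` block restricting the value to that set turns the failure into a plan-time error. If the module must stay compatible with Terraform releases older than 0.13, which lack `validation` blocks, the `type` constraint alone still catches the non-numeric case. The accepted list below is the one documented for the PutRetentionPolicy API at the time of review; confirm it against the provider version this module pins.
```hcl
variable "cloudwatch_log_retention_in_days" {
  description = "Number of days to retain logs. '0' equals indefinite retention"
  type        = number
  default     = 0
  validation {
    condition     = contains([0, 1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1096, 1827, 2192, 2557, 2922, 3288, 3653], var.cloudwatch_log_retention_in_days)
    error_message = "cloudwatch_log_retention_in_days must be 0 or one of the retention periods accepted by CloudWatch Logs."
  }
}
```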
@@ -36,9 +36,10 @@ resource "aws_kms_ciphertext" "environment_vars_create_db_users" {
 }
 
 resource "aws_cloudwatch_log_group" "create_db_users_lambda_log_group" {
- count = local.count_create_db_users
- name = "/aws/lambda/${aws_lambda_function.create_db_users_lambda_function.*.function_name[0]}"
- tags = var.common_tags
+ count = local.count_create_db_users
+ name = "/aws/lambda/${aws_lambda_function.create_db_users_lambda_function.*.function_name[0]}"
+ retention_in_days = var.cloudwatch_log_retention_in_days
+ tags = var.common_tags
 }
 
 resource "aws_iam_policy" "create_db_users_lambda_policy" {
diff --git a/lambda/create_keycloak_db_user.tf b/lambda/create_keycloak_db_user.tf
index f6e2dbb..f7ca2ff 100644
--- a/lambda/create_keycloak_db_user.tf
+++ b/lambda/create_keycloak_db_user.tf
@@ -37,9 +37,10 @@ resource "aws_kms_ciphertext" "environment_vars_create_keycloak_db_user" {
 }
 
 resource "aws_cloudwatch_log_group" "create_keycloak_db_user_lambda_log_group" {
- count = local.count_create_keycloak_db_user
- name = "/aws/lambda/${aws_lambda_function.create_keycloak_db_user_lambda_function.*.function_name[0]}"
- tags = var.common_tags
+ count = local.count_create_keycloak_db_user
+ name = "/aws/lambda/${aws_lambda_function.create_keycloak_db_user_lambda_function.*.function_name[0]}"
+ retention_in_days = var.cloudwatch_log_retention_in_days
+ tags = var.common_tags
 }
 
 resource "aws_iam_policy" "create_keycloak_db_user_lambda_policy" {
diff --git a/lambda/create_keycloak_db_user_new.tf b/lambda/create_keycloak_db_user_new.tf
index b69e5e2..880797e 100644
--- a/lambda/create_keycloak_db_user_new.tf
+++ b/lambda/create_keycloak_db_user_new.tf
@@ -37,9 +37,10 @@ resource "aws_kms_ciphertext" "environment_vars_create_keycloak_db_user_new" {
 }
 
 resource "aws_cloudwatch_log_group" "create_keycloak_db_user_lambda_log_group_new" {
- count = local.count_create_keycloak_db_user_new
- name = "/aws/lambda/${aws_lambda_function.create_keycloak_db_user_lambda_function_new.*.function_name[0]}"
- tags = var.common_tags
+ count = local.count_create_keycloak_db_user_new
+ name = "/aws/lambda/${aws_lambda_function.create_keycloak_db_user_lambda_function_new.*.function_name[0]}"
+ retention_in_days = var.cloudwatch_log_retention_in_days
+ tags = var.common_tags
 }
 
 resource "aws_iam_policy" "create_keycloak_db_user_lambda_policy_new" {
diff --git a/lambda/create_keycloak_users_api.tf b/lambda/create_keycloak_users_api.tf
index c14d6b6..6ed0639 100644
--- a/lambda/create_keycloak_users_api.tf
+++ b/lambda/create_keycloak_users_api.tf
@@ -34,9 +34,10 @@ resource "aws_kms_ciphertext" "environment_vars_create_keycloak_users_api" {
 }
 
 resource "aws_cloudwatch_log_group" "create_keycloak_users_api_lambda_log_group" {
- count = local.count_create_keycloak_users_api
- name = "/aws/lambda/${aws_lambda_function.create_keycloak_users_api_lambda_function.*.function_name[0]}"
- tags = var.common_tags
+ count = local.count_create_keycloak_users_api
+ name = "/aws/lambda/${aws_lambda_function.create_keycloak_users_api_lambda_function.*.function_name[0]}"
+ retention_in_days = var.cloudwatch_log_retention_in_days
+ tags = var.common_tags
 }
 
 resource "aws_iam_policy" "create_keycloak_users_api_lambda_policy" {
diff --git a/lambda/create_keycloak_users_s3.tf b/lambda/create_keycloak_users_s3.tf
index e4f289a..75f134b 100644
--- a/lambda/create_keycloak_users_s3.tf
+++ b/lambda/create_keycloak_users_s3.tf
@@ -43,9 +43,10 @@ resource "aws_kms_ciphertext" "environment_vars_create_keycloak_users_s3" {
 }
 
 resource "aws_cloudwatch_log_group" "create_keycloak_users_s3_lambda_log_group" {
- count = local.count_create_keycloak_users_s3
- name = "/aws/lambda/${aws_lambda_function.create_keycloak_users_s3_lambda_function.*.function_name[0]}"
- tags = var.common_tags
+ count = local.count_create_keycloak_users_s3
+ name = "/aws/lambda/${aws_lambda_function.create_keycloak_users_s3_lambda_function.*.function_name[0]}"
+ retention_in_days = var.cloudwatch_log_retention_in_days
+ tags = var.common_tags
 }
 
 resource "aws_iam_policy" "create_keycloak_users_s3_lambda_policy" {
diff --git a/lambda/ecr_scan.tf b/lambda/ecr_scan.tf
index c833b41..5b5e1b4 100644
--- a/lambda/ecr_scan.tf
+++ b/lambda/ecr_scan.tf
@@ -25,9 +25,10 @@ resource "aws_lambda_permission" "lambda_allow_event" {
 }
 
 resource "aws_cloudwatch_log_group" "ecr_scan_lambda_log_group" {
- count = local.count_ecr_scan
- name = "/aws/lambda/${aws_lambda_function.ecr_scan_lambda_function.*.function_name[0]}"
- tags = var.common_tags
+ count = local.count_ecr_scan
+ name = "/aws/lambda/${aws_lambda_function.ecr_scan_lambda_function.*.function_name[0]}"
+ retention_in_days = var.cloudwatch_log_retention_in_days
+ tags = var.common_tags
 }
 
 resource "aws_iam_policy" "ecr_scan_lambda_policy" {
diff --git a/lambda/export_api_authoriser.tf b/lambda/export_api_authoriser.tf
index 1be5483..4958a95 100644
--- a/lambda/export_api_authoriser.tf
+++ b/lambda/export_api_authoriser.tf
@@ -33,9 +33,10 @@ resource "aws_kms_ciphertext" "environment_vars_export_api_authoriser" {
 }
 
 resource "aws_cloudwatch_log_group" "export_api_authoriser_lambda_log_group" {
- count = local.count_export_api_authoriser
- name = "/aws/lambda/${aws_lambda_function.export_api_authoriser_lambda_function.*.function_name[0]}"
- tags = var.common_tags
+ count = local.count_export_api_authoriser
+ name = "/aws/lambda/${aws_lambda_function.export_api_authoriser_lambda_function.*.function_name[0]}"
+ retention_in_days = var.cloudwatch_log_retention_in_days
+ tags = var.common_tags
 }
 
 resource "aws_iam_role" "export_api_authoriser_lambda_iam_role" {
diff --git a/lambda/export_status_update.tf b/lambda/export_status_update.tf
index 669db97..eca4687 100644
--- a/lambda/export_status_update.tf
+++ b/lambda/export_status_update.tf
@@ -28,9 +28,10 @@ resource "aws_lambda_function" "export_status_update_lambda_function" {
 }
 
 resource "aws_cloudwatch_log_group" "export_status_update_lambda_log_group" {
- count = local.count_export_status_update
- name = "/aws/lambda/${aws_lambda_function.export_status_update_lambda_function.*.function_name[0]}"
- tags = var.common_tags
+ count = local.count_export_status_update
+ name = "/aws/lambda/${aws_lambda_function.export_status_update_lambda_function.*.function_name[0]}"
+ retention_in_days = var.cloudwatch_log_retention_in_days
+ tags = var.common_tags
 }
 
 resource "aws_iam_policy" "export_status_update_lambda_policy" {
diff --git a/lambda/notifications.tf b/lambda/notifications.tf
index 9a321aa..47375f2 100644
--- a/lambda/notifications.tf
+++ b/lambda/notifications.tf
@@ -73,9 +73,10 @@ data "aws_ssm_parameter" "slack_export_webhook" {
 }
 
 resource "aws_cloudwatch_log_group" "notifications_lambda_log_group" {
- count = local.count_notifications
- name = "/aws/lambda/${aws_lambda_function.notifications_lambda_function.*.function_name[0]}"
- tags = var.common_tags
+ count = local.count_notifications
+ name = "/aws/lambda/${aws_lambda_function.notifications_lambda_function.*.function_name[0]}"
+ retention_in_days = var.cloudwatch_log_retention_in_days
+ tags = var.common_tags
 }
 
 resource "aws_iam_policy" "notifications_lambda_policy" {
diff --git a/lambda/reporting.tf b/lambda/reporting.tf
index 320c404..d0b092a 100644
--- a/lambda/reporting.tf
+++ b/lambda/reporting.tf
@@ -43,9 +43,10 @@ resource "aws_kms_ciphertext" "environment_vars_reporting" {
 }
 
 resource "aws_cloudwatch_log_group" "reporting_lambda_log_group" {
- count = local.count_reporting
- name = "/aws/lambda/${aws_lambda_function.reporting_lambda_function.*.function_name[0]}"
- tags = var.common_tags
+ count = local.count_reporting
+ name = "/aws/lambda/${aws_lambda_function.reporting_lambda_function.*.function_name[0]}"
+ tags = var.common_tags
+ retention_in_days = var.cloudwatch_log_retention_in_days
 }
 
 resource "aws_iam_policy" "reporting_lambda_policy" {
diff --git a/lambda/rotate_keycloak_secrets.tf b/lambda/rotate_keycloak_secrets.tf
index 1926556..2fa40cf 100644
--- a/lambda/rotate_keycloak_secrets.tf
+++ b/lambda/rotate_keycloak_secrets.tf
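Review bot: In the reporting.tf hunk the new `retention_in_days` line is added after `tags`, whereas the other twelve hunks in this commit (create_db_users.tf through signed_cookies.tf) insert it between `name` and `tags`. The resources are otherwise identical in shape, so keeping the attribute order the same lets a reviewer or a grep treat all thirteen log groups as one pattern and spot any group that is missing the retention setting. Swap the two lines so the block reads `name = ...`, `retention_in_days = var.cloudwatch_log_retention_in_days`, `tags = var.common_tags`, and run `terraform fmt` afterwards in case the `=` alignment in this block shifted.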
@@ -29,9 +29,10 @@ resource "aws_lambda_function" "rotate_keycloak_secrets_lambda_function" {
 }
 
 resource "aws_cloudwatch_log_group" "rotate_keycloak_secrets_lambda_log_group" {
- count = local.count_rotate_keycloak_secrets
- name = "/aws/lambda/${aws_lambda_function.rotate_keycloak_secrets_lambda_function.*.function_name[0]}"
- tags = var.common_tags
+ count = local.count_rotate_keycloak_secrets
+ name = "/aws/lambda/${aws_lambda_function.rotate_keycloak_secrets_lambda_function.*.function_name[0]}"
+ retention_in_days = var.cloudwatch_log_retention_in_days
+ tags = var.common_tags
 }
 
 resource "aws_iam_policy" "rotate_keycloak_secrets_lambda_policy" {
diff --git a/lambda/service_unavailable.tf b/lambda/service_unavailable.tf
index cf94fda..3bbea64 100644
--- a/lambda/service_unavailable.tf
+++ b/lambda/service_unavailable.tf
@@ -21,9 +21,10 @@ resource "aws_lambda_function" "lambda_service_unavailable_function" {
 }
 
 resource "aws_cloudwatch_log_group" "lambda_service_unavailable_log_group" {
- count = local.count_service_unavailable
- name = "/aws/lambda/${aws_lambda_function.lambda_service_unavailable_function.*.function_name[0]}"
- tags = var.common_tags
+ count = local.count_service_unavailable
+ name = "/aws/lambda/${aws_lambda_function.lambda_service_unavailable_function.*.function_name[0]}"
+ retention_in_days = var.cloudwatch_log_retention_in_days
+ tags = var.common_tags
 }
 
 resource "aws_iam_policy" "lambda_service_unavailable_policy" {
diff --git a/lambda/signed_cookies.tf b/lambda/signed_cookies.tf
index 56579c5..00cb978 100644
--- a/lambda/signed_cookies.tf
+++ b/lambda/signed_cookies.tf
@@ -44,9 +44,10 @@ resource "aws_kms_ciphertext" "environment_vars_signed_cookies" {
 }
 
 resource "aws_cloudwatch_log_group" "signed_cookies_lambda_log_group" {
- count = local.count_signed_cookies
- name = "/aws/lambda/${aws_lambda_function.signed_cookies_lambda_function.*.function_name[0]}"
- tags = var.common_tags
+ count = local.count_signed_cookies
+ name = "/aws/lambda/${aws_lambda_function.signed_cookies_lambda_function.*.function_name[0]}"
+ retention_in_days = var.cloudwatch_log_retention_in_days
+ tags = var.common_tags
 }
 
 resource "aws_iam_policy" "signed_cookies_lambda_policy" {
From a502b482822f9707393907f8e112de6745d43741 Mon Sep 17 00:00:00 2001
From: TomJKing
Date: Tue, 23 Jan 2024 07:55:24 +0000
Subject: [PATCH 3/3] Default lambda log retention to 30 days

Align default lambda log retention with DRI2
---
 lambda/variables.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lambda/variables.tf b/lambda/variables.tf
index 528d94d..42ee95e 100644
--- a/lambda/variables.tf
+++ b/lambda/variables.tf
@@ -366,5 +366,5 @@ variable "user_session_timeout_mins" {
 
 variable "cloudwatch_log_retention_in_days" {
 description = "Number of days to retain logs. '0' equals indefinite retention"
- default = 0
+ default = 30
 }
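Review bot: Changing `default = 0` to `default = 30` silently alters behaviour for every environment that does not set this variable: on the next apply a 30-day retention policy is attached to all thirteen log groups from the previous commit, and CloudWatch then deletes any events older than 30 days that were previously kept indefinitely, which neither the variable description nor the commit message mentions. State the default and its effect on the variable itself, e.g. `description = "Number of days to retain Lambda logs. Defaults to 30; '0' equals indefinite retention. Must be a retention period accepted by CloudWatch Logs"`, so the one-off loss of older log data is visible to whoever reviews the plan. Several of the affected groups belong to authentication-related functions (Keycloak user and database-user creation, the export API authoriser, signed cookies, Keycloak secret rotation), so 30 days also becomes the maximum look-back for investigating an incident in those functions unless the logs are shipped elsewhere; if the DRI2 alignment is meant to accept that, recording it in the commit body would save the next reader from re-deriving it.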