feat: Added logging for documentation infrastructure. (#23)

Author: jamesiarmes

docs/services/appspec/reference.md

@@ -84,6 +84,21 @@ supported.
 `version` defines the version of the specified database engine to use. If not
 provided, the latest supported version will be used.
 
+## `docs`
+
+`docs` defines configuration for the application's documentation, if any.
+
+### `docs.enabled`
+
+`enabled` defines whether the documentation is enabled for the application. If
+not provided, defaults to `true` when other attributes a present in `docs.*`,
+otherwise defaults to `false`.
+
+### `docs.private`
+
+`private` defines whether the documentation is private to the organization,
+requiring authentication to access. Defaults to `false` if not provided.
+
 ## `secrets`
 
 `secrets` defines any secrets that the application requires. This is a map of

tofu/modules/docs/data.tf

@@ -16,3 +16,13 @@ data "aws_vpc_endpoint" "s3" {
 data "aws_cloudfront_cache_policy" "endpoint" {
   name = "Managed-CachingOptimized"
 }
+
+# Find the lambda function for the Datadog forwarder so that we can use it as a
+# destination for CloudWatch log subscriptions.
+data "aws_lambda_functions" "all" {}
+
+data "aws_lambda_function" "datadog" {
+  for_each = length(local.datadog_lambda) > 0 ? toset(["this"]) : toset([])
+
+  function_name = local.datadog_lambda[0]
+}

tofu/modules/docs/lambda.tf

@@ -47,5 +47,5 @@ resource "aws_lambda_function" "oidc" {
 
   runtime = "nodejs22.x"
 
-  tags = local.tags
+  tags = merge(local.tags, { use = "edge-function" })
 }

tofu/modules/docs/local.tf

@@ -1,9 +1,17 @@
 locals {
   apps               = { for k, v in var.apps : k => v if v.docs.enabled }
+  aws_logs_path = "/AWSLogs/${data.aws_caller_identity.identity.account_id}"
   build_dir          = "${path.module}/dist"
+  datadog_lambda = [
+    for lambda in data.aws_lambda_functions.all.function_names :
+    lambda if length(regexall("^DatadogIntegration-ForwarderStack-", lambda)) > 0
+  ]
   file_dir           = "${path.module}/files"
   fqdn               = "${var.subdomain}.${var.domain}"
   lambda_dir         = "${path.module}/lambda"
+  log_groups = [
+    aws_lambda_function.oidc.logging_config[0].log_group
+  ]
   prefix             = "cfa-documentation-${var.environment}"
   protected_prefixes = [for k, v in local.apps : k if v.docs.private]
   tags_base = {

tofu/modules/docs/main.tf

@@ -60,7 +60,22 @@ module "bucket" {
     cloudfront_distribution_arn : aws_cloudfront_distribution.endpoint.arn,
   })))
 
-  tags = local.tags
+  s3_logging = {
+    target_bucket = var.logging_bucket
+    target_prefix = "${local.aws_logs_path}/s3accesslogs/${var.bucket_name}"
+  }
+
+  lifecycle_configuration = [{
+      id      = "static-site"
+      status  = "Enabled"
+      prefix  = ""
+      abort_incomplete_multipart_upload_days = 7
+      noncurrent_version_expiration = {
+        noncurrent_days = 30
+      }
+  }]
+
+  tags = merge(local.tags, { use = "static-site" })
 }
 
 resource "aws_s3_object" "robots" {
@@ -77,3 +92,13 @@ resource "aws_s3_object" "index" {
   content_type   = "text/html"
   force_destroy  = var.force_delete
 }
+
+resource "aws_cloudwatch_log_subscription_filter" "datadog" {
+  depends_on = [aws_lambda_function.oidc]
+  for_each   = length(local.datadog_lambda) > 0 ? local.log_groups : toset([])
+
+  name            = "datadog"
+  log_group_name  = each.value
+  filter_pattern  = ""
+  destination_arn = data.aws_lambda_function.datadog["this"].arn
+}