BAU: use well-known for cribl kinesis arns

[whi-tw]

What problem does this pull request solve?

• BAU: use well-known module for Cribl Kinesis dest

Things to consider when reviewing

• Ensure that you consider the wider context.
• Does it work when run on your machine?
• Is it clear what the code is doing?
• Do the commit messages explain why the changes were made?
• Are there all the unit tests needed?
• Has all relevant documentation been updated?

Reminders

If you've made changes to the deployer role (files in modules/deployer-access):

• Remember to run make <environment> forms/account apply on the relevant environments (dev, staging, user-research, and/or prod)
• Check the #govuk-forms-deployment-notifications Slack channel to ensure the apply-forms-terraform-<environment> pipelines have run successfully

[github-actions]

💰 Infracost report

Monthly estimate generated

Estimate details (includes details of unsupported resources and skipped projects due to errors)

──────────────────────────────────
Project: forms-health-dev
Module path: infra/deployments/forms/health
Errors:
  Error loading Terraform modules:
    could not load modules for path /home/runner/work/forms-deploy/forms-deploy/infra/deployments/forms/health failed to parse file /home/runner/work/forms-deploy/forms-deploy/infra/deployments/forms/health/alerts/variables.tf diag:
      /home/runner/work/forms-deploy/forms-deploy/infra/deployments/forms/health/alerts/variables.tf:32,90-91:
        Missing argument separator; A comma is required to separate each function argument from the next., and 1 other diagnostic(s)
  Diff baseline error:
    Error loading Terraform modules:
      could not load modules for path /home/runner/work/forms-deploy/forms-deploy/infra/deployments/forms/health failed to parse file /home/runner/work/forms-deploy/forms-deploy/infra/deployments/forms/health/alerts/variables.tf diag:
        /home/runner/work/forms-deploy/forms-deploy/infra/deployments/forms/health/alerts/variables.tf:32,90-91:
          Missing argument separator; A comma is required to separate each function argument from the next., and 1 other diagnostic(s)

──────────────────────────────────
Project: forms-health-production
Module path: infra/deployments/forms/health
Errors:
  Error loading Terraform modules:
    could not load modules for path /home/runner/work/forms-deploy/forms-deploy/infra/deployments/forms/health failed to parse file /home/runner/work/forms-deploy/forms-deploy/infra/deployments/forms/health/alerts/variables.tf diag:
      /home/runner/work/forms-deploy/forms-deploy/infra/deployments/forms/health/alerts/variables.tf:32,90-91:
        Missing argument separator; A comma is required to separate each function argument from the next., and 1 other diagnostic(s)
  Diff baseline error:
    Error loading Terraform modules:
      could not load modules for path /home/runner/work/forms-deploy/forms-deploy/infra/deployments/forms/health failed to parse file /home/runner/work/forms-deploy/forms-deploy/infra/deployments/forms/health/alerts/variables.tf diag:
        /home/runner/work/forms-deploy/forms-deploy/infra/deployments/forms/health/alerts/variables.tf:32,90-91:
          Missing argument separator; A comma is required to separate each function argument from the next., and 1 other diagnostic(s)

──────────────────────────────────
Project: forms-health-staging
Module path: infra/deployments/forms/health
Errors:
  Error loading Terraform modules:
    could not load modules for path /home/runner/work/forms-deploy/forms-deploy/infra/deployments/forms/health failed to parse file /home/runner/work/forms-deploy/forms-deploy/infra/deployments/forms/health/alerts/variables.tf diag:
      /home/runner/work/forms-deploy/forms-deploy/infra/deployments/forms/health/alerts/variables.tf:32,90-91:
        Missing argument separator; A comma is required to separate each function argument from the next., and 1 other diagnostic(s)
  Diff baseline error:
    Error loading Terraform modules:
      could not load modules for path /home/runner/work/forms-deploy/forms-deploy/infra/deployments/forms/health failed to parse file /home/runner/work/forms-deploy/forms-deploy/infra/deployments/forms/health/alerts/variables.tf diag:
        /home/runner/work/forms-deploy/forms-deploy/infra/deployments/forms/health/alerts/variables.tf:32,90-91:
          Missing argument separator; A comma is required to separate each function argument from the next., and 1 other diagnostic(s)

──────────────────────────────────
Project: forms-health-user-research
Module path: infra/deployments/forms/health
Errors:
  Error loading Terraform modules:
    could not load modules for path /home/runner/work/forms-deploy/forms-deploy/infra/deployments/forms/health failed to parse file /home/runner/work/forms-deploy/forms-deploy/infra/deployments/forms/health/alerts/variables.tf diag:
      /home/runner/work/forms-deploy/forms-deploy/infra/deployments/forms/health/alerts/variables.tf:32,90-91:
        Missing argument separator; A comma is required to separate each function argument from the next., and 1 other diagnostic(s)
  Diff baseline error:
    Error loading Terraform modules:
      could not load modules for path /home/runner/work/forms-deploy/forms-deploy/infra/deployments/forms/health failed to parse file /home/runner/work/forms-deploy/forms-deploy/infra/deployments/forms/health/alerts/variables.tf diag:
        /home/runner/work/forms-deploy/forms-deploy/infra/deployments/forms/health/alerts/variables.tf:32,90-91:
          Missing argument separator; A comma is required to separate each function argument from the next., and 1 other diagnostic(s)

──────────────────────────────────
──────────────────────────────────
53 projects have no cost estimate changes.
Run the following command to see their breakdown: infracost breakdown --path=/path/to/code

──────────────────────────────────
3650 cloud resources were detected:
∙ 673 were estimated
∙ 2952 were free
∙ 25 are not supported yet, see https://infracost.io/requested-resources:
  ∙ 21 x aws_codepipeline
  ∙ 4 x aws_guardduty_malware_protection_plan

_{This comment will be updated when code changes.}

[Copilot]

Pull Request Overview

This pull request refactors the Cribl Kinesis logging infrastructure to use a well-known module for managing Kinesis destination ARNs. The change centralizes the destination ARN definitions and removes the need to pass them as variables through multiple layers of the infrastructure code.

Key changes:

• Created a new well-known/cribl module that provides Kinesis destination names and ARNs for both eu-west-2 and us-east-1 regions
• Simplified variable interfaces by replacing the log_to_splunk_settings object with a single kinesis_subscription_role_arn string variable
• Removed hardcoded Kinesis destination ARNs from tfvars files across all environments

Reviewed Changes

Copilot reviewed 41 out of 41 changed files in this pull request and generated 2 comments.

Show a summary per file

File	Description
infra/modules/well-known/cribl/kinesis.tf	New module defining well-known Kinesis destination names and ARN construction logic
infra/modules/ecs-service/logging.tf	Updated to use well-known module for Kinesis destination ARN
infra/modules/cloudfront_waf_protection/waf.tf	Updated to use well-known module for Kinesis destination ARN (us-east-1)
infra/modules/alb_waf_protection/waf.tf	Updated to use well-known module for Kinesis destination ARN
infra/modules/forms-runner/variables.tf	Simplified variable from object to string for kinesis_subscription_role_arn
infra/modules/forms-product-page/variables.tf	Simplified variable from object to string for kinesis_subscription_role_arn
infra/modules/forms-admin/variables.tf	Simplified variable from object to string for kinesis_subscription_role_arn
infra/modules/environment/variables.tf	Simplified variable from object to string for kinesis_subscription_role_arn
infra/modules/cloudfront/variables.tf	Simplified variable from object to string for kinesis_subscription_role_arn
infra/deployments/integration/account/cloudwatch-log-to-splunk.tf	Converted counted resources to single resources with moved blocks, uses well-known module
infra/deployments/integration/account/outputs.tf	Removed kinesis_destination_arn outputs (but contains bug with [0] index)
infra/deployments/integration/account/inputs.tf	Removed kinesis_destination_arn input variables
infra/deployments/integration/tfvars/integration.tfvars	Removed hardcoded Kinesis destination ARNs
infra/deployments/integration/review/logging.tf	Updated to use well-known module for Kinesis destination ARN
infra/deployments/integration/review/cloudfront.tf	Updated module call to pass kinesis_subscription_role_arn directly
infra/deployments/integration/review/alb/waf.tf	Updated module call to pass kinesis_subscription_role_arn directly
infra/deployments/forms/account/cloudwatch-log-to-splunk.tf	Converted counted resources to single resources with moved blocks, uses well-known module
infra/deployments/forms/account/outputs.tf	Removed kinesis_destination_arn outputs (but contains bug with [0] index)
infra/deployments/forms/account/inputs.tf	Removed kinesis_destination_arn input variables
infra/deployments/forms/account/tfvars/*.tfvars	Removed hardcoded Kinesis destination ARNs from all environment tfvars files
infra/deployments/forms/environment/main.tf	Updated module call to pass kinesis_subscription_role_arn directly
infra/deployments/forms/forms-admin/main.tf	Updated module call to pass kinesis_subscription_role_arn directly
infra/deployments/forms/forms-product-page/main.tf	Updated module call with simplified variable
infra/deployments/forms/forms-runner/main.tf	Updated module call with simplified variable
infra/deployments/deploy/tools/log_to_splunk/outputs.tf	Removed destination_arn outputs
infra/deployments/deploy/tools/log_to_splunk/kinesis-stream.tf	Updated to use well-known module for destination names

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

Pull Request Overview

Copilot reviewed 41 out of 41 changed files in this pull request and generated 1 comment.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[sarahseewhy]

I'm a bit late to the well-known module so I appreciate I may lack some context.

I'd like to propose a name change to the module to align it with the existing module naming convention (service-oriented nouns): canonical-identifiers or shared-identifiers.

For example: module.canonical-identifiers.kinesis_destination_names["eu-west-2"]

As I understand it, based on the helpful README (thank you!), the purpose of the well-known module is a central catalogue of canonical identifiers (names/ARNs/IDs) that are shared across environments, with lookup via outputs instead of repeated in each environment’s tfvars.

I know a request for this kind of change is a pain and I do apologise -- I'm also happy to chat about it if that would help. Maybe this is a drop in the bucket for having a forms-deploy style guide.

[sarahseewhy]

I'm a bit late to the well-known module so I appreciate I may lack some context.

I'd like to propose a name change to the module to align it with the existing module naming convention (service-oriented nouns): canonical-identifiers or shared-identifiers.

For example: module.canonical-identifiers.kinesis_destination_names["eu-west-2"]

As I understand it, based on the helpful README (thank you!), the purpose of the well-known module is a central catalogue of canonical identifiers (names/ARNs/IDs) that are shared across environments, with lookup via outputs instead of repeated in each environment’s tfvars.

I know a request for this kind of change is a pain and I do apologise -- I'm also happy to chat about it if that would help. Maybe this is a drop in the bucket for having a forms-deploy style guide.

We had a really good chat in stand-up about the naming and I retract my proposal. Instead, I'm going to update the directory README to include a section on why we named it well-known in a separate PR. I'll approve this PR now.

[sarahseewhy]

Thanks for the extra context in stand-up!