KMS-654: Ensure KMS logs from the lambdas are available in Splunk (#101)

* KMS-654: Initial revision

* KMS-654: Setup log group name, log account

* KMS-654: Updated to fix deployment issue with account

* KMS-654: Add secLog account

* KMS-654: Update account setup

* KMS-654: Fix lint issues

* KMS-654: Update for conddition 'useLocalStack'

* KMS-654: Fix linter issue

* KMS-654: Use one param for log account

* KMS-654: Use dummy value for logDestinationArn for local stack

* KMS-654: Refactoring

* KMS-654: Use subscriptionFilter

* KMS-654: Rename log groups

* KMS-654: Update log group

* KMS-654: Update log group name

* KMS-654: Increase log detention to one month

Author: htranho

bin/deploy-bamboo.sh

@@ -73,6 +73,7 @@ dockerRun() {
         --env "LOG_LEVEL=$bamboo_LOG_LEVEL" \
         --env "KMS_REDIS_ENABLED=$bamboo_KMS_REDIS_ENABLED" \
         --env "KMS_REDIS_NODE_TYPE=$bamboo_KMS_REDIS_NODE_TYPE" \
+        --env "LOG_DESTINATION_ARN=$bamboo_LOG_DESTINATION_ARN" \
     $dockerTag "$@"
 }
 

cdk/app/lib/CmrEventProcessingStack.ts

@@ -10,13 +10,16 @@ import * as subscriptions from 'aws-cdk-lib/aws-sns-subscriptions'
 import * as sqs from 'aws-cdk-lib/aws-sqs'
 import { Construct } from 'constructs'
 
+import { LogForwardingSetup } from './helper/LogForwardingSetup'
+
 /**
  * Properties for the CMR event processing stack.
  */
 export interface CmrEventProcessingStackProps extends cdk.StackProps {
   prefix: string
   stage: string
   topicArn: string
+  logDestinationArn: string
 }
 
 /**
@@ -38,6 +41,7 @@ export class CmrEventProcessingStack extends cdk.Stack {
   constructor(scope: Construct, id: string, props: CmrEventProcessingStackProps) {
     super(scope, id, props)
 
+    const useLocalstack = this.node.tryGetContext('useLocalstack') === 'true'
     const queueName = `${props.prefix}-${props.stage}-cmr-keyword-events`
     const topic = sns.Topic.fromTopicArn(this, 'KeywordEventsTopic', props.topicArn)
 
@@ -55,7 +59,7 @@ export class CmrEventProcessingStack extends cdk.Stack {
     })
 
     const listenerLambda = new NodejsFunction(this, `${props.prefix}-cmr-keyword-events-processor`, {
-      functionName: `${props.prefix}-cmr-keyword-events-processor`,
+      functionName: `${props.prefix}-${props.stage}-cmr-keyword-events-processor`,
       entry: path.join(__dirname, '../../../serverless/src/cmrKeywordEventsListener/handler.js'),
       handler: 'cmrKeywordEventsListener',
       runtime: lambda.Runtime.NODEJS_22_X,
@@ -72,6 +76,20 @@ export class CmrEventProcessingStack extends cdk.Stack {
 
     queue.grantConsumeMessages(listenerLambda)
 
+    // Set up CloudWatch Logs forwarding to Splunk via NGAP SecLog account
+    // Skip log forwarding for localstack deployments
+    if (!useLocalstack) {
+      // eslint-disable-next-line no-new
+      new LogForwardingSetup(this, 'LogForwarding', {
+        prefix: props.prefix,
+        stage: props.stage,
+        logDestinationArn: props.logDestinationArn,
+        lambdas: {
+          'cmrKeywordEventsListener/handler.js::cmr-keyword-events-processor': listenerLambda
+        }
+      })
+    }
+
     this.keywordEventsQueueUrlOutput = new cdk.CfnOutput(this, 'CmrKeywordEventsQueueUrl', {
       description: 'Queue URL for CMR keyword event processing',
       exportName: `${props.prefix}-CmrKeywordEventsQueueUrl`,

cdk/app/lib/KmsStack.ts

@@ -9,6 +9,7 @@ import { Construct } from 'constructs'
 import { ApiResources } from './helper/ApiResources'
 import { IamSetup } from './helper/IamSetup'
 import { LambdaFunctions } from './helper/KmsLambdaFunctions'
+import { LogForwardingSetup } from './helper/LogForwardingSetup'
 import { VpcSetup } from './helper/VpcSetup'
 
 /**
@@ -21,6 +22,7 @@ export interface KmsStackProps extends cdk.StackProps {
   rootResourceId: string | undefined
   stage: string
   vpcId: string
+  logDestinationArn: string
   environment: {
     CMR_BASE_URL: string
     EDL_PASSWORD: string
@@ -79,7 +81,13 @@ export class KmsStack extends cdk.Stack {
   constructor(scope: Construct, id: string, props: KmsStackProps) {
     super(scope, id, props)
     const {
-      environment, existingApiId, prefix, rootResourceId, stage, vpcId
+      environment,
+      existingApiId,
+      logDestinationArn,
+      prefix,
+      rootResourceId,
+      stage,
+      vpcId
     } = props
     this.stage = stage
 
@@ -160,6 +168,19 @@ export class KmsStack extends cdk.Stack {
     const lambdas = this.lambdaFunctions.getAllLambdas()
     const methods = this.lambdaFunctions.getAllMethods()
 
+    // Set up CloudWatch Logs forwarding to Splunk via NGAP SecLog account
+    // Skip log forwarding for localstack deployments
+    if (!useLocalstack) {
+      // Create log forwarding setup - no reference needed as it registers itself
+      // eslint-disable-next-line no-new
+      new LogForwardingSetup(this, 'LogForwarding', {
+        prefix,
+        stage,
+        logDestinationArn,
+        lambdas
+      })
+    }
+
     // Create a new deployment
     const deployment = new apigateway.Deployment(
       this,

cdk/app/lib/helper/KmsLambdaFunctions.ts

@@ -617,7 +617,7 @@ export class LambdaFunctions {
     let lambdaFunction = this.lambdas[lambdaKey]
     if (!lambdaFunction) {
       const nodejsFunctionProps: NodejsFunctionProps = {
-        functionName: `${this.props.prefix}-${functionName}`,
+        functionName: `${this.props.prefix}-${this.props.stage}-${functionName}`,
         entry: path.join(__dirname, '../../../../serverless/src', handlerPath),
         handler: handlerName,
         runtime: lambda.Runtime.NODEJS_22_X,

cdk/app/lib/helper/LogForwardingSetup.ts

@@ -0,0 +1,121 @@
+import * as cdk from 'aws-cdk-lib'
+import * as lambda from 'aws-cdk-lib/aws-lambda'
+import * as logs from 'aws-cdk-lib/aws-logs'
+import { Construct } from 'constructs'
+
+/**
+ * Interface for LogForwardingSetup properties
+ */
+interface LogForwardingSetupProps {
+  /** Prefix for naming resources */
+  prefix: string
+  /** Deployment stage (sit, uat, prod) */
+  stage: string
+  /** ARN of the log destination in NGAP SecLog account */
+  logDestinationArn: string
+  /** Map of Lambda functions to configure log forwarding for */
+  lambdas: { [key: string]: lambda.Function }
+  /** Log retention period in days */
+  logRetentionDays?: logs.RetentionDays
+}
+
+/**
+ * Sets up CloudWatch Log Groups and Subscription Filters to forward logs to NGAP SecLog account.
+ *
+ * This class configures log forwarding to Splunk via NGAP's centralized logging infrastructure.
+ * Logs are forwarded to a Kinesis stream in the SecLog account which then forwards them to Splunk.
+ *
+ * @see https://wiki.earthdata.nasa.gov/pages/viewpage.action?pageId=147423378
+ */
+export class LogForwardingSetup {
+  /** The ARN of the log destination for log forwarding */
+  private readonly logDestinationArn: string
+
+  /** Log retention period */
+  private readonly logRetentionDays: logs.RetentionDays
+
+  /** Prefix for naming resources */
+  private readonly prefix: string
+
+  /** Deployment stage */
+  private readonly stage: string
+
+  /** Stack name for resource naming */
+  private readonly stackName: string
+
+  /**
+   * Constructs a new LogForwardingSetup instance
+   * @param {Construct} scope - The scope in which to define this construct
+   * @param {string} id - The construct ID
+   * @param {LogForwardingSetupProps} props - Configuration properties
+   */
+  constructor(scope: Construct, id: string, props: LogForwardingSetupProps) {
+    this.logRetentionDays = props.logRetentionDays || logs.RetentionDays.ONE_MONTH
+    this.prefix = props.prefix
+    this.stage = props.stage
+    this.stackName = cdk.Stack.of(scope).stackName
+
+    if (!props.logDestinationArn) {
+      throw new Error(
+        'logDestinationArn is required for log forwarding. '
+        + 'Please set the LOG_DESTINATION_ARN environment variable in your Bamboo deployment.'
+      )
+    }
+
+    this.logDestinationArn = props.logDestinationArn
+
+    // Set up log groups and subscription filters for each Lambda function
+    this.setupLogForwarding(scope, props)
+  }
+
+  /**
+   * Sets up log groups and subscription filters for all Lambda functions.
+   *
+   * For each Lambda function:
+   * 1. Creates an explicit CloudWatch Log Group with retention policy
+   * 2. Creates a Subscription Filter to forward logs to NGAP SecLog destination
+   *
+   * Note: We use the pre-configured destination ARN in the SecLog account,
+   * not a role from our account. The destination already has the necessary
+   * permissions to receive logs from our account.
+   *
+   * @param {Construct} scope - The scope in which to define constructs
+   * @param {LogForwardingSetupProps} props - Configuration properties
+   * @private
+   */
+  private setupLogForwarding(scope: Construct, props: LogForwardingSetupProps) {
+    const { lambdas } = props
+
+    // Set up log forwarding for each Lambda function
+    Object.entries(lambdas).forEach(([key, lambdaFunction]) => {
+      const sanitizedKey = key.replace(/[^a-zA-Z0-9]/g, '-')
+
+      // Create explicit log group with retention
+      // Log group naming: /aws/lambda/{prefix}-{stage}-{functionName}
+      // This enables easy Splunk searches: source="/aws/lambda/kms-sit-*"
+      const logGroup = new logs.LogGroup(scope, `${sanitizedKey}-LogGroup`, {
+        logGroupName: `/aws/lambda/${lambdaFunction.functionName}`,
+        retention: this.logRetentionDays,
+        removalPolicy: cdk.RemovalPolicy.DESTROY
+      })
+
+      // Create subscription filter to forward logs to NGAP SecLog destination
+      // The destination ARN is pre-configured in the SecLog account and has
+      // the necessary permissions to accept logs from our account
+      const subscriptionFilter = new logs.CfnSubscriptionFilter(
+        scope,
+        `${sanitizedKey}-subscriptionFilter`,
+        {
+          logGroupName: logGroup.logGroupName,
+          filterPattern: '', // Empty pattern forwards all logs
+          destinationArn: this.logDestinationArn,
+          filterName: `${this.stackName}-${this.stage}-${sanitizedKey}-subscriptionFilter`
+          // No roleArn needed - the destination is in the SecLog account
+        }
+      )
+
+      // Ensure proper dependency order
+      subscriptionFilter.node.addDependency(logGroup)
+    })
+  }
+}

cdk/bin/main.ts

@@ -43,6 +43,7 @@ async function main() {
   const stage = process.env.STAGE_NAME || 'dev'
   const existingApiId = process.env.EXISTING_API_ID
   const rootResourceId = process.env.ROOT_RESOURCE_ID
+  let logDestinationArn = process.env.LOG_DESTINATION_ARN
 
   const app = new cdk.App({
     context: {
@@ -68,6 +69,19 @@ async function main() {
     throw new Error('VPC_ID environment variable is not set')
   }
 
+  // Validate required logging parameters for non-localstack deployments
+  if (!useLocalstack && !logDestinationArn) {
+    throw new Error(
+      'LOG_DESTINATION_ARN environment variable is required for log forwarding. '
+      + 'Please set bamboo_LOG_DESTINATION_ARN in your Bamboo deployment configuration.'
+    )
+  }
+
+  // Set dummy ARN for localstack since log forwarding is skipped
+  if (useLocalstack && !logDestinationArn) {
+    logDestinationArn = 'arn:aws:logs:us-east-1:000000000000:destination:localstack-dummy'
+  }
+
   let iamStack: IamStack | undefined
   let lbStack: LoadBalancerStack | undefined
   let ebsStack: EbsStack | undefined
@@ -151,6 +165,7 @@ async function main() {
     stage,
     existingApiId,
     rootResourceId,
+    logDestinationArn: logDestinationArn!,
     environment: {
       RDF4J_SERVICE_URL: useLocalstack
         ? 'http://rdf4j-server:8080'
@@ -187,7 +202,8 @@ async function main() {
     prefix,
     stage,
     stackName: `${prefix}-CmrEventProcessingStack`,
-    topicArn: kmsStack.keywordEventsTopic.topicArn
+    topicArn: kmsStack.keywordEventsTopic.topicArn,
+    logDestinationArn: logDestinationArn!
   })
 
   cmrEventProcessingStack.addDependency(kmsStack)