✨ Enable EventBridge -> Cloudwatch

terraform/environments/data-platform-apps-and-tools/auth0-log-steams.tf

@@ -0,0 +1,10 @@
+module "auth0_log_streams" {
+  source = "./modules/auth0-log-streams"
+
+  for_each = local.environment_configuration.auth0_log_streams
+
+  name = each.key
+  event_source_name = each.value.event_source_name
+
+  tags = local.tags
+}

terraform/environments/data-platform-apps-and-tools/environment-configuration.tf

@@ -11,6 +11,14 @@ locals {
       eks_cluster_name               = "apps-tools-development"
       route53_zone                   = "apps-tools.development.data-platform.service.justice.gov.uk"
       ses_domain_identity            = "apps-tools.development.data-platform.service.justice.gov.uk"
+      auth0_log_streams = {
+        "dev-analytics-moj" = {
+          event_source_name = "aws.partner/auth0.com/alpha-analytics-moj-e03aeb05-4c4e-4b55-9c7e-7929526f3181/auth0.logs"
+        }
+        "ministryofjustice-data-platform-development" = {
+          event_source_name = "aws.partner/auth0.com/ministryofjustice-data-platform-development-a628362c-f79b-46e9-9604-7c9861565a1b/auth0.logs"
+        }
+      }
     }
     production = {
       eks_cluster_arn                = "arn:aws:eks:eu-west-1:312423030077:cluster/production-dBSvju9Y"
@@ -19,6 +27,14 @@ locals {
       eks_cluster_name               = "production-dBSvju9Y"
       route53_zone                   = "apps-tools.data-platform.service.justice.gov.uk"
       ses_domain_identity            = "apps-tools.data-platform.service.justice.gov.uk"
+      auth0_log_streams = {
+        "alpha-analytics-moj" = {
+          event_source_name = "aws.partner/auth0.com/alpha-analytics-moj-e03aeb05-4c4e-4b55-9c7e-7929526f3181/auth0.logs"
+        }
+        "ministryofjustice-data-platform" = {
+          event_source_name = "aws.partner/auth0.com/ministryofjustice-data-platform-e95e4fb0-f6f8-455f-9b62-61608adafd69/auth0.logs"
+        }
+      }
     }
   }
 }

terraform/environments/data-platform-apps-and-tools/modules/auth0-log-streams/locals.tf

@@ -0,0 +1,3 @@
+locals {
+  cloudwatch_log_group_name = "/aws/events/auth0/${var.name}"
+}

terraform/environments/data-platform-apps-and-tools/modules/auth0-log-streams/main.tf

@@ -0,0 +1,56 @@
+module "kms_key" {
+  #checkov:skip=CKV_TF_1:Module registry does not support commit hashes for versions
+  source  = "terraform-aws-modules/kms/aws"
+  version = "2.1.0"
+
+  aliases               = ["auth0/${var.name}"]
+  description           = "Auth0 KMS Key for ${var.name}"
+  enable_default_policy = true
+
+  deletion_window_in_days = 7
+
+  key_statements = [
+    {
+      sid = "AWSEventBridge"
+      actions = [
+        "kms:Decrypt",
+        "kms:GenerateDataKey",
+      ]
+      resources = ["*"]
+
+      principals = [
+        {
+          type        = "Service"
+          identifiers = ["events.amazonaws.com"]
+        }
+      ]
+    }
+  ]
+
+  tags = var.tags
+}
+
+resource "aws_cloudwatch_log_group" "this" {
+  name = local.cloudwatch_log_group_name
+
+  kms_key_id        = module.kms_key.key_arn
+  retention_in_days = var.retention_in_days
+}
+
+resource "aws_cloudwatch_event_rule" "this" {
+  name           = var.name
+  event_bus_name = var.event_source_name
+
+  event_pattern = jsonencode({
+    source = [{
+      prefix = "aws.partner/auth0.com"
+    }]
+  })
+}
+
+resource "aws_cloudwatch_event_target" "this" {
+  target_id      = "auth0-to-cloudwatch-logs"
+  event_bus_name = var.event_source_name
+  rule           = aws_cloudwatch_event_rule.this.name
+  arn            = aws_cloudwatch_log_group.this.arn
+}

terraform/environments/data-platform-apps-and-tools/modules/auth0-log-streams/variables.tf

@@ -0,0 +1,16 @@
+variable "name" {
+  type = string
+}
+
+variable "event_source_name" {
+  type = string
+}
+
+variable "tags" {
+  type = map(string)
+}
+
+variable "retention_in_days" {
+  type = number
+  default = 400
+}