From 6b6a105d36a5c3c94054e7fdf03636ef1e56e6e6 Mon Sep 17 00:00:00 2001
From: David Sibley
Date: Fri, 27 Sep 2024 16:18:20 +0100
Subject: [PATCH] added resolver logging config and applied some linting fixes

---
 .../environments/core-security/locals.tf | 2 +-
 .../environments/core-security/logging.tf | 28 +++++++++++++++++++
 terraform/environments/core-security/vpc.tf | 2 +-
 3 files changed, 30 insertions(+), 2 deletions(-)
 create mode 100644 terraform/environments/core-security/logging.tf

diff --git a/terraform/environments/core-security/locals.tf b/terraform/environments/core-security/locals.tf
index 62872bfa7..182b7db71 100644
--- a/terraform/environments/core-security/locals.tf
+++ b/terraform/environments/core-security/locals.tf
@@ -9,7 +9,7 @@ locals {
 # This takes the name of the Terraform workspace (e.g. core-vpc-production), strips out the application name (e.g. core-vpc), and checks if
 # the string leftover is `-production`, if it isn't (e.g. core-vpc-non-production => -non-production) then it sets the var to false.
- is-production = substr(terraform.workspace, length(local.application_name), length(terraform.workspace)) == "-production"
+ is-production = substr(terraform.workspace, length(local.application_name), length(terraform.workspace)) == "-production"
 cloudwatch_log_buckets = nonsensitive(jsondecode(data.aws_secretsmanager_secret_version.core_logging_bucket_arns.secret_string))
 
 tags = {
diff --git a/terraform/environments/core-security/logging.tf b/terraform/environments/core-security/logging.tf
new file mode 100644
index 000000000..8a5205341
--- /dev/null
+++ b/terraform/environments/core-security/logging.tf
@@ -0,0 +1,28 @@
+locals {
+ resolver_query_log_config_names = toset(["core-logging-rlq-cloudwatch", "core-logging-rlq-s3"])
+ vpc_ids = { for key, value in module.vpc : key => value["vpc_id"] if key == "live_data" }
+ rlq_ids = { for name, config in data.aws_route53_resolver_query_log_config.core_logging : name => config.id }
+ vpc_rlq_associations = merge([
+ for vpc_key, vpc_id in local.vpc_ids : {
+ for rlq_name, rlq_id in local.rlq_ids :
+ "${vpc_key}_${rlq_name}" => {
+ vpc_id = vpc_id
+ rlq_id = rlq_id
+ }
+ }
+ ]...)
+}
+
+data "aws_route53_resolver_query_log_config" "core_logging" {
+ for_each = local.resolver_query_log_config_names
+ filter {
+ name = "Name"
+ values = [each.value]
+ }
+}
+
+resource "aws_route53_resolver_query_log_config_association" "core_logging" {
+ for_each = local.is-production ? local.vpc_rlq_associations : {}
+ resolver_query_log_config_id = each.value.rlq_id
+ resource_id = each.value.vpc_id
+}
diff --git a/terraform/environments/core-security/vpc.tf b/terraform/environments/core-security/vpc.tf
index a02287610..e2d51fff7 100644
--- a/terraform/environments/core-security/vpc.tf
+++ b/terraform/environments/core-security/vpc.tf
@@ -20,7 +20,7 @@ module "vpc" {
 gateway = "transit"
 
 # VPC Flow Logs
- vpc_flow_log_iam_role = aws_iam_role.vpc_flow_log.arn
+ vpc_flow_log_iam_role = aws_iam_role.vpc_flow_log.arn
 flow_log_s3_destination_arn = each.key == "live_data" ? local.cloudwatch_log_buckets["vpc-flow-logs"] : ""
 
 # Transit Gateway ID
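Review bot: The `aws_route53_resolver_query_log_config_association` resource at the end of the new file is created only when `local.is-production` is true, so non-production workspaces get a VPC whose DNS resolver queries are not logged at all, while the two `data "aws_route53_resolver_query_log_config"` lookups still run there and will fail the plan if no config named `core-logging-rlq-cloudwatch` / `core-logging-rlq-s3` is visible from that account. If that is intended, the gating deserves a comment on the `for_each` line, e.g. `# Only production VPCs are associated; the core-logging query log configs are presumably only shared into production accounts — confirm`. The `vpc_ids` comprehension also silently restricts the association to the `live_data` VPC, so any other key in `module.vpc` is excluded; a one-line comment such as `# Only the live_data VPC is associated; other VPCs in module.vpc are intentionally excluded` would keep that from reading as an oversight. Note too that the `filter { name = "Name" }` lookup errors if the Name matches zero or more than one config, which is acceptable but worth stating, since a same-named config shared into the account would break the lookup rather than be silently picked.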