MLPAB-1991 - Fix AV Scan lambda function logging (#1100)

* use log group for lambda function

* put all logs into a folder named for the environment

terraform/environment/region/modules/application_logs/cloudwatch_log_group.tf

@@ -10,7 +10,7 @@ resource "aws_cloudwatch_log_group" "application_logs" {
   provider          = aws.region
 }
 resource "aws_cloudwatch_query_definition" "app_container_messages" {
-  name            = "Modernising LPA Application Logs/${data.aws_default_tags.current.tags.environment-name} app container messages"
+  name            = "${data.aws_default_tags.current.tags.environment-name}/app container messages"
   log_group_names = [aws_cloudwatch_log_group.application_logs.name]
 
   query_string = <<EOF

terraform/environment/region/modules/lambda/main.tf

@@ -41,7 +41,7 @@ resource "aws_lambda_function" "lambda_function" {
 }
 
 resource "aws_cloudwatch_query_definition" "main" {
-  name            = "Lambda Logs/${var.environment}/${var.lambda_name}"
+  name            = "${var.environment}/${var.lambda_name}"
   log_group_names = [aws_cloudwatch_log_group.lambda.name]
 
   query_string = <<EOF

terraform/environment/region/modules/s3_antivirus/README.md

@@ -26,6 +26,7 @@ No modules.
 |------|------|
 | [aws_cloudwatch_log_group.lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | resource |
 | [aws_cloudwatch_metric_alarm.virus_infections](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_metric_alarm) | resource |
+| [aws_cloudwatch_query_definition.main](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_query_definition) | resource |
 | [aws_iam_role_policy.lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
 | [aws_lambda_alias.lambda_alias](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_alias) | resource |
 | [aws_lambda_function.lambda_function](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_function) | resource |

terraform/environment/region/modules/s3_antivirus/iam.tf

@@ -17,6 +17,18 @@ data "aws_iam_policy_document" "lambda" {
     ]
   }
 
+  statement {
+    sid       = "allowLoggingEncryption"
+    effect    = "Allow"
+    resources = [data.aws_kms_alias.cloudwatch_application_logs_encryption.target_key_arn]
+    actions = [
+      "kms:Encrypt",
+      "kms:ReEncrypt*",
+      "kms:GenerateDataKey*",
+      "kms:DescribeKey"
+    ]
+  }
+
   statement {
     sid       = "allowS3Tagging"
     effect    = "Allow"

terraform/environment/region/modules/s3_antivirus/main.tf

@@ -10,6 +10,18 @@ resource "aws_cloudwatch_log_group" "lambda" {
   provider          = aws.region
 }
 
+resource "aws_cloudwatch_query_definition" "main" {
+  name            = "${data.aws_default_tags.current.tags.environment-name}/s3-antivirus"
+  log_group_names = [aws_cloudwatch_log_group.lambda.name]
+
+  query_string = <<EOF
+fields @timestamp, type, record.status as status, @xrayTraceId, @message, record.metrics.initDurationMs, record.metrics.durationMs
+| sort @timestamp desc
+EOF
+  provider     = aws.region
+}
+
+
 resource "aws_lambda_function" "lambda_function" {
   function_name = "s3-antivirus-${data.aws_default_tags.current.tags.environment-name}"
   description   = "Function to scan S3 objects for viruses"
@@ -24,6 +36,11 @@ resource "aws_lambda_function" "lambda_function" {
     mode = "Active"
   }
 
+  logging_config {
+    log_group  = aws_cloudwatch_log_group.lambda.name
+    log_format = "JSON"
+  }
+
   vpc_config {
     subnet_ids = var.aws_subnet_ids
     security_group_ids = [