Wardship: fix security hub issues (#5465)
matt-k1998 authored Mar 26, 2024
1 parent 9d0bd89 commit 0afa73f
Showing 1 changed file with 25 additions and 58 deletions.
83 changes: 25 additions & 58 deletions terraform/environments/wardship/ecs.tf
Expand Up @@ -11,6 +11,11 @@ resource "aws_cloudwatch_log_group" "deployment_logs" {
retention_in_days = "7"
}

resource "aws_cloudwatch_log_group" "ecs_logs" {
name = "wardship-ecs"
retention_in_days = "7"
}

resource "aws_ecs_task_definition" "wardship_task_definition" {
count = local.is-development ? 0 : 1
family = "wardshipFamily"
Expand All @@ -27,6 +32,15 @@ resource "aws_ecs_task_definition" "wardship_task_definition" {
cpu = 1024
memory = 2048
essential = true
ReadonlyRootFilesystem = true
logConfiguration = {
logDriver = "awslogs",
options = {
"awslogs-group" = aws_cloudwatch_log_group.ecs_logs.name,
"awslogs-region" = "eu-west-2",
"awslogs-stream-prefix" = "wardship-app"
}
},
portMappings = [
{
containerPort = 80
Expand Down Expand Up @@ -97,6 +111,15 @@ resource "aws_ecs_task_definition" "wardship_task_definition_dev" {
cpu = 1024
memory = 2048
essential = true
ReadonlyRootFilesystem = true
logConfiguration = {
logDriver = "awslogs",
options = {
"awslogs-group" = aws_cloudwatch_log_group.ecs_logs.name,
"awslogs-region" = "eu-west-2",
"awslogs-stream-prefix" = "wardship-app"
}
},
portMappings = [
{
containerPort = 80
Expand Down Expand Up @@ -165,7 +188,7 @@ resource "aws_ecs_service" "wardship_ecs_service" {
health_check_grace_period_seconds = 180

network_configuration {
subnets = data.aws_subnets.shared-public.ids
subnets = data.aws_subnets.shared-private.ids
security_groups = [aws_security_group.ecs_service.id]
assign_public_ip = false
}
Expand Down Expand Up @@ -196,7 +219,7 @@ resource "aws_ecs_service" "wardship_ecs_service_dev" {
health_check_grace_period_seconds = 180

network_configuration {
subnets = data.aws_subnets.shared-public.ids
subnets = data.aws_subnets.shared-private.ids
security_groups = [aws_security_group.ecs_service.id]
assign_public_ip = false
}
Expand Down Expand Up @@ -480,59 +503,3 @@ module "pagerduty_core_alerts_prod" {
sns_topics = [aws_sns_topic.wardship_utilisation_alarm[0].name]
pagerduty_integration_key = local.pagerduty_integration_keys["wardship_prod_alarms"]
}

# resource "aws_eip" "nat" {
# domain = "vpc"

# tags = {
# Name = "eip-for-nat-gateway"
# }
# }

# resource "aws_nat_gateway" "nat_gateway" {
# allocation_id = aws_eip.nat.id
# subnet_id = data.aws_subnets.shared-public.ids[0]

# tags = {
# Name = "nat-gateway"
# }
# }

# resource "aws_route" "route" {
# route_table_id = data.aws_route_table.private.id
# destination_cidr_block = "0.0.0.0/0"
# nat_gateway_id = aws_nat_gateway.nat_gateway.id
# }

# data "aws_route_table" "private" {
# subnet_id = data.aws_subnets.shared-private.ids[0]
# }

//VPC endpoint stuff:
resource "aws_vpc_endpoint" "ecr_dkr" {
vpc_id = data.aws_vpc.shared.id
service_name = "com.amazonaws.eu-west-2.ecr.dkr"
vpc_endpoint_type = "Interface"
private_dns_enabled = true

security_group_ids = [aws_security_group.ecs_service.id]
subnet_ids = data.aws_subnets.shared-private.ids
}

resource "aws_vpc_endpoint" "ecr_api" {
vpc_id = data.aws_vpc.shared.id
service_name = "com.amazonaws.eu-west-2.ecr.api"
vpc_endpoint_type = "Interface"
private_dns_enabled = true

security_group_ids = [aws_security_group.ecs_service.id]
subnet_ids = data.aws_subnets.shared-private.ids
}

resource "aws_vpc_endpoint" "s3" {
vpc_id = data.aws_vpc.shared.id
service_name = "com.amazonaws.eu-west-2.s3"
vpc_endpoint_type = "Gateway"

route_table_ids = data.aws_subnets.shared-private.ids
}
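Review bot: The key added at `ReadonlyRootFilesystem = true` in both task definitions (the hunks at `@@ -27,6 +32,15 @@` and `@@ -97,6 +111,15 @@`) does not match the documented container-definition key, which is `readonlyRootFilesystem`, and it is also the only key in those container blocks that starts with a capital letter next to `cpu`, `memory`, `essential`, `logConfiguration` and `portMappings`. Depending on how the provider decodes `container_definitions`, a mis-cased key is either rejected at apply time or silently dropped, and in the dropped case the root filesystem stays writable and the Security Hub finding this commit is meant to close will remain open; I would change both lines to `readonlyRootFilesystem = true` and confirm in the registered task definition that the flag is actually set. Separately, the two service hunks move the tasks onto `shared-private` subnets with `assign_public_ip = false` while the last hunk deletes the `ecr_dkr`, `ecr_api` and `s3` VPC endpoints, so image pulls from ECR and the newly added `awslogs` log delivery now depend on a NAT route or endpoints (including one for CloudWatch Logs) being provided by the shared networking, which this file no longer shows; worth verifying before this reaches an environment where the tasks have to pull and log. The enclosing task definition and service resources start outside the visible hunks.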
