From 0afa73fa62823b2f375dbb06c53613cd66646fc3 Mon Sep 17 00:00:00 2001
From: Mateusz Kolakowski
Date: Tue, 26 Mar 2024 10:09:03 +0000
Subject: [PATCH] Wardship: fix security hub issues (#5465)
---
 terraform/environments/wardship/ecs.tf | 83 ++++++++------------------
 1 file changed, 25 insertions(+), 58 deletions(-)
diff --git a/terraform/environments/wardship/ecs.tf b/terraform/environments/wardship/ecs.tf
index 81e79920f02..7b26cf167f3 100644
--- a/terraform/environments/wardship/ecs.tf
+++ b/terraform/environments/wardship/ecs.tf
@@ -11,6 +11,11 @@ resource "aws_cloudwatch_log_group" "deployment_logs" {
 retention_in_days = "7"
 }
+resource "aws_cloudwatch_log_group" "ecs_logs" {
+ name = "wardship-ecs"
+ retention_in_days = "7"
+}
+
 resource "aws_ecs_task_definition" "wardship_task_definition" {
 count = local.is-development ? 0 : 1
 family = "wardshipFamily"
@@ -27,6 +32,15 @@ resource "aws_ecs_task_definition" "wardship_task_definition" {
 cpu = 1024
 memory = 2048
 essential = true
+ ReadonlyRootFilesystem = true
+ logConfiguration = {
+ logDriver = "awslogs",
+ options = {
+ "awslogs-group" = aws_cloudwatch_log_group.ecs_logs.name,
+ "awslogs-region" = "eu-west-2",
+ "awslogs-stream-prefix" = "wardship-app"
+ }
+ },
 portMappings = [
 {
 containerPort = 80
@@ -97,6 +111,15 @@ resource "aws_ecs_task_definition" "wardship_task_definition_dev" {
 cpu = 1024
 memory = 2048
 essential = true
+ ReadonlyRootFilesystem = true
+ logConfiguration = {
+ logDriver = "awslogs",
+ options = {
+ "awslogs-group" = aws_cloudwatch_log_group.ecs_logs.name,
+ "awslogs-region" = "eu-west-2",
+ "awslogs-stream-prefix" = "wardship-app"
+ }
+ },
 portMappings = [
 {
 containerPort = 80
@@ -165,7 +188,7 @@ resource "aws_ecs_service" "wardship_ecs_service" {
 health_check_grace_period_seconds = 180
 network_configuration {
- subnets = data.aws_subnets.shared-public.ids
+ subnets = data.aws_subnets.shared-private.ids
 security_groups = [aws_security_group.ecs_service.id]
 assign_public_ip = false
 }
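Review bot: The key added after `essential = true` is spelled `ReadonlyRootFilesystem`, but the ECS container-definition field is `readonlyRootFilesystem` (lower-case r, the same camelCase as the neighbouring `logConfiguration` and `portMappings`); the identical line appears in the `wardship_task_definition_dev` hunk at -97. `container_definitions` is JSON and keys are case-sensitive, so as written the setting most likely never reaches the registered task definition, the root filesystem stays writable, and the Security Hub finding this commit targets is not actually closed — worth confirming on the registered revision. Change both lines to `readonlyRootFilesystem = true`. Once the flag does take effect, anything the application writes under its own filesystem will need an explicit tmpfs or volume mount, which cannot be judged from this hunk. The container definition block starts and ends outside the hunk.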
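Review bot: Moving the service onto `data.aws_subnets.shared-private.ids` with `assign_public_ip = false` (here and in the `wardship_ecs_service_dev` hunk at -196) leaves the tasks dependent on some other egress path to ECR for image pulls and to CloudWatch Logs for the newly added awslogs driver, while the hunk at -480 in this same commit deletes the `ecr.dkr`, `ecr.api` and `s3` VPC endpoints that previously served that role. This is fine only if the shared private subnets already route outbound traffic through a NAT gateway or endpoints managed outside this file, which I cannot verify from the diff. If they do, a one-line comment on `subnets` would spare the next reader the same check, e.g. `# private subnets: outbound to ECR and CloudWatch Logs relies on the shared VPC's NAT/endpoints`. The `aws_ecs_service` resource starts outside the hunk.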
@@ -196,7 +219,7 @@ resource "aws_ecs_service" "wardship_ecs_service_dev" {
 health_check_grace_period_seconds = 180
 network_configuration {
- subnets = data.aws_subnets.shared-public.ids
+ subnets = data.aws_subnets.shared-private.ids
 security_groups = [aws_security_group.ecs_service.id]
 assign_public_ip = false
 }
@@ -480,59 +503,3 @@ module "pagerduty_core_alerts_prod" {
 sns_topics = [aws_sns_topic.wardship_utilisation_alarm[0].name]
 pagerduty_integration_key = local.pagerduty_integration_keys["wardship_prod_alarms"]
 }
-
-# resource "aws_eip" "nat" {
-# domain = "vpc"
-
-# tags = {
-# Name = "eip-for-nat-gateway"
-# }
-# }
-
-# resource "aws_nat_gateway" "nat_gateway" {
-# allocation_id = aws_eip.nat.id
-# subnet_id = data.aws_subnets.shared-public.ids[0]
-
-# tags = {
-# Name = "nat-gateway"
-# }
-# }
-
-# resource "aws_route" "route" {
-# route_table_id = data.aws_route_table.private.id
-# destination_cidr_block = "0.0.0.0/0"
-# nat_gateway_id = aws_nat_gateway.nat_gateway.id
-# }
-
-# data "aws_route_table" "private" {
-# subnet_id = data.aws_subnets.shared-private.ids[0]
-# }
-
-//VPC endpoint stuff:
-resource "aws_vpc_endpoint" "ecr_dkr" {
- vpc_id = data.aws_vpc.shared.id
- service_name = "com.amazonaws.eu-west-2.ecr.dkr"
- vpc_endpoint_type = "Interface"
- private_dns_enabled = true
-
- security_group_ids = [aws_security_group.ecs_service.id]
- subnet_ids = data.aws_subnets.shared-private.ids
-}
-
-resource "aws_vpc_endpoint" "ecr_api" {
- vpc_id = data.aws_vpc.shared.id
- service_name = "com.amazonaws.eu-west-2.ecr.api"
- vpc_endpoint_type = "Interface"
- private_dns_enabled = true
-
- security_group_ids = [aws_security_group.ecs_service.id]
- subnet_ids = data.aws_subnets.shared-private.ids
-}
-
-resource "aws_vpc_endpoint" "s3" {
- vpc_id = data.aws_vpc.shared.id
- service_name = "com.amazonaws.eu-west-2.s3"
- vpc_endpoint_type = "Gateway"
-
- route_table_ids = data.aws_subnets.shared-private.ids
-}
\ No newline at end of file