Wardship: Delete log configuration from ECS, add TrustEventsToStoreLo…

…gEvents policy (#3698)

terraform/environments/wardship/ecs.tf

@@ -8,6 +8,7 @@ resource "aws_ecs_cluster" "wardship_cluster" {
 
 resource "aws_cloudwatch_log_group" "deployment_logs" {
   name = "/aws/events/deploymentLogs"
+  retention_in_days = "7"
 }
 
 resource "aws_ecs_task_definition" "wardship_task_definition" {
@@ -32,14 +33,6 @@ resource "aws_ecs_task_definition" "wardship_task_definition" {
           hostPort      = 80
         }
       ]
-      logConfiguration = {
-        logDriver = "awslogs"
-        options = {
-          awslogs-group         = "${aws_cloudwatch_log_group.deployment_logs.name}"
-          awslogs-region        = "eu-west-2"
-          awslogs-stream-prefix = "ecs"
-        }
-      }
       environment = [
         {
           name  = "RDS_HOSTNAME"
@@ -262,3 +255,24 @@ resource "aws_cloudwatch_event_target" "logs" {
   target_id  = "send-to-cloudwatch"
   arn        = aws_cloudwatch_log_group.deployment_logs.arn
 }
+
+resource "aws_cloudwatch_log_resource_policy" "ecs_logging_policy" {
+  policy_document = jsonencode({
+    "Version": "2012-10-17",
+    "Statement": [
+      {
+        "Sid": "TrustEventsToStoreLogEvent",
+        "Effect": "Allow",
+        "Principal": {
+          "Service": ["events.amazonaws.com", "delivery.logs.amazonaws.com"]
+        },
+        "Action": [
+          "logs:CreateLogStream",
+          "logs:PutLogEvents"
+        ],
+        "Resource": "arn:aws:logs:eu-west-2:${data.aws_caller_identity.current.account_id}:log-group:/aws/events/*:*"
+      }
+    ]
+  })
+  policy_name     = "TrustEventsToStoreLogEvents"
+}