Tipstaff: Update ECS config, add EventBridge for CloudWatch logs (#3719)
matt-k1998 authored Oct 18, 2023
1 parent 9f40554 commit da5ba6c
Showing 11 changed files with 79 additions and 174 deletions.
22 changes: 11 additions & 11 deletions terraform/environments/dacp/ecs.tf
Expand Up @@ -7,7 +7,7 @@ resource "aws_ecs_cluster" "dacp_cluster" {
}

resource "aws_cloudwatch_log_group" "deployment_logs" {
name = "/aws/events/deploymentLogs"
name = "/aws/events/deploymentLogs"
retention_in_days = "7"
}

Expand Down Expand Up @@ -252,21 +252,21 @@ resource "aws_cloudwatch_event_target" "logs" {

resource "aws_cloudwatch_log_resource_policy" "ecs_logging_policy" {
policy_document = jsonencode({
"Version": "2012-10-17",
"Statement": [
"Version" : "2012-10-17",
"Statement" : [
{
"Sid": "TrustEventsToStoreLogEvent",
"Effect": "Allow",
"Principal": {
"Service": ["events.amazonaws.com", "delivery.logs.amazonaws.com"]
"Sid" : "TrustEventsToStoreLogEvent",
"Effect" : "Allow",
"Principal" : {
"Service" : ["events.amazonaws.com", "delivery.logs.amazonaws.com"]
},
"Action": [
"Action" : [
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Resource": "arn:aws:logs:eu-west-2:${data.aws_caller_identity.current.account_id}:log-group:/aws/events/*:*"
"Resource" : "arn:aws:logs:eu-west-2:${data.aws_caller_identity.current.account_id}:log-group:/aws/events/*:*"
}
]
})
policy_name = "TrustEventsToStoreLogEvents"
}
policy_name = "TrustEventsToStoreLogEvents"
}
71 changes: 53 additions & 18 deletions terraform/environments/tipstaff/ecs.tf
Expand Up @@ -6,8 +6,9 @@ resource "aws_ecs_cluster" "tipstaff_cluster" {
}
}

resource "aws_cloudwatch_log_group" "tipstaffFamily_logs" {
name = "/ecs/tipstaffFamily"
resource "aws_cloudwatch_log_group" "deployment_logs" {
name = "/aws/events/deploymentLogs"
retention_in_days = "7"
}

resource "aws_ecs_task_definition" "tipstaff_task_definition" {
Expand All @@ -16,14 +17,14 @@ resource "aws_ecs_task_definition" "tipstaff_task_definition" {
network_mode = "awsvpc"
execution_role_arn = aws_iam_role.app_execution.arn
task_role_arn = aws_iam_role.app_task.arn
cpu = 1024
memory = 2048
cpu = 2048
memory = 4096
container_definitions = jsonencode([
{
name = "tipstaff-container"
image = "mcr.microsoft.com/dotnet/framework/aspnet:4.8"
cpu = 1024
memory = 2048
image = "${aws_ecr_repository.tipstaff_ecr_repo.repository_url}:latest"
cpu = 2048
memory = 4096
essential = true
portMappings = [
{
Expand All @@ -32,14 +33,6 @@ resource "aws_ecs_task_definition" "tipstaff_task_definition" {
hostPort = 80
}
]
logConfiguration = {
logDriver = "awslogs"
options = {
awslogs-group = "${aws_cloudwatch_log_group.tipstaffFamily_logs.name}"
awslogs-region = "eu-west-2"
awslogs-stream-prefix = "ecs"
}
}
environment = [
{
name = "RDS_HOSTNAME"
Expand Down Expand Up @@ -96,8 +89,8 @@ resource "aws_ecs_service" "tipstaff_ecs_service" {
task_definition = aws_ecs_task_definition.tipstaff_task_definition.arn
launch_type = "FARGATE"
enable_execute_command = true
desired_count = 1
health_check_grace_period_seconds = 90
desired_count = 2
health_check_grace_period_seconds = 180

network_configuration {
subnets = data.aws_subnets.shared-public.ids
Expand Down Expand Up @@ -237,7 +230,49 @@ resource "aws_security_group" "ecs_service" {
}
}

resource "aws_ecr_repository" "tipstaff-ecr-repo" {
resource "aws_ecr_repository" "tipstaff_ecr_repo" {
name = "tipstaff-ecr-repo"
force_delete = true
}

# AWS EventBridge rule
resource "aws_cloudwatch_event_rule" "ecs_events" {
name = "ecs-events"
description = "Capture all ECS events"

event_pattern = jsonencode({
"source" : ["aws.ecs"],
"detail" : {
"clusterArn" : [aws_ecs_cluster.tipstaff_cluster.arn]
}
})
}

# AWS EventBridge target
resource "aws_cloudwatch_event_target" "logs" {
depends_on = [aws_cloudwatch_log_group.deployment_logs]
rule = aws_cloudwatch_event_rule.ecs_events.name
target_id = "send-to-cloudwatch"
arn = aws_cloudwatch_log_group.deployment_logs.arn
}

resource "aws_cloudwatch_log_resource_policy" "ecs_logging_policy" {
policy_document = jsonencode({
"Version" : "2012-10-17",
"Statement" : [
{
"Sid" : "TrustEventsToStoreLogEvent",
"Effect" : "Allow",
"Principal" : {
"Service" : ["events.amazonaws.com", "delivery.logs.amazonaws.com"]
},
"Action" : [
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Resource" : "arn:aws:logs:eu-west-2:${data.aws_caller_identity.current.account_id}:log-group:/aws/events/*:*"
}
]
})
policy_name = "TrustEventsToStoreLogEvents"
}
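Review bot: Removing the `logConfiguration` block from `tipstaff-container` (hunk `@@ -32,14 +33,6 @@`) leaves the task with no log driver, so container stdout/stderr is no longer shipped anywhere; the new EventBridge rule only captures ECS lifecycle events (`"source" : ["aws.ecs"]`), not application output, so this is a loss of audit and troubleshooting visibility unless a log driver is set in a part of the task definition outside the hunk. I would keep an `awslogs` configuration against a dedicated log group rather than deleting it together with `tipstaffFamily_logs`. Two smaller points in the same file: `image = "${aws_ecr_repository.tipstaff_ecr_repo.repository_url}:latest"` is a mutable tag, so each deployment pulls whatever was pushed last and the running artefact is not reproducible — pin a digest or an immutable per-build tag; and the `ecs_logging_policy` statement grants `events.amazonaws.com` and `delivery.logs.amazonaws.com` write access to every `/aws/events/*` group with no `aws:SourceArn`/`aws:SourceAccount` condition, so nothing in the policy restricts which rule or account is delivering — add a `Condition` bound to `aws_cloudwatch_event_rule.ecs_events.arn`. The task definition and the service resource continue outside the hunks shown.

```hcl
resource "aws_cloudwatch_log_group" "tipstaffFamily_logs" {
  name              = "/ecs/tipstaffFamily"
  retention_in_days = "7"
}

# … unchanged: aws_ecs_task_definition header, cpu/memory, image, portMappings …
      logConfiguration = {
        logDriver = "awslogs"
        options = {
          awslogs-group         = aws_cloudwatch_log_group.tipstaffFamily_logs.name
          awslogs-region        = "eu-west-2"
          awslogs-stream-prefix = "ecs"
        }
      }
# … unchanged: environment, service, security group, ECR repository, EventBridge rule and target …

# inside aws_cloudwatch_log_resource_policy.ecs_logging_policy, same Statement entry:
        "Condition" : {
          "ArnLike" : { "aws:SourceArn" : aws_cloudwatch_event_rule.ecs_events.arn }
        }
```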
6 changes: 3 additions & 3 deletions terraform/environments/tipstaff/load_balancer.tf
Expand Up @@ -156,12 +156,12 @@ resource "aws_lb_target_group" "tipstaff_target_group" {

health_check {
healthy_threshold = "3"
interval = "15"
interval = "30"
protocol = "HTTP"
port = "80"
unhealthy_threshold = "3"
unhealthy_threshold = "5"
matcher = "200-302"
timeout = "5"
timeout = "10"
}

}
22 changes: 0 additions & 22 deletions terraform/environments/tipstaff/migrate_db.sh

This file was deleted.

5 changes: 2 additions & 3 deletions terraform/environments/tipstaff/providers.tf
@@ -1,9 +1,8 @@
provider "aws" {
region = "eu-west-2"
access_key = jsondecode(data.aws_secretsmanager_secret_version.get_tactical_products_rds_credentials.secret_string)["ACCESS_KEY"]
secret_key = jsondecode(data.aws_secretsmanager_secret_version.get_tactical_products_rds_credentials.secret_string)["SECRET_KEY"]
# access_key = jsondecode(data.aws_secretsmanager_secret_version.get_tactical_products_rds_credentials.secret_string)["ACCESS_KEY"]
# secret_key = jsondecode(data.aws_secretsmanager_secret_version.get_tactical_products_rds_credentials.secret_string)["SECRET_KEY"]
alias = "tacticalproducts"
}

data "github_ip_ranges" "github_actions_ips" {}

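Review bot: The commented-out `access_key`/`secret_key` lines in the `tacticalproducts` provider reference `data.aws_secretsmanager_secret_version.get_tactical_products_rds_credentials`, which this same commit deletes from secrets.tf, so they are dead text that can never be uncommented; delete the two lines instead of keeping them. With no credentials the aliased provider now resolves through the default credential chain and targets the same account as the default `aws` provider, so any remaining `provider = aws.tacticalproducts` reference would silently manage resources in the wrong account — if the security group removed from rds.tf was its only user, drop the `provider "aws" { alias = "tacticalproducts" }` block entirely. Moving away from static access keys embedded in provider config is the right direction; if cross-account access is still needed, an `assume_role` block against a role in the source account keeps it keyless.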
62 changes: 0 additions & 62 deletions terraform/environments/tipstaff/rds.tf
Expand Up @@ -20,28 +20,6 @@ resource "aws_db_subnet_group" "dbsubnetgroup" {
subnet_ids = data.aws_subnets.shared-public.ids
}

//SG for accessing the tacticalproducts source DB:
resource "aws_security_group" "modernisation_tipstaff_access" {
provider = aws.tacticalproducts
name = "modernisation_tipstaff_access_${local.environment}"
description = "Allow tipstaff on modernisation platform to access the source database"

ingress {
from_port = 5432
to_port = 5432
protocol = "tcp"
description = "Allow tipstaff on modernisation platform to connect to source database"
cidr_blocks = ["${jsondecode(data.http.myip.response_body)["ip"]}/32"]
}

egress {
from_port = 0
to_port = 0
protocol = "-1"
cidr_blocks = ["0.0.0.0/0"]
}
}

resource "aws_security_group" "postgresql_db_sc" {
name = "postgres_security_group"
description = "control access to the database"
Expand Down Expand Up @@ -82,43 +60,3 @@ data "http" "myip" {
url = "http://ipinfo.io/json"
}

resource "null_resource" "setup_db" {
depends_on = [aws_db_instance.tipstaff_db]

provisioner "local-exec" {
interpreter = ["bash", "-c"]
command = "chmod +x ./migrate_db.sh; ./migrate_db.sh"

environment = {
SOURCE_DB_HOSTNAME = jsondecode(data.aws_secretsmanager_secret_version.get_tactical_products_rds_credentials.secret_string)["SOURCE_DB_HOSTNAME"]
SOURCE_DB_NAME = jsondecode(data.aws_secretsmanager_secret_version.get_tactical_products_rds_credentials.secret_string)["SOURCE_DB_NAME"]
SOURCE_DB_USERNAME = jsondecode(data.aws_secretsmanager_secret_version.get_tactical_products_rds_credentials.secret_string)["SOURCE_DB_USERNAME"]
SOURCE_DB_PASSWORD = jsondecode(data.aws_secretsmanager_secret_version.get_tactical_products_rds_credentials.secret_string)["SOURCE_DB_PASSWORD"]
DB_HOSTNAME = aws_db_instance.tipstaff_db.address
DB_NAME = aws_db_instance.tipstaff_db.db_name
TIPSTAFF_DB_USERNAME = local.application_data.accounts[local.environment].db_username
TIPSTAFF_DB_PASSWORD = random_password.password.result
}
}
triggers = {
always_run = "${timestamp()}"
}
}

// executes a local script to set up the security group for the source RDS instance.
resource "null_resource" "setup_source_rds_security_group" {
provisioner "local-exec" {
interpreter = ["bash", "-c"]
command = "chmod +x ./setup-security-group-${local.environment}.sh; ./setup-security-group-${local.environment}.sh"

environment = {
RDS_SECURITY_GROUP = aws_security_group.modernisation_tipstaff_access.id
RDS_SOURCE_ACCOUNT_ACCESS_KEY = jsondecode(data.aws_secretsmanager_secret_version.get_tactical_products_rds_credentials.secret_string)["ACCESS_KEY"]
RDS_SOURCE_ACCOUNT_SECRET_KEY = jsondecode(data.aws_secretsmanager_secret_version.get_tactical_products_rds_credentials.secret_string)["SECRET_KEY"]
RDS_SOURCE_ACCOUNT_REGION = "eu-west-2"
}
}
triggers = {
always_run = "${timestamp()}"
}
}
9 changes: 0 additions & 9 deletions terraform/environments/tipstaff/secrets.tf
Expand Up @@ -28,12 +28,3 @@ data "aws_secretsmanager_secret_version" "get_rds_credentials" {
depends_on = [aws_secretsmanager_secret_version.rds_credentials]
secret_id = data.aws_secretsmanager_secret.get_tipstaff_db_secrets.id
}

// retrieve secrets for the tactical products database
data "aws_secretsmanager_secret" "get_tactical_products_db_secrets" {
arn = "arn:aws:secretsmanager:eu-west-2:${data.aws_caller_identity.current.account_id}:secret:tactical-products-db-secrets-${local.application_data.accounts[local.environment].tactical_products_db_secrets_arn}"
}

data "aws_secretsmanager_secret_version" "get_tactical_products_rds_credentials" {
secret_id = data.aws_secretsmanager_secret.get_tactical_products_db_secrets.id
}

This file was deleted.

This file was deleted.

12 changes: 0 additions & 12 deletions terraform/environments/tipstaff/setup-security-group-production.sh

This file was deleted.

20 changes: 10 additions & 10 deletions terraform/environments/wardship/ecs.tf
Expand Up @@ -7,7 +7,7 @@ resource "aws_ecs_cluster" "wardship_cluster" {
}

resource "aws_cloudwatch_log_group" "deployment_logs" {
name = "/aws/events/deploymentLogs"
name = "/aws/events/deploymentLogs"
retention_in_days = "7"
}

Expand Down Expand Up @@ -258,21 +258,21 @@ resource "aws_cloudwatch_event_target" "logs" {

resource "aws_cloudwatch_log_resource_policy" "ecs_logging_policy" {
policy_document = jsonencode({
"Version": "2012-10-17",
"Statement": [
"Version" : "2012-10-17",
"Statement" : [
{
"Sid": "TrustEventsToStoreLogEvent",
"Effect": "Allow",
"Principal": {
"Service": ["events.amazonaws.com", "delivery.logs.amazonaws.com"]
"Sid" : "TrustEventsToStoreLogEvent",
"Effect" : "Allow",
"Principal" : {
"Service" : ["events.amazonaws.com", "delivery.logs.amazonaws.com"]
},
"Action": [
"Action" : [
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Resource": "arn:aws:logs:eu-west-2:${data.aws_caller_identity.current.account_id}:log-group:/aws/events/*:*"
"Resource" : "arn:aws:logs:eu-west-2:${data.aws_caller_identity.current.account_id}:log-group:/aws/events/*:*"
}
]
})
policy_name = "TrustEventsToStoreLogEvents"
policy_name = "TrustEventsToStoreLogEvents"
}
