File tree Expand file tree Collapse file tree 7 files changed +61
-25
lines changed
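--- a/<path not shown on page: file 1>
+++ b/<path not shown on page: file 1>
@@ -293,7 +293,7 @@
 | [ aws_s3_bucket_lifecycle_configuration.lg-lifecycle-rules] ( https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_lifecycle_configuration ) | resource |
 | [ aws_s3_bucket_lifecycle_configuration.staging-store-lifecycle-rules] ( https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_lifecycle_configuration ) | resource |
 | [ aws_s3_bucket_policy.logs_bucket_policy] ( https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_policy ) | resource |
-| [ aws_s3_bucket_public_access_block.bucket ] ( https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block ) | resource |
+| [ aws_s3_bucket_public_access_block.logs_bucket ] ( https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block ) | resource |
 | [ aws_scheduler_schedule.ods_weekly_update_ecs] ( https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/scheduler_schedule ) | resource |
 | [ aws_security_group.ndr_mesh_sg] ( https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group ) | resource |
 | [ aws_sns_topic.alarm_notifications_topic] ( https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sns_topic ) | resource |
@@ -320,6 +320,7 @@
 | [ aws_iam_policy_document.ecs-assume-role-policy] ( https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document ) | data source |
 | [ aws_iam_policy_document.ecs_execution] ( https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document ) | data source |
 | [ aws_iam_policy_document.kms_policy_doc] ( https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document ) | data source |
+| [ aws_iam_policy_document.logs_bucket_policy] ( https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document ) | data source |
 | [ aws_iam_policy_document.logs_policy_doc] ( https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document ) | data source |
 | [ aws_iam_policy_document.sns_failure_feedback_policy] ( https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document ) | data source |
 | [ aws_iam_policy_document.sns_policy_doc] ( https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document ) | data source |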
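--- a/<path not shown on page: file 2>
+++ b/<path not shown on page: file 2>
@@ -113,9 +113,10 @@ resource "aws_api_gateway_deployment" "ndr_api_deploy" {
 }
 
 resource "aws_api_gateway_stage" "ndr_api" {
- deployment_id = aws_api_gateway_deployment. ndr_api_deploy . id
- rest_api_id = aws_api_gateway_rest_api. ndr_doc_store_api . id
- stage_name = var. environment
+ deployment_id = aws_api_gateway_deployment. ndr_api_deploy . id
+ rest_api_id = aws_api_gateway_rest_api. ndr_doc_store_api . id
+ stage_name = var. environment
+ xray_tracing_enabled = false
 }
 
 resource "aws_api_gateway_gateway_response" "unauthorised_response" {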
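Review bot: `xray_tracing_enabled = false` on `aws_api_gateway_stage.ndr_api` only restates the provider default, so the stage gains nothing from it; if the line was added to quiet a policy scanner, it records a choice rather than satisfying the control, and per-request traces are among the few records a stage can produce when investigating misuse of the API. If tracing is meant to stay off, state the reason next to it, e.g. `xray_tracing_enabled = false # tracing off: <reason>`; otherwise set it to `true`. The hunk also shows no `access_log_settings` block on the stage, though one may be configured outside the hunk.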
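--- a/<path not shown on page: file 3>
+++ b/<path not shown on page: file 3>
@@ -180,20 +180,51 @@ resource "aws_s3_bucket_public_access_block" "logs_bucket" {
  restrict_public_buckets = true
 }
 
+ data "aws_iam_policy_document" "logs_bucket_policy" {
+ statement {
+ effect = " Deny"
+
+ principals {
+ type = " *"
+ identifiers = [" *" ]
+ }
+
+ actions = [
+ " s3:*" ,
+ ]
+
+ resources = [
+ " ${ aws_s3_bucket . logs_bucket . arn } /*" ,
+ ]
+
+ condition {
+ test = " Bool"
+ variable = " aws:SecureTransport"
+ values = [" false" ]
+ }
+ }
+
+ statement {
+ effect = " Allow"
+
+ principals {
+ type = " AWS"
+ identifiers = [data . aws_elb_service_account . main . arn ]
+ }
+
+ actions = [
+ " s3:PutObject" ,
+ ]
+
+ resources = [
+ " ${ aws_s3_bucket . logs_bucket . arn } /AWSLogs/${ data . aws_caller_identity . current . account_id } /*" ,
+ ]
+ }
+ }
+
 resource "aws_s3_bucket_policy" "logs_bucket_policy" {
  bucket = aws_s3_bucket. logs_bucket . id
- policy = jsonencode ({
- " Version" : " 2012-10-17" ,
- " Statement" : [
- {
- " Principal" : {
- " AWS" : data.aws_elb_service_account.main.arn
- },
- " Action" : " s3:PutObject" ,
- " Resource" : " ${ aws_s3_bucket . logs_bucket . arn } /AWSLogs/${ data . aws_caller_identity . current . account_id } /*"
- " Effect" : " Allow" ,
- }
- ]
- })
- depends_on = [aws_s3_bucket . logs_bucket ]
+ policy = data. aws_iam_policy_document . logs_bucket_policy . json
 }
+
+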
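Review bot: The Deny statement in `data.aws_iam_policy_document.logs_bucket_policy` that rejects requests with `aws:SecureTransport = false` lists only `"${aws_s3_bucket.logs_bucket.arn}/*"`, so bucket-level operations (listing, reading the bucket configuration) over plain HTTP are not covered by it; the usual form names both the bucket and its objects, `resources = [aws_s3_bucket.logs_bucket.arn, "${aws_s3_bucket.logs_bucket.arn}/*"]`. The `s3:PutObject` grant to `data.aws_elb_service_account.main.arn` is limited to the `AWSLogs/<account-id>/` prefix, which is the expected scope for load-balancer log delivery. Dropping `depends_on` is safe here because `bucket = aws_s3_bucket.logs_bucket.id` already creates the dependency.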
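--- a/<path not shown on page: file 4>
+++ b/<path not shown on page: file 4>
@@ -392,8 +392,9 @@ data "aws_iam_policy_document" "sns_failure_feedback_policy" {
 
 # CloudWatch groups
 resource "aws_cloudwatch_log_group" "mesh_log_group" {
- count = local. is_mesh_forwarder_enable ? 1 : 0
- name = " /nhs/deductions/${ terraform . workspace } /${ var . mesh_component_name } "
+ count = local. is_mesh_forwarder_enable ? 1 : 0
+ name = " /nhs/deductions/${ terraform . workspace } /${ var . mesh_component_name } "
+ retention_in_days = 0
 
  tags = {
  Environment = var.environment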
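Review bot: `retention_in_days = 0` on `aws_cloudwatch_log_group.mesh_log_group` means events never expire, which is also the provider default, so the change makes indefinite retention explicit rather than bounding it; the same value is set on `ecs_cluster_logs` and `awslogs-ndr-ecs` in the next two files. Unbounded retention of task and forwarder output is a data-retention decision that should be recorded as such, and a single variable (e.g. `retention_in_days = var.log_retention_days`, a constructed name) would keep the three groups consistent and let non-production workspaces use a shorter window. None of the three hunks shows a `kms_key_id`, so the groups presumably rely on CloudWatch's default encryption unless it is set elsewhere. The `mesh_log_group` resource continues past the end of this hunk.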
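--- a/<path not shown on page: file 5>
+++ b/<path not shown on page: file 5>
@@ -19,5 +19,6 @@ resource "aws_ecs_cluster" "ndr_ecs_cluster" {
 }
 
 resource "aws_cloudwatch_log_group" "ecs_cluster_logs" {
- name = " ${ terraform . workspace } -${ var . ecs_cluster_name } -logs"
+ name = " ${ terraform . workspace } -${ var . ecs_cluster_name } -logs"
+ retention_in_days = 0
 }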
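--- a/<path not shown on page: file 6>
+++ b/<path not shown on page: file 6>
@@ -35,5 +35,6 @@ resource "aws_ecs_task_definition" "ndr_ecs_task" {
 }
 
 resource "aws_cloudwatch_log_group" "awslogs-ndr-ecs" {
- name = " ${ terraform . workspace } -ecs-task-${ var . ecs_cluster_name } "
+ name = " ${ terraform . workspace } -ecs-task-${ var . ecs_cluster_name } "
+ retention_in_days = 0
 }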
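--- a/<path not shown on page: file 7>
+++ b/<path not shown on page: file 7>
@@ -19,7 +19,7 @@ resource "aws_s3_bucket_public_access_block" "bucket" {
  restrict_public_buckets = true
 }
 
- data "aws_iam_policy_document" "s3_defaut_policy " {
+ data "aws_iam_policy_document" "s3_default_policy " {
  statement {
  effect = " Deny"
 
@@ -55,7 +55,7 @@ data "aws_iam_policy_document" "s3_cloudfront_policy" {
  }
 
  actions = [
- " s3:GetObject " ,
+ " s3:* " ,
  ]
 
  resources = [
@@ -95,7 +95,7 @@ data "aws_iam_policy_document" "s3_cloudfront_policy" {
 
 resource "aws_s3_bucket_policy" "bucket_policy" {
  bucket = aws_s3_bucket. bucket . id
- policy = var. cloudfront_enabled ? data. aws_iam_policy_document . s3_cloudfront_policy . json : data. aws_iam_policy_document . s3_defaut_policy . json
+ policy = var. cloudfront_enabled ? data. aws_iam_policy_document . s3_cloudfront_policy . json : data. aws_iam_policy_document . s3_default_policy . json
 }
 
 resource "aws_s3_bucket_acl" "bucket_acl" {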
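Review bot: Widening `actions` in `data.aws_iam_policy_document.s3_cloudfront_policy` from `s3:GetObject` to `s3:*` changes that statement from a read permission to every S3 action, and because the statement's `effect` and `principals` sit above the hunk, the visible lines cannot show which way this cuts. If this is a Deny (for example the non-TLS condition that `s3_default_policy` opens with and that `logs_bucket_policy` uses elsewhere in this commit), `s3:*` is the stronger and correct form; if it is the Allow granted to the CloudFront identity, the origin can now write and delete objects, which serving content never requires, and `s3:GetObject` should be kept. Either way a one-line comment above `actions` naming the statement's purpose, e.g. `# Deny every S3 action that is not over TLS` or `# Read-only access for the CloudFront origin`, would make the intent auditable at a glance. The enclosing `s3_cloudfront_policy` data block starts and ends outside the hunk.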