Add logging in Infrastructure (#2743)

* refactor s3 buckets into a module

* add vpc flow logs, cache logs, and update ecs logs

* update code

Author: rudransh-shrivastava

infrastructure/modules/cache/main.tf

@@ -19,6 +19,18 @@ locals {
   redis_major_version  = split(".", var.redis_engine_version)[0]
 }
 
+resource "aws_cloudwatch_log_group" "engine_log" {
+  name              = "/aws/elasticache/${var.project_name}-${var.environment}-cache-engine-log"
+  retention_in_days = var.log_retention_in_days
+  tags              = var.common_tags
+}
+
+resource "aws_cloudwatch_log_group" "slow_log" {
+  name              = "/aws/elasticache/${var.project_name}-${var.environment}-cache-slow-log"
+  retention_in_days = var.log_retention_in_days
+  tags              = var.common_tags
+}
+
 resource "aws_elasticache_subnet_group" "main" {
   name       = "${var.project_name}-${var.environment}-cache-subnet-group"
   subnet_ids = var.subnet_ids
@@ -53,8 +65,20 @@ resource "aws_elasticache_replication_group" "main" {
   snapshot_retention_limit   = var.snapshot_retention_limit
   snapshot_window            = var.snapshot_window
   subnet_group_name          = aws_elasticache_subnet_group.main.name
+  transit_encryption_enabled = true
+  log_delivery_configuration {
+    destination      = aws_cloudwatch_log_group.engine_log.name
+    destination_type = "cloudwatch-logs"
+    log_format       = "json"
+    log_type         = "engine-log"
+  }
+  log_delivery_configuration {
+    destination      = aws_cloudwatch_log_group.slow_log.name
+    destination_type = "cloudwatch-logs"
+    log_format       = "json"
+    log_type         = "slow-log"
+  }
   tags = merge(var.common_tags, {
     Name = "${var.project_name}-${var.environment}-redis"
   })
-  transit_encryption_enabled = true
 }

infrastructure/modules/cache/variables.tf

@@ -15,6 +15,12 @@ variable "environment" {
   type        = string
 }
 
+variable "log_retention_in_days" {
+  description = "The number of days to retain log events."
+  type        = number
+  default     = 90
+}
+
 variable "maintenance_window" {
   description = "The weekly time range for when maintenance on the cache cluster is performed."
   type        = string

infrastructure/modules/ecs/modules/task/main.tf

@@ -10,7 +10,7 @@ terraform {
 }
 
 resource "aws_cloudwatch_log_group" "task" {
-  name              = "/ecs/${var.project_name}-${var.environment}-${var.task_name}"
+  name              = "/aws/ecs/${var.project_name}-${var.environment}-${var.task_name}"
   retention_in_days = var.log_retention_in_days
   tags = merge(var.common_tags, {
     Name = "${var.project_name}-${var.environment}-${var.task_name}-logs"

infrastructure/modules/ecs/modules/task/variables.tf

@@ -54,7 +54,7 @@ variable "image_url" {
 variable "log_retention_in_days" {
   description = "The number of days to retain log events."
   type        = number
-  default     = 30
+  default     = 90
 }
 
 variable "memory" {

infrastructure/modules/networking/main.tf

@@ -13,6 +13,27 @@ terraform {
   }
 }
 
+data "aws_iam_policy_document" "flow_logs_assume_role" {
+  statement {
+    actions = ["sts:AssumeRole"]
+    principals {
+      type        = "Service"
+      identifiers = ["vpc-flow-logs.amazonaws.com"]
+    }
+  }
+}
+
+data "aws_iam_policy_document" "flow_logs_policy" {
+  statement {
+    actions = [
+      "logs:CreateLogStream",
+      "logs:PutLogEvents",
+      "logs:DescribeLogStreams",
+    ]
+    resources = ["${aws_cloudwatch_log_group.flow_logs.arn}:*"]
+  }
+}
+
 resource "aws_vpc" "main" {
   cidr_block           = var.vpc_cidr
   enable_dns_hostnames = true
@@ -22,6 +43,39 @@ resource "aws_vpc" "main" {
   })
 }
 
+resource "aws_cloudwatch_log_group" "flow_logs" {
+  name              = "/aws/vpc-flow-logs/${var.project_name}-${var.environment}"
+  retention_in_days = var.log_retention_in_days
+  tags              = var.common_tags
+}
+
+resource "aws_flow_log" "main" {
+  iam_role_arn    = aws_iam_role.flow_logs.arn
+  log_destination = aws_cloudwatch_log_group.flow_logs.arn
+  traffic_type    = "ALL"
+  vpc_id          = aws_vpc.main.id
+  tags = merge(var.common_tags, {
+    Name = "${var.project_name}-${var.environment}-vpc-flow-log"
+  })
+}
+
+resource "aws_iam_policy" "flow_logs" {
+  name   = "${var.project_name}-${var.environment}-flow-logs-policy"
+  policy = data.aws_iam_policy_document.flow_logs_policy.json
+  tags   = var.common_tags
+}
+
+resource "aws_iam_role" "flow_logs" {
+  name               = "${var.project_name}-${var.environment}-flow-logs-role"
+  assume_role_policy = data.aws_iam_policy_document.flow_logs_assume_role.json
+  tags               = var.common_tags
+}
+
+resource "aws_iam_role_policy_attachment" "flow_logs" {
+  role       = aws_iam_role.flow_logs.name
+  policy_arn = aws_iam_policy.flow_logs.arn
+}
+
 resource "aws_internet_gateway" "main" {
   tags = merge(var.common_tags, {
     Name = "${var.project_name}-${var.environment}-igw"

infrastructure/modules/networking/variables.tf

@@ -14,6 +14,12 @@ variable "environment" {
   type        = string
 }
 
+variable "log_retention_in_days" {
+  description = "The number of days to retain log events."
+  type        = number
+  default     = 90
+}
+
 variable "private_subnet_cidrs" {
   description = "A list of CIDR blocks for the private subnets"
   type        = list(string)

infrastructure/modules/storage/main.tf

@@ -1,138 +1,47 @@
 terraform {
-  required_version = ">= 1.0"
-
+  required_version = "1.14.0"
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = "~> 6.0"
-    }
-    random = {
-      source  = "hashicorp/random"
-      version = "~> 3.0"
+      version = "6.22.0"
     }
   }
 }
 
-data "aws_iam_policy_document" "zappa" {
+data "aws_iam_policy_document" "fixtures_read_only" {
   statement {
-    actions = ["s3:*"]
-    condition {
-      test     = "Bool"
-      variable = "aws:SecureTransport"
-      values   = ["false"]
-    }
-    effect = "Deny"
-    principals {
-      type        = "*"
-      identifiers = ["*"]
-    }
+    actions = [
+      "s3:GetObject"
+    ]
+    effect = "Allow"
     resources = [
-      aws_s3_bucket.zappa.arn,
-      "${aws_s3_bucket.zappa.arn}/*",
+      "arn:aws:s3:::${var.fixtures_s3_bucket}/*"
     ]
-    sid = "EnforceTls"
   }
 }
 
-resource "aws_iam_policy" "fixtures_read_only" {
-  name        = "${var.project_name}-${var.environment}-fixtures-read-only"
-  description = "Allows read-only access to the fixtures S3 bucket"
+module "fixtures_bucket" {
+  source = "./modules/s3-bucket"
 
-  policy = jsonencode({
-    Version = "2012-10-17"
-    Statement = [
-      {
-        Action = [
-          "s3:GetObject"
-        ]
-        Effect   = "Allow"
-        Resource = "arn:aws:s3:::${var.fixtures_s3_bucket}/*"
-      }
-    ]
+  bucket_name   = var.fixtures_s3_bucket
+  force_destroy = var.force_destroy_bucket
+  tags = merge(var.common_tags, {
+    Name = "${var.project_name}-${var.environment}-fixtures"
   })
 }
 
-resource "aws_s3_bucket" "fixtures" { # NOSONAR
-  bucket = var.fixtures_s3_bucket
-  tags   = var.common_tags
-}
-
-resource "aws_s3_bucket_lifecycle_configuration" "zappa" {
-  bucket = aws_s3_bucket.zappa.id
+module "zappa_bucket" {
+  source = "./modules/s3-bucket"
 
-  rule {
-    abort_incomplete_multipart_upload {
-      days_after_initiation = var.abort_incomplete_multipart_upload_days
-    }
-    id = "delete-old-versions"
-    noncurrent_version_expiration {
-      noncurrent_days = var.noncurrent_version_expiration_days
-    }
-    status = "Enabled"
-  }
-}
-
-resource "aws_s3_bucket" "zappa" { # NOSONAR
-  bucket        = var.zappa_s3_bucket
+  bucket_name   = var.zappa_s3_bucket
   force_destroy = var.force_destroy_bucket
   tags = merge(var.common_tags, {
     Name = "${var.project_name}-${var.environment}-zappa-deployments"
   })
 }
 
-resource "aws_s3_bucket_policy" "zappa" {
-  bucket = aws_s3_bucket.zappa.id
-  policy = data.aws_iam_policy_document.zappa.json
-}
-
-resource "aws_s3_bucket_public_access_block" "fixtures" {
-  block_public_acls       = true
-  block_public_policy     = true
-  bucket                  = aws_s3_bucket.fixtures.id
-  ignore_public_acls      = true
-  restrict_public_buckets = true
-}
-
-resource "aws_s3_bucket_public_access_block" "zappa" {
-  block_public_acls       = true
-  block_public_policy     = true
-  bucket                  = aws_s3_bucket.zappa.id
-  ignore_public_acls      = true
-  restrict_public_buckets = true
-}
-
-resource "aws_s3_bucket_server_side_encryption_configuration" "fixtures" {
-  bucket = aws_s3_bucket.fixtures.id
-
-  rule {
-    apply_server_side_encryption_by_default {
-      sse_algorithm = "AES256"
-    }
-  }
-}
-
-resource "aws_s3_bucket_server_side_encryption_configuration" "zappa" {
-  bucket = aws_s3_bucket.zappa.id
-
-  rule {
-    apply_server_side_encryption_by_default {
-      sse_algorithm = "AES256"
-    }
-  }
-}
-
-resource "aws_s3_bucket_versioning" "fixtures" {
-  bucket = aws_s3_bucket.fixtures.id
-
-  versioning_configuration {
-    status = "Enabled"
-  }
-}
-
-resource "aws_s3_bucket_versioning" "zappa" {
-  bucket = aws_s3_bucket.zappa.id
-
-  versioning_configuration {
-    status = "Enabled"
-  }
+resource "aws_iam_policy" "fixtures_read_only" {
+  name        = "${var.project_name}-${var.environment}-fixtures-read-only"
+  description = "Allows read-only access to the fixtures S3 bucket"
+  policy      = data.aws_iam_policy_document.fixtures_read_only.json
 }