add vpc flow logs, cache logs, and update ecs logs

Author: rudransh-shrivastava

infrastructure/modules/cache/main.tf

@@ -19,6 +19,18 @@ locals {
   redis_major_version  = split(".", var.redis_engine_version)[0]
 }
 
+resource "aws_cloudwatch_log_group" "engine_log" {
+  name              = "/aws/elasticache/${var.project_name}-${var.environment}-cache-engine-log"
+  retention_in_days = var.log_retention_in_days
+  tags              = var.common_tags
+}
+
+resource "aws_cloudwatch_log_group" "slow_log" {
+  name              = "/aws/elasticache/${var.project_name}-${var.environment}-cache-slow-log"
+  retention_in_days = var.log_retention_in_days
+  tags              = var.common_tags
+}
+
 resource "aws_elasticache_subnet_group" "main" {
   name       = "${var.project_name}-${var.environment}-cache-subnet-group"
   subnet_ids = var.subnet_ids
@@ -53,8 +65,20 @@ resource "aws_elasticache_replication_group" "main" {
   snapshot_retention_limit   = var.snapshot_retention_limit
   snapshot_window            = var.snapshot_window
   subnet_group_name          = aws_elasticache_subnet_group.main.name
+  transit_encryption_enabled = true
+  log_delivery_configuration {
+    destination      = aws_cloudwatch_log_group.engine_log.name
+    destination_type = "cloudwatch-logs"
+    log_format       = "json"
+    log_type         = "engine-log"
+  }
+  log_delivery_configuration {
+    destination      = aws_cloudwatch_log_group.slow_log.name
+    destination_type = "cloudwatch-logs"
+    log_format       = "json"
+    log_type         = "slow-log"
+  }
   tags = merge(var.common_tags, {
     Name = "${var.project_name}-${var.environment}-redis"
   })
-  transit_encryption_enabled = true
 }

infrastructure/modules/cache/variables.tf

@@ -15,6 +15,12 @@ variable "environment" {
   type        = string
 }
 
+variable "log_retention_in_days" {
+  description = "The number of days to retain log events."
+  type        = number
+  default     = 90
+}
+
 variable "maintenance_window" {
   description = "The weekly time range for when maintenance on the cache cluster is performed."
   type        = string

infrastructure/modules/ecs/modules/task/main.tf

@@ -10,7 +10,7 @@ terraform {
 }
 
 resource "aws_cloudwatch_log_group" "task" {
-  name              = "/ecs/${var.project_name}-${var.environment}-${var.task_name}"
+  name              = "/aws/ecs/${var.project_name}-${var.environment}-${var.task_name}"
   retention_in_days = var.log_retention_in_days
   tags = merge(var.common_tags, {
     Name = "${var.project_name}-${var.environment}-${var.task_name}-logs"

infrastructure/modules/ecs/modules/task/variables.tf

@@ -54,7 +54,7 @@ variable "image_url" {
 variable "log_retention_in_days" {
   description = "The number of days to retain log events."
   type        = number
-  default     = 30
+  default     = 90
 }
 
 variable "memory" {

infrastructure/modules/networking/main.tf

@@ -13,6 +13,27 @@ terraform {
   }
 }
 
+data "aws_iam_policy_document" "flow_logs_assume_role" {
+  statement {
+    actions = ["sts:AssumeRole"]
+    principals {
+      type        = "Service"
+      identifiers = ["vpc-flow-logs.amazonaws.com"]
+    }
+  }
+}
+
+data "aws_iam_policy_document" "flow_logs_policy" {
+  statement {
+    actions = [
+      "logs:CreateLogStream",
+      "logs:PutLogEvents",
+      "logs:DescribeLogStreams",
+    ]
+    resources = ["${aws_cloudwatch_log_group.flow_logs.arn}:*"]
+  }
+}
+
 resource "aws_vpc" "main" {
   cidr_block           = var.vpc_cidr
   enable_dns_hostnames = true
@@ -22,6 +43,39 @@ resource "aws_vpc" "main" {
   })
 }
 
+resource "aws_cloudwatch_log_group" "flow_logs" {
+  name              = "/aws/vpc-flow-logs/${var.project_name}-${var.environment}"
+  retention_in_days = var.log_retention_in_days
+  tags              = var.common_tags
+}
+
+resource "aws_flow_log" "main" {
+  iam_role_arn    = aws_iam_role.flow_logs.arn
+  log_destination = aws_cloudwatch_log_group.flow_logs.arn
+  traffic_type    = "ALL"
+  vpc_id          = aws_vpc.main.id
+  tags = merge(var.common_tags, {
+    Name = "${var.project_name}-${var.environment}-vpc-flow-log"
+  })
+}
+
+resource "aws_iam_policy" "flow_logs" {
+  name   = "${var.project_name}-${var.environment}-flow-logs-policy"
+  policy = data.aws_iam_policy_document.flow_logs_policy.json
+  tags   = var.common_tags
+}
+
+resource "aws_iam_role" "flow_logs" {
+  name               = "${var.project_name}-${var.environment}-flow-logs-role"
+  assume_role_policy = data.aws_iam_policy_document.flow_logs_assume_role.json
+  tags               = var.common_tags
+}
+
+resource "aws_iam_role_policy_attachment" "flow_logs" {
+  role       = aws_iam_role.flow_logs.name
+  policy_arn = aws_iam_policy.flow_logs.arn
+}
+
 resource "aws_internet_gateway" "main" {
   tags = merge(var.common_tags, {
     Name = "${var.project_name}-${var.environment}-igw"

infrastructure/modules/networking/variables.tf

@@ -14,6 +14,12 @@ variable "environment" {
   type        = string
 }
 
+variable "log_retention_in_days" {
+  description = "The number of days to retain log events."
+  type        = number
+  default     = 90
+}
+
 variable "private_subnet_cidrs" {
   description = "A list of CIDR blocks for the private subnets"
   type        = list(string)

infrastructure/modules/storage/modules/s3-bucket/main.tf

@@ -35,7 +35,7 @@ data "aws_iam_policy_document" "this" {
   }
 }
 
-resource "aws_s3_bucket" "this" {
+resource "aws_s3_bucket" "this" { #NOSONAR
   bucket        = var.bucket_name
   force_destroy = var.force_destroy
   tags          = var.tags