OWASP · arkid15r · Jan 30, 2026 · Jan 30, 2026 · Jan 30, 2026 · Jan 30, 2026
@@ -27,40 +27,41 @@ resource "aws_ecs_cluster_capacity_providers" "main" {
   }
 }
 
+
+# TODO: disallow tag mutability
+# NOSEMGREP: terraform.aws.security.aws-ecr-mutable-image-tags.aws-ecr-mutable-image-tags
+resource "aws_ecr_repository" "main" {
+  image_tag_mutability = "MUTABLE"
+  name                 = "${var.project_name}-${var.environment}-backend"
+  tags                 = var.common_tags
+
+  image_scanning_configuration {
+    scan_on_push = true
+  }
+}
+
 resource "aws_ecr_lifecycle_policy" "main" {
   repository = aws_ecr_repository.main.name
 
   policy = jsonencode({
     rules = [
       {
-        rulePriority = 1
+        action = {
+          type = "expire"
+        }
         description  = "Remove untagged images"
+        rulePriority = 1
         selection = {
-          tagStatus   = "untagged"
+          countNumber = 7
           countType   = "sinceImagePushed"
           countUnit   = "days"
-          countNumber = 7
-        }
-        action = {
-          type = "expire"
+          tagStatus   = "untagged"
         }
       }
     ]
   })
 }
 
-# TODO: disallow tag mutability
-# nosemgrep: terraform.aws.security.aws-ecr-mutable-image-tags.aws-ecr-mutable-image-tags
-resource "aws_ecr_repository" "main" {
-  name                 = "${var.project_name}-${var.environment}-backend"
-  image_tag_mutability = "MUTABLE"
-  tags                 = var.common_tags
-
-  image_scanning_configuration {
-    scan_on_push = true
-  }
-}
-
 resource "aws_iam_role" "ecs_tasks_execution_role" {
   name = "${var.project_name}-${var.environment}-ecs-tasks-execution-role"
   tags = var.common_tags
@@ -81,8 +82,8 @@ resource "aws_iam_role" "ecs_tasks_execution_role" {
 
 
 resource "aws_iam_policy" "ecs_tasks_execution_role_ssm_policy" {
-  name        = "${var.project_name}-${var.environment}-ecs-tasks-ssm-policy"
   description = "Allow ECS tasks to read SSM parameters"
+  name        = "${var.project_name}-${var.environment}-ecs-tasks-ssm-policy"
   policy = jsonencode({
     Version = "2012-10-17"
     Statement = [
@@ -99,8 +100,8 @@ resource "aws_iam_policy" "ecs_tasks_execution_role_ssm_policy" {
 }
 
 resource "aws_iam_policy" "ecs_tasks_execution_policy" {
-  name        = "${var.project_name}-${var.environment}-ecs-tasks-execution-policy"
   description = "Custom policy for ECS task execution - ECR and CloudWatch Logs access"
+  name        = "${var.project_name}-${var.environment}-ecs-tasks-execution-policy"
 
   policy = jsonencode({
     Version = "2012-10-17"
@@ -147,9 +148,6 @@ resource "aws_iam_role_policy_attachment" "ecs_tasks_execution_role_ssm_policy_a
 }
 
 resource "aws_iam_role" "ecs_task_role" {
-  name = "${var.project_name}-${var.environment}-ecs-task-role"
-  tags = var.common_tags
-
   assume_role_policy = jsonencode({
     Version = "2012-10-17"
     Statement = [
@@ -162,6 +160,8 @@ resource "aws_iam_role" "ecs_task_role" {
       }
     ]
   })
+  name = "${var.project_name}-${var.environment}-ecs-task-role"
+  tags = var.common_tags
 }
 
 resource "aws_iam_role_policy_attachment" "ecs_task_role_fixtures_s3_access" {
@@ -170,9 +170,6 @@ resource "aws_iam_role_policy_attachment" "ecs_task_role_fixtures_s3_access" {
 }
 
 resource "aws_iam_role" "event_bridge_role" {
-  name = "${var.project_name}-${var.environment}-event-bridge-role"
-  tags = var.common_tags
-
   assume_role_policy = jsonencode({
     Version = "2012-10-17"
     Statement = [
@@ -185,12 +182,13 @@ resource "aws_iam_role" "event_bridge_role" {
       }
     ]
   })
+  name = "${var.project_name}-${var.environment}-event-bridge-role"
+  tags = var.common_tags
 }
 
 resource "aws_iam_policy" "event_bridge_ecs_policy" {
-  name        = "${var.project_name}-${var.environment}-event-bridge-ecs-policy"
   description = "Allow EventBridge to run ECS tasks"
-
+  name        = "${var.project_name}-${var.environment}-event-bridge-ecs-policy"
   policy = jsonencode({
     Version = "2012-10-17"
     Statement = [
@@ -206,7 +204,7 @@ resource "aws_iam_policy" "event_bridge_ecs_policy" {
       },
       {
         # https://docs.aws.amazon.com/AmazonECS/latest/developerguide/CWE_IAM_role.html
-        # nosemgrep: terraform.lang.security.iam.no-iam-resource-exposure.no-iam-resource-exposure
+        # NOSEMGREP: terraform.lang.security.iam.no-iam-resource-exposure.no-iam-resource-exposure
         Action = "iam:PassRole"
         Effect = "Allow"
         Resource = [

@@ -9,33 +9,23 @@ terraform {
   }
 }
 
-resource "aws_cloudwatch_log_group" "task" {
-  kms_key_id        = var.kms_key_arn
-  name              = "/aws/ecs/${var.project_name}-${var.environment}-${var.task_name}"
-  retention_in_days = var.log_retention_in_days
-  tags = merge(var.common_tags, {
-    Name = "${var.project_name}-${var.environment}-${var.task_name}-logs"
-  })
-}
-
 resource "aws_ecs_task_definition" "task" {
+  cpu                      = var.cpu
+  execution_role_arn       = var.ecs_tasks_execution_role_arn
   family                   = "${var.project_name}-${var.environment}-${var.task_name}"
+  memory                   = var.memory
   network_mode             = "awsvpc"
   requires_compatibilities = ["FARGATE"]
-  cpu                      = var.cpu
-  memory                   = var.memory
-  execution_role_arn       = var.ecs_tasks_execution_role_arn
   task_role_arn            = var.task_role_arn
   tags = merge(var.common_tags, {
     Name = "${var.project_name}-${var.environment}-${var.task_name}-task-def"
   })
 
   container_definitions = jsonencode([
     {
-      name      = "backend"
-      image     = var.image_url
       command   = var.command
       essential = true
+      image     = var.image_url
       logConfiguration = {
         logDriver = "awslogs"
         options = {
@@ -44,6 +34,7 @@ resource "aws_ecs_task_definition" "task" {
           "awslogs-stream-prefix" = "ecs"
         }
       }
+      name = "backend"
       secrets = [for name, valueFrom in var.container_parameters_arns : {
         name      = name
         valueFrom = valueFrom
@@ -52,21 +43,28 @@ resource "aws_ecs_task_definition" "task" {
   ])
 }
 
-resource "aws_cloudwatch_event_rule" "task" {
-  count = var.schedule_expression != null ? 1 : 0
+resource "aws_cloudwatch_log_group" "task" {
+  kms_key_id        = var.kms_key_arn
+  name              = "/aws/ecs/${var.project_name}-${var.environment}-${var.task_name}"
+  retention_in_days = var.log_retention_in_days
+  tags = merge(var.common_tags, {
+    Name = "${var.project_name}-${var.environment}-${var.task_name}-logs"
+  })
+}
 
-  name                = "${var.project_name}-${var.environment}-${var.task_name}-rule"
+resource "aws_cloudwatch_event_rule" "task" {
+  count               = var.schedule_expression != null ? 1 : 0
   description         = "Fires on a schedule to trigger the ${var.task_name} task"
+  name                = "${var.project_name}-${var.environment}-${var.task_name}-rule"
   schedule_expression = var.schedule_expression
   tags = merge(var.common_tags, {
     Name = "${var.project_name}-${var.environment}-${var.task_name}-rule"
   })
 }
 
 resource "aws_cloudwatch_event_target" "task" {
-  count = var.schedule_expression != null ? 1 : 0
-
   arn       = var.ecs_cluster_arn
+  count     = var.schedule_expression != null ? 1 : 0
   role_arn  = var.event_bridge_role_arn
   rule      = aws_cloudwatch_event_rule.task[0].name
   target_id = "${var.project_name}-${var.environment}-${var.task_name}-target"