- Setup CW for ECS tasks

- Ensure ECS is accessed from LB only
bcgov · Jul 29, 2024 · acb436a · acb436a
1 parent 6fdae6b
commit acb436a
Show file tree

Hide file tree

Showing 7 changed files with 59 additions and 9 deletions.
diff --git a/infrastructure/cloud/environments/sandbox/webapp.tf b/infrastructure/cloud/environments/sandbox/webapp.tf
@@ -31,4 +31,11 @@ module "container" {
   ecs_sg_id                           = module.networking.ecs_sg_id
   lb_listener                         = module.networking.lb_listener
   lb_tg_arn                           = module.networking.lb_tg_arn
+  ecs_web_log_group_name              = module.monitoring.ecs_web_log_group_name
+}
+
+module "monitoring" {
+  source      = "../../modules/monitoring"
+  environment = var.environment
+  app_name    = var.app_name
 }
diff --git a/infrastructure/cloud/modules/container/ecs.tf b/infrastructure/cloud/modules/container/ecs.tf
@@ -28,8 +28,7 @@ resource "aws_ecs_task_definition" "ecs_web_task_definition" {
       logConfiguration = {
         logDriver = "awslogs"
         options = {
-          awslogs-create-group  = "true"
-          awslogs-group         = "/ecs/${var.app_name}"
+          awslogs-group         = var.ecs_web_log_group_name
           awslogs-region        = var.region
           awslogs-stream-prefix = "ecs"
         }

diff --git a/infrastructure/cloud/modules/container/variables.tf b/infrastructure/cloud/modules/container/variables.tf
@@ -50,3 +50,8 @@ variable "web_port" {
   type        = number
   default     = 8080
 }
+
+variable "ecs_web_log_group_name" {
+  description = "ECS Web Log Group Name in CloudWatch"
+  type        = string
+}
diff --git a/infrastructure/cloud/modules/monitoring/logs.tf b/infrastructure/cloud/modules/monitoring/logs.tf
@@ -0,0 +1,4 @@
+resource "aws_cloudwatch_log_group" "ecs_web_log_group" {
+  name              = "${var.app_name}-ecs-web-log-group-${var.environment}"
+  retention_in_days = var.log_group_retention
+}
diff --git a/infrastructure/cloud/modules/monitoring/outputs.tf b/infrastructure/cloud/modules/monitoring/outputs.tf
@@ -0,0 +1,3 @@
+output "ecs_web_log_group_name" {
+  value = aws_cloudwatch_log_group.ecs_web_log_group.name
+}
diff --git a/infrastructure/cloud/modules/monitoring/variables.tf b/infrastructure/cloud/modules/monitoring/variables.tf
@@ -0,0 +1,15 @@
+variable "environment" {
+  type        = string
+  description = "The environment to deploy the application to"
+}
+
+variable "app_name" {
+  description = "The name of the application"
+  type        = string
+}
+
+variable "log_group_retention" {
+  description = "The retention period in days for CloudWatch logs"
+  type        = number
+  default     = 30
+}
diff --git a/infrastructure/cloud/modules/networking/vpc.tf b/infrastructure/cloud/modules/networking/vpc.tf
@@ -28,25 +28,42 @@ resource "aws_route_table_association" "route_table_association" {
   route_table_id = aws_route_table.route_table.id
 }
 
-resource "aws_security_group" "ecs_security_group" {
-  name   = "${var.app_name}-ecs-sg-${var.environment}"
+
+resource "aws_security_group" "lb_sg" {
+  name   = "${var.app_name}-lb-sg-${var.environment}"
   vpc_id = aws_vpc.vpc.id
 
   ingress {
-    from_port   = 8080
-    to_port     = 8080
     protocol    = "tcp"
+    from_port   = 80
+    to_port     = 80
     cidr_blocks = ["0.0.0.0/0"]
   }
 
   egress {
+    protocol    = "-1"
     from_port   = 0
     to_port     = 0
-    protocol    = "-1"
     cidr_blocks = ["0.0.0.0/0"]
   }
+}
+
 
-  tags = {
-    Name = "${var.app_name}-ecs-sg-${var.environment}"
+resource "aws_security_group" "ecs_security_group" {
+  name   = "${var.app_name}-ecs-sg-${var.environment}"
+  vpc_id = aws_vpc.vpc.id
+
+  ingress {
+    from_port       = 80
+    to_port         = 80
+    protocol        = "tcp"
+    security_groups = [aws_security_group.lb_sg.id]
+  }
+
+  egress {
+    from_port   = 0
+    to_port     = 0
+    protocol    = "-1"
+    cidr_blocks = ["0.0.0.0/0"]
   }
 }