Fix s3 ACL definitions by adding ownership, create variables for elas…
…ticache, and update ES volume size
aloftus23 committed Nov 18, 2024
1 parent f6f65bf commit bb03fd9
Showing 7 changed files with 43 additions and 15 deletions.
23 changes: 17 additions & 6 deletions infrastructure/database.tf
Expand Up @@ -37,7 +37,7 @@ resource "aws_db_instance" "db" {
allow_major_version_upgrade = true
skip_final_snapshot = true
availability_zone = data.aws_availability_zones.available.names[0]
multi_az = true
multi_az = false
backup_retention_period = 35
storage_encrypted = true
iam_database_authentication_enabled = true
Expand Down Expand Up @@ -110,11 +110,6 @@ resource "aws_iam_instance_profile" "db_accessor" {
count = var.create_db_accessor_instance ? 1 : 0
name = "crossfeed-db-accessor-${var.stage}"
role = aws_iam_role.db_accessor[0].id
tags = {
Project = var.project
Stage = var.stage
Owner = "Crossfeed managed resource"
}
}

#Attach Policies to Instance Role
Expand Down Expand Up @@ -342,6 +337,14 @@ resource "aws_s3_bucket_acl" "reports_bucket" {
acl = "private"
}

resource "aws_s3_bucket_ownership_controls" "reports_bucket" {
count = var.is_dmz ? 1 : 0
bucket = aws_s3_bucket.reports_bucket.id
rule {
object_ownership = "ObjectWriter"
}
}

resource "aws_s3_bucket_server_side_encryption_configuration" "reports_bucket" {
bucket = aws_s3_bucket.reports_bucket.id
rule {
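Review bot: The new `aws_s3_bucket_ownership_controls.reports_bucket` has no ordering relationship with `aws_s3_bucket_acl.reports_bucket`, which the hunk header shows is declared just above it, so on a fresh apply Terraform can issue the ACL call before the ownership setting is in place and it fails while the bucket is still in its default BucketOwnerEnforced state; add `depends_on = [aws_s3_bucket_ownership_controls.reports_bucket]` to the ACL resource, which is the ordering the provider documents. `ObjectWriter` also makes objects uploaded by another account owned by that writer rather than by this account; if the only goal is to keep `acl = "private"` applying, `object_ownership = "BucketOwnerPreferred"` does that while keeping ownership with the bucket owner, and if nothing else relies on ACLs the cleaner fix is `BucketOwnerEnforced` with the `aws_s3_bucket_acl` resource dropped. The `count = var.is_dmz ? 1 : 0` gate means non-DMZ deployments still apply the ACL without ownership controls unless the ACL resource is gated the same way, which is not visible here. The same points apply to `pe_db_backups_bucket` in the next hunk, `logging_bucket` in main.tf and `export_bucket` in worker.tf.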
Expand Down Expand Up @@ -403,6 +406,14 @@ resource "aws_s3_bucket_acl" "pe_db_backups_bucket" {
acl = "private"
}

resource "aws_s3_bucket_ownership_controls" "pe_db_backups_bucket" {
count = var.is_dmz ? 1 : 0
bucket = aws_s3_bucket.pe_db_backups_bucket.id
rule {
object_ownership = "ObjectWriter"
}
}

resource "aws_s3_bucket_server_side_encryption_configuration" "pe_db_backups_bucket" {
bucket = aws_s3_bucket.pe_db_backups_bucket.id
rule {
8 changes: 4 additions & 4 deletions infrastructure/elasticache.tf
Expand Up @@ -14,7 +14,7 @@ resource "aws_security_group" "elasticache_security_group" {

resource "aws_elasticache_subnet_group" "crossfeed_vpc" {
count = var.is_dmz ? 1 : 0
name = "crossfeed-vpc-subnet-group"
name = "crossfeed-${var.stage}-elasticache-subnet-group"
subnet_ids = [aws_subnet.backend[0].id]

tags = {
Expand All @@ -24,7 +24,7 @@ resource "aws_elasticache_subnet_group" "crossfeed_vpc" {

resource "aws_elasticache_parameter_group" "xfd_redis_group" {
count = var.is_dmz ? 1 : 0
name = "my-redis7-1"
name = "crossfeed-${var.stage}-redis7-group"
family = "redis7"

parameter {
Expand All @@ -35,7 +35,7 @@ resource "aws_elasticache_parameter_group" "xfd_redis_group" {

resource "aws_elasticache_cluster" "crossfeed_vpc_elasticache_cluster" {
count = var.create_elasticache_cluster ? 1 : 0
cluster_id = "crossfeed-vpc-cluster"
cluster_id = "crossfeed-${var.stage}-elasticache-cluster"
engine = "redis"
node_type = "cache.r7g.xlarge"
num_cache_nodes = 1
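Review bot: Changing `cluster_id` forces replacement of `aws_elasticache_cluster.crossfeed_vpc_elasticache_cluster`, and the `name` changes on the subnet group and parameter group in the two hunks above force their replacement as well, so the next apply destroys and recreates the cache and anything cached is lost; that is acceptable for a cache but should be stated in the commit, and a `lifecycle { create_before_destroy = true }` on the subnet and parameter groups avoids a window where the cluster has no group to attach to. The cluster is gated on `var.create_elasticache_cluster` while the subnet and parameter groups are gated on `var.is_dmz`; integration.tfvars now sets `create_elasticache_cluster = true`, so if the cluster references those groups via `[0]` (not visible in this hunk) and `is_dmz` is false for integration, the plan fails on an empty index. The resource body continues past the hunk.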
Expand All @@ -54,7 +54,7 @@ resource "aws_elasticache_cluster" "crossfeed_vpc_elasticache_cluster" {

resource "aws_iam_policy" "elasticache_policy" {
count = var.is_dmz ? 1 : 0
name = "elasticache_policy"
name = "crossfeed-${var.stage}-elasticache-policy"
description = "Policy to allow ElastiCache operations"
policy = jsonencode({
Version = "2012-10-17"
6 changes: 3 additions & 3 deletions infrastructure/integration.tfvars
Expand Up @@ -91,9 +91,9 @@ matomo_ecs_log_group_name = "crossfeed-matomo-integration"
matomo_db_name = "crossfeed-matomo-integration"
matomo_db_instance_class = "db.t3.micro"
matomo_ecs_role_name = "crossfeed-matomo-integration"
es_instance_type = "m4.large.elasticsearch"
es_instance_type = "t3.medium.elasticsearch"
es_instance_count = 3
es_instance_volume_size = 512
es_instance_volume_size = 200
create_db_accessor_instance = true
db_accessor_instance_class = "t3.2xlarge"
create_elk_instance = false
Expand All @@ -105,4 +105,4 @@ ssm_redshift_host = "/crossfeed/integration/REDSHIFT_HOST"
ssm_redshift_database = "/crossfeed/integration/REDSHIFT_DATABASE"
ssm_redshift_user = "/crossfeed/integration/REDSHIFT_USER"
ssm_redshift_password = "/crossfeed/integration/REDSHIFT_PASSWORD"
create_elasticache_cluster = false
create_elasticache_cluster = true
8 changes: 8 additions & 0 deletions infrastructure/main.tf
Expand Up @@ -81,6 +81,14 @@ resource "aws_s3_bucket_acl" "logging_bucket" {
acl = "private"
}

resource "aws_s3_bucket_ownership_controls" "logging_bucket" {
count = var.is_dmz ? 1 : 0
bucket = aws_s3_bucket.logging_bucket.id
rule {
object_ownership = "ObjectWriter"
}
}

resource "aws_s3_bucket_logging" "logging_bucket" {
bucket = aws_s3_bucket.logging_bucket.id
target_bucket = aws_s3_bucket.logging_bucket.id
2 changes: 1 addition & 1 deletion infrastructure/matomo.tf
Expand Up @@ -200,7 +200,7 @@ resource "aws_db_instance" "matomo_db" {
engine_version = "10.6"
skip_final_snapshot = true
availability_zone = var.matomo_availability_zone
multi_az = true
multi_az = false
backup_retention_period = 35
storage_encrypted = true
iam_database_authentication_enabled = true
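Review bot: `multi_az = false` removes the synchronous standby from `aws_db_instance.matomo_db`, so a failure of the single instance or of the AZ named in `var.matomo_availability_zone` becomes a full outage recovered only from the 35-day backups rather than by automatic failover; the commit message does not give a reason, so if this is a cost decision for non-production stages it reads more safely as `multi_az = var.stage == "prod"` or a dedicated variable, with a comment naming the trade-off. The identical change is made to `aws_db_instance.db` in database.tf. The resource body continues outside the hunk.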
2 changes: 1 addition & 1 deletion infrastructure/stage-cd.tfvars
Expand Up @@ -109,4 +109,4 @@ ssm_redshift_host = "/crossfeed/staging/REDSHIFT_HOST"
ssm_redshift_database = "/crossfeed/staging/REDSHIFT_DATABASE"
ssm_redshift_user = "/crossfeed/staging/REDSHIFT_USER"
ssm_redshift_password = "/crossfeed/staging/REDSHIFT_PASSWORD"
create_elasticache_cluster = true
create_elasticache_cluster = true
9 changes: 9 additions & 0 deletions infrastructure/worker.tf
Expand Up @@ -484,6 +484,15 @@ resource "aws_s3_bucket_acl" "export_bucket" {
bucket = aws_s3_bucket.export_bucket.id
acl = "private"
}

resource "aws_s3_bucket_ownership_controls" "export_bucket" {
count = var.is_dmz ? 1 : 0
bucket = aws_s3_bucket.export_bucket.id
rule {
object_ownership = "ObjectWriter"
}
}

resource "aws_s3_bucket_server_side_encryption_configuration" "export_bucket" {
bucket = aws_s3_bucket.export_bucket.id
rule {