From bb03fd985c6e448c4d17dd9df376f30faabc8cbe Mon Sep 17 00:00:00 2001 From: aloftus23 Date: Mon, 18 Nov 2024 10:07:10 -0500 Subject: [PATCH] Fix s3 ACL definitions by adding ownership, create variables for elasticache, and update ES volumnesize --- infrastructure/database.tf | 23 +++++++++++++++++------ infrastructure/elasticache.tf | 8 ++++---- infrastructure/integration.tfvars | 6 +++--- infrastructure/main.tf | 8 ++++++++ infrastructure/matomo.tf | 2 +- infrastructure/stage-cd.tfvars | 2 +- infrastructure/worker.tf | 9 +++++++++ 7 files changed, 43 insertions(+), 15 deletions(-) diff --git a/infrastructure/database.tf b/infrastructure/database.tf index 20c2159f..18f3d09e 100644 --- a/infrastructure/database.tf +++ b/infrastructure/database.tf @@ -37,7 +37,7 @@ resource "aws_db_instance" "db" { allow_major_version_upgrade = true skip_final_snapshot = true availability_zone = data.aws_availability_zones.available.names[0] - multi_az = true + multi_az = false backup_retention_period = 35 storage_encrypted = true iam_database_authentication_enabled = true @@ -110,11 +110,6 @@ resource "aws_iam_instance_profile" "db_accessor" { count = var.create_db_accessor_instance ? 1 : 0 name = "crossfeed-db-accessor-${var.stage}" role = aws_iam_role.db_accessor[0].id - tags = { - Project = var.project - Stage = var.stage - Owner = "Crossfeed managed resource" - } } #Attach Policies to Instance Role @@ -342,6 +337,14 @@ resource "aws_s3_bucket_acl" "reports_bucket" { acl = "private" } +resource "aws_s3_bucket_ownership_controls" "reports_bucket" { + count = var.is_dmz ? 1 : 0 + bucket = aws_s3_bucket.reports_bucket.id + rule { + object_ownership = "ObjectWriter" + } +} + resource "aws_s3_bucket_server_side_encryption_configuration" "reports_bucket" { bucket = aws_s3_bucket.reports_bucket.id rule { 
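Review bot: `multi_az` is flipped from `true` to `false` on `aws_db_instance.db` here and on `aws_db_instance.matomo_db` in matomo.tf, but the subject line does not mention it and nothing in the hunk records why. With `availability_zone = data.aws_availability_zones.available.names[0]` pinning the instance to a single AZ, this removes the standby and automatic failover for the database while `backup_retention_period = 35` still suggests it is treated as durable, so a reader of the plan sees an availability downgrade with no rationale. If this is a cost decision for non-production stages, drive it from a per-stage variable rather than a hard-coded literal; otherwise add a comment above the line such as `# multi_az disabled: <reason> — single-AZ, no automatic failover`. The `aws_db_instance.db` block starts and ends outside the hunk.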
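Review bot: The `tags` block removed from `aws_iam_instance_profile.db_accessor` drops the `Project`/`Stage`/`Owner` attribution that other resources in this diff still carry, and the subject line does not account for the removal. If it is deliberate (for example because the applying role cannot tag instance profiles), a one-line comment in place of the block would keep the next maintainer from re-adding it, e.g. `# tags intentionally omitted: <reason>`; if it is not deliberate, the block should stay. The resource block starts outside the hunk.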
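Review bot: The new `aws_s3_bucket_ownership_controls.reports_bucket` is presumably what lets the preceding `aws_s3_bucket_acl` put succeed on a bucket whose default ownership is `BucketOwnerEnforced`, but nothing orders the two — the ACL resource should carry `depends_on = [aws_s3_bucket_ownership_controls.reports_bucket]` so a fresh apply does not attempt the ACL before ownership is set. The same applies to `pe_db_backups_bucket` later in this file, `logging_bucket` in main.tf and `export_bucket` in worker.tf. The controls are also gated on `var.is_dmz` while the ACL resource visible here shows no such gate, so in non-DMZ stages the ACL would still be applied against a bucket with no ownership override; worth confirming that `aws_s3_bucket_acl` is gated the same way (its opening lines are outside the hunk). Finally, `ObjectWriter` keeps ACLs enabled and leaves objects written by other principals owned by the writer; since every ACL here is just `private`, `BucketOwnerEnforced` (and dropping the ACL resources) or at least `BucketOwnerPreferred` would give the bucket owner ownership of all objects while keeping the commit's intent.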
@@ -403,6 +406,14 @@ resource "aws_s3_bucket_acl" "pe_db_backups_bucket" { acl = "private" } +resource "aws_s3_bucket_ownership_controls" "pe_db_backups_bucket" { + count = var.is_dmz ? 1 : 0 + bucket = aws_s3_bucket.pe_db_backups_bucket.id + rule { + object_ownership = "ObjectWriter" + } +} + resource "aws_s3_bucket_server_side_encryption_configuration" "pe_db_backups_bucket" { bucket = aws_s3_bucket.pe_db_backups_bucket.id rule { diff --git a/infrastructure/elasticache.tf b/infrastructure/elasticache.tf index 033c4fd9..fbea6170 100644 --- a/infrastructure/elasticache.tf +++ b/infrastructure/elasticache.tf @@ -14,7 +14,7 @@ resource "aws_security_group" "elasticache_security_group" { resource "aws_elasticache_subnet_group" "crossfeed_vpc" { count = var.is_dmz ? 1 : 0 - name = "crossfeed-vpc-subnet-group" + name = "crossfeed-${var.stage}-elasticache-subnet-group" subnet_ids = [aws_subnet.backend[0].id] tags = { @@ -24,7 +24,7 @@ resource "aws_elasticache_subnet_group" "crossfeed_vpc" { resource "aws_elasticache_parameter_group" "xfd_redis_group" { count = var.is_dmz ? 1 : 0 - name = "my-redis7-1" + name = "crossfeed-${var.stage}-redis7-group" family = "redis7" parameter { @@ -35,7 +35,7 @@ resource "aws_elasticache_parameter_group" "xfd_redis_group" { resource "aws_elasticache_cluster" "crossfeed_vpc_elasticache_cluster" { count = var.create_elasticache_cluster ? 1 : 0 - cluster_id = "crossfeed-vpc-cluster" + cluster_id = "crossfeed-${var.stage}-elasticache-cluster" engine = "redis" node_type = "cache.r7g.xlarge" num_cache_nodes = 1 @@ -54,7 +54,7 @@ resource "aws_elasticache_cluster" "crossfeed_vpc_elasticache_cluster" { resource "aws_iam_policy" "elasticache_policy" { count = var.is_dmz ? 1 : 0 - name = "elasticache_policy" + name = "crossfeed-${var.stage}-elasticache-policy" description = "Policy to allow ElastiCache operations" policy = jsonencode({ Version = "2012-10-17" 
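Review bot: Changing `cluster_id`, the subnet group `name` and the parameter group `name` replaces those resources rather than updating them in place (all three are create-only in the AWS provider as far as I know), and stage-cd.tfvars already had `create_elasticache_cluster = true`, so staging's existing `crossfeed-vpc-cluster` would be destroyed and recreated, losing cached data and likely being unavailable during the apply. That should be called out in the commit message and the plan reviewed before apply; `aws_iam_policy.name` is likewise recreated, which briefly detaches it from any role attachments. The subject says "create variables for elasticache", but these hunks only interpolate the existing `var.stage` into names, so the description overstates the change. All four resource blocks start outside their hunks.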
diff --git a/infrastructure/integration.tfvars b/infrastructure/integration.tfvars index ef7d7286..3d6ae340 100644 --- a/infrastructure/integration.tfvars +++ b/infrastructure/integration.tfvars @@ -91,9 +91,9 @@ matomo_ecs_log_group_name = "crossfeed-matomo-integration" matomo_db_name = "crossfeed-matomo-integration" matomo_db_instance_class = "db.t3.micro" matomo_ecs_role_name = "crossfeed-matomo-integration" -es_instance_type = "m4.large.elasticsearch" +es_instance_type = "t3.medium.elasticsearch" es_instance_count = 3 -es_instance_volume_size = 512 +es_instance_volume_size = 200 create_db_accessor_instance = true db_accessor_instance_class = "t3.2xlarge" create_elk_instance = false @@ -105,4 +105,4 @@ ssm_redshift_host = "/crossfeed/integration/REDSHIFT_HOST" ssm_redshift_database = "/crossfeed/integration/REDSHIFT_DATABASE" ssm_redshift_user = "/crossfeed/integration/REDSHIFT_USER" ssm_redshift_password = "/crossfeed/integration/REDSHIFT_PASSWORD" -create_elasticache_cluster = false +create_elasticache_cluster = true \ No newline at end of file diff --git a/infrastructure/main.tf b/infrastructure/main.tf index 5a44e974..f33af3b8 100644 --- a/infrastructure/main.tf +++ b/infrastructure/main.tf @@ -81,6 +81,14 @@ resource "aws_s3_bucket_acl" "logging_bucket" { acl = "private" } +resource "aws_s3_bucket_ownership_controls" "logging_bucket" { + count = var.is_dmz ? 1 : 0 + bucket = aws_s3_bucket.logging_bucket.id + rule { + object_ownership = "ObjectWriter" + } +} + resource "aws_s3_bucket_logging" "logging_bucket" { bucket = aws_s3_bucket.logging_bucket.id target_bucket = aws_s3_bucket.logging_bucket.id diff --git a/infrastructure/matomo.tf b/infrastructure/matomo.tf index 273fba52..efc8e321 100644 --- a/infrastructure/matomo.tf +++ b/infrastructure/matomo.tf 
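Review bot: `es_instance_volume_size` drops from 512 to 200 and the instance type from `m4.large.elasticsearch` to `t3.medium.elasticsearch` for the integration domain; if the existing domain already holds more than 200 GB per node the update may be rejected, and either change triggers a blue/green redeployment, so current usage should be checked before apply. `create_elasticache_cluster` is also switched on for integration, which (per the elasticache.tf context) provisions a `cache.r7g.xlarge` node — a cost step the subject line does not mention. Both tfvars hunks now end with `\ No newline at end of file`; restoring the trailing newline avoids noisy diffs on the next edit.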
@@ -200,7 +200,7 @@ resource "aws_db_instance" "matomo_db" { engine_version = "10.6" skip_final_snapshot = true availability_zone = var.matomo_availability_zone - multi_az = true + multi_az = false backup_retention_period = 35 storage_encrypted = true iam_database_authentication_enabled = true diff --git a/infrastructure/stage-cd.tfvars b/infrastructure/stage-cd.tfvars index 8fb7c6c4..75278592 100644 --- a/infrastructure/stage-cd.tfvars +++ b/infrastructure/stage-cd.tfvars @@ -109,4 +109,4 @@ ssm_redshift_host = "/crossfeed/staging/REDSHIFT_HOST" ssm_redshift_database = "/crossfeed/staging/REDSHIFT_DATABASE" ssm_redshift_user = "/crossfeed/staging/REDSHIFT_USER" ssm_redshift_password = "/crossfeed/staging/REDSHIFT_PASSWORD" -create_elasticache_cluster = true +create_elasticache_cluster = true \ No newline at end of file diff --git a/infrastructure/worker.tf b/infrastructure/worker.tf index 0f6cfe38..3f1d299f 100644 --- a/infrastructure/worker.tf +++ b/infrastructure/worker.tf @@ -484,6 +484,15 @@ resource "aws_s3_bucket_acl" "export_bucket" { bucket = aws_s3_bucket.export_bucket.id acl = "private" } + +resource "aws_s3_bucket_ownership_controls" "export_bucket" { + count = var.is_dmz ? 1 : 0 + bucket = aws_s3_bucket.export_bucket.id + rule { + object_ownership = "ObjectWriter" + } +} + resource "aws_s3_bucket_server_side_encryption_configuration" "export_bucket" { bucket = aws_s3_bucket.export_bucket.id rule {