feat: add logging IAM policy, update logging bucket name, and extend ECS health check grace period

alismx · alismx · commit 63ffc8a11983 · 2025-05-20T17:03:04.000-07:00
- Remove duplicate README file.
- Introduce logging IAM policy document for S3 bucket operations.
- Append "-logging" suffix to the logging bucket name.
- Set ECS service health check grace period to 120 seconds.
diff --git a/README copy.md b/README copy.md
diff --git a/README.md b/README.md
@@ -1,5 +1,5 @@
 # Table of Contents
-[1. Overview](#1-overview)\
+[1. Overview](#1-overview)
 [2. Notices](#2-notices)
 - [Table of Contents](#table-of-contents)
 - [1. Overview](#1-overview)
diff --git a/_data.tf b/_data.tf
@@ -27,6 +27,28 @@ data "aws_iam_policy_document" "ecr_viewer_s3" {
   }
 }
 
+data "aws_iam_policy_document" "logging" {
+  statement {
+    principals {
+      type        = "Service"
+      identifiers = ["delivery.logs.amazonaws.com"]
+    }
+    actions = [
+      "s3:PutObject",
+      "s3:PutObjectAcl",
+      "s3:GetObject",
+      "s3:GetObjectAcl",
+      "s3:ListBucket",
+      "s3:GetBucketAcl",
+    ]
+    resources = [
+      aws_s3_bucket.logging.arn,
+      "${aws_s3_bucket.logging.arn}/*",
+
+    ]
+  }
+}
+
 data "aws_iam_policy" "ecs_task_execution" {
   name = "AmazonECSTaskExecutionRolePolicy"
 }
diff --git a/_local.tf b/_local.tf
@@ -266,7 +266,7 @@ locals {
   ecs_cloudwatch_group         = var.ecs_cloudwatch_group == "" ? "/${local.local_name}" : var.ecs_cloudwatch_group
   ecs_cluster_name             = var.ecs_cluster_name == "" ? local.local_name : var.ecs_cluster_name
   s3_viewer_bucket_name        = var.s3_viewer_bucket_name == "" ? "${local.local_name}-${random_string.s3_viewer.result}" : var.s3_viewer_bucket_name
-  s3_logging_bucket_name       = var.s3_logging_bucket_name == "" ? "${local.local_name}-${random_string.s3_viewer.result}" : var.s3_logging_bucket_name
+  s3_logging_bucket_name       = var.s3_logging_bucket_name == "" ? "${local.local_name}-${random_string.s3_viewer.result}-logging" : var.s3_logging_bucket_name
   s3_viewer_bucket_role_name   = var.s3_viewer_bucket_role_name == "" ? "${local.local_name}-ecrv" : var.s3_viewer_bucket_role_name
   tags                         = var.tags
   vpc_endpoints = [
diff --git a/ecs.tf b/ecs.tf
@@ -57,6 +57,8 @@ resource "aws_ecs_service" "this" {
   deployment_minimum_healthy_percent = 50
   deployment_maximum_percent         = 200
 
+  health_check_grace_period_seconds = 120
+
   deployment_circuit_breaker {
     enable   = true
     rollback = true
