feat: add S3 logging policy and update ECS config

- Remove duplicate README copy file and adjust README.md formatting.
- Introduce a new IAM policy document and policy for S3 logging.
- Update local S3 logging bucket name to include a "-logging" suffix.
- Set ECS service health check grace period to 120 seconds.

Author: alismx

README copy.md

@@ -1,5 +1,5 @@
 # Table of Contents
-[1. Overview](#1-overview)\
+[1. Overview](#1-overview)
 [2. Notices](#2-notices)
 - [Table of Contents](#table-of-contents)
 - [1. Overview](#1-overview)

README.md

@@ -27,6 +27,24 @@ data "aws_iam_policy_document" "ecr_viewer_s3" {
   }
 }
 
+data "aws_iam_policy_document" "logging" {
+  statement {
+    actions = [
+      "s3:PutObject",
+      "s3:PutObjectAcl",
+      "s3:GetObject",
+      "s3:GetObjectAcl",
+      "s3:ListBucket",
+      "s3:GetBucketAcl",
+    ]
+    resources = [
+      aws_s3_bucket.logging.arn,
+      "${aws_s3_bucket.logging.arn}/*",
+
+    ]
+  }
+}
+
 data "aws_iam_policy" "ecs_task_execution" {
   name = "AmazonECSTaskExecutionRolePolicy"
 }

_data.tf

@@ -266,7 +266,7 @@ locals {
   ecs_cloudwatch_group         = var.ecs_cloudwatch_group == "" ? "/${local.local_name}" : var.ecs_cloudwatch_group
   ecs_cluster_name             = var.ecs_cluster_name == "" ? local.local_name : var.ecs_cluster_name
   s3_viewer_bucket_name        = var.s3_viewer_bucket_name == "" ? "${local.local_name}-${random_string.s3_viewer.result}" : var.s3_viewer_bucket_name
-  s3_logging_bucket_name       = var.s3_logging_bucket_name == "" ? "${local.local_name}-${random_string.s3_viewer.result}" : var.s3_logging_bucket_name
+  s3_logging_bucket_name       = var.s3_logging_bucket_name == "" ? "${local.local_name}-${random_string.s3_viewer.result}-logging" : var.s3_logging_bucket_name
   s3_viewer_bucket_role_name   = var.s3_viewer_bucket_role_name == "" ? "${local.local_name}-ecrv" : var.s3_viewer_bucket_role_name
   tags                         = var.tags
   vpc_endpoints = [

_local.tf

@@ -287,4 +287,4 @@ resource "aws_security_group_rule" "alb_egress" {
   description       = "Allow outbound traffic from alb"
   security_group_id = aws_security_group.alb.id
   cidr_blocks       = ["0.0.0.0/0"]
-}
+}

alb.tf

@@ -57,6 +57,8 @@ resource "aws_ecs_service" "this" {
   deployment_minimum_healthy_percent = 50
   deployment_maximum_percent         = 200
 
+  health_check_grace_period_seconds = 120
+
   deployment_circuit_breaker {
     enable   = true
     rollback = true

ecs.tf

@@ -28,10 +28,18 @@ resource "aws_iam_role" "s3_role_for_ecr_viewer" {
   assume_role_policy = data.aws_iam_policy_document.assume_role.json
   tags               = local.tags
 }
-# s3
+
 resource "aws_iam_policy" "s3_bucket_ecr_viewer" {
   name        = "${local.s3_viewer_bucket_role_name}-policy"
   description = "Policy for ECR-Viewer and S3 for DIBBS-AWS"
   policy      = data.aws_iam_policy_document.ecr_viewer_s3.json
   tags        = local.tags
 }
+
+resource "aws_iam_policy" "s3_bucket_logging" {
+  name        = "${local.s3_logging_bucket_name}-policy"
+  description = "Policy for S3 bucket logging"
+  policy      = data.aws_iam_policy_document.logging.json
+  tags        = local.tags
+
+}