feat(logging,ecs): add S3 logging policy and update ECS health check grace period

- Add IAM policy document and S3 bucket policy for logging.
- Update local naming for S3 logging bucket to include "-logging" suffix.
- Increase ECS service health check grace period to 120 seconds.
- Remove redundant README copy and adjust README markdown links.

Author: alismx

README copy.md

@@ -1,5 +1,5 @@
 # Table of Contents
-[1. Overview](#1-overview)\
+[1. Overview](#1-overview)
 [2. Notices](#2-notices)
 - [Table of Contents](#table-of-contents)
 - [1. Overview](#1-overview)

README.md

@@ -27,6 +27,51 @@ data "aws_iam_policy_document" "ecr_viewer_s3" {
   }
 }
 
+data "aws_iam_policy_document" "logging" {
+  statement {
+    sid    = "AllowELBRootAccount"
+    effect = "Allow"
+    principals {
+      type        = "AWS"
+      identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
+    }
+    actions = [
+      "s3:PutObject"
+    ]
+    resources = [
+      "${aws_s3_bucket.logging.arn}/*"
+    ]
+  }
+  statement {
+    sid    = "AWSLogDeliveryWrite"
+    effect = "Allow"
+    principals {
+      type        = "Service"
+      identifiers = ["delivery.logs.amazonaws.com"]
+    }
+    actions = [
+      "s3:PutObject"
+    ]
+    resources = [
+      "${aws_s3_bucket.logging.arn}/*"
+    ]
+  }
+  statement {
+    sid    = "AWSLogDeliveryAclCheck"
+    effect = "Allow"
+    principals {
+      type        = "Service"
+      identifiers = ["delivery.logs.amazonaws.com"]
+    }
+    actions = [
+      "s3:GetBucketAcl"
+    ]
+    resources = [
+      "${aws_s3_bucket.logging.arn}"
+    ]
+  }
+}
+
 data "aws_iam_policy" "ecs_task_execution" {
   name = "AmazonECSTaskExecutionRolePolicy"
 }

_data.tf

@@ -266,7 +266,7 @@ locals {
   ecs_cloudwatch_group         = var.ecs_cloudwatch_group == "" ? "/${local.local_name}" : var.ecs_cloudwatch_group
   ecs_cluster_name             = var.ecs_cluster_name == "" ? local.local_name : var.ecs_cluster_name
   s3_viewer_bucket_name        = var.s3_viewer_bucket_name == "" ? "${local.local_name}-${random_string.s3_viewer.result}" : var.s3_viewer_bucket_name
-  s3_logging_bucket_name       = var.s3_logging_bucket_name == "" ? "${local.local_name}-${random_string.s3_viewer.result}" : var.s3_logging_bucket_name
+  s3_logging_bucket_name       = var.s3_logging_bucket_name == "" ? "${local.local_name}-${random_string.s3_viewer.result}-logging" : var.s3_logging_bucket_name
   s3_viewer_bucket_role_name   = var.s3_viewer_bucket_role_name == "" ? "${local.local_name}-ecrv" : var.s3_viewer_bucket_role_name
   tags                         = var.tags
   vpc_endpoints = [

_local.tf

@@ -287,4 +287,4 @@ resource "aws_security_group_rule" "alb_egress" {
   description       = "Allow outbound traffic from alb"
   security_group_id = aws_security_group.alb.id
   cidr_blocks       = ["0.0.0.0/0"]
-}
+}

alb.tf

@@ -57,6 +57,8 @@ resource "aws_ecs_service" "this" {
   deployment_minimum_healthy_percent = 50
   deployment_maximum_percent         = 200
 
+  health_check_grace_period_seconds = 120
+
   deployment_circuit_breaker {
     enable   = true
     rollback = true

ecs.tf

@@ -28,7 +28,7 @@ resource "aws_iam_role" "s3_role_for_ecr_viewer" {
   assume_role_policy = data.aws_iam_policy_document.assume_role.json
   tags               = local.tags
 }
-# s3
+
 resource "aws_iam_policy" "s3_bucket_ecr_viewer" {
   name        = "${local.s3_viewer_bucket_role_name}-policy"
   description = "Policy for ECR-Viewer and S3 for DIBBS-AWS"

iam.tf

@@ -44,6 +44,11 @@ resource "aws_s3_bucket_public_access_block" "logging" {
   restrict_public_buckets = true
 }
 
+resource "aws_s3_bucket_policy" "logging" {
+  bucket = aws_s3_bucket.logging.id
+  policy = data.aws_iam_policy_document.logging.json
+}
+
 # https://avd.aquasec.com/misconfig/aws/s3/avd-aws-0132/
 # trivy:ignore:AVD-AWS-0132
 resource "aws_s3_bucket_server_side_encryption_configuration" "logging" {