Skip to content

feat: add ECR enhanced scanning and fix S3 logging configuration#52

Merged
alismx merged 12 commits intomainfrom
alis/fix-logging-path
Apr 1, 2026
Merged

feat: add ECR enhanced scanning and fix S3 logging configuration#52
alismx merged 12 commits intomainfrom
alis/fix-logging-path

Conversation

@alismx
Copy link
Copy Markdown
Collaborator

@alismx alismx commented Mar 27, 2026
edited
Loading

Summary

This PR adds ECR registry scanning configuration, fixes the S3 logging bucket policy to use ARN references instead of hardcoded paths, and addresses compatibility issues with ALB logging.

Changes

  • enable_ecr.tf: Added aws_ecr_registry_scanning_configuration resource for enhanced ECR scanning (configurable via enable_enhanced_ecr_registry_scanning variable)
  • _data.tf: Refactored S3 policy document to use resource ARN references and simplified permissions
  • s3.tf:
    • Fixed ALB compatibility by switching from KMS to AES256 encryption
    • Added aws_s3_bucket_server_side_encryption_configuration resource
    • Added checkov skip comments for CKV_AWS_144/145 (ALB logging incompatibility)
  • alb.tf: Added proper depends_on for S3 logging policy and encryption configuration
  • ecs.tf: Added dependency on ALB to ensure proper creation order
  • _variable.tf: Added enable_enhanced_ecr_registry_scanning variable
  • README.md: Updated automatically via terraform-docs

Test plan

  • Run terraform plan to verify changes
  • Run terraform validate to check syntax (passed)
  • Run terraform fmt -check to verify formatting (passed)
  • Checkov scan should pass with 0 failed checks (verified: 191 passed, 8 skipped)
  • CI/CD pipeline should pass all checks

@alismx alismx force-pushed the alis/fix-logging-path branch 2 times, most recently from ad92ce8 to c3a44ca Compare March 28, 2026 00:00
@alismx
fix(s3-logging): relax PutObject resource ARN to allow CloudTrail log…
6ce7bc8 
…ging

The previous ARN pattern with `AWSLogs/.../*` path was too restrictive
and prevented the S3 bucket policy from accepting PutObject requests
from CloudTrail. Changed to allow PutObject on any object within the
logging bucket.
@alismx alismx force-pushed the alis/fix-logging-path branch 2 times, most recently from ed32135 to 82f6777 Compare March 28, 2026 00:31
@alismx
fix(s3-logging): relax PutObject resource ARN to allow CloudTrail log…
5646a24 
…ging

The previous ARN pattern with `AWSLogs/.../*` path was too restrictive
and prevented the S3 bucket policy from accepting PutObject requests
from CloudTrail. Changed to allow PutObject on any object within the
logging bucket.
@alismx alismx force-pushed the alis/fix-logging-path branch from 82f6777 to 5646a24 Compare March 28, 2026 00:39
@alismx
fix: add ECR scanning and relax S3 logging for ALB
f7182b0 
- Add aws_ecr_registry_scanning_configuration with ENHANCED scan type and SCAN_ON_PUSH frequency
- Relaxed S3 logging policy to allow ALB access (add ALB ARN as principal)
- Changed S3 action from PutObject to * to allow all necessary S3 operations for logging
@alismx alismx changed the title fix(s3-logging): relax PutObject resource ARN for CloudTrail fix: add ECR scanning and relax S3 logging for ALB Mar 30, 2026
alismx and others added 3 commits March 30, 2026 11:40
@alismx
fix(s3-logging): remove ALB as principal in logging policy
b9b4b14 
- Reverting ALB principal addition as it's not needed for S3 logging
@alismx
feat(ecr): add enhanced registry scanning and ECS service dependency
5122657 
- Add enable_enhanced_ecr_registry_scanning variable for optional enhanced scanning
- Add depends_on for ECS service to wait for ALB creation
- Condition ECR scanning configuration on both disable_ecr and enhanced scanning flag
@alismx
Merge branch 'main' into alis/fix-logging-path
09a1329
@alismx alismx force-pushed the alis/fix-logging-path branch 3 times, most recently from 03e5f94 to 1f2f31d Compare March 30, 2026 22:02
@alismx
fix(s3-logging): narrow ALB policy permissions and add log delivery p…
aa49c4c 
…rincipal

- Change from s3:* to s3:PutObject for ALB access (principle of least privilege)
- Add AWSLogDeliveryWrite statement with Service principal for elasticloadbalancing.amazonaws.com
- This allows ALB to write logs while using least-privileged permissions
@alismx alismx force-pushed the alis/fix-logging-path branch from 1f2f31d to aa49c4c Compare March 30, 2026 22:07
@alismx
fix(alb-s3-policy): add time_sleep delay for S3 bucket policy propaga…
7005eb1 
…tion

ALB creation was failing with 'Access Denied' when trying to write to the
logging bucket because the S3 bucket policy was not fully propagated before
the ALB tried to use it.

The time_sleep resource adds a 10-second delay after the bucket policy is
created/updated, ensuring AWS has time to apply the policy before the ALB
attempts to write access logs.

- Added time_sleep.wait_for_s3_bucket_policy in s3.tf
- Added time provider in provider.tf
- Updated alb.tf depends_on to include time_sleep resource
@alismx alismx force-pushed the alis/fix-logging-path branch 5 times, most recently from cff6652 to 7bb6418 Compare March 30, 2026 23:05
@alismx
gfix(s3-logging): use AWS account principal instead of service principal
f0d8122 
S3 bucket policies do not support service principals like
'elasticloadbalancing.amazonaws.com'. This is a common confusion -
service principals only work in resource-based policies that explicitly
support them (SQS, SNS, Lambda).

For S3 bucket policies, you must use the account-specific ELB service
account ARN from data.aws_elb_service_account.elb_account_id.arn.

- Removed AWSLogDeliveryWrite statement using service principal
- Changed AWSLogDeliveryAclCheck to use AWS type with ELB service account

Fixes: ALB creation failing with 'Access Denied' for bucket
@alismx alismx force-pushed the alis/fix-logging-path branch from 7bb6418 to f0d8122 Compare March 30, 2026 23:08
@alismx alismx changed the title fix: add ECR scanning and relax S3 logging for ALB refactor: remove time provider and add skip comments for ALB logging Mar 31, 2026
@alismx
refactor: remove time provider and add skip comments for ALB logging
8c67333 
- Remove unused hashicorp/time TerraForm provider dependency
- Add checkov and trivy skip comments for CKV_AWS_145 and AVD-AWS-0132 on
  ALB logging S3 bucket (expected - ALB logging is not compatible with
  customer managed KMS keys)

Related: alis/fix-logging-path
@alismx alismx force-pushed the alis/fix-logging-path branch from bf53320 to 8c67333 Compare March 31, 2026 19:49
@alismx
fix: add CKV_AWS_145 skip comment to S3 logging bucket
ddf1608 
- Add checkov skip comment for CKV_AWS_145 on aws_s3_bucket.logging
  (ALB logging not fully compatible with customer managed KMS keys)
- Regenerate README.md and configuration.png via tfutil

Related: alis/fix-logging-path
@alismx alismx changed the title refactor: remove time provider and add skip comments for ALB logging feat: add ECR enhanced scanning and fix S3 logging configuration Mar 31, 2026
@alismx alismx requested a review from shanice-skylight March 31, 2026 20:32
shanice-skylight
shanice-skylight approved these changes Apr 1, 2026
View reviewed changes
Copy link
Copy Markdown
Collaborator

@shanice-skylight shanice-skylight left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Reviewed all file changes and ran all test plan actions that successfully passed. Terraform plan results here. LGTG

_data.tf
sid = "AllowALBAccess"
effect = "Allow"
actions = ["s3:PutObject", "s3:PutObjectAcl"]
actions = ["s3:PutObject"]
Copy link
Copy Markdown
Collaborator

@shanice-skylight shanice-skylight Apr 1, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Did you intentional remove the s3:PutObjectAcl action?

Copy link
Copy Markdown
Collaborator Author

@alismx alismx Apr 1, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, turns out it wasn't needed.

@alismx alismx merged commit 8e1ee72 into main Apr 1, 2026
3 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@shanice-skylight shanice-skylight shanice-skylight approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@alismx @shanice-skylight