
feat: send logs to new Cloud Based Sensor bucket #745

Closed patheard closed 2 years ago

patheard commented 2 years ago

Summary

Update WAF ACL, load balancer and VPC logs to use new Cloud Based Sensor satellite bucket.

Also sorts the ECS task definition JSON alphanumerically by key, so that future Terraform plans no longer flip-flop based on key order.

Related

sylviamclaughlin commented 2 years ago

Looks good to me as well!

github-actions[bot] commented 2 years ago

Plan changes

✅   Terraform Format: success ✅   Terraform Plan: success

⚠️   WARNING: resources will be destroyed by this change!

Plan: 5 to add, 3 to change, 4 to destroy
Show plan ```terraform Resource actions are indicated with the following symbols: + create ~ update in-place -/+ destroy and then create replacement Terraform will perform the following actions: # aws_flow_log.cloud_based_sensor will be created + resource "aws_flow_log" "cloud_based_sensor" { + arn = (known after apply) + id = (known after apply) + log_destination = "arn:aws:s3:::cbs-satellite-595701125956/vpc_flow_logs/" + log_destination_type = "s3" + log_format = "${vpc-id} ${version} ${account-id} ${interface-id} ${srcaddr} ${dstaddr} ${srcport} ${dstport} ${protocol} ${packets} ${bytes} ${start} ${end} ${action} ${log-status} ${subnet-id} ${instance-id}" + log_group_name = (known after apply) + max_aggregation_interval = 600 + tags = { + "CostCentre" = "CovidPortal_Staging" + "Terraform" = "true" } + tags_all = { + "CostCentre" = "CovidPortal_Staging" + "Terraform" = "true" } + traffic_type = "ALL" + vpc_id = "vpc-0e71ff594dff0ef9d" } # aws_iam_role_policy.firehose_waf_logs will be updated in-place ~ resource "aws_iam_role_policy" "firehose_waf_logs" { id = "firehose_waf_logs:firehose-waf-logs-policy" name = "firehose-waf-logs-policy" ~ policy = jsonencode( ~ { ~ Statement = [ ~ { Action = [ "s3:AbortMultipartUpload", "s3:GetBucketLocation", "s3:GetObject", "s3:ListBucket", "s3:ListBucketMultipartUploads", "s3:PutObject", ] Effect = "Allow" ~ Resource = [ - "arn:aws:s3:::staging-covid-portal-terraform-waf-logs", - "arn:aws:s3:::staging-covid-portal-terraform-waf-logs/*", - "arn:aws:s3:::staging-qrcode-terraform-waf-logs", - "arn:aws:s3:::staging-qrcode-terraform-waf-logs/*", + "arn:aws:s3:::cbs-satellite-595701125956", + "arn:aws:s3:::cbs-satellite-595701125956/*", ] Sid = "" }, { Action = "iam:CreateServiceLinkedRole" Effect = "Allow" Resource = "arn:aws:iam::*:role/aws-service-role/wafv2.amazonaws.com/AWSServiceRoleForWAFV2Logging" }, ] Version = "2012-10-17" } ) role = "firehose_waf_logs" } # aws_kinesis_firehose_delivery_stream.firehose_waf_logs must be 
replaced -/+ resource "aws_kinesis_firehose_delivery_stream" "firehose_waf_logs" { ~ arn = "arn:aws:firehose:ca-central-1:595701125956:deliverystream/aws-waf-logs-covid-portal" -> (known after apply) ~ destination = "s3" -> "extended_s3" # forces replacement ~ destination_id = "destinationId-000000000001" -> (known after apply) ~ id = "arn:aws:firehose:ca-central-1:595701125956:deliverystream/aws-waf-logs-covid-portal" -> (known after apply) name = "aws-waf-logs-covid-portal" - tags = {} -> null ~ tags_all = {} -> (known after apply) ~ version_id = "1" -> (known after apply) + extended_s3_configuration { + bucket_arn = "arn:aws:s3:::cbs-satellite-595701125956" + buffer_interval = 300 + buffer_size = 5 + compression_format = "GZIP" + prefix = "waf_acl_logs/AWSLogs/595701125956/" + role_arn = "arn:aws:iam::595701125956:role/firehose_waf_logs" + s3_backup_mode = "Disabled" + cloudwatch_logging_options { + enabled = (known after apply) + log_group_name = (known after apply) + log_stream_name = (known after apply) } } - s3_configuration { - bucket_arn = "arn:aws:s3:::staging-covid-portal-terraform-waf-logs" -> null - buffer_interval = 300 -> null - buffer_size = 5 -> null - compression_format = "UNCOMPRESSED" -> null - role_arn = "arn:aws:iam::595701125956:role/firehose_waf_logs" -> null - cloudwatch_logging_options { - enabled = false -> null } } ~ server_side_encryption { enabled = true key_type = "AWS_OWNED_CMK" } } # aws_kinesis_firehose_delivery_stream.firehose_waf_logs_qrcode must be replaced -/+ resource "aws_kinesis_firehose_delivery_stream" "firehose_waf_logs_qrcode" { ~ arn = "arn:aws:firehose:ca-central-1:595701125956:deliverystream/aws-waf-logs-qrcode" -> (known after apply) ~ destination = "s3" -> "extended_s3" # forces replacement ~ destination_id = "destinationId-000000000001" -> (known after apply) ~ id = "arn:aws:firehose:ca-central-1:595701125956:deliverystream/aws-waf-logs-qrcode" -> (known after apply) name = "aws-waf-logs-qrcode" - tags = {} -> null 
~ tags_all = {} -> (known after apply) ~ version_id = "2" -> (known after apply) + extended_s3_configuration { + bucket_arn = "arn:aws:s3:::cbs-satellite-595701125956" + buffer_interval = 300 + buffer_size = 5 + compression_format = "GZIP" + prefix = "waf_acl_logs/AWSLogs/595701125956/" + role_arn = "arn:aws:iam::595701125956:role/firehose_waf_logs" + s3_backup_mode = "Disabled" + cloudwatch_logging_options { + enabled = (known after apply) + log_group_name = (known after apply) + log_stream_name = (known after apply) } } - s3_configuration { - bucket_arn = "arn:aws:s3:::staging-qrcode-terraform-waf-logs" -> null - buffer_interval = 300 -> null - buffer_size = 5 -> null - compression_format = "UNCOMPRESSED" -> null - role_arn = "arn:aws:iam::595701125956:role/firehose_waf_logs" -> null - cloudwatch_logging_options { - enabled = false -> null } } ~ server_side_encryption { enabled = true key_type = "AWS_OWNED_CMK" } } # aws_lb.covidportal will be updated in-place ~ resource "aws_lb" "covidportal" { arn = "arn:aws:elasticloadbalancing:ca-central-1:595701125956:loadbalancer/app/covidportal/da875a433e92c979" arn_suffix = "app/covidportal/da875a433e92c979" desync_mitigation_mode = "defensive" dns_name = "covidportal-2003356828.ca-central-1.elb.amazonaws.com" drop_invalid_header_fields = true enable_deletion_protection = false enable_http2 = true enable_waf_fail_open = false id = "arn:aws:elasticloadbalancing:ca-central-1:595701125956:loadbalancer/app/covidportal/da875a433e92c979" idle_timeout = 60 internal = false ip_address_type = "ipv4" load_balancer_type = "application" name = "covidportal" security_groups = [ "sg-0ddadcce9ea825a8e", ] subnets = [ "subnet-019b511faf5fd96eb", "subnet-0505d325018e25d58", "subnet-0c98cfbc9ade945e9", ] tags = { "CostCentre" = "CovidPortal_Staging" "Name" = "covidportal" } tags_all = { "CostCentre" = "CovidPortal_Staging" "Name" = "covidportal" } vpc_id = "vpc-0e71ff594dff0ef9d" zone_id = "ZQSVJUPU6J1EY" ~ access_logs { + bucket = 
"cbs-satellite-595701125956" ~ enabled = false -> true + prefix = "lb_logs" } subnet_mapping { subnet_id = "subnet-019b511faf5fd96eb" } subnet_mapping { subnet_id = "subnet-0505d325018e25d58" } subnet_mapping { subnet_id = "subnet-0c98cfbc9ade945e9" } } # aws_lb.qrcode will be updated in-place ~ resource "aws_lb" "qrcode" { arn = "arn:aws:elasticloadbalancing:ca-central-1:595701125956:loadbalancer/app/qrcode/c33f21bbbe1577f8" arn_suffix = "app/qrcode/c33f21bbbe1577f8" desync_mitigation_mode = "defensive" dns_name = "qrcode-1495691432.ca-central-1.elb.amazonaws.com" drop_invalid_header_fields = true enable_deletion_protection = false enable_http2 = true enable_waf_fail_open = false id = "arn:aws:elasticloadbalancing:ca-central-1:595701125956:loadbalancer/app/qrcode/c33f21bbbe1577f8" idle_timeout = 60 internal = false ip_address_type = "ipv4" load_balancer_type = "application" name = "qrcode" security_groups = [ "sg-08c0baa62db7587c4", ] subnets = [ "subnet-019b511faf5fd96eb", "subnet-0505d325018e25d58", "subnet-0c98cfbc9ade945e9", ] tags = { "CostCentre" = "CovidPortal_Staging" "Name" = "qrcode" } tags_all = { "CostCentre" = "CovidPortal_Staging" "Name" = "qrcode" } vpc_id = "vpc-0e71ff594dff0ef9d" zone_id = "ZQSVJUPU6J1EY" ~ access_logs { + bucket = "cbs-satellite-595701125956" ~ enabled = false -> true + prefix = "lb_logs" } subnet_mapping { subnet_id = "subnet-019b511faf5fd96eb" } subnet_mapping { subnet_id = "subnet-0505d325018e25d58" } subnet_mapping { subnet_id = "subnet-0c98cfbc9ade945e9" } } # aws_wafv2_web_acl_logging_configuration.firehose_waf_logs_portal must be replaced -/+ resource "aws_wafv2_web_acl_logging_configuration" "firehose_waf_logs_portal" { ~ id = "arn:aws:wafv2:ca-central-1:595701125956:regional/webacl/covid_portal/33daa4cb-63b4-41df-9aee-4e05a91b538c" -> (known after apply) ~ log_destination_configs = [ - "arn:aws:firehose:ca-central-1:595701125956:deliverystream/aws-waf-logs-covid-portal", ] -> (known after apply) # forces replacement 
resource_arn = "arn:aws:wafv2:ca-central-1:595701125956:regional/webacl/covid_portal/33daa4cb-63b4-41df-9aee-4e05a91b538c" } # aws_wafv2_web_acl_logging_configuration.firehose_waf_logs_qrcode must be replaced -/+ resource "aws_wafv2_web_acl_logging_configuration" "firehose_waf_logs_qrcode" { ~ id = "arn:aws:wafv2:ca-central-1:595701125956:regional/webacl/qrcode/90ed9118-ca41-437c-862b-a8d6cb10a584" -> (known after apply) ~ log_destination_configs = [ - "arn:aws:firehose:ca-central-1:595701125956:deliverystream/aws-waf-logs-qrcode", ] -> (known after apply) # forces replacement resource_arn = "arn:aws:wafv2:ca-central-1:595701125956:regional/webacl/qrcode/90ed9118-ca41-437c-862b-a8d6cb10a584" } Plan: 5 to add, 3 to change, 4 to destroy. Changes to Outputs: ~ aws_private_subnets = [ ~ { arn = "arn:aws:ec2:ca-central-1:595701125956:subnet/subnet-0dbc9e98ee932ec56" assign_ipv6_address_on_creation = false availability_zone = "ca-central-1a" availability_zone_id = "cac1-az1" cidr_block = "172.16.0.0/20" customer_owned_ipv4_pool = "" + enable_dns64 = false + enable_resource_name_dns_a_record_on_launch = false + enable_resource_name_dns_aaaa_record_on_launch = false id = "subnet-0dbc9e98ee932ec56" ipv6_cidr_block = "" ipv6_cidr_block_association_id = "" + ipv6_native = false map_customer_owned_ip_on_launch = false map_public_ip_on_launch = false outpost_arn = "" owner_id = "595701125956" + private_dns_hostname_type_on_launch = "ip-name" tags = { "Access" = "private" "CostCentre" = "CovidPortal_Staging" "Name" = "Private Subnet 01" } tags_all = { "Access" = "private" "CostCentre" = "CovidPortal_Staging" "Name" = "Private Subnet 01" } timeouts = null vpc_id = "vpc-0e71ff594dff0ef9d" }, ~ { arn = "arn:aws:ec2:ca-central-1:595701125956:subnet/subnet-06cba26d17da3fb51" assign_ipv6_address_on_creation = false availability_zone = "ca-central-1b" availability_zone_id = "cac1-az2" cidr_block = "172.16.16.0/20" customer_owned_ipv4_pool = "" + enable_dns64 = false + 
enable_resource_name_dns_a_record_on_launch = false + enable_resource_name_dns_aaaa_record_on_launch = false id = "subnet-06cba26d17da3fb51" ipv6_cidr_block = "" ipv6_cidr_block_association_id = "" + ipv6_native = false map_customer_owned_ip_on_launch = false map_public_ip_on_launch = false outpost_arn = "" owner_id = "595701125956" + private_dns_hostname_type_on_launch = "ip-name" tags = { "Access" = "private" "CostCentre" = "CovidPortal_Staging" "Name" = "Private Subnet 02" } tags_all = { "Access" = "private" "CostCentre" = "CovidPortal_Staging" "Name" = "Private Subnet 02" } timeouts = null vpc_id = "vpc-0e71ff594dff0ef9d" }, ~ { arn = "arn:aws:ec2:ca-central-1:595701125956:subnet/subnet-070154c5e39558532" assign_ipv6_address_on_creation = false availability_zone = "ca-central-1d" availability_zone_id = "cac1-az4" cidr_block = "172.16.32.0/20" customer_owned_ipv4_pool = "" + enable_dns64 = false + enable_resource_name_dns_a_record_on_launch = false + enable_resource_name_dns_aaaa_record_on_launch = false id = "subnet-070154c5e39558532" ipv6_cidr_block = "" ipv6_cidr_block_association_id = "" + ipv6_native = false map_customer_owned_ip_on_launch = false map_public_ip_on_launch = false outpost_arn = "" owner_id = "595701125956" + private_dns_hostname_type_on_launch = "ip-name" tags = { "Access" = "private" "CostCentre" = "CovidPortal_Staging" "Name" = "Private Subnet 03" } tags_all = { "Access" = "private" "CostCentre" = "CovidPortal_Staging" "Name" = "Private Subnet 03" } timeouts = null vpc_id = "vpc-0e71ff594dff0ef9d" }, ] ~ aws_public_subnets = [ ~ { arn = "arn:aws:ec2:ca-central-1:595701125956:subnet/subnet-0c98cfbc9ade945e9" assign_ipv6_address_on_creation = false availability_zone = "ca-central-1a" availability_zone_id = "cac1-az1" cidr_block = "172.16.48.0/20" customer_owned_ipv4_pool = "" + enable_dns64 = false + enable_resource_name_dns_a_record_on_launch = false + enable_resource_name_dns_aaaa_record_on_launch = false id = "subnet-0c98cfbc9ade945e9" 
ipv6_cidr_block = "" ipv6_cidr_block_association_id = "" + ipv6_native = false map_customer_owned_ip_on_launch = false map_public_ip_on_launch = false outpost_arn = "" owner_id = "595701125956" + private_dns_hostname_type_on_launch = "ip-name" tags = { "Access" = "public" "CostCentre" = "CovidPortal_Staging" "Name" = "Public Subnet 01" } tags_all = { "Access" = "public" "CostCentre" = "CovidPortal_Staging" "Name" = "Public Subnet 01" } timeouts = null vpc_id = "vpc-0e71ff594dff0ef9d" }, ~ { arn = "arn:aws:ec2:ca-central-1:595701125956:subnet/subnet-019b511faf5fd96eb" assign_ipv6_address_on_creation = false availability_zone = "ca-central-1b" availability_zone_id = "cac1-az2" cidr_block = "172.16.64.0/20" customer_owned_ipv4_pool = "" + enable_dns64 = false + enable_resource_name_dns_a_record_on_launch = false + enable_resource_name_dns_aaaa_record_on_launch = false id = "subnet-019b511faf5fd96eb" ipv6_cidr_block = "" ipv6_cidr_block_association_id = "" + ipv6_native = false map_customer_owned_ip_on_launch = false map_public_ip_on_launch = false outpost_arn = "" owner_id = "595701125956" + private_dns_hostname_type_on_launch = "ip-name" tags = { "Access" = "public" "CostCentre" = "CovidPortal_Staging" "Name" = "Public Subnet 02" } tags_all = { "Access" = "public" "CostCentre" = "CovidPortal_Staging" "Name" = "Public Subnet 02" } timeouts = null vpc_id = "vpc-0e71ff594dff0ef9d" }, ~ { arn = "arn:aws:ec2:ca-central-1:595701125956:subnet/subnet-0505d325018e25d58" assign_ipv6_address_on_creation = false availability_zone = "ca-central-1d" availability_zone_id = "cac1-az4" cidr_block = "172.16.80.0/20" customer_owned_ipv4_pool = "" + enable_dns64 = false + enable_resource_name_dns_a_record_on_launch = false + enable_resource_name_dns_aaaa_record_on_launch = false id = "subnet-0505d325018e25d58" ipv6_cidr_block = "" ipv6_cidr_block_association_id = "" + ipv6_native = false map_customer_owned_ip_on_launch = false map_public_ip_on_launch = false outpost_arn = "" owner_id = 
"595701125956" + private_dns_hostname_type_on_launch = "ip-name" tags = { "Access" = "public" "CostCentre" = "CovidPortal_Staging" "Name" = "Public Subnet 03" } tags_all = { "Access" = "public" "CostCentre" = "CovidPortal_Staging" "Name" = "Public Subnet 03" } timeouts = null vpc_id = "vpc-0e71ff594dff0ef9d" }, ] ~ ecs_cluster = { arn = "arn:aws:ecs:ca-central-1:595701125956:cluster/covid-portal_staging" capacity_providers = [ "FARGATE", ] + configuration = [] default_capacity_provider_strategy = [ { base = 2 capacity_provider = "FARGATE" weight = 1 }, ] id = "arn:aws:ecs:ca-central-1:595701125956:cluster/covid-portal_staging" name = "covid-portal_staging" setting = [ { name = "containerInsights" value = "enabled" }, ] tags = { "CostCentre" = "CovidPortal_Staging" } tags_all = { "CostCentre" = "CovidPortal_Staging" } } ~ route53_zone = { + arn = "arn:aws:route53:::hostedzone/Z04010123IJK3Z6J7TE8H" comment = "Managed by Terraform" delegation_set_id = "" force_destroy = false id = "Z04010123IJK3Z6J7TE8H" name = "tf.covid-hcportal.cdssandbox.xyz" name_servers = [ "ns-1524.awsdns-62.org", "ns-1939.awsdns-50.co.uk", "ns-41.awsdns-05.com", "ns-927.awsdns-51.net", ] tags = { "CostCentre" = "CovidPortal_Staging" } tags_all = { "CostCentre" = "CovidPortal_Staging" } vpc = [] zone_id = "Z04010123IJK3Z6J7TE8H" } security_group_egress = { arn = "arn:aws:ec2:ca-central-1:595701125956:security-group/sg-006789af77a3fbdcb" description = "Egress - CovidShield External Services" egress = [ { cidr_blocks = [ "0.0.0.0/0", ] description = "Security group rule for Portal New Relic egress" from_port = 443 ipv6_cidr_blocks = [] prefix_list_ids = [] protocol = "tcp" security_groups = [] self = false to_port = 443 }, { cidr_blocks = [ "0.0.0.0/0", ] description = "Security group rule for Portal email egress" from_port = 587 ipv6_cidr_blocks = [] prefix_list_ids = [] protocol = "tcp" security_groups = [] self = false to_port = 587 }, ] id = "sg-006789af77a3fbdcb" ingress = [] name = 
"egress-anywhere" name_prefix = "" owner_id = "595701125956" revoke_rules_on_delete = false tags = { "CostCentre" = "CovidPortal_Staging" } tags_all = { "CostCentre" = "CovidPortal_Staging" } timeouts = null vpc_id = "vpc-0e71ff594dff0ef9d" } security_group_load_balancer = { arn = "arn:aws:ec2:ca-central-1:595701125956:security-group/sg-0ddadcce9ea825a8e" description = "Ingress - covidportal Load Balancer" egress = [ { cidr_blocks = [ "172.16.0.0/16", ] description = "" from_port = 8000 ipv6_cidr_blocks = [] prefix_list_ids = [] protocol = "tcp" security_groups = [] self = false to_port = 8000 }, ] id = "sg-0ddadcce9ea825a8e" ingress = [ { cidr_blocks = [ "0.0.0.0/0", ] description = "" from_port = 443 ipv6_cidr_blocks = [] prefix_list_ids = [] protocol = "tcp" security_groups = [] self = false to_port = 443 }, { cidr_blocks = [ "0.0.0.0/0", ] description = "" from_port = 80 ipv6_cidr_blocks = [] prefix_list_ids = [] protocol = "tcp" security_groups = [] self = false to_port = 80 }, ] name = "covidportal-load-balancer" name_prefix = "" owner_id = "595701125956" revoke_rules_on_delete = false tags = { "CostCentre" = "CovidPortal_Staging" } tags_all = { "CostCentre" = "CovidPortal_Staging" } timeouts = null vpc_id = "vpc-0e71ff594dff0ef9d" } ~ vpc = { arn = "arn:aws:ec2:ca-central-1:595701125956:vpc/vpc-0e71ff594dff0ef9d" assign_generated_ipv6_cidr_block = false cidr_block = "172.16.0.0/16" default_network_acl_id = "acl-04bf80ef98d3cf2a4" default_route_table_id = "rtb-031c88e9e9b61a7e6" default_security_group_id = "sg-063dafcff8f2e96d9" dhcp_options_id = "dopt-61f0de09" ~ enable_classiclink = null -> false ~ enable_classiclink_dns_support = null -> false enable_dns_hostnames = true enable_dns_support = true id = "vpc-0e71ff594dff0ef9d" instance_tenancy = "default" + ipv4_ipam_pool_id = null + ipv4_netmask_length = null ipv6_association_id = "" ipv6_cidr_block = "" + ipv6_cidr_block_network_border_group = "" + ipv6_ipam_pool_id = "" + ipv6_netmask_length = 0 
main_route_table_id = "rtb-031c88e9e9b61a7e6" owner_id = "595701125956" tags = { "CostCentre" = "CovidPortal_Staging" "Name" = "covidportal" } tags_all = { "CostCentre" = "CovidPortal_Staging" "Name" = "covidportal" } } ------------------------------------------------------------------------ This plan was saved to: plan.tfplan To perform exactly these actions, run the following command to apply: terraform apply "plan.tfplan" ```
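Review bot: Both `aws_wafv2_web_acl_logging_configuration` resources and both Firehose streams are destroyed and recreated (`-/+`, `destination = "s3" -> "extended_s3" # forces replacement`), so WAF logging for the covid_portal and qrcode ACLs stops between the destroy and the create; plan the apply for a quiet window and confirm afterwards that objects land under `waf_acl_logs/AWSLogs/595701125956/` in the CBS bucket. The new `extended_s3_configuration` leaves `cloudwatch_logging_options.enabled = (known after apply)` where the removed `s3_configuration` had it `false`; if it resolves to off, deliveries that the CBS bucket policy rejects fail silently, so consider `cloudwatch_logging_options { enabled = true }` on both streams. The updated `firehose-waf-logs-policy` also grants `s3:GetObject`/`s3:ListBucket` on the whole `cbs-satellite-595701125956` bucket, which now also receives the LB and VPC flow logs; if the satellite consumer allows it, scoping the object resource to `arn:aws:s3:::cbs-satellite-595701125956/waf_acl_logs/*` keeps the Firehose role to least privilege.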