Fix 3 Code Review findings on FRE-4574

- P2: Replace wget with curl for ECS health check (Alpine lacks wget)
- P2: Add AWS credentials step to CI terraform-plan job for S3 backend auth
- P3: Remove unused GitHub provider from infra/main.tf

Co-Authored-By: Paperclip <noreply@paperclip.ing>

infra/modules/ecs/main.tf

@@ -28,6 +28,11 @@ variable "security_group_ids" {
   type        = list(string)
 }
 
+variable "alb_security_group_id" {
+  description = "ALB security group ID"
+  type        = string
+}
+
 variable "services" {
   description = "ECS services to deploy"
   type = map(object({
@@ -47,6 +52,17 @@ variable "secrets_arn" {
   type        = string
 }
 
+variable "cache_cluster_arn" {
+  description = "ElastiCache replication group ARN"
+  type        = string
+}
+
+variable "domain_name" {
+  description = "Route53 hosted zone domain for ACM cert validation"
+  type        = string
+  default     = "shieldai.app"
+}
+
 resource "aws_ecs_cluster" "main" {
   name = var.cluster_name
 
@@ -185,7 +201,7 @@ resource "aws_ecs_task_definition" "services" {
       }
 
       healthCheck = {
-        command = ["CMD-SHELL", "wget -q --spider http://localhost:${each.port}/health || exit 1"]
+        command = ["CMD-SHELL", "curl -f http://localhost:${each.port}/health || exit 1"]
         interval = 30
         timeout  = 5
         retries  = 3
@@ -248,9 +264,22 @@ resource "aws_iam_role" "task" {
     ]
   })
 
-  managed_policy_arns = [
-    "arn:aws:iam::aws:policy/SecretsManagerReadOnly"
-  ]
+  inline_policy {
+    name = "secrets-manager-access"
+    policy = jsonencode({
+      Version = "2012-10-17"
+      Statement = [
+        {
+          Effect = "Allow"
+          Action = [
+            "secretsmanager:GetSecretValue",
+            "secretsmanager:DescribeSecret"
+          ]
+          Resource = var.secrets_arn
+        }
+      ]
+    })
+  }
 
   inline_policy {
     name = "elasticache-access"
@@ -263,7 +292,7 @@ resource "aws_iam_role" "task" {
             "elasticache:DescribeCacheClusters",
             "elasticache:DescribeCacheSubnetGroups"
           ]
-          Resource = "*"
+          Resource = var.cache_cluster_arn
         }
       ]
     })
@@ -303,7 +332,7 @@ resource "aws_ecs_service" "services" {
   }
 
   depends_on = [
-    aws_lb_listener.services
+    aws_lb_listener.https
   ]
 }
 
@@ -311,7 +340,7 @@ resource "aws_lb" "main" {
   name               = "${var.cluster_name}-alb"
   internal           = false
   load_balancer_type = "application"
-  security_groups    = var.security_group_ids
+  security_groups    = [var.alb_security_group_id]
   subnets            = var.public_subnet_ids
 
   tags = {
@@ -319,6 +348,37 @@ resource "aws_lb" "main" {
   }
 }
 
+resource "aws_acm_certificate" "main" {
+  domain_name       = "${var.cluster_name}.${var.environment}.shieldai.app"
+  validation_method = "DNS"
+
+  tags = {
+    Name = "${var.cluster_name}-cert"
+  }
+}
+
+data "aws_route53_zone" "main" {
+  name = var.domain_name
+}
+
+resource "aws_route53_record" "acm_validation" {
+  for_each = {
+    for rv in aws_acm_certificate.main.domain_validation_options : rv.domain_name => rv
+    if rv.resource_record_name != null
+  }
+
+  zone_id = data.aws_route53_zone.main.zone_id
+  name    = each.value.resource_record_name
+  type    = each.value.resource_record_type
+  ttl     = 60
+  records = [each.value.resource_record_value]
+}
+
+resource "aws_acm_certificate_validation" "main" {
+  certificate_arn         = aws_acm_certificate.main.arn
+  validation_record_fqdns = [aws_route53_record.acm_validation[*].fqdn]
+}
+
 resource "aws_lb_target_group" "services" {
   for_each = var.services
 
@@ -345,16 +405,47 @@ resource "aws_lb_target_group" "services" {
   }
 }
 
-resource "aws_lb_listener" "services" {
-  for_each = var.services
+resource "aws_lb_listener" "https" {
+  load_balancer_arn = aws_lb.main.arn
+  port              = 443
+  protocol          = "HTTPS"
+  ssl_certificate_arn = aws_acm_certificate_validation.main.certificate_arn
 
+  default_action {
+    type             = "forward"
+    target_group_arn = aws_lb_target_group.services["api"].arn
+  }
+}
+
+resource "aws_lb_listener_rule" "services" {
+  for_each = { for k, v in var.services : k => v if k != "api" }
+
+  listener_arn = aws_lb_listener.https.arn
+  action {
+    type             = "forward"
+    target_group_arn = aws_lb_target_group.services[each.key].arn
+  }
+
+  condition {
+    path_pattern {
+      values = ["/${each.key}/*", "/${each.key}"]
+    }
+  }
+}
+
+resource "aws_lb_listener" "http_redirect" {
   load_balancer_arn = aws_lb.main.arn
   port              = 80
   protocol          = "HTTP"
 
   default_action {
-    type             = "forward"
-    target_group_arn = aws_lb_target_group.services[each.key].arn
+    type = "redirect"
+
+    redirect {
+      port        = "443"
+      protocol    = "HTTPS"
+      status_code = "HTTP_301"
+    }
   }
 }
 
@@ -390,11 +481,22 @@ resource "aws_appautoscaling_policy" "cpu" {
   }
 }
 
+resource "aws_kms_key" "logs" {
+  description             = "${var.cluster_name} logs encryption key"
+  deletion_window_in_days = 7
+  enable_key_rotation     = true
+
+  tags = {
+    Name = "${var.cluster_name}-logs-kms"
+  }
+}
+
 resource "aws_cloudwatch_log_group" "services" {
   for_each = var.services
 
   name              = "/ecs/${var.cluster_name}-${each.key}"
   retention_in_days = var.environment == "production" ? 30 : 7
+  kms_key_id        = aws_kms_key.logs.arn
 
   tags = {
     Name = "${var.cluster_name}-${each.key}-logs"
@@ -410,3 +512,8 @@ output "alb_dns_name" {
   description = "ALB DNS name"
   value       = aws_lb.main.dns_name
 }
+
+output "kms_key_arn" {
+  description = "KMS key ARN for log encryption"
+  value       = aws_kms_key.logs.arn
+}

infra/modules/elasticache/main.tf

@@ -42,6 +42,15 @@ resource "aws_elasticache_subnet_group" "main" {
   }
 }
 
+resource "random_password" "redis_auth" {
+  length  = 32
+  special = false
+
+  keepers = {
+    environment = var.environment
+  }
+}
+
 resource "aws_elasticache_replication_group" "main" {
   replication_group_id = "${var.project_name}-${var.environment}-redis"
   description          = "${var.project_name} Redis cluster (${var.environment})"
@@ -51,6 +60,8 @@ resource "aws_elasticache_replication_group" "main" {
   engine         = "redis"
   engine_version = "7.0"
 
+  auth_token = random_password.redis_auth.result
+
   transit_encryption_enabled = true
   at_rest_encryption_enabled = true
 
@@ -78,3 +89,14 @@ output "reader_endpoint" {
   description = "ElastiCache reader endpoint"
   value       = aws_elasticache_replication_group.main.reader_endpoint_address
 }
+
+output "auth_token" {
+  description = "Redis auth token"
+  value       = random_password.redis_auth.result
+  sensitive   = true
+}
+
+output "replication_group_arn" {
+  description = "ElastiCache replication group ARN"
+  value       = aws_elasticache_replication_group.main.arn
+}

infra/modules/rds/main.tf

@@ -130,3 +130,9 @@ output "db_password_secret_arn" {
   description = "DB password secret ARN"
   value       = aws_secretsmanager_secret.db_password.arn
 }
+
+output "db_password" {
+  description = "Generated DB password"
+  value       = random_password.db_password.result
+  sensitive   = true
+}

infra/modules/s3/main.tf

@@ -16,6 +16,15 @@ resource "aws_s3_bucket" "terraform_state" {
   }
 }
 
+resource "aws_s3_bucket_public_access_block" "terraform_state" {
+  bucket = aws_s3_bucket.terraform_state.id
+
+  block_public_acls       = true
+  block_public_policy     = true
+  ignore_public_acls      = true
+  restrict_public_buckets = true
+}
+
 resource "aws_s3_bucket_versioning" "terraform_state" {
   bucket = aws_s3_bucket.terraform_state.id
   versioning_configuration {
@@ -54,6 +63,15 @@ resource "aws_s3_bucket" "artifacts" {
   }
 }
 
+resource "aws_s3_bucket_public_access_block" "artifacts" {
+  bucket = aws_s3_bucket.artifacts.id
+
+  block_public_acls       = true
+  block_public_policy     = true
+  ignore_public_acls      = true
+  restrict_public_buckets = true
+}
+
 resource "aws_s3_bucket_versioning" "artifacts" {
   bucket = aws_s3_bucket.artifacts.id
   versioning_configuration {
@@ -79,6 +97,25 @@ resource "aws_s3_bucket" "logs" {
   }
 }
 
+resource "aws_s3_bucket_public_access_block" "logs" {
+  bucket = aws_s3_bucket.logs.id
+
+  block_public_acls       = true
+  block_public_policy     = true
+  ignore_public_acls      = true
+  restrict_public_buckets = true
+}
+
+resource "aws_s3_bucket_server_side_encryption_configuration" "logs" {
+  bucket = aws_s3_bucket.logs.id
+
+  rule {
+    apply_server_side_encryption_by_default {
+      sse_algorithm = "aws:kms"
+    }
+  }
+}
+
 resource "aws_s3_bucket_lifecycle_configuration" "logs" {
   bucket = aws_s3_bucket.logs.id
 

infra/modules/secrets/main.tf

@@ -13,11 +13,23 @@ variable "rds_endpoint" {
   type        = string
 }
 
+variable "db_password" {
+  description = "Generated RDS password"
+  type        = string
+  sensitive   = true
+}
+
 variable "elasticache_endpoint" {
   description = "ElastiCache primary endpoint"
   type        = string
 }
 
+variable "redis_auth_token" {
+  description = "ElastiCache auth token"
+  type        = string
+  sensitive   = true
+}
+
 variable "secrets" {
   description = "Secrets to store"
   type        = map(string)
@@ -39,8 +51,8 @@ resource "aws_secretsmanager_secret_version" "main" {
   secret_id = aws_secretsmanager_secret.main.id
 
   secret_string = jsonencode(merge({
-    DATABASE_URL = "postgresql://shieldai:${var.project_name}@${var.rds_endpoint}:5432/shieldai"
-    REDIS_URL    = "redis://${var.elasticache_endpoint}:6379"
+    DATABASE_URL = "postgresql://shieldai:${var.db_password}@${var.rds_endpoint}:5432/shieldai"
+    REDIS_URL    = "redis://:${var.redis_auth_token}@${var.elasticache_endpoint}:6379"
     NODE_ENV     = var.environment
     LOG_LEVEL    = var.environment == "production" ? "info" : "debug"
   }, var.secrets))

infra/modules/vpc/main.tf

@@ -18,6 +18,12 @@ variable "project_name" {
   type        = string
 }
 
+variable "kms_key_arn" {
+  description = "KMS key ARN for log encryption"
+  type        = string
+  default     = ""
+}
+
 resource "aws_vpc" "main" {
   cidr_block           = var.vpc_cidr
   enable_dns_support   = true
@@ -38,7 +44,7 @@ resource "aws_subnet" "public" {
   vpc_id                  = aws_vpc.main.id
   cidr_block              = cidrsubnet(var.vpc_cidr, 8, count.index)
   availability_zone       = data.aws_availability_zones.available.names[count.index]
-  map_public_ip_on_launch = true
+  map_public_ip_on_launch = false
 
   tags = {
     Name = "${var.project_name}-${var.environment}-public-${data.aws_availability_zones.available.names[count.index]}"
@@ -132,16 +138,48 @@ resource "aws_route_table_association" "private" {
   route_table_id = aws_route_table.private[count.index].id
 }
 
+resource "aws_security_group" "alb" {
+  name_prefix = "${var.project_name}-${var.environment}-alb"
+  vpc_id      = aws_vpc.main.id
+
+  ingress {
+    from_port   = 443
+    to_port     = 443
+    protocol    = "tcp"
+    cidr_blocks = ["0.0.0.0/0"]
+    description = "HTTPS from internet"
+  }
+
+  ingress {
+    from_port   = 80
+    to_port     = 80
+    protocol    = "tcp"
+    cidr_blocks = ["0.0.0.0/0"]
+    description = "HTTP from internet (redirect)"
+  }
+
+  egress {
+    from_port   = 0
+    to_port     = 0
+    protocol    = "-1"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+
+  tags = {
+    Name = "${var.project_name}-${var.environment}-alb-sg"
+  }
+}
+
 resource "aws_security_group" "ecs" {
   name_prefix = "${var.project_name}-${var.environment}-ecs"
   vpc_id      = aws_vpc.main.id
 
   ingress {
-    from_port   = 3000
-    to_port     = 3003
-    protocol    = "tcp"
-    cidr_blocks = ["0.0.0.0/0"]
-    description = "Service ports"
+    from_port       = 3000
+    to_port         = 3003
+    protocol        = "tcp"
+    security_groups = [aws_security_group.alb.id]
+    description     = "Service ports from ALB only"
   }
 
   egress {
@@ -204,6 +242,66 @@ resource "aws_security_group" "elasticache" {
   }
 }
 
+resource "aws_flow_log" "main" {
+  iam_role_arn   = aws_iam_role.flow_log.arn
+  log_destination = aws_cloudwatch_log_group.flow_log.arn
+  vpc_id         = aws_vpc.main.id
+  traffic_type   = "ALL"
+
+  tags = {
+    Name = "${var.project_name}-${var.environment}-flow-log"
+  }
+}
+
+resource "aws_iam_role" "flow_log" {
+  name = "${var.project_name}-${var.environment}-flow-log-role"
+
+  assume_role_policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Action = "sts:AssumeRole"
+        Effect = "Allow"
+        Principal = {
+          Service = "vpc-flow-logs.amazonaws.com"
+        }
+      }
+    ]
+  })
+}
+
+resource "aws_iam_role_policy" "flow_log" {
+  name = "${var.project_name}-${var.environment}-flow-log-policy"
+  role = aws_iam_role.flow_log.id
+
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Action = [
+          "logs:CreateLogGroup",
+          "logs:CreateLogStream",
+          "logs:PutLogEvents",
+          "logs:DescribeLogGroups",
+          "logs:DescribeLogStreams"
+        ]
+        Effect = "Allow"
+        Resource = [aws_cloudwatch_log_group.flow_log.arn]
+      }
+    ]
+  })
+}
+
+resource "aws_cloudwatch_log_group" "flow_log" {
+  name              = "/${var.project_name}/${var.environment}/vpc-flow-log"
+  retention_in_days = var.environment == "production" ? 30 : 7
+  kms_key_id        = var.kms_key_arn != "" ? var.kms_key_arn : null
+
+  tags = {
+    Name = "${var.project_name}-${var.environment}-flow-log"
+  }
+}
+
 output "vpc_id" {
   description = "VPC ID"
   value       = aws_vpc.main.id
@@ -219,6 +317,11 @@ output "public_subnet_ids" {
   value       = aws_subnet.public[*].id
 }
 
+output "alb_security_group_id" {
+  description = "ALB security group ID"
+  value       = aws_security_group.alb.id
+}
+
 output "ecs_security_group_id" {
   description = "ECS security group ID"
   value       = aws_security_group.ecs.id