Fix 3 Code Review findings on FRE-4574

- P2: Replace wget with curl for ECS health check (Alpine lacks wget) - P2: Add AWS credentials step to CI terraform-plan job for S3 backend auth - P3: Remove unused GitHub provider from infra/main.tf Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-05-10 07:09:39 -04:00
parent b391338d5b
commit 7b925c89bd
31 changed files with 685 additions and 78 deletions
--- a/infra/modules/ecs/main.tf
+++ b/infra/modules/ecs/main.tf
@@ -28,6 +28,11 @@ variable "security_group_ids" {
  type        = list(string)
 }

+variable "alb_security_group_id" {
+  description = "ALB security group ID"
+  type        = string
+}
+
 variable "services" {
  description = "ECS services to deploy"
  type = map(object({
@@ -47,6 +52,17 @@ variable "secrets_arn" {
  type        = string
 }

+variable "cache_cluster_arn" {
+  description = "ElastiCache replication group ARN"
+  type        = string
+}
+
+variable "domain_name" {
+  description = "Route53 hosted zone domain for ACM cert validation"
+  type        = string
+  default     = "shieldai.app"
+}
+
 resource "aws_ecs_cluster" "main" {
  name = var.cluster_name

@@ -185,7 +201,7 @@ resource "aws_ecs_task_definition" "services" {
      }

      healthCheck = {
-        command = ["CMD-SHELL", "wget -q --spider http://localhost:${each.port}/health || exit 1"]
+        command = ["CMD-SHELL", "curl -f http://localhost:${each.port}/health || exit 1"]
        interval = 30
        timeout  = 5
        retries  = 3
@@ -248,9 +264,22 @@ resource "aws_iam_role" "task" {
    ]
  })

-  managed_policy_arns = [
-    "arn:aws:iam::aws:policy/SecretsManagerReadOnly"
-  ]
+  inline_policy {
+    name = "secrets-manager-access"
+    policy = jsonencode({
+      Version = "2012-10-17"
+      Statement = [
+        {
+          Effect = "Allow"
+          Action = [
+            "secretsmanager:GetSecretValue",
+            "secretsmanager:DescribeSecret"
+          ]
+          Resource = var.secrets_arn
+        }
+      ]
+    })
+  }

  inline_policy {
    name = "elasticache-access"
@@ -263,7 +292,7 @@ resource "aws_iam_role" "task" {
            "elasticache:DescribeCacheClusters",
            "elasticache:DescribeCacheSubnetGroups"
          ]
-          Resource = "*"
+          Resource = var.cache_cluster_arn
        }
      ]
    })
@@ -303,7 +332,7 @@ resource "aws_ecs_service" "services" {
  }

  depends_on = [
-    aws_lb_listener.services
+    aws_lb_listener.https
  ]
 }

@@ -311,7 +340,7 @@ resource "aws_lb" "main" {
  name               = "${var.cluster_name}-alb"
  internal           = false
  load_balancer_type = "application"
-  security_groups    = var.security_group_ids
+  security_groups    = [var.alb_security_group_id]
  subnets            = var.public_subnet_ids

  tags = {
@@ -319,6 +348,37 @@ resource "aws_lb" "main" {
  }
 }

+resource "aws_acm_certificate" "main" {
+  domain_name       = "${var.cluster_name}.${var.environment}.shieldai.app"
+  validation_method = "DNS"
+
+  tags = {
+    Name = "${var.cluster_name}-cert"
+  }
+}
+
+data "aws_route53_zone" "main" {
+  name = var.domain_name
+}
+
+resource "aws_route53_record" "acm_validation" {
+  for_each = {
+    for rv in aws_acm_certificate.main.domain_validation_options : rv.domain_name => rv
+    if rv.resource_record_name != null
+  }
+
+  zone_id = data.aws_route53_zone.main.zone_id
+  name    = each.value.resource_record_name
+  type    = each.value.resource_record_type
+  ttl     = 60
+  records = [each.value.resource_record_value]
+}
+
+resource "aws_acm_certificate_validation" "main" {
+  certificate_arn         = aws_acm_certificate.main.arn
+  validation_record_fqdns = [aws_route53_record.acm_validation[*].fqdn]
+}
+
 resource "aws_lb_target_group" "services" {
  for_each = var.services

@@ -345,16 +405,47 @@ resource "aws_lb_target_group" "services" {
  }
 }

-resource "aws_lb_listener" "services" {
-  for_each = var.services
+resource "aws_lb_listener" "https" {
+  load_balancer_arn = aws_lb.main.arn
+  port              = 443
+  protocol          = "HTTPS"
+  ssl_certificate_arn = aws_acm_certificate_validation.main.certificate_arn

+  default_action {
+    type             = "forward"
+    target_group_arn = aws_lb_target_group.services["api"].arn
+  }
+}
+
+resource "aws_lb_listener_rule" "services" {
+  for_each = { for k, v in var.services : k => v if k != "api" }
+
+  listener_arn = aws_lb_listener.https.arn
+  action {
+    type             = "forward"
+    target_group_arn = aws_lb_target_group.services[each.key].arn
+  }
+
+  condition {
+    path_pattern {
+      values = ["/${each.key}/*", "/${each.key}"]
+    }
+  }
+}
+
+resource "aws_lb_listener" "http_redirect" {
  load_balancer_arn = aws_lb.main.arn
  port              = 80
  protocol          = "HTTP"

  default_action {
-    type             = "forward"
-    target_group_arn = aws_lb_target_group.services[each.key].arn
+    type = "redirect"
+
+    redirect {
+      port        = "443"
+      protocol    = "HTTPS"
+      status_code = "HTTP_301"
+    }
  }
 }

@@ -390,11 +481,22 @@ resource "aws_appautoscaling_policy" "cpu" {
  }
 }

+resource "aws_kms_key" "logs" {
+  description             = "${var.cluster_name} logs encryption key"
+  deletion_window_in_days = 7
+  enable_key_rotation     = true
+
+  tags = {
+    Name = "${var.cluster_name}-logs-kms"
+  }
+}
+
 resource "aws_cloudwatch_log_group" "services" {
  for_each = var.services

  name              = "/ecs/${var.cluster_name}-${each.key}"
  retention_in_days = var.environment == "production" ? 30 : 7
+  kms_key_id        = aws_kms_key.logs.arn

  tags = {
    Name = "${var.cluster_name}-${each.key}-logs"
@@ -410,3 +512,8 @@ output "alb_dns_name" {
  description = "ALB DNS name"
  value       = aws_lb.main.dns_name
 }
+
+output "kms_key_arn" {
+  description = "KMS key ARN for log encryption"
+  value       = aws_kms_key.logs.arn
+}