UPDATE IAM policies after resolving the MWAA log creation issue and o…

…ther code cleanup.
NASA-PDS · Jun 11, 2024 · e500724 · e500724
1 parent d8b98b6
commit e500724
Show file tree

Hide file tree

Showing 9 changed files with 46 additions and 14 deletions.
diff --git a/terraform/main.tf b/terraform/main.tf
@@ -54,7 +54,6 @@ module "ecs_ecr" {
   pds_nucleus_config_init_cloudwatch_logs_region = var.region
 
   pds_nucleus_s3_to_efs_copy_cloudwatch_logs_group  = var.pds_nucleus_s3_to_efs_copy_cloudwatch_logs_group
-  pds_nucleus_s3_to_efs_copy_cloudwatch_logs_region = var.region
 
   depends_on = [module.common, module.efs]
 }

diff --git a/...modules/ecs-ecr/container-definitions/pds-airflow-registry-loader-harvest-containers.json b/...modules/ecs-ecr/container-definitions/pds-airflow-registry-loader-harvest-containers.json
@@ -5,7 +5,7 @@
     "cpu": 0,
     "portMappings": [],
     "essential": true,
-    "entryPoint": [],
+    "entryPoint": ["harvest"],
     "command": [],
     "environment": [],
     "mountPoints": [

diff --git a/terraform/terraform-modules/ecs-ecr/docker/template-deploy-ecr-images.sh b/terraform/terraform-modules/ecs-ecr/docker/template-deploy-ecr-images.sh
@@ -17,7 +17,7 @@ docker push "${pds_nucleus_aws_account_id}".dkr.ecr.us-west-2.amazonaws.com/pds-
 
 # Deploy pds-registry-loader-harvest ECR image
 docker image pull nasapds/registry-loader
-docker tag nasapds/registry-loader:latest "${pds_nucleus_aws_account_id}".dkr.ecr.us-west-2.amazonaws.com/nasapds/pds-registry-loader-harvest:latest
+docker tag nasapds/registry-loader:latest "${pds_nucleus_aws_account_id}".dkr.ecr.us-west-2.amazonaws.com/pds-registry-loader-harvest:latest
 docker push "${pds_nucleus_aws_account_id}".dkr.ecr.us-west-2.amazonaws.com/pds-registry-loader-harvest:latest
 
 # Deploy pds-validate ECR image

diff --git a/terraform/terraform-modules/ecs-ecr/template_ecs_task_execution_role_iam_policy.json b/terraform/terraform-modules/ecs-ecr/template_ecs_task_execution_role_iam_policy.json
@@ -19,9 +19,17 @@
       "Effect": "Allow",
       "Action": [
         "logs:CreateLogStream",
-        "logs:PutLogEvents"
+        "logs:PutLogEvents",
+        "logs:CreateLogGroup"
       ],
       "Resource": "arn:aws:logs:*:${pds_nucleus_aws_account_id}:log-group:*:log-stream:*"
+    },
+    {
+      "Effect": "Allow",
+      "Action": [
+        "ecs:stopTask"
+      ],
+      "Resource": "arn:aws:ecs:*:${pds_nucleus_aws_account_id}:task/pds-nucleus-ecs/*"
     }
   ]
 }
diff --git a/terraform/terraform-modules/ecs-ecr/template_ecs_task_role_iam_policy.json b/terraform/terraform-modules/ecs-ecr/template_ecs_task_role_iam_policy.json
@@ -27,6 +27,7 @@
       "Effect": "Allow",
       "Action": [
         "logs:CreateLogStream",
+        "logs:CreateLogGroup",
         "logs:PutLogEvents"
       ],
       "Resource": "arn:aws:logs:*:${pds_nucleus_aws_account_id}:log-group:*:log-stream:*"
@@ -35,6 +36,20 @@
       "Effect": "Allow",
       "Action": "ecr:GetAuthorizationToken",
       "Resource": "arn:aws:ecr:*:${pds_nucleus_aws_account_id}:repository/pds*"
+    },
+    {
+      "Action": [
+        "s3:GetBucket*",
+        "s3:GetObject*",
+        "s3:List*"
+      ],
+      "Effect": "Allow",
+      "Resource": [
+        "arn:aws:s3:::pds-nucleus*",
+        "arn:aws:s3:::pds-nucleus*/*",
+        "arn:aws:s3:::pds-*-staging*",
+        "arn:aws:s3:::pds-*-staging*/*"
+      ]
     }
   ]
 }
diff --git a/terraform/terraform-modules/ecs-ecr/variables.tf b/terraform/terraform-modules/ecs-ecr/variables.tf
@@ -81,12 +81,6 @@ variable "pds_nucleus_s3_to_efs_copy_cloudwatch_logs_group" {
   sensitive   = true
 }
 
-variable "pds_nucleus_s3_to_efs_copy_cloudwatch_logs_region" {
-  type        = string
-  description = "PDS Nucleus S3 to EFS Copy CloudWatch Logs Region"
-  sensitive   = true
-}
-
 variable "permission_boundary_for_iam_role" {
   default = "mcp-tenantOperator-APIG"
   sensitive   = true

diff --git a/terraform/terraform-modules/efs/efs.tf b/terraform/terraform-modules/efs/efs.tf
@@ -2,9 +2,9 @@
 
 resource "aws_efs_file_system" "nucleus_efs" {
   creation_token = "nucleus_efs_token"
-
-  tags = {
-    Name = "Nucleus EFS"
+  encrypted = true
+tags = {
+    Name = "pds-nucleus-efs"
   }
 }
 

diff --git a/terraform/terraform-modules/mwaa-env/template_mwaa_iam_policy.json b/terraform/terraform-modules/mwaa-env/template_mwaa_iam_policy.json
@@ -129,6 +129,11 @@
       "Effect": "Allow",
       "Action": "cloudwatch:PutMetricData",
       "Resource": "*"
+    },
+    {
+      "Action": "iam:PassRole",
+      "Effect": "Allow",
+      "Resource": "arn:aws:iam::${pds_nucleus_aws_account_id}:role/pds_nucleus_*"
     }
   ]
 }
diff --git a/...form/terraform-modules/product-copy-completion-checker/product-copy-completion-checker.tf b/...form/terraform-modules/product-copy-completion-checker/product-copy-completion-checker.tf
@@ -176,7 +176,6 @@ resource "aws_s3_bucket" "pds_nucleus_s3_staging_bucket" {
   force_destroy = true
 }
 
-
 # Create pds_nucleus_s3_file_file_event_processor_function for each PDS Node
 resource "aws_lambda_function" "pds_nucleus_s3_file_file_event_processor_function" {
   count = length(var.pds_node_names)
@@ -199,6 +198,12 @@ resource "aws_lambda_function" "pds_nucleus_s3_file_file_event_processor_functio
   }
 }
 
+# Create CloudWatch Log Group for pds_nucleus_s3_file_file_event_processor_function for each PDS Node
+resource "aws_cloudwatch_log_group" "pds_nucleus_s3_file_file_event_processor_function_log_group" {
+  count = length(var.pds_node_names)
+  name = "/aws/lambda/pds_nucleus_s3_file_event_processor-${var.pds_node_names[count.index]}"
+}
+
 # Create pds_nucleus_product_completion_checker_function for each PDS Node
 resource "aws_lambda_function" "pds_nucleus_product_completion_checker_function" {
   count = length(var.pds_node_names)
@@ -227,6 +232,12 @@ resource "aws_lambda_function" "pds_nucleus_product_completion_checker_function"
   }
 }
 
+# Create CloudWatch Log Group for pds_nucleus_product_completion_checker_function for each PDS Node
+resource "aws_cloudwatch_log_group" "pds_nucleus_product_completion_checker_function_log_group" {
+  count = length(var.pds_node_names)
+  name = "/aws/lambda/pds-nucleus-product-completion-checker-${var.pds_node_names[count.index]}"
+}
+
 # Apply lambda permissions for each pds_nucleus_s3_file_file_event_processor_function of each Node
 resource "aws_lambda_permission" "s3-lambda-permission" {
   count = length(var.pds_node_names)