diff --git a/terraform/main.tf b/terraform/main.tf
index a928e3b..4605370 100644
--- a/terraform/main.tf
+++ b/terraform/main.tf
@@ -54,7 +54,6 @@ module "ecs_ecr" {
 pds_nucleus_config_init_cloudwatch_logs_region = var.region
 pds_nucleus_s3_to_efs_copy_cloudwatch_logs_group = var.pds_nucleus_s3_to_efs_copy_cloudwatch_logs_group
- pds_nucleus_s3_to_efs_copy_cloudwatch_logs_region = var.region
 depends_on = [module.common, module.efs]
 }
diff --git a/terraform/terraform-modules/ecs-ecr/container-definitions/pds-airflow-registry-loader-harvest-containers.json b/terraform/terraform-modules/ecs-ecr/container-definitions/pds-airflow-registry-loader-harvest-containers.json
index 843585c..6bb0db9 100644
--- a/terraform/terraform-modules/ecs-ecr/container-definitions/pds-airflow-registry-loader-harvest-containers.json
+++ b/terraform/terraform-modules/ecs-ecr/container-definitions/pds-airflow-registry-loader-harvest-containers.json
@@ -5,7 +5,7 @@
 "cpu": 0,
 "portMappings": [],
 "essential": true,
- "entryPoint": [],
+ "entryPoint": ["harvest"],
 "command": [],
 "environment": [],
 "mountPoints": [
diff --git a/terraform/terraform-modules/ecs-ecr/docker/template-deploy-ecr-images.sh b/terraform/terraform-modules/ecs-ecr/docker/template-deploy-ecr-images.sh
index deaa884..ebf3226 100755
--- a/terraform/terraform-modules/ecs-ecr/docker/template-deploy-ecr-images.sh
+++ b/terraform/terraform-modules/ecs-ecr/docker/template-deploy-ecr-images.sh
@@ -17,7 +17,7 @@ docker push "${pds_nucleus_aws_account_id}".dkr.ecr.us-west-2.amazonaws.com/pds-
 # Deploy pds-registry-loader-harvest ECR image
 docker image pull nasapds/registry-loader
-docker tag nasapds/registry-loader:latest "${pds_nucleus_aws_account_id}".dkr.ecr.us-west-2.amazonaws.com/nasapds/pds-registry-loader-harvest:latest
+docker tag nasapds/registry-loader:latest "${pds_nucleus_aws_account_id}".dkr.ecr.us-west-2.amazonaws.com/pds-registry-loader-harvest:latest
 docker push "${pds_nucleus_aws_account_id}".dkr.ecr.us-west-2.amazonaws.com/pds-registry-loader-harvest:latest
 # Deploy pds-validate ECR image
diff --git a/terraform/terraform-modules/ecs-ecr/template_ecs_task_execution_role_iam_policy.json b/terraform/terraform-modules/ecs-ecr/template_ecs_task_execution_role_iam_policy.json
index cfb93e2..585a3c8 100644
--- a/terraform/terraform-modules/ecs-ecr/template_ecs_task_execution_role_iam_policy.json
+++ b/terraform/terraform-modules/ecs-ecr/template_ecs_task_execution_role_iam_policy.json
@@ -19,9 +19,17 @@
 "Effect": "Allow",
 "Action": [
 "logs:CreateLogStream",
- "logs:PutLogEvents"
+ "logs:PutLogEvents",
+ "logs:CreateLogGroup"
 ],
 "Resource": "arn:aws:logs:*:${pds_nucleus_aws_account_id}:log-group:*:log-stream:*"
+ },
+ {
+ "Effect": "Allow",
+ "Action": [
+ "ecs:stopTask"
+ ],
+ "Resource": "arn:aws:ecs:*:${pds_nucleus_aws_account_id}:task/pds-nucleus-ecs/*"
 }
 ]
 }
diff --git a/terraform/terraform-modules/ecs-ecr/template_ecs_task_role_iam_policy.json b/terraform/terraform-modules/ecs-ecr/template_ecs_task_role_iam_policy.json
index 4b582ae..e8e085d 100644
--- a/terraform/terraform-modules/ecs-ecr/template_ecs_task_role_iam_policy.json
+++ b/terraform/terraform-modules/ecs-ecr/template_ecs_task_role_iam_policy.json
@@ -27,6 +27,7 @@
 "Effect": "Allow",
 "Action": [
 "logs:CreateLogStream",
+ "logs:CreateLogGroup",
 "logs:PutLogEvents"
 ],
 "Resource": "arn:aws:logs:*:${pds_nucleus_aws_account_id}:log-group:*:log-stream:*"
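Review bot: The corrected `docker tag` line still retags whatever the mutable `nasapds/registry-loader` `latest` tag resolved to in the `docker image pull` just above it, so the image that lands in ECR depends on what the public registry served at run time and cannot be reproduced or audited afterwards. Pin the pull to an immutable digest and tag from that reference, e.g. `docker image pull nasapds/registry-loader@sha256:<DIGEST>` and `docker tag nasapds/registry-loader@sha256:<DIGEST> "${pds_nucleus_aws_account_id}".dkr.ecr.us-west-2.amazonaws.com/pds-registry-loader-harvest:latest` (placeholder digest; record the verified value next to the pull). The other image deployments in this script appear to follow the same pattern but their lines are outside the hunk.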
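Review bot: `logs:CreateLogGroup` is added to a statement whose `Resource` is `arn:aws:logs:*:${pds_nucleus_aws_account_id}:log-group:*:log-stream:*`, but CreateLogGroup is evaluated against the log-group ARN, which has no `:log-stream:` segment, so the new grant will most likely never match and the call stays denied. Move it to its own statement with a resource of the form `arn:aws:logs:*:${pds_nucleus_aws_account_id}:log-group:*` (narrowed to the group-name prefixes these tasks use where possible); the task-role policy hunk in this commit adds `logs:CreateLogGroup` under the same log-stream resource and has the same problem. The new `ecs:stopTask` statement is granted to the task execution role, which the ECS agent assumes to pull images and start tasks; if it is the code inside the container that needs to stop tasks, the grant belongs in the task role instead — confirm which principal actually makes the call before merging.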
@@ -35,6 +36,20 @@
 "Effect": "Allow",
 "Action": "ecr:GetAuthorizationToken",
 "Resource": "arn:aws:ecr:*:${pds_nucleus_aws_account_id}:repository/pds*"
+ },
+ {
+ "Action": [
+ "s3:GetBucket*",
+ "s3:GetObject*",
+ "s3:List*"
+ ],
+ "Effect": "Allow",
+ "Resource": [
+ "arn:aws:s3:::pds-nucleus*",
+ "arn:aws:s3:::pds-nucleus*/*",
+ "arn:aws:s3:::pds-*-staging*",
+ "arn:aws:s3:::pds-*-staging*/*"
+ ]
 }
 ]
 }
diff --git a/terraform/terraform-modules/ecs-ecr/variables.tf b/terraform/terraform-modules/ecs-ecr/variables.tf
index b8da8ad..29a09b1 100644
--- a/terraform/terraform-modules/ecs-ecr/variables.tf
+++ b/terraform/terraform-modules/ecs-ecr/variables.tf
@@ -81,12 +81,6 @@ variable "pds_nucleus_s3_to_efs_copy_cloudwatch_logs_group" {
 sensitive = true
 }
-variable "pds_nucleus_s3_to_efs_copy_cloudwatch_logs_region" { type = string description = "PDS Nucleus S3 to EFS Copy CloudWatch Logs Region" sensitive = true }
-
 variable "permission_boundary_for_iam_role" {
 default = "mcp-tenantOperator-APIG"
 sensitive = true
diff --git a/terraform/terraform-modules/efs/efs.tf b/terraform/terraform-modules/efs/efs.tf
index 4c08742..1af3bfd 100644
--- a/terraform/terraform-modules/efs/efs.tf
+++ b/terraform/terraform-modules/efs/efs.tf
@@ -2,9 +2,9 @@ resource "aws_efs_file_system" "nucleus_efs" {
 creation_token = "nucleus_efs_token"
-
- tags = {
- Name = "Nucleus EFS"
+ encrypted = true
+tags = {
+ Name = "pds-nucleus-efs"
 }
 }
diff --git a/terraform/terraform-modules/mwaa-env/template_mwaa_iam_policy.json b/terraform/terraform-modules/mwaa-env/template_mwaa_iam_policy.json
index bd8ebec..e5f8faa 100644
--- a/terraform/terraform-modules/mwaa-env/template_mwaa_iam_policy.json
+++ b/terraform/terraform-modules/mwaa-env/template_mwaa_iam_policy.json
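Review bot: The new S3 statement grants whole action families (`s3:GetBucket*`, `s3:GetObject*`, `s3:List*`) on name-prefix bucket patterns (`pds-nucleus*`, `pds-*-staging*`); `s3:GetObject*` alone also covers ACL, tagging, version and retention reads, and the prefix patterns match any bucket whose name happens to start that way, not only the staging buckets this commit's Terraform creates. List the calls the task containers actually make (`s3:GetObject` plus `s3:ListBucket` is the usual floor for read access) and reference the module's bucket ARNs rather than a prefix where the template allows it. As a style point, this statement writes `Action` before `Effect` while the statements above it use the opposite order.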
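Review bot: Adding `encrypted = true` to the existing `nucleus_efs` file system cannot be applied in place; Terraform will plan to destroy and recreate the file system, and anything already stored on it goes with it. Confirm the file system is empty or migrate its contents before this is applied, and decide whether the default AWS-managed EFS key is acceptable or a `kms_key_id` is required. The added `+tags = {` line is also at column 0 while the rest of the block is indented.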
@@ -129,6 +129,11 @@
 "Effect": "Allow",
 "Action": "cloudwatch:PutMetricData",
 "Resource": "*"
+ },
+ {
+ "Action": "iam:PassRole",
+ "Effect": "Allow",
+ "Resource": "arn:aws:iam::${pds_nucleus_aws_account_id}:role/pds_nucleus_*"
 }
 ]
 }
diff --git a/terraform/terraform-modules/product-copy-completion-checker/product-copy-completion-checker.tf b/terraform/terraform-modules/product-copy-completion-checker/product-copy-completion-checker.tf
index 86dca18..6c2d201 100644
--- a/terraform/terraform-modules/product-copy-completion-checker/product-copy-completion-checker.tf
+++ b/terraform/terraform-modules/product-copy-completion-checker/product-copy-completion-checker.tf
@@ -176,7 +176,6 @@ resource "aws_s3_bucket" "pds_nucleus_s3_staging_bucket" {
 force_destroy = true
 }
-
 # Create pds_nucleus_s3_file_file_event_processor_function for each PDS Node
 resource "aws_lambda_function" "pds_nucleus_s3_file_file_event_processor_function" {
 count = length(var.pds_node_names)
@@ -199,6 +198,12 @@ resource "aws_lambda_function" "pds_nucleus_s3_file_file_event_processor_functio
 }
 }
+# Create CloudWatch Log Group for pds_nucleus_s3_file_file_event_processor_function for each PDS Node
+resource "aws_cloudwatch_log_group" "pds_nucleus_s3_file_file_event_processor_function_log_group" {
+ count = length(var.pds_node_names)
+ name = "/aws/lambda/pds_nucleus_s3_file_event_processor-${var.pds_node_names[count.index]}"
+}
+
 # Create pds_nucleus_product_completion_checker_function for each PDS Node
 resource "aws_lambda_function" "pds_nucleus_product_completion_checker_function" {
 count = length(var.pds_node_names)
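Review bot: The new `iam:PassRole` grant on `arn:aws:iam::${pds_nucleus_aws_account_id}:role/pds_nucleus_*` carries no condition, so the MWAA environment can hand any role with that prefix to any AWS service that accepts a passed role, which is broader than launching ECS tasks needs. If these roles are only ever passed to ECS — the hunk does not show the consumer — add `"Condition": {"StringEquals": {"iam:PassedToService": "ecs-tasks.amazonaws.com"}}` to the statement, and list the specific task and execution role ARNs instead of the prefix where practical. The statement also orders `Action` before `Effect`, unlike the `cloudwatch:PutMetricData` statement just above it.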
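Review bot: The new `aws_cloudwatch_log_group` for the event-processor function sets only `count` and `name`, so the group keeps every event indefinitely; add a `retention_in_days` that matches the project's log-retention requirement (and a `kms_key_id` if these logs fall under a customer-managed-key policy). The same applies to the completion-checker log group added in the next hunk. Lambda only writes into this group if `name` equals `/aws/lambda/<function_name>` exactly; the `function_name` of `pds_nucleus_s3_file_file_event_processor_function` is outside the hunk, so confirm it is `pds_nucleus_s3_file_event_processor-<node>` (note this group uses underscores while the completion-checker group uses hyphens). If the function can be invoked before the group exists, Lambda creates the group itself and the later Terraform create fails on the existing name; a `depends_on` from the function to its log group, or creating the groups first, avoids that race.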
@@ -227,6 +232,12 @@ resource "aws_lambda_function" "pds_nucleus_product_completion_checker_function"
 }
 }
+# Create CloudWatch Log Group for pds_nucleus_product_completion_checker_function for each PDS Node
+resource "aws_cloudwatch_log_group" "pds_nucleus_product_completion_checker_function_log_group" {
+ count = length(var.pds_node_names)
+ name = "/aws/lambda/pds-nucleus-product-completion-checker-${var.pds_node_names[count.index]}"
+}
+
 # Apply lambda permissions for each pds_nucleus_s3_file_file_event_processor_function of each Node
 resource "aws_lambda_permission" "s3-lambda-permission" {
 count = length(var.pds_node_names)