security fixes

Author: AlexanderWiechert

cloudwatch.tf

@@ -5,6 +5,7 @@
 resource "aws_cloudwatch_log_group" "fargate_cluster" {
   name              = var.log_group
   retention_in_days = var.log_retention_days
+  kms_key_id        = aws_kms_key.fargate.key_id
 }
 
 
@@ -13,4 +14,9 @@ resource "aws_cloudwatch_log_group" "fargate_execute_command_logs" {
 
   name              = "${var.log_group}-execute-commands"
   retention_in_days = var.log_retention_days
+  kms_key_id        = aws_kms_key.fargate.key_id
 }
+
+resource "aws_kms_key" "fargate" {
+  description             = "cloudwatch-encrpytion"
+}

ecs.tf

@@ -5,6 +5,11 @@
 resource "aws_ecs_cluster" "fargate_cluster" {
   name = var.cluster_name
 
+  setting {
+    name  = "containerInsights"
+    value = "enabled"
+  }
+
   dynamic "configuration" {
     for_each = var.enable_execute_command ? [""] : []
     content {

vars.tf

@@ -11,7 +11,7 @@ variable "execution_role_policy" {
 }
 
 variable "log_retention_days" {
-  default = 0
+  default = 14
 }
 
 variable "enable_execute_command" {