
feat: Add ECS/Fargate deployment for LogGuardian (Issue #91)#146

Open
Sarlynoel020 wants to merge 7 commits into main from feat/ecs-fargate-deployment-issue-91

Conversation


@Sarlynoel020 Sarlynoel020 commented Oct 30, 2025

🎯 Overview

Deploys LogGuardian to ECS/Fargate in the dev account (769392325486) for automated CloudWatch log compliance enforcement.

📦 What's Changed

Infrastructure (Terraform)

  • ECS Cluster: logguardian-dev with Fargate Spot capacity provider (80/20 split)
  • Task Definition: logguardian-dev with 256 CPU / 512 MB memory
  • IAM Roles: Task role (Config/Logs/CloudWatch) + Execution role (ECR/Logs)
  • Security Group: Egress-only for AWS API access
  • CloudWatch Logs: /ecs/logguardian with 30-day retention
  • Network: Public subnets (ca-central-1a, ca-central-1b)

Container Image

  • Source: Built from zsoftly/logguardian main branch
  • Location: 769392325486.dkr.ecr.ca-central-1.amazonaws.com/logguardian:latest
  • Version: 1.3.0
  • Size: ~20 MB (Alpine-based)

✅ Testing Evidence

Dry-Run Execution

{
  "status": "completed",
  "mode": "dry-run",
  "config_rule_name": "cloudwatch-log-group-encrypted",
  "total_processed": 2,
  "success_count": 2,
  "failure_count": 0,
  "duration": "245ms",
  "exit_code": 0
}

Resources Found:

  • /aws/ecs/containerinsights/logguardian-dev/performance (would apply encryption)
  • /ecs/logguardian (would apply encryption)

Error Handling Validation

  • Missing CONFIG_RULE_NAME: Exit code 2 ✅
  • Invalid Config rule: Exit code 1 ✅
  • Proper error messages in CloudWatch ✅

Authentication & Integration

  • ECS task role authentication: ✅
  • AWS Config API access: ✅
  • CloudWatch Logs write: ✅

📁 Files Added

terraform/environments/dev/
├── README.md          (deployment documentation)
├── main.tf            (ECS infrastructure, 4.1 KB)
├── iam.tf             (IAM roles, 2.1 KB)
└── terraform.tfvars   (environment config)

terraform/.gitignore   (Terraform artifacts)

💰 Cost Impact

Monthly Recurring:

  • Fargate Spot: ~$15-20
  • CloudWatch Logs: ~$1-2
  • ECR Storage: <$1
  • Total: ~$20/month

Savings:

  • No NAT Gateway: -$32/month (using public subnets)

🏗️ Architecture Decisions

Fargate Spot (80% allocation)

  • Rationale: Dev workload can tolerate interruptions, 70% cost savings
  • Fallback: 20% On-Demand for availability

Public Subnets

  • Rationale: Dev environment, saves $32/month on NAT Gateway
  • Trade-off: Tasks get public IPs (acceptable for dev)
  • Production: Should use private subnets + NAT Gateway

Resource Sizing

  • 256 CPU / 512 MB memory: LogGuardian execution is lightweight (~250ms)
  • Actual Usage: <50% CPU, <300 MB memory
  • Cost-optimized: Smallest Fargate task size

🔒 Security Considerations

IAM Least Privilege

  • Task role: Only Config read, Logs write, CloudWatch metrics
  • Execution role: Only ECR pull, CloudWatch Logs write
  • No wildcard resources where possible

Network Security

  • Security group: Egress-only (no ingress rules)
  • No sensitive data in logs (verified)

Secrets Management

  • No hardcoded credentials
  • AWS credentials via ECS task role
  • Container image in private ECR

📋 Deployment Instructions

Prerequisites

  1. AWS Config enabled in account
  2. ECR repository exists with image
  3. Config rule created: cloudwatch-log-group-encrypted

Deploy

cd terraform/environments/dev
terraform init
terraform plan
terraform apply

Verify

# Test execution
CLUSTER=logguardian-dev
TASK=logguardian-dev
SG=sg-015c44092a321da76

aws ecs run-task \
  --cluster $CLUSTER \
  --launch-type FARGATE \
  --task-definition $TASK \
  --network-configuration "awsvpcConfiguration={subnets=[subnet-0cb3a166fffa03698,subnet-0026232dabc7d880d],securityGroups=[$SG],assignPublicIp=ENABLED}" \
  --overrides '{
    "containerOverrides":[{
      "name":"logguardian",
      "command":["--dry-run","--config-rule","cloudwatch-log-group-encrypted"],
      "environment":[{"name":"AWS_REGION","value":"ca-central-1"}]
    }]
  }'

# Check logs
aws logs tail /ecs/logguardian --since 5m

🔜 Next Steps (After Merge)

  1. QA Testing - Full validation
  2. Enable Enforcement - Remove --dry-run flag
  3. Add Scheduling - EventBridge rule for daily runs
  4. Deploy to Staging/Prod

🐛 Known Limitations

  • Public subnets: Dev pattern only, use NAT Gateway for prod
  • Manual invocation: EventBridge automation not yet deployed
  • Single region: Only ca-central-1

✅ Pre-Merge Checklist

  • Terraform code tested in dev
  • Infrastructure deployed successfully
  • Documentation included (README.md)
  • .gitignore prevents sensitive files
  • Cost impact documented
  • Security reviewed
  • Testing evidence provided
  • Code review approved
  • QA validation passed

- Deploy LogGuardian container to ECS/Fargate in dev account
- Terraform infrastructure for cluster, task definition, IAM roles
- Cost-optimized with Fargate Spot (80/20 split)
- CloudWatch logging integration
- Public subnet architecture (no NAT Gateway, saves /mo)

Infrastructure deployed:
- ECS Cluster: logguardian-dev
- Task Definition: logguardian-dev:2
- IAM Task Role: Config/Logs/CloudWatch permissions
- IAM Execution Role: ECS agent permissions
- Security Group: Egress-only for AWS API access
- CloudWatch Log Group: /ecs/logguardian (30-day retention)

Testing:
- Dry-run execution: PASS (exit code 0)
- Found 2 non-compliant log groups
- Execution time: 245-310ms
- Container authentication: PASS (ECS task role)
- AWS Config integration: PASS

Cost: ~/month
Account: 769392325486 (zsoftly dev logguardian)
Region: ca-central-1

Closes #91
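As an added example (not part of this PR or the LogGuardian project), the script below turns the three claims in the Security Considerations section (no wildcard resources on write actions, egress-only security group, no static credentials in the task definition) into a pre-merge check that can be run against JSON pulled from the AWS CLI. All inputs here are constructed in the shape of `aws iam get-role-policy`, `aws ec2 describe-security-groups` and `aws ecs describe-task-definition` output; the account id, security group id and policy statements are placeholders, not the PR's real values.

```python
"""Pre-merge checks for an ECS/Fargate task deployment (constructed example)."""
import json
import re

# ---- Constructed sample inputs (placeholders, not the PR's real resources) ----
ACCOUNT = "123456789012"
REGION = "ca-central-1"

TASK_ROLE_POLICY_GOOD = {
    "Version": "2012-10-17",
    "Statement": [
        {   # Config Describe/Get calls are not resource-scoped, so "*" is expected here
            "Sid": "ConfigRead",
            "Effect": "Allow",
            "Action": ["config:DescribeConfigRules", "config:GetComplianceDetailsByConfigRule"],
            "Resource": "*",
        },
        {   # write actions are scoped to log groups in this account and region
            "Sid": "LogsWrite",
            "Effect": "Allow",
            "Action": ["logs:AssociateKmsKey", "logs:PutRetentionPolicy"],
            "Resource": f"arn:aws:logs:{REGION}:{ACCOUNT}:log-group:*",
        },
    ],
}
TASK_ROLE_POLICY_BAD = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "TooBroad", "Effect": "Allow", "Action": "logs:*", "Resource": "*"}],
}

SECURITY_GROUP_GOOD = {
    "GroupId": "sg-placeholder",
    "IpPermissions": [],  # no ingress rules at all
    "IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}],
}
SECURITY_GROUP_BAD = {
    "GroupId": "sg-placeholder",
    "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                       "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}],
    "IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}],
}

TASK_DEF_GOOD = {"containerDefinitions": [
    {"name": "logguardian", "environment": [{"name": "AWS_REGION", "value": REGION}]}]}
TASK_DEF_BAD = {"containerDefinitions": [
    {"name": "logguardian", "environment": [
        {"name": "AWS_REGION", "value": REGION},
        {"name": "AWS_SECRET_ACCESS_KEY", "value": "placeholder-not-a-real-key"}]}]}

# ---- Checks ------------------------------------------------------------------
READ_ONLY = re.compile(r"^[a-z0-9-]+:(Describe|Get|List)[A-Za-z]*$")
CREDENTIAL_ENV_NAMES = {"AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY", "AWS_SESSION_TOKEN"}


def _as_list(value):
    """IAM allows a string or a list for Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def wildcard_write_statements(policy):
    """Sids of Allow statements that grant a non-read-only action on Resource "*"."""
    findings = []
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow" or "*" not in _as_list(st.get("Resource", [])):
            continue
        if any(not READ_ONLY.match(a) for a in _as_list(st.get("Action", []))):
            findings.append(st.get("Sid", "<no sid>"))
    return findings


def ingress_rules(sg):
    """Readable list of ingress rules; an empty list means the group is egress-only."""
    rules = []
    for perm in sg.get("IpPermissions", []):
        cidrs = ",".join(r["CidrIp"] for r in perm.get("IpRanges", []))
        rules.append(f"{perm.get('IpProtocol')} {perm.get('FromPort')}-{perm.get('ToPort')} from {cidrs}")
    return rules


def static_credentials_in_env(task_def):
    """(container, variable) pairs where static AWS credentials are passed as plain env vars."""
    return [(c["name"], e["name"])
            for c in task_def["containerDefinitions"]
            for e in c.get("environment", [])
            if e["name"] in CREDENTIAL_ENV_NAMES]


def review(policy, sg, task_def):
    """Run all three checks; 'ok' is True only when every finding list is empty."""
    report = {
        "wildcard_write_statements": wildcard_write_statements(policy),
        "ingress_rules": ingress_rules(sg),
        "static_credentials": static_credentials_in_env(task_def),
    }
    report["ok"] = not any(report[k] for k in ("wildcard_write_statements", "ingress_rules", "static_credentials"))
    return report


if __name__ == "__main__":
    print(json.dumps(review(TASK_ROLE_POLICY_GOOD, SECURITY_GROUP_GOOD, TASK_DEF_GOOD), indent=2))
    print(json.dumps(review(TASK_ROLE_POLICY_BAD, SECURITY_GROUP_BAD, TASK_DEF_BAD), indent=2))
```

The read-only allow-list deliberately lets `config:Describe*`/`config:Get*` keep `Resource: "*"`, since those APIs are not resource-scoped; anything that can change state (here `logs:*`) is flagged when it is granted on every resource. To run it against a live account, replace the constructed dictionaries with the parsed output of the corresponding `aws` commands.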
@Sarlynoel020 Sarlynoel020 requested a review from ditahkk October 30, 2025 21:28