Merge pull request #37 from nlamirault/feat/kms-iam
IAM outputs and KMS options
nlamirault authored Nov 12, 2021
2 parents 2cdb721 + c54d0f3 commit 5674be8
Showing 8 changed files with 202 additions and 58 deletions.
2 changes: 1 addition & 1 deletion modules/grafana/grafana.tf
Expand Up @@ -70,7 +70,7 @@ module "grafana_role" {
version = "4.7.0"

create_role = true
role_description = "Grafana Role"
role_description = "Role for Grafana"
role_name = local.role_name
provider_url = data.aws_eks_cluster.this.identity[0].oidc[0].issuer
role_policy_arns = [aws_iam_policy.grafana.arn]
63 changes: 49 additions & 14 deletions modules/loki/loki.tf
Expand Up @@ -12,7 +12,7 @@
# See the License for the specific language governing permissions and
# limitations under the License.

data "aws_iam_policy_document" "loki_permissions" {
data "aws_iam_policy_document" "bucket" {
statement {
effect = "Allow"

Expand All @@ -24,11 +24,27 @@ data "aws_iam_policy_document" "loki_permissions" {
]

resources = [
module.loki_log.s3_bucket_arn,
"${module.loki_log.s3_bucket_arn}/*"
module.loki.s3_bucket_arn,
"${module.loki.s3_bucket_arn}/*"
]
}

# statement {
# effect = "Allow"

# actions = [
# "kms:Encrypt",
# "kms:Decrypt",
# "kms:GenerateDataKey*",
# ]

# resources = var.enable_kms ? [aws_kms_key.loki[0].arn] : []
# }
}

data "aws_iam_policy_document" "kms" {
count = var.enable_kms ? 1 : 0

statement {
effect = "Allow"

Expand All @@ -38,18 +54,32 @@ data "aws_iam_policy_document" "loki_permissions" {
"kms:GenerateDataKey*",
]

resources = var.enable_kms ? [aws_kms_key.loki[0].arn] : []
resources = [
aws_kms_key.loki[0].arn
]
}
}

resource "aws_iam_policy" "bucket" {
name = format("%s-bucket", local.service_name)
path = "/"
description = "Bucket permissions for Loki"
policy = data.aws_iam_policy_document.bucket.json
tags = merge(
{ "Name" = format("%s-bucket", local.service_name) },
local.tags
)
}

resource "aws_iam_policy" "loki" {
name = local.service_name
resource "aws_iam_policy" "kms" {
count = var.enable_kms ? 1 : 0

name = format("%s-kms", local.service_name)
path = "/"
description = "Permissions for Loki"
policy = data.aws_iam_policy_document.loki_permissions.json
description = "KMS permissions for Loki"
policy = data.aws_iam_policy_document.kms[0].json
tags = merge(
{ "Name" = local.service_name },
{ "Name" = format("%s-kms", local.service_name) },
local.tags
)
}
Expand All @@ -58,11 +88,16 @@ module "loki_role" {
source = "terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc"
version = "4.7.0"

create_role = true
role_description = "Loki Role"
role_name = local.role_name
provider_url = data.aws_eks_cluster.this.identity[0].oidc[0].issuer
role_policy_arns = [aws_iam_policy.loki.arn]
create_role = true
role_description = "Role for Loki"
role_name = local.role_name
provider_url = data.aws_eks_cluster.this.identity[0].oidc[0].issuer
role_policy_arns = var.enable_kms ? [
aws_iam_policy.bucket.arn,
aws_iam_policy.kms[0].arn,
] : [
aws_iam_policy.bucket.arn,
]
oidc_fully_qualified_subjects = ["system:serviceaccount:${var.namespace}:${var.service_account}"]
tags = merge(
{ "Name" = local.role_name },
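Review bot: The commented-out KMS statement left inside `data "aws_iam_policy_document" "bucket"` is dead code now that the same statement lives in the counted `kms` document, and it should be deleted rather than carried forward. The two-branch conditional on `role_policy_arns` in `module "loki_role"` repeats `aws_iam_policy.bucket.arn` on both sides; a splat over the counted policy collapses it to one expression that handles the `count = 0` case on its own: `role_policy_arns = concat([aws_iam_policy.bucket.arn], aws_iam_policy.kms[*].arn)`. `module "loki_role"` continues past the end of the section.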
60 changes: 48 additions & 12 deletions modules/prometheus/prometheus.tf
Expand Up @@ -12,7 +12,7 @@
# See the License for the specific language governing permissions and
# limitations under the License.

data "aws_iam_policy_document" "prometheus_permissions" {
data "aws_iam_policy_document" "bucket" {
statement {
actions = [
"s3:ListBucket",
Expand All @@ -27,6 +27,22 @@ data "aws_iam_policy_document" "prometheus_permissions" {
]
}

# statement {
# effect = "Allow"

# actions = [
# "kms:Encrypt",
# "kms:Decrypt",
# "kms:GenerateDataKey*",
# ]

# resources = var.enable_kms ? [data.aws_kms_key.thanos[0].arn] : []
# }
}

data "aws_iam_policy_document" "kms" {
count = var.enable_kms ? 1 : 0

statement {
effect = "Allow"

Expand All @@ -36,17 +52,32 @@ data "aws_iam_policy_document" "prometheus_permissions" {
"kms:GenerateDataKey*",
]

resources = var.enable_kms ? [data.aws_kms_key.thanos[0].arn] : []
resources = [
data.aws_kms_key.thanos[0].arn
]
}
}

resource "aws_iam_policy" "prometheus" {
name = local.service_name
resource "aws_iam_policy" "bucket" {
name = format("%s-bucket", local.service_name)
path = "/"
description = "Bucket permissions for Prometheus"
policy = data.aws_iam_policy_document.bucket.json
tags = merge(
{ "Name" = format("%s-bucket", local.service_name) },
local.tags
)
}

resource "aws_iam_policy" "kms" {
count = var.enable_kms ? 1 : 0

name = format("%s-kms", local.service_name)
path = "/"
description = "Permissions for Prometheus"
policy = data.aws_iam_policy_document.prometheus_permissions.json
description = "KMS permissions for Prometheus"
policy = data.aws_iam_policy_document.kms[0].json
tags = merge(
{ "Name" = local.service_name },
{ "Name" = format("%s-kms", local.service_name) },
local.tags
)
}
Expand All @@ -55,11 +86,16 @@ module "prometheus_role" {
source = "terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc"
version = "4.7.0"

create_role = true
role_description = "prometheus Role"
role_name = local.role_name
provider_url = data.aws_eks_cluster.this.identity[0].oidc[0].issuer
role_policy_arns = [aws_iam_policy.prometheus.arn]
create_role = true
role_description = "prometheus Role"
role_name = local.role_name
provider_url = data.aws_eks_cluster.this.identity[0].oidc[0].issuer
role_policy_arns = var.enable_kms ? [
aws_iam_policy.bucket.arn,
aws_iam_policy.kms[0].arn,
] : [
aws_iam_policy.bucket.arn,
]
oidc_fully_qualified_subjects = ["system:serviceaccount:${var.namespace}:${var.service_account}"]
tags = merge(
{ "Name" = local.role_name },
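Review bot: The `kms` policy document grants `kms:Encrypt` plus the wildcard `kms:GenerateDataKey*`, which also matches `GenerateDataKeyPair*` and `GenerateDataKeyWithoutPlaintext`. If the Thanos key is only used for SSE-KMS on the bucket, S3 calls `kms:GenerateDataKey` on writes and `kms:Decrypt` on reads, so the statement could be tightened to `actions = ["kms:Decrypt", "kms:GenerateDataKey"]` — confirm how Thanos uses the key before narrowing. The `statement` in the `bucket` document relies on the implicit default effect; adding `effect = "Allow"` would match the loki and tempo modules. `role_description = "prometheus Role"` in `module "prometheus_role"` was not renamed to the `Role for …` form used by the other modules in this commit. `module "prometheus_role"` continues past the end of the section.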
65 changes: 51 additions & 14 deletions modules/tempo/tempo.tf
Expand Up @@ -12,7 +12,7 @@
# See the License for the specific language governing permissions and
# limitations under the License.

data "aws_iam_policy_document" "tempo_permissions" {
data "aws_iam_policy_document" "bucket" {
statement {
effect = "Allow"

Expand All @@ -24,11 +24,28 @@ data "aws_iam_policy_document" "tempo_permissions" {
]

resources = [
module.tempo_log.s3_bucket_arn,
"${module.tempo_log.s3_bucket_arn}/*"
module.tempo.s3_bucket_arn,
"${module.tempo.s3_bucket_arn}/*"
]
}

# statement {
# effect = "Allow"

# actions = [
# "kms:Encrypt",
# "kms:Decrypt",
# "kms:GenerateDataKey*",
# ]

# resources = var.enable_kms ? [aws_kms_key.tempo[0].arn] : []
# }

}

data "aws_iam_policy_document" "kms" {
count = var.enable_kms ? 1 : 0

statement {
effect = "Allow"

Expand All @@ -38,31 +55,51 @@ data "aws_iam_policy_document" "tempo_permissions" {
"kms:GenerateDataKey*",
]

resources = var.enable_kms ? [aws_kms_key.tempo[0].arn] : []
resources = [
aws_kms_key.tempo[0].arn
]
}
}

resource "aws_iam_policy" "bucket" {
name = format("%s-bucket", local.service_name)
path = "/"
description = "Bucket permissions for Tempo"
policy = data.aws_iam_policy_document.bucket.json
tags = merge(
{ "Name" = format("%s-bucket", local.service_name) },
local.tags
)
}

resource "aws_iam_policy" "tempo" {
name = local.service_name
resource "aws_iam_policy" "kms" {
count = var.enable_kms ? 1 : 0

name = format("%s-kms", local.service_name)
path = "/"
description = "Permissions for Tempo"
policy = data.aws_iam_policy_document.tempo_permissions.json
description = "KMS permissions for Tempo"
policy = data.aws_iam_policy_document.kms.json
tags = merge(
{ "Name" = local.service_name },
{ "Name" = format("%s-kms", local.service_name) },
local.tags
)
}


module "tempo_role" {
source = "terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc"
version = "4.7.0"

create_role = true
role_description = "tempo Role"
role_name = local.role_name
provider_url = data.aws_eks_cluster.this.identity[0].oidc[0].issuer
role_policy_arns = [aws_iam_policy.tempo.arn]
create_role = true
role_description = "Role for Tempo"
role_name = local.role_name
provider_url = data.aws_eks_cluster.this.identity[0].oidc[0].issuer
role_policy_arns = var.enable_kms ? [
aws_iam_policy.bucket.arn,
aws_iam_policy.kms[0].arn,
] : [
aws_iam_policy.bucket.arn,
]
oidc_fully_qualified_subjects = ["system:serviceaccount:${var.namespace}:${var.service_account}"]
tags = merge(
{ "Name" = local.role_name },
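Review bot: `policy = data.aws_iam_policy_document.kms.json` in `resource "aws_iam_policy" "kms"` references a data source declared with `count` without an instance key, which Terraform should reject ("Missing resource instance key"); the loki and prometheus modules index it, so this line should read `policy = data.aws_iam_policy_document.kms[0].json`. The commented-out KMS statement inside the `bucket` document is dead code and can be dropped. `module "tempo_role"` continues past the end of the section.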
2 changes: 1 addition & 1 deletion modules/thanos/README.md
Expand Up @@ -83,7 +83,7 @@ tags = {
| enable\_kms | Enable custom KMS key | `bool` | n/a | yes |
| namespace | The Kubernetes namespace | `string` | n/a | yes |
| service\_accounts | The Kubernetes service account | `list(string)` | n/a | yes |
| tags | Tags for Thanos | `map(string)` | <pre>{<br> "made-by": "terraform"<br>}</pre> | no |
| tags | Tags for Thanos | `map(string)` | `{}` | no |

## Outputs

2 changes: 1 addition & 1 deletion modules/thanos/outputs.tf
Expand Up @@ -23,6 +23,6 @@ output "bucket_log" {
}

output "role_arn" {
value = module.thanos_role.iam_role_arn
description = "Amazon Resource Name for Thanos"
value = { for sa in toset(var.service_accounts) : sa => module.thanos_role[sa].iam_role_arn }
}
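Review bot: `output "role_arn"` now yields a map keyed by service account name instead of a single string, so `description = "Amazon Resource Name for Thanos"` no longer describes the value; something like `description = "Map of Kubernetes service account name to the ARN of the IAM role created for it"` would. This is a breaking change for any consumer that read `module.thanos.role_arn` as a string, and neither the PR description nor the visible part of the module README mentions it; the README Outputs table (cut off in this view) should be regenerated to match.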
