diff --git a/modules/grafana/grafana.tf b/modules/grafana/grafana.tf
index 86b802e..e8813d4 100644
--- a/modules/grafana/grafana.tf
+++ b/modules/grafana/grafana.tf
@@ -70,7 +70,7 @@ module "grafana_role" {
 version = "4.7.0"
 create_role = true
- role_description = "Grafana Role"
+ role_description = "Role for Grafana"
 role_name = local.role_name
 provider_url = data.aws_eks_cluster.this.identity[0].oidc[0].issuer
 role_policy_arns = [aws_iam_policy.grafana.arn]
diff --git a/modules/loki/loki.tf b/modules/loki/loki.tf
index 7129aa3..b7e6f60 100644
--- a/modules/loki/loki.tf
+++ b/modules/loki/loki.tf
@@ -12,7 +12,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
-data "aws_iam_policy_document" "loki_permissions" {
+data "aws_iam_policy_document" "bucket" {
 statement {
 effect = "Allow"
@@ -24,11 +24,27 @@ data "aws_iam_policy_document" "loki_permissions" {
 ]
 resources = [
- module.loki_log.s3_bucket_arn,
- "${module.loki_log.s3_bucket_arn}/*"
+ module.loki.s3_bucket_arn,
+ "${module.loki.s3_bucket_arn}/*"
 ]
 }
+ # statement {
+ # effect = "Allow"
+
+ # actions = [
+ # "kms:Encrypt",
+ # "kms:Decrypt",
+ # "kms:GenerateDataKey*",
+ # ]
+
+ # resources = var.enable_kms ? [aws_kms_key.loki[0].arn] : []
+ # }
+}
+
+data "aws_iam_policy_document" "kms" {
+ count = var.enable_kms ? 1 : 0
+
 statement {
 effect = "Allow"
@@ -38,18 +54,32 @@ data "aws_iam_policy_document" "loki_permissions" {
 "kms:GenerateDataKey*",
 ]
- resources = var.enable_kms ? [aws_kms_key.loki[0].arn] : []
+ resources = [
+ aws_kms_key.loki[0].arn
+ ]
 }
+}
+resource "aws_iam_policy" "bucket" {
+ name = format("%s-bucket", local.service_name)
+ path = "/"
+ description = "Bucket permissions for Loki"
+ policy = data.aws_iam_policy_document.bucket.json
+ tags = merge(
+ { "Name" = format("%s-bucket", local.service_name) },
+ local.tags
+ )
 }
-resource "aws_iam_policy" "loki" {
- name = local.service_name
+resource "aws_iam_policy" "kms" {
+ count = var.enable_kms ? 1 : 0
+
+ name = format("%s-kms", local.service_name)
 path = "/"
- description = "Permissions for Loki"
- policy = data.aws_iam_policy_document.loki_permissions.json
+ description = "KMS permissions for Loki"
+ policy = data.aws_iam_policy_document.kms[0].json
 tags = merge(
- { "Name" = local.service_name },
+ { "Name" = format("%s-kms", local.service_name) },
 local.tags
 )
 }
@@ -58,11 +88,16 @@ module "loki_role" {
 source = "terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc"
 version = "4.7.0"
- create_role = true
- role_description = "Loki Role"
- role_name = local.role_name
- provider_url = data.aws_eks_cluster.this.identity[0].oidc[0].issuer
- role_policy_arns = [aws_iam_policy.loki.arn]
+ create_role = true
+ role_description = "Role for Loki"
+ role_name = local.role_name
+ provider_url = data.aws_eks_cluster.this.identity[0].oidc[0].issuer
+ role_policy_arns = var.enable_kms ? [
+ aws_iam_policy.bucket.arn,
+ aws_iam_policy.kms[0].arn,
+ ] : [
+ aws_iam_policy.bucket.arn,
+ ]
 oidc_fully_qualified_subjects = ["system:serviceaccount:${var.namespace}:${var.service_account}"]
 tags = merge(
 { "Name" = local.role_name },
diff --git a/modules/prometheus/prometheus.tf b/modules/prometheus/prometheus.tf
index 3ed5b4c..0e57fe2 100644
--- a/modules/prometheus/prometheus.tf
+++ b/modules/prometheus/prometheus.tf
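Review bot: The `# statement { … # }` block added inside `data "aws_iam_policy_document" "bucket"` is the old KMS statement kept as a comment, and the same dead block is added in the prometheus @@ -27, tempo @@ -24 and thanos @@ -24 hunks; the live statement now exists in the `kms` document directly below it, so these commented lines should be deleted rather than left for the next reader to wonder whether they are pending or retired. The same hunk also moves the bucket references from `module.loki_log.s3_bucket_arn` to `module.loki.s3_bucket_arn` (tempo and thanos do the same); only the reference is visible here, but if the bucket module itself is renamed in this change set rather than in an earlier one, a `moved { from = module.loki_log to = module.loki }` block (Terraform 1.1 or later) is needed so the plan does not destroy and recreate the log bucket and its contents. The `bucket` document opens in the previous hunk, outside this one.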
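Review bot: In `module "loki_role"` the new `role_policy_arns` conditional repeats `aws_iam_policy.bucket.arn` in both branches, which is easy to let drift when a third policy is added; the same shape is used in the prometheus @@ -55, tempo @@ -38 and thanos @@ -38 role blocks. A full splat over the `count`-gated policy yields an empty list when `enable_kms` is false, so one line expresses the optional attachment: `role_policy_arns = concat([aws_iam_policy.bucket.arn], aws_iam_policy.kms[*].arn)`. This is a style point; the attachments themselves are correct as written.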
@@ -12,7 +12,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
-data "aws_iam_policy_document" "prometheus_permissions" {
+data "aws_iam_policy_document" "bucket" {
 statement {
 actions = [
 "s3:ListBucket",
@@ -27,6 +27,22 @@ data "aws_iam_policy_document" "prometheus_permissions" {
 ]
 }
+ # statement {
+ # effect = "Allow"
+
+ # actions = [
+ # "kms:Encrypt",
+ # "kms:Decrypt",
+ # "kms:GenerateDataKey*",
+ # ]
+
+ # resources = var.enable_kms ? [data.aws_kms_key.thanos[0].arn] : []
+ # }
+}
+
+data "aws_iam_policy_document" "kms" {
+ count = var.enable_kms ? 1 : 0
+
 statement {
 effect = "Allow"
@@ -36,17 +52,32 @@ data "aws_iam_policy_document" "prometheus_permissions" {
 "kms:GenerateDataKey*",
 ]
- resources = var.enable_kms ? [data.aws_kms_key.thanos[0].arn] : []
+ resources = [
+ data.aws_kms_key.thanos[0].arn
+ ]
 }
 }
-resource "aws_iam_policy" "prometheus" {
- name = local.service_name
+resource "aws_iam_policy" "bucket" {
+ name = format("%s-bucket", local.service_name)
+ path = "/"
+ description = "Bucket permissions for Prometheus"
+ policy = data.aws_iam_policy_document.bucket.json
+ tags = merge(
+ { "Name" = format("%s-bucket", local.service_name) },
+ local.tags
+ )
+}
+
+resource "aws_iam_policy" "kms" {
+ count = var.enable_kms ? 1 : 0
+
+ name = format("%s-kms", local.service_name)
 path = "/"
- description = "Permissions for Prometheus"
- policy = data.aws_iam_policy_document.prometheus_permissions.json
+ description = "KMS permissions for Prometheus"
+ policy = data.aws_iam_policy_document.kms[0].json
 tags = merge(
- { "Name" = local.service_name },
+ { "Name" = format("%s-kms", local.service_name) },
 local.tags
 )
 }
@@ -55,11 +86,16 @@ module "prometheus_role" {
 source = "terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc"
 version = "4.7.0"
- create_role = true
- role_description = "prometheus Role"
- role_name = local.role_name
- provider_url = data.aws_eks_cluster.this.identity[0].oidc[0].issuer
- role_policy_arns = [aws_iam_policy.prometheus.arn]
+ create_role = true
+ role_description = "prometheus Role"
+ role_name = local.role_name
+ provider_url = data.aws_eks_cluster.this.identity[0].oidc[0].issuer
+ role_policy_arns = var.enable_kms ? [
+ aws_iam_policy.bucket.arn,
+ aws_iam_policy.kms[0].arn,
+ ] : [
+ aws_iam_policy.bucket.arn,
+ ]
 oidc_fully_qualified_subjects = ["system:serviceaccount:${var.namespace}:${var.service_account}"]
 tags = merge(
 { "Name" = local.role_name },
diff --git a/modules/tempo/tempo.tf b/modules/tempo/tempo.tf
index 4b4dfb3..b24b3ac 100644
--- a/modules/tempo/tempo.tf
+++ b/modules/tempo/tempo.tf
@@ -12,7 +12,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
-data "aws_iam_policy_document" "tempo_permissions" {
+data "aws_iam_policy_document" "bucket" {
 statement {
 effect = "Allow"
@@ -24,11 +24,28 @@ data "aws_iam_policy_document" "tempo_permissions" {
 ]
 resources = [
- module.tempo_log.s3_bucket_arn,
- "${module.tempo_log.s3_bucket_arn}/*"
+ module.tempo.s3_bucket_arn,
+ "${module.tempo.s3_bucket_arn}/*"
 ]
 }
+ # statement {
+ # effect = "Allow"
+
+ # actions = [
+ # "kms:Encrypt",
+ # "kms:Decrypt",
+ # "kms:GenerateDataKey*",
+ # ]
+
+ # resources = var.enable_kms ? [aws_kms_key.tempo[0].arn] : []
+ # }
+
+}
+
+data "aws_iam_policy_document" "kms" {
+ count = var.enable_kms ? 1 : 0
+
 statement {
 effect = "Allow"
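Review bot: In `module "prometheus_role"` the re-emitted line `role_description = "prometheus Role"` keeps the old wording while the grafana, loki, tempo and thanos hunks in this commit all switch to the `"Role for <Service>"` form; since the line is already being rewritten for alignment, change it to `role_description = "Role for Prometheus"` so the descriptions read consistently in the IAM console. The rest of the module block, including its `tags`, continues past this hunk.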
@@ -38,31 +55,51 @@ data "aws_iam_policy_document" "tempo_permissions" {
 "kms:GenerateDataKey*",
 ]
- resources = var.enable_kms ? [aws_kms_key.tempo[0].arn] : []
+ resources = [
+ aws_kms_key.tempo[0].arn
+ ]
 }
+}
+resource "aws_iam_policy" "bucket" {
+ name = format("%s-bucket", local.service_name)
+ path = "/"
+ description = "Bucket permissions for Tempo"
+ policy = data.aws_iam_policy_document.bucket.json
+ tags = merge(
+ { "Name" = format("%s-bucket", local.service_name) },
+ local.tags
+ )
 }
-resource "aws_iam_policy" "tempo" {
- name = local.service_name
+resource "aws_iam_policy" "kms" {
+ count = var.enable_kms ? 1 : 0
+
+ name = format("%s-kms", local.service_name)
 path = "/"
- description = "Permissions for Tempo"
- policy = data.aws_iam_policy_document.tempo_permissions.json
+ description = "KMS permissions for Tempo"
+ policy = data.aws_iam_policy_document.kms.json
 tags = merge(
- { "Name" = local.service_name },
+ { "Name" = format("%s-kms", local.service_name) },
 local.tags
 )
 }
+
 module "tempo_role" {
 source = "terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc"
 version = "4.7.0"
- create_role = true
- role_description = "tempo Role"
- role_name = local.role_name
- provider_url = data.aws_eks_cluster.this.identity[0].oidc[0].issuer
- role_policy_arns = [aws_iam_policy.tempo.arn]
+ create_role = true
+ role_description = "Role for Tempo"
+ role_name = local.role_name
+ provider_url = data.aws_eks_cluster.this.identity[0].oidc[0].issuer
+ role_policy_arns = var.enable_kms ? [
+ aws_iam_policy.bucket.arn,
+ aws_iam_policy.kms[0].arn,
+ ] : [
+ aws_iam_policy.bucket.arn,
+ ]
 oidc_fully_qualified_subjects = ["system:serviceaccount:${var.namespace}:${var.service_account}"]
 tags = merge(
 { "Name" = local.role_name },
diff --git a/modules/thanos/README.md b/modules/thanos/README.md
index d2fa527..f046612 100644
--- a/modules/thanos/README.md
+++ b/modules/thanos/README.md
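Review bot: `policy = data.aws_iam_policy_document.kms.json` in `resource "aws_iam_policy" "kms"` references a data source that the previous hunk declares with `count = var.enable_kms ? 1 : 0`, so Terraform will refuse the unindexed reference ("must be accessed on specific instances") and the tempo module fails to validate regardless of the flag's value. The loki, prometheus and thanos counterparts index it correctly; this one should read `policy = data.aws_iam_policy_document.kms[0].json`. The `tempo_role` module block continues past the end of this hunk.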
@@ -83,7 +83,7 @@ tags = {
 | enable\_kms | Enable custom KMS key | `bool` | n/a | yes |
 | namespace | The Kubernetes namespace | `string` | n/a | yes |
 | service\_accounts | The Kubernetes service account | `list(string)` | n/a | yes |
-| tags | Tags for Thanos | `map(string)` |
{
"made-by": "terraform"
}
| no |
+| tags | Tags for Thanos | `map(string)` | `{}` | no |
 ## Outputs
diff --git a/modules/thanos/outputs.tf b/modules/thanos/outputs.tf
index 62f0fb5..fd69d1b 100644
--- a/modules/thanos/outputs.tf
+++ b/modules/thanos/outputs.tf
@@ -23,6 +23,6 @@ output "bucket_log" {
 }
 output "role_arn" {
- value = module.thanos_role.iam_role_arn
 description = "Amazon Resource Name for Thanos"
+ value = { for sa in toset(var.service_accounts) : sa => module.thanos_role[sa].iam_role_arn }
 }
diff --git a/modules/thanos/thanos.tf b/modules/thanos/thanos.tf
index cc1aa2c..e6873fa 100644
--- a/modules/thanos/thanos.tf
+++ b/modules/thanos/thanos.tf
@@ -12,7 +12,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
-data "aws_iam_policy_document" "thanos_permissions" {
+data "aws_iam_policy_document" "bucket" {
 statement {
 effect = "Allow"
@@ -24,11 +24,28 @@ data "aws_iam_policy_document" "thanos_permissions" {
 ]
 resources = [
- module.thanos_log.s3_bucket_arn,
- "${module.thanos_log.s3_bucket_arn}/*"
+ module.thanos.s3_bucket_arn,
+ "${module.thanos.s3_bucket_arn}/*"
 ]
 }
+ # statement {
+ # effect = "Allow"
+
+ # actions = [
+ # "kms:Encrypt",
+ # "kms:Decrypt",
+ # "kms:GenerateDataKey*",
+ # ]
+
+ # resources = var.enable_kms ? [aws_kms_key.thanos[0].arn] : []
+ # }
+
+}
+
+data "aws_iam_policy_document" "kms" {
+ count = var.enable_kms ? 1 : 0
+
 statement {
 effect = "Allow"
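Review bot: The `role_arn` output in modules/thanos/outputs.tf changes type from a single string to a map keyed by service-account name, so any root module that passes `module.thanos.role_arn` into a string-typed argument (an annotation on a ServiceAccount, for example) will now fail at plan time; the README hunk in this commit does not mention the new shape, and it should. The retained `description = "Amazon Resource Name for Thanos"` no longer describes the value either; something like `description = "Map of Kubernetes service account name to the ARN of its Thanos IAM role"` would. If external callers exist, keeping a single-valued output alongside the map would let them migrate without a breaking change.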
@@ -38,33 +55,53 @@ data "aws_iam_policy_document" "thanos_permissions" {
 "kms:GenerateDataKey*",
 ]
- resources = var.enable_kms ? [aws_kms_key.thanos[0].arn] : []
+ resources = [
+ aws_kms_key.thanos[0].arn
+ ]
 }
+}
+resource "aws_iam_policy" "bucket" {
+ name = format("%s-bucket", local.service_name)
+ path = "/"
+ description = "Bucket permissions for Thanos"
+ policy = data.aws_iam_policy_document.bucket.json
+ tags = merge(
+ { "Name" = format("%s-bucket", local.service_name) },
+ local.tags
+ )
 }
-resource "aws_iam_policy" "thanos" {
- name = local.service_name
+resource "aws_iam_policy" "kms" {
+ count = var.enable_kms ? 1 : 0
+
+ name = format("%s-kms", local.service_name)
 path = "/"
- description = "Permissions for Thanos"
- policy = data.aws_iam_policy_document.thanos_permissions.json
+ description = "Bucket permissions for Thanos"
+ policy = data.aws_iam_policy_document.kms[0].json
 tags = merge(
- { "Name" = local.service_name },
+ { "Name" = format("%s-kms", local.service_name) },
 local.tags
 )
 }
+
 module "thanos_role" {
 source = "terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc"
 version = "4.7.0"
 for_each = toset(var.service_accounts)
- create_role = true
- role_description = "thanos Role"
- role_name = local.role_name
- provider_url = data.aws_eks_cluster.this.identity[0].oidc[0].issuer
- role_policy_arns = [aws_iam_policy.thanos.arn]
+ create_role = true
+ role_description = "Role for Thanos"
+ role_name = each.value
+ provider_url = data.aws_eks_cluster.this.identity[0].oidc[0].issuer
+ role_policy_arns = var.enable_kms ? [
+ aws_iam_policy.bucket.arn,
+ aws_iam_policy.kms[0].arn,
+ ] : [
+ aws_iam_policy.bucket.arn,
+ ]
 oidc_fully_qualified_subjects = ["system:serviceaccount:${var.namespace}:${each.value}"]
 tags = merge(
 { "Name" = local.role_name },
diff --git a/modules/thanos/variables.tf b/modules/thanos/variables.tf
index f5d3ab1..e566d66 100644
--- a/modules/thanos/variables.tf
+++ b/modules/thanos/variables.tf
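Review bot: `description = "Bucket permissions for Thanos"` on `resource "aws_iam_policy" "kms"` is copied from the bucket policy above it and mislabels the KMS policy in the IAM console; the loki, prometheus and tempo hunks use the KMS wording, so this should be `description = "KMS permissions for Thanos"`. In `module "thanos_role"`, `role_name = each.value` now names each IAM role after the bare service-account name while the context line `{ "Name" = local.role_name }` still tags every role with the shared local, so the tag no longer matches the role it sits on. IAM role names are unique per AWS account; `local.role_name` is not visible here, but if it carried a cluster or namespace qualifier, deriving the per-account name from it, e.g. `role_name = format("%s-%s", local.role_name, each.value)`, would preserve that scoping and avoid collisions when two namespaces or clusters in the same account declare identically named service accounts. The module block's `tags` call continues past the end of this hunk.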
@@ -34,7 +34,6 @@ variable "tags" {
 type = map(string)
 description = "Tags for Thanos"
 default = {
- "made-by" = "terraform"
 }
 }