EKS Pod identity and IRSA #208

Merged
merged 22 commits into from
Aug 28, 2024
2 changes: 2 additions & 0 deletions .mise.toml
@@ -0,0 +1,2 @@
[tools]
terraform = "latest"
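
Review bot: `terraform = "latest"` makes the toolchain non-reproducible, and since this PR also deletes `.terraform-version`, nothing pins the Terraform release any more; CI and contributors can silently diverge on the binary used to plan and apply, and a future Terraform release can change plan behaviour on a module that "didn't change". Pin an explicit version in `[tools]` (the one `.terraform-version` carried, or whichever release the modules are tested against) and bump it deliberately.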
1 change: 0 additions & 1 deletion .terraform-version

This file was deleted.

1 change: 0 additions & 1 deletion README.md
@@ -6,7 +6,6 @@ This module consists of the following submodules:

- [Prometheus](https://github.com/nlamirault/terraform-aws-observability/tree/master/modules/prometheus)
- [Mimir](https://github.com/nlamirault/terraform-aws-observability/tree/master/modules/mimir)
- [Thanos](https://github.com/nlamirault/terraform-aws-observability/tree/master/modules/thanos)
- [Loki](https://github.com/nlamirault/terraform-aws-observability/tree/master/modules/loki)
- [Tempo](https://github.com/nlamirault/terraform-aws-observability/tree/master/modules/tempo)
- [Grafana](https://github.com/nlamirault/terraform-aws-observability/tree/master/modules/grafana)
20 changes: 8 additions & 12 deletions modules/adot/README.md
@@ -1,28 +1,22 @@
# Observability / AWS Distro for OpenTelemetry (ADOT) Operator

Terraform module which configure the AWS Distro for OpenTelemetry (ADOT) Operator

## Documentation

<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
## Requirements

| Name | Version |
|------|---------|
| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0.0 |
| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 4.0.0 |
| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.30 |

## Providers

| Name | Version |
|------|---------|
| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 4.0.0 |
| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 5.30 |

## Modules

| Name | Source | Version |
|------|--------|---------|
| <a name="module_irsa"></a> [irsa](#module\_irsa) | terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc | 5.5.2 |
| <a name="module_irsa"></a> [irsa](#module\_irsa) | terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc | 5.44.0 |
| <a name="module_pod_identity"></a> [pod\_identity](#module\_pod\_identity) | terraform-aws-modules/eks-pod-identity/aws | 1.4.0 |

## Resources

@@ -38,6 +32,8 @@ Terraform module which configure the AWS Distro for OpenTelemetry (ADOT) Operato
| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| <a name="input_cluster_name"></a> [cluster\_name](#input\_cluster\_name) | Name of the EKS cluster | `string` | n/a | yes |
| <a name="input_enable_irsa"></a> [enable\_irsa](#input\_enable\_irsa) | Enable IRSA resources | `bool` | n/a | yes |
| <a name="input_enable_pod_identity"></a> [enable\_pod\_identity](#input\_enable\_pod\_identity) | Enable EKS Pod Identity resources | `bool` | n/a | yes |
| <a name="input_namespace"></a> [namespace](#input\_namespace) | The Kubernetes namespace | `string` | n/a | yes |
| <a name="input_service_account"></a> [service\_account](#input\_service\_account) | The Kubernetes service account | `string` | n/a | yes |
| <a name="input_tags"></a> [tags](#input\_tags) | Tags for resources | `map(string)` | <pre>{<br> "Made-By": "Terraform"<br>}</pre> | no |
@@ -46,5 +42,5 @@ Terraform module which configure the AWS Distro for OpenTelemetry (ADOT) Operato

| Name | Description |
|------|-------------|
| <a name="output_role_arn"></a> [role\_arn](#output\_role\_arn) | Amazon Resource Name for ADOT Collector |
<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
| <a name="output_irsa_role_arn"></a> [irsa\_role\_arn](#output\_irsa\_role\_arn) | Amazon Resource Name for ADOT Collector |
| <a name="output_pod_identity_role_arn"></a> [pod\_identity\_role\_arn](#output\_pod\_identity\_role\_arn) | Amazon Resource Name for ADOT Collector |
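
Review bot: dropping `role_arn` in favour of `irsa_role_arn` and `pod_identity_role_arn` is a breaking change for every caller that reads `module.<name>.role_arn`; flag it in the release notes. The two new outputs also carry the identical description "Amazon Resource Name for ADOT Collector", which terraform-docs copies from `outputs.tf`; reword them there so each says which role it is (IRSA role vs. EKS Pod Identity role) and that the value is now a list rather than a single string.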
31 changes: 31 additions & 0 deletions modules/adot/iam.tf
@@ -18,6 +18,8 @@ module "irsa" {
source = "terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc"
version = "5.44.0"

for_each = var.enable_irsa ? toset(["1"]) : toset([])

create_role = true
role_description = "ADOTCollector"
role_name = local.role_name
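
Review bot: `for_each = var.enable_irsa ? toset(["1"]) : toset([])` turns `module.irsa` into a map keyed by `"1"`, so every resource address inside it changes from `module.irsa.*` to `module.irsa["1"].*` and an existing state will plan a destroy and recreate of the ADOT role. Add `moved { from = module.irsa  to = module.irsa["1"] }` so the state is re-addressed instead (note `moved` needs Terraform >= 1.1 while the module still declares >= 1.0.0), or use the more conventional `count = var.enable_irsa ? 1 : 0`, which yields the less surprising address `module.irsa[0]`.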
@@ -34,3 +36,32 @@ module "irsa" {
var.tags
)
}

module "pod_identity" {
source = "terraform-aws-modules/eks-pod-identity/aws"
version = "1.4.0"

for_each = var.enable_pod_identity ? toset(["1"]) : toset([])

name = local.role_name

# attach_custom_policy = true
additional_policy_arns = {
CloudWatchAgentServerPolicy = data.aws_iam_policy.cloudwatch_agent_server.arn,
AmazonPrometheusRemoteWriteAccess = data.aws_iam_policy.amp_remote_write_access.arn,
AWSXrayWriteOnlyAccess = data.aws_iam_policy.xray_write_access.arn
}

associations = {
main = {
cluster_name = data.aws_eks_cluster.this.id
namespace = var.namespace
service_account = var.service_account
}
}

tags = merge(
{ "Name" = local.role_name },
var.tags
)
}
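
Review bot: both modules derive their IAM role name from the same `local.role_name` (`role_name = local.role_name` in `module.irsa`, `name = local.role_name` here); unless the eks-pod-identity module adds a prefix or suffix of its own, setting `enable_irsa` and `enable_pod_identity` both to true makes two `aws_iam_role` resources compete for one name and the apply fails. Either give this role a distinct name such as `"${local.role_name}-pod-identity"` or reject that combination up front. Drop the commented-out `# attach_custom_policy = true`, which is dead code. This module also attaches three managed policies by ARN (CloudWatchAgentServerPolicy, AmazonPrometheusRemoteWriteAccess, AWSXrayWriteOnlyAccess); confirm the set is identical to what the IRSA role receives, otherwise the two credential paths grant the collector different permissions.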
2 changes: 1 addition & 1 deletion modules/adot/main.tf
@@ -20,7 +20,7 @@ terraform {
required_providers {
aws = {
source = "hashicorp/aws"
version = ">= 4.0.0"
version = ">= 5.30"
}
}
}
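
Review bot: the constraint is spelled `>= 5.30` here but `>= 5.30.0` in `modules/cloudwatch/main.tf`; both parse the same, but pick one form so the terraform-docs-generated READMEs stop diverging. A one-line comment stating why 5.30 is the floor (presumably the EKS Pod Identity resources the new `pod_identity` module needs) would save the next reader a changelog search.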
9 changes: 7 additions & 2 deletions modules/adot/outputs.tf
@@ -14,7 +14,12 @@
#
# SPDX-License-Identifier: Apache-2.0

output "role_arn" {
value = module.irsa.iam_role_arn
output "irsa_role_arn" {
value = [for irsa in module.irsa : irsa.iam_role_arn]
description = "Amazon Resource Name for ADOT Collector"
}

output "pod_identity_role_arn" {
value = [for pod_id in module.pod_identity : pod_id.iam_role_arn]
description = "Amazon Resource Name for ADOT Collector"
}
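
Review bot: `[for irsa in module.irsa : irsa.iam_role_arn]` makes the output a list that is either empty or has exactly one element, so every caller now has to index it; `one([for irsa in module.irsa : irsa.iam_role_arn])` (available since Terraform 1.0) returns the single ARN, or `null` when the toggle is off, and keeps the scalar shape the old `role_arn` had. The same applies to `pod_identity_role_arn`.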
10 changes: 10 additions & 0 deletions modules/adot/variables.tf
@@ -29,6 +29,16 @@ variable "service_account" {
description = "The Kubernetes service account"
}

variable "enable_irsa" {
type = bool
description = "Enable IRSA resources"
}

variable "enable_pod_identity" {
type = bool
description = "Enable EKS Pod Identity resources"
}

variable "tags" {
type = map(string)
description = "Tags for resources"
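
Review bot: `enable_irsa` and `enable_pod_identity` have no `default`, so every existing caller of the module fails validation until it sets both; give them defaults (`false` for both, or `true` for `enable_irsa` to keep the pre-PR behaviour where the IRSA role was always created). Since both paths name their role from `local.role_name`, also consider a `validation` or `precondition` that rejects both flags being true at the same time.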
10 changes: 1 addition & 9 deletions modules/amg/README.md
@@ -1,10 +1,3 @@
# Observability / Amazon Managed Grafana

Terraform module which configure Amazon Managed Grafana resources on Amazon AWS

## Documentation

<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
## Requirements

| Name | Version |
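
Review bot: removing the `<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->` / `<!-- END ... -->` markers together with the `## Documentation` heading leaves the terraform-docs pre-commit hook with no injection target in this file; check that the hook is still configured to rewrite these tables (for example through a `.terraform-docs.yml` that supplies its own markers), or the README will drift from `variables.tf` and `outputs.tf`. The same markers are removed from the adot, amp and cloudwatch READMEs in this PR.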
@@ -20,7 +13,7 @@ No providers.

| Name | Source | Version |
|------|--------|---------|
| <a name="module_managed_grafana"></a> [managed\_grafana](#module\_managed\_grafana) | terraform-aws-modules/managed-service-grafana/aws | 1.5.0 |
| <a name="module_managed_grafana"></a> [managed\_grafana](#module\_managed\_grafana) | terraform-aws-modules/managed-service-grafana/aws | 2.1.1 |

## Resources
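
Review bot: `terraform-aws-modules/managed-service-grafana/aws` jumps from 1.5.0 to 2.1.1, a major version, with no accompanying change to the module's own inputs in this PR; confirm against the upstream changelog that no input was renamed or removed and that the plan on an existing workspace is a no-op, because replacing a Managed Grafana workspace loses everything configured inside it.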

@@ -36,4 +29,3 @@ No resources.
## Outputs

No outputs.
<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
10 changes: 1 addition & 9 deletions modules/amp/README.md
@@ -1,10 +1,3 @@
# Observability / AWS Managed Service for Prometheus

Terraform module which configure an AWS managed service for Prometheus instance.

## Documentation

<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
## Requirements

| Name | Version |
@@ -20,7 +13,7 @@ No providers.

| Name | Source | Version |
|------|--------|---------|
| <a name="module_amp"></a> [amp](#module\_amp) | terraform-aws-modules/managed-service-prometheus/aws | 2.2.0 |
| <a name="module_amp"></a> [amp](#module\_amp) | terraform-aws-modules/managed-service-prometheus/aws | 3.0.0 |

## Resources
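
Review bot: the amp module goes from 2.2.0 to 3.0.0, a major bump with no accompanying change to `modules/amp`; verify the plan is a no-op for existing workspaces, because a replaced AMP workspace gets a new ARN and endpoint (the `amp_arn` and `amp_endpoint` outputs below) and every collector's remote-write target would have to be updated.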

@@ -40,4 +33,3 @@ No resources.
| <a name="output_amp_arn"></a> [amp\_arn](#output\_amp\_arn) | Amazon Resource Name of the workspace |
| <a name="output_amp_endpoint"></a> [amp\_endpoint](#output\_amp\_endpoint) | Prometheus endpoint available for this workspace |
| <a name="output_amp_id"></a> [amp\_id](#output\_amp\_id) | Identifier of the workspace |
<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
20 changes: 8 additions & 12 deletions modules/cloudwatch/README.md
@@ -1,28 +1,22 @@
# Observability / Cloudwatch

Terraform module which configure Grafana Cloudwatch resources on Amazon AWS

## Documentation

<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
## Requirements

| Name | Version |
|------|---------|
| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0.0 |
| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 4.0.0 |
| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.30.0 |

## Providers

| Name | Version |
|------|---------|
| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 4.0.0 |
| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 5.30.0 |

## Modules

| Name | Source | Version |
|------|--------|---------|
| <a name="module_irsa_agent"></a> [irsa\_agent](#module\_irsa\_agent) | terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc | 5.5.2 |
| <a name="module_irsa"></a> [irsa](#module\_irsa) | terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc | 5.44.0 |
| <a name="module_pod_identity"></a> [pod\_identity](#module\_pod\_identity) | terraform-aws-modules/eks-pod-identity/aws | 1.4.0 |

## Resources

@@ -41,7 +35,9 @@ Terraform module which configure Grafana Cloudwatch resources on Amazon AWS
|------|-------------|------|---------|:--------:|
| <a name="input_cluster_name"></a> [cluster\_name](#input\_cluster\_name) | Name of the EKS cluster | `string` | n/a | yes |
| <a name="input_deletion_window_in_days"></a> [deletion\_window\_in\_days](#input\_deletion\_window\_in\_days) | Duration in days after which the key is deleted after destruction of the resource, must be between 7 and 30 days | `number` | `30` | no |
| <a name="input_enable_irsa"></a> [enable\_irsa](#input\_enable\_irsa) | Enable IRSA resources | `bool` | n/a | yes |
| <a name="input_enable_kms"></a> [enable\_kms](#input\_enable\_kms) | Enable custom KMS key | `bool` | n/a | yes |
| <a name="input_enable_pod_identity"></a> [enable\_pod\_identity](#input\_enable\_pod\_identity) | Enable EKS Pod Identity resources | `bool` | n/a | yes |
| <a name="input_log_retention_in_days"></a> [log\_retention\_in\_days](#input\_log\_retention\_in\_days) | Number of days to retain log events | `number` | `90` | no |
| <a name="input_namespace"></a> [namespace](#input\_namespace) | The Kubernetes namespace | `string` | n/a | yes |
| <a name="input_service_account"></a> [service\_account](#input\_service\_account) | The Kubernetes service account | `string` | n/a | yes |
@@ -51,5 +47,5 @@ Terraform module which configure Grafana Cloudwatch resources on Amazon AWS

| Name | Description |
|------|-------------|
| <a name="output_agent_role_arn"></a> [agent\_role\_arn](#output\_agent\_role\_arn) | Amazon Resource Name for Cloudwatch Agent |
<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
| <a name="output_irsa_role_arn"></a> [irsa\_role\_arn](#output\_irsa\_role\_arn) | Amazon Resource Name for Cloudwatch Agent |
| <a name="output_pod_identity_role_arn"></a> [pod\_identity\_role\_arn](#output\_pod\_identity\_role\_arn) | Amazon Resource Name for Cloudwatch Agent |
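
Review bot: `agent_role_arn` is removed and its successor `irsa_role_arn` is a list rather than a string, so this is breaking for callers and belongs in the release notes; as in the adot module, the two new outputs share one description ("Amazon Resource Name for Cloudwatch Agent") and should say which role each one is.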
28 changes: 27 additions & 1 deletion modules/cloudwatch/iam.tf
@@ -14,10 +14,12 @@
#
# SPDX-License-Identifier: Apache-2.0

module "irsa_agent" {
module "irsa" {
source = "terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc"
version = "5.44.0"

for_each = var.enable_irsa ? toset(["1"]) : toset([])

create_role = true
role_description = "Cloudwatch Agent"
role_name = local.role_name
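
Review bot: this hunk changes the module address twice, `module.irsa_agent` to `module.irsa` and then, through `for_each`, to `module.irsa["1"]`; without a `moved { from = module.irsa_agent  to = module.irsa["1"] }` block Terraform will destroy the Cloudwatch Agent role and create a new one, and pods assuming it fail until the replacement exists. `moved` requires Terraform >= 1.1 while the module declares >= 1.0.0, so bump the constraint alongside it.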
@@ -32,3 +34,27 @@ module "irsa_agent" {
var.tags
)
}

module "pod_identity" {
source = "terraform-aws-modules/eks-pod-identity/aws"
version = "1.4.0"

for_each = var.enable_pod_identity ? toset(["1"]) : toset([])

name = local.role_name

attach_aws_cloudwatch_observability_policy = true

associations = {
main = {
cluster_name = data.aws_eks_cluster.this.id
namespace = var.namespace
service_account = var.service_account
}
}

tags = merge(
{ "Name" = local.role_name },
var.tags
)
}
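
Review bot: same name-collision risk as in `modules/adot/iam.tf`: `name = local.role_name` here and `role_name = local.role_name` in `module.irsa`, so enabling both flags can clash unless the eks-pod-identity module alters the name. This role also gets its permissions from `attach_aws_cloudwatch_observability_policy = true` whereas the adot pod identity role lists policy ARNs explicitly; either style is fine, but make sure the resulting policy set equals what the IRSA role attaches, otherwise moving a cluster from IRSA to Pod Identity silently changes the agent's permissions.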
2 changes: 1 addition & 1 deletion modules/cloudwatch/main.tf
@@ -20,7 +20,7 @@ terraform {
required_providers {
aws = {
source = "hashicorp/aws"
version = ">= 4.0.0"
version = ">= 5.30.0"
}
}
}
9 changes: 7 additions & 2 deletions modules/cloudwatch/outputs.tf
@@ -14,7 +14,12 @@
#
# SPDX-License-Identifier: Apache-2.0

output "agent_role_arn" {
value = module.irsa_agent.iam_role_arn
output "irsa_role_arn" {
value = [for irsa in module.irsa : irsa.iam_role_arn]
description = "Amazon Resource Name for Cloudwatch Agent"
}

output "pod_identity_role_arn" {
value = [for pod_id in module.pod_identity : pod_id.iam_role_arn]
description = "Amazon Resource Name for Cloudwatch Agent"
}
10 changes: 10 additions & 0 deletions modules/cloudwatch/variables.tf
@@ -38,6 +38,16 @@ variable "service_account" {
description = "The Kubernetes service account"
}

variable "enable_irsa" {
type = bool
description = "Enable IRSA resources"
}

variable "enable_pod_identity" {
type = bool
description = "Enable EKS Pod Identity resources"
}

variable "tags" {
type = map(string)
description = "Tags for Cloudwatch"