feat: Enable CloudWatch Observability EKS add-on

world-federation-of-advertisers · Aug 16, 2024 · 36bbaaf · 36bbaaf
1 parent 362f05e
commit 36bbaaf
Show file tree

Hide file tree

Showing 2 changed files with 59 additions and 43 deletions.
diff --git a/.github/workflows/terraform-cmms.yml b/.github/workflows/terraform-cmms.yml
@@ -55,46 +55,47 @@ jobs:
     steps:
     - uses: actions/checkout@v4
 
-    # Authenticate to Google Cloud. This will export some environment
-    # variables, including GCLOUD_PROJECT.
-    - name: Authenticate to Google Cloud
-      uses: google-github-actions/auth@v2
-      with:
-        workload_identity_provider: ${{ vars.WORKLOAD_IDENTITY_PROVIDER }}
-        service_account: ${{ vars.TF_SERVICE_ACCOUNT }}
-
-    - name: terraform init - gcloud
-      env:
-        TF_STORAGE_BUCKET: ${{ vars.TF_STORAGE_BUCKET }}
-      working-directory: ${{ env.GCLOUD_MODULE_PATH }}
-      run: >
-        terraform init
-        -input=false
-        -lockfile=readonly
-        -backend-config="bucket=$TF_STORAGE_BUCKET"
-
-    - name: terraform plan - gcloud
-      env:
-        KEY_RING: ${{ vars.KEY_RING }}
-        SPANNER_INSTANCE: ${{ vars.SPANNER_INSTANCE }}
-        STORAGE_BUCKET: ${{ vars.STORAGE_BUCKET }}
-        POSTGRES_INSTANCE: ${{ vars.POSTGRES_INSTANCE }}
-        POSTGRES_PASSWORD: ${{ secrets.POSTGRES_PASSWORD }}
-      working-directory: ${{ env.GCLOUD_MODULE_PATH }}
-      run: >
-        terraform plan
-        -input=false
-        -var="key_ring_name=$KEY_RING"
-        -var="spanner_instance_name=$SPANNER_INSTANCE"
-        -var="storage_bucket_name=$STORAGE_BUCKET"
-        -var="postgres_instance_name=$POSTGRES_INSTANCE"
-        -var="postgres_password=$POSTGRES_PASSWORD"
-        -out=tfplan
-
-    - name: terraform apply - gcloud
-      if: ${{ inputs.apply }}
-      working-directory: ${{ env.GCLOUD_MODULE_PATH }}
-      run: terraform apply -input=false tfplan
+# DO_NOT_SUBMIT: Re-enable when done with manual testing.
+#    # Authenticate to Google Cloud. This will export some environment
+#    # variables, including GCLOUD_PROJECT.
+#    - name: Authenticate to Google Cloud
+#      uses: google-github-actions/auth@v2
+#      with:
+#        workload_identity_provider: ${{ vars.WORKLOAD_IDENTITY_PROVIDER }}
+#        service_account: ${{ vars.TF_SERVICE_ACCOUNT }}
+#
+#    - name: terraform init - gcloud
+#      env:
+#        TF_STORAGE_BUCKET: ${{ vars.TF_STORAGE_BUCKET }}
+#      working-directory: ${{ env.GCLOUD_MODULE_PATH }}
+#      run: >
+#        terraform init
+#        -input=false
+#        -lockfile=readonly
+#        -backend-config="bucket=$TF_STORAGE_BUCKET"
+#
+#    - name: terraform plan - gcloud
+#      env:
+#        KEY_RING: ${{ vars.KEY_RING }}
+#        SPANNER_INSTANCE: ${{ vars.SPANNER_INSTANCE }}
+#        STORAGE_BUCKET: ${{ vars.STORAGE_BUCKET }}
+#        POSTGRES_INSTANCE: ${{ vars.POSTGRES_INSTANCE }}
+#        POSTGRES_PASSWORD: ${{ secrets.POSTGRES_PASSWORD }}
+#      working-directory: ${{ env.GCLOUD_MODULE_PATH }}
+#      run: >
+#        terraform plan
+#        -input=false
+#        -var="key_ring_name=$KEY_RING"
+#        -var="spanner_instance_name=$SPANNER_INSTANCE"
+#        -var="storage_bucket_name=$STORAGE_BUCKET"
+#        -var="postgres_instance_name=$POSTGRES_INSTANCE"
+#        -var="postgres_password=$POSTGRES_PASSWORD"
+#        -out=tfplan
+#
+#    - name: terraform apply - gcloud
+#      if: ${{ inputs.apply }}
+#      working-directory: ${{ env.GCLOUD_MODULE_PATH }}
+#      run: terraform apply -input=false tfplan
 
     # Authenticate to AWS Cloud. This will export some environment
     - name: Configure AWS Credentials

diff --git a/src/main/terraform/aws/modules/eks-cluster/main.tf b/src/main/terraform/aws/modules/eks-cluster/main.tf
@@ -37,6 +37,9 @@ module "eks" {
     vpc-cni = {
       most_recent = true
     }
+    amazon-cloudwatch-observability = {
+      most_recent = true
+    }
   }
 
   eks_managed_node_group_defaults = {
@@ -78,12 +81,24 @@ module "eks" {
     }
   }
 
-  kms_key_administrators    = var.kms_key_administrators
-  create_kms_key            = true
-  enable_kms_key_rotation   = true
+  kms_key_administrators  = var.kms_key_administrators
+  create_kms_key          = true
+  enable_kms_key_rotation = true
   cluster_encryption_config = {
     "resources" : [
       "secrets"
     ]
   }
 }
+
+resource "aws_iam_role_policy_attachment" "cloudwatch_policy_attachment" {
+  for_each = module.eks.eks_managed_node_groups
+
+  role       = each.value.iam_role_name
+  policy_arn = "arn:aws:iam::aws:policy/CloudWatchAgentServerPolicy"
+}
+
+moved {
+  from = aws_iam_role_policy_attachment.cluster_cloudwatch_role
+  to   = aws_iam_role_policy_attachment.cloudwatch_policy_attachment["default"]
+}