Merge pull request #208 from nlamirault/feat/eks-pod-identity

EKS Pod identity and IRSA
nlamirault · Aug 28, 2024 · 47d9cac · 47d9cac
2 parents 2c76759 + 0778539
commit 47d9cac
Show file tree

Hide file tree

Showing 44 changed files with 416 additions and 536 deletions.
diff --git a/.mise.toml b/.mise.toml
@@ -0,0 +1,2 @@
+[tools]
+terraform = "latest"
diff --git a/.terraform-version b/.terraform-version
diff --git a/README.md b/README.md
@@ -6,7 +6,6 @@ This module consists of the following submodules:
 
 - [Prometheus](https://github.com/nlamirault/terraform-aws-observability/tree/master/modules/prometheus)
 - [Mimir](https://github.com/nlamirault/terraform-aws-observability/tree/master/modules/mimir)
-- [Thanos](https://github.com/nlamirault/terraform-aws-observability/tree/master/modules/thanos)
 - [Loki](https://github.com/nlamirault/terraform-aws-observability/tree/master/modules/loki)
 - [Tempo](https://github.com/nlamirault/terraform-aws-observability/tree/master/modules/tempo)
 - [Grafana](https://github.com/nlamirault/terraform-aws-observability/tree/master/modules/grafana)

diff --git a/modules/adot/README.md b/modules/adot/README.md
@@ -1,28 +1,22 @@
-# Observability / AWS Distro for OpenTelemetry (ADOT) Operator
-
-Terraform module which configure the AWS Distro for OpenTelemetry (ADOT) Operator
-
-## Documentation
-
-<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
 ## Requirements
 
 | Name | Version |
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0.0 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 4.0.0 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.30 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 4.0.0 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 5.30 |
 
 ## Modules
 
 | Name | Source | Version |
 |------|--------|---------|
-| <a name="module_irsa"></a> [irsa](#module\_irsa) | terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc | 5.5.2 |
+| <a name="module_irsa"></a> [irsa](#module\_irsa) | terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc | 5.44.0 |
+| <a name="module_pod_identity"></a> [pod\_identity](#module\_pod\_identity) | terraform-aws-modules/eks-pod-identity/aws | 1.4.0 |
 
 ## Resources
 
@@ -38,6 +32,8 @@ Terraform module which configure the AWS Distro for OpenTelemetry (ADOT) Operato
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | <a name="input_cluster_name"></a> [cluster\_name](#input\_cluster\_name) | Name of the EKS cluster | `string` | n/a | yes |
+| <a name="input_enable_irsa"></a> [enable\_irsa](#input\_enable\_irsa) | Enable IRSA resources | `bool` | n/a | yes |
+| <a name="input_enable_pod_identity"></a> [enable\_pod\_identity](#input\_enable\_pod\_identity) | Enable EKS Pod Identity resources | `bool` | n/a | yes |
 | <a name="input_namespace"></a> [namespace](#input\_namespace) | The Kubernetes namespace | `string` | n/a | yes |
 | <a name="input_service_account"></a> [service\_account](#input\_service\_account) | The Kubernetes service account | `string` | n/a | yes |
 | <a name="input_tags"></a> [tags](#input\_tags) | Tags for resources | `map(string)` | <pre>{<br>  "Made-By": "Terraform"<br>}</pre> | no |
@@ -46,5 +42,5 @@ Terraform module which configure the AWS Distro for OpenTelemetry (ADOT) Operato
 
 | Name | Description |
 |------|-------------|
-| <a name="output_role_arn"></a> [role\_arn](#output\_role\_arn) | Amazon Resource Name for ADOT Collector |
-<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+| <a name="output_irsa_role_arn"></a> [irsa\_role\_arn](#output\_irsa\_role\_arn) | Amazon Resource Name for ADOT Collector |
+| <a name="output_pod_identity_role_arn"></a> [pod\_identity\_role\_arn](#output\_pod\_identity\_role\_arn) | Amazon Resource Name for ADOT Collector |
diff --git a/modules/adot/iam.tf b/modules/adot/iam.tf
@@ -18,6 +18,8 @@ module "irsa" {
   source  = "terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc"
   version = "5.44.0"
 
+  for_each = var.enable_irsa ? toset(["1"]) : toset([])
+
   create_role      = true
   role_description = "ADOTCollector"
   role_name        = local.role_name
@@ -34,3 +36,32 @@ module "irsa" {
     var.tags
   )
 }
+
+module "pod_identity" {
+  source  = "terraform-aws-modules/eks-pod-identity/aws"
+  version = "1.4.0"
+
+  for_each = var.enable_pod_identity ? toset(["1"]) : toset([])
+
+  name = local.role_name
+
+  # attach_custom_policy = true
+  additional_policy_arns = {
+    CloudWatchAgentServerPolicy       = data.aws_iam_policy.cloudwatch_agent_server.arn,
+    AmazonPrometheusRemoteWriteAccess = data.aws_iam_policy.amp_remote_write_access.arn,
+    AWSXrayWriteOnlyAccess            = data.aws_iam_policy.xray_write_access.arn
+  }
+
+  associations = {
+    main = {
+      cluster_name    = data.aws_eks_cluster.this.id
+      namespace       = var.namespace
+      service_account = var.service_account
+    }
+  }
+
+  tags = merge(
+    { "Name" = local.role_name },
+    var.tags
+  )
+}
diff --git a/modules/adot/main.tf b/modules/adot/main.tf
@@ -20,7 +20,7 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = ">= 4.0.0"
+      version = ">= 5.30"
     }
   }
 }
diff --git a/modules/adot/outputs.tf b/modules/adot/outputs.tf
@@ -14,7 +14,12 @@
 #
 # SPDX-License-Identifier: Apache-2.0
 
-output "role_arn" {
-  value       = module.irsa.iam_role_arn
+output "irsa_role_arn" {
+  value       = [for irsa in module.irsa : irsa.iam_role_arn]
+  description = "Amazon Resource Name for ADOT Collector"
+}
+
+output "pod_identity_role_arn" {
+  value       = [for pod_id in module.pod_identity : pod_id.iam_role_arn]
   description = "Amazon Resource Name for ADOT Collector"
 }
diff --git a/modules/adot/variables.tf b/modules/adot/variables.tf
@@ -29,6 +29,16 @@ variable "service_account" {
   description = "The Kubernetes service account"
 }
 
+variable "enable_irsa" {
+  type        = bool
+  description = "Enable IRSA resources"
+}
+
+variable "enable_pod_identity" {
+  type        = bool
+  description = "Enable EKS Pod Identity resources"
+}
+
 variable "tags" {
   type        = map(string)
   description = "Tags for resources"

diff --git a/modules/amg/README.md b/modules/amg/README.md
@@ -1,10 +1,3 @@
-# Observability / Amazon Managed Grafana
-
-Terraform module which configure Amazon Managed Grafana resources on Amazon AWS
-
-## Documentation
-
-<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
 ## Requirements
 
 | Name | Version |
@@ -20,7 +13,7 @@ No providers.
 
 | Name | Source | Version |
 |------|--------|---------|
-| <a name="module_managed_grafana"></a> [managed\_grafana](#module\_managed\_grafana) | terraform-aws-modules/managed-service-grafana/aws | 1.5.0 |
+| <a name="module_managed_grafana"></a> [managed\_grafana](#module\_managed\_grafana) | terraform-aws-modules/managed-service-grafana/aws | 2.1.1 |
 
 ## Resources
 
@@ -36,4 +29,3 @@ No resources.
 ## Outputs
 
 No outputs.
-<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
diff --git a/modules/amp/README.md b/modules/amp/README.md
@@ -1,10 +1,3 @@
-# Observability / AWS Managed Service for Prometheus
-
-Terraform module which configure an AWS managed service for Prometheus instance.
-
-## Documentation
-
-<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
 ## Requirements
 
 | Name | Version |
@@ -20,7 +13,7 @@ No providers.
 
 | Name | Source | Version |
 |------|--------|---------|
-| <a name="module_amp"></a> [amp](#module\_amp) | terraform-aws-modules/managed-service-prometheus/aws | 2.2.0 |
+| <a name="module_amp"></a> [amp](#module\_amp) | terraform-aws-modules/managed-service-prometheus/aws | 3.0.0 |
 
 ## Resources
 
@@ -40,4 +33,3 @@ No resources.
 | <a name="output_amp_arn"></a> [amp\_arn](#output\_amp\_arn) | Amazon Resource Name of the workspace |
 | <a name="output_amp_endpoint"></a> [amp\_endpoint](#output\_amp\_endpoint) | Prometheus endpoint available for this workspace |
 | <a name="output_amp_id"></a> [amp\_id](#output\_amp\_id) | Identifier of the workspace |
-<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
diff --git a/modules/cloudwatch/README.md b/modules/cloudwatch/README.md
@@ -1,28 +1,22 @@
-# Observability / Cloudwatch
-
-Terraform module which configure Grafana Cloudwatch resources on Amazon AWS
-
-## Documentation
-
-<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
 ## Requirements
 
 | Name | Version |
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0.0 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 4.0.0 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.30.0 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 4.0.0 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 5.30.0 |
 
 ## Modules
 
 | Name | Source | Version |
 |------|--------|---------|
-| <a name="module_irsa_agent"></a> [irsa\_agent](#module\_irsa\_agent) | terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc | 5.5.2 |
+| <a name="module_irsa"></a> [irsa](#module\_irsa) | terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc | 5.44.0 |
+| <a name="module_pod_identity"></a> [pod\_identity](#module\_pod\_identity) | terraform-aws-modules/eks-pod-identity/aws | 1.4.0 |
 
 ## Resources
 
@@ -41,7 +35,9 @@ Terraform module which configure Grafana Cloudwatch resources on Amazon AWS
 |------|-------------|------|---------|:--------:|
 | <a name="input_cluster_name"></a> [cluster\_name](#input\_cluster\_name) | Name of the EKS cluster | `string` | n/a | yes |
 | <a name="input_deletion_window_in_days"></a> [deletion\_window\_in\_days](#input\_deletion\_window\_in\_days) | Duration in days after which the key is deleted after destruction of the resource, must be between 7 and 30 days | `number` | `30` | no |
+| <a name="input_enable_irsa"></a> [enable\_irsa](#input\_enable\_irsa) | Enable IRSA resources | `bool` | n/a | yes |
 | <a name="input_enable_kms"></a> [enable\_kms](#input\_enable\_kms) | Enable custom KMS key | `bool` | n/a | yes |
+| <a name="input_enable_pod_identity"></a> [enable\_pod\_identity](#input\_enable\_pod\_identity) | Enable EKS Pod Identity resources | `bool` | n/a | yes |
 | <a name="input_log_retention_in_days"></a> [log\_retention\_in\_days](#input\_log\_retention\_in\_days) | Number of days to retain log events | `number` | `90` | no |
 | <a name="input_namespace"></a> [namespace](#input\_namespace) | The Kubernetes namespace | `string` | n/a | yes |
 | <a name="input_service_account"></a> [service\_account](#input\_service\_account) | The Kubernetes service account | `string` | n/a | yes |
@@ -51,5 +47,5 @@ Terraform module which configure Grafana Cloudwatch resources on Amazon AWS
 
 | Name | Description |
 |------|-------------|
-| <a name="output_agent_role_arn"></a> [agent\_role\_arn](#output\_agent\_role\_arn) | Amazon Resource Name for Cloudwatch Agent |
-<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+| <a name="output_irsa_role_arn"></a> [irsa\_role\_arn](#output\_irsa\_role\_arn) | Amazon Resource Name for Cloudwatch Agent |
+| <a name="output_pod_identity_role_arn"></a> [pod\_identity\_role\_arn](#output\_pod\_identity\_role\_arn) | Amazon Resource Name for Cloudwatch Agent |
diff --git a/modules/cloudwatch/iam.tf b/modules/cloudwatch/iam.tf
@@ -14,10 +14,12 @@
 #
 # SPDX-License-Identifier: Apache-2.0
 
-module "irsa_agent" {
+module "irsa" {
   source  = "terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc"
   version = "5.44.0"
 
+  for_each = var.enable_irsa ? toset(["1"]) : toset([])
+
   create_role      = true
   role_description = "Cloudwatch Agent"
   role_name        = local.role_name
@@ -32,3 +34,27 @@ module "irsa_agent" {
     var.tags
   )
 }
+
+module "pod_identity" {
+  source  = "terraform-aws-modules/eks-pod-identity/aws"
+  version = "1.4.0"
+
+  for_each = var.enable_pod_identity ? toset(["1"]) : toset([])
+
+  name = local.role_name
+
+  attach_aws_cloudwatch_observability_policy = true
+
+  associations = {
+    main = {
+      cluster_name    = data.aws_eks_cluster.this.id
+      namespace       = var.namespace
+      service_account = var.service_account
+    }
+  }
+
+  tags = merge(
+    { "Name" = local.role_name },
+    var.tags
+  )
+}
diff --git a/modules/cloudwatch/main.tf b/modules/cloudwatch/main.tf
@@ -20,7 +20,7 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = ">= 4.0.0"
+      version = ">= 5.30.0"
     }
   }
 }
diff --git a/modules/cloudwatch/outputs.tf b/modules/cloudwatch/outputs.tf
@@ -14,7 +14,12 @@
 #
 # SPDX-License-Identifier: Apache-2.0
 
-output "agent_role_arn" {
-  value       = module.irsa_agent.iam_role_arn
+output "irsa_role_arn" {
+  value       = [for irsa in module.irsa : irsa.iam_role_arn]
+  description = "Amazon Resource Name for Cloudwatch Agent"
+}
+
+output "pod_identity_role_arn" {
+  value       = [for pod_id in module.pod_identity : pod_id.iam_role_arn]
   description = "Amazon Resource Name for Cloudwatch Agent"
 }
diff --git a/modules/cloudwatch/variables.tf b/modules/cloudwatch/variables.tf
@@ -38,6 +38,16 @@ variable "service_account" {
   description = "The Kubernetes service account"
 }
 
+variable "enable_irsa" {
+  type        = bool
+  description = "Enable IRSA resources"
+}
+
+variable "enable_pod_identity" {
+  type        = bool
+  description = "Enable EKS Pod Identity resources"
+}
+
 variable "tags" {
   type        = map(string)
   description = "Tags for Cloudwatch"