diff --git a/.mise.toml b/.mise.toml new file mode 100644 index 0000000..c5709da --- /dev/null +++ b/.mise.toml @@ -0,0 +1,2 @@ +[tools] +terraform = "latest" diff --git a/.terraform-version b/.terraform-version deleted file mode 100644 index a1c22f8..0000000 --- a/.terraform-version +++ /dev/null @@ -1 +0,0 @@ -latest:^1.3 diff --git a/README.md b/README.md index 03e8863..45a959e 100644 --- a/README.md +++ b/README.md @@ -6,7 +6,6 @@ This module consists of the following submodules: - [Prometheus](https://github.com/nlamirault/terraform-aws-observability/tree/master/modules/prometheus) - [Mimir](https://github.com/nlamirault/terraform-aws-observability/tree/master/modules/mimir) -- [Thanos](https://github.com/nlamirault/terraform-aws-observability/tree/master/modules/thanos) - [Loki](https://github.com/nlamirault/terraform-aws-observability/tree/master/modules/loki) - [Tempo](https://github.com/nlamirault/terraform-aws-observability/tree/master/modules/tempo) - [Grafana](https://github.com/nlamirault/terraform-aws-observability/tree/master/modules/grafana) diff --git a/modules/adot/README.md b/modules/adot/README.md index 6d7114a..cbd5c27 100644 --- a/modules/adot/README.md +++ b/modules/adot/README.md 
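Review bot: `terraform = "latest"` in the new .mise.toml has no upper bound, whereas the deleted .terraform-version pinned `latest:^1.3`, so every developer machine and CI run will resolve whatever Terraform release is current at that moment, including a future major version. A bounded spec keeps plans reproducible; mise accepts fuzzy versions such as `terraform = "1"` (latest 1.x), if I recall its syntax correctly, which would also line up with the `>= 1.0.0` requirement declared in the modules. Whatever range is chosen, the constraint that was dropped here should be carried over rather than silently widened.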
@@ -1,28 +1,22 @@ -# Observability / AWS Distro for OpenTelemetry (ADOT) Operator - -Terraform module which configure the AWS Distro for OpenTelemetry (ADOT) Operator - -## Documentation - - ## Requirements | Name | Version | |------|---------| | [terraform](#requirement\_terraform) | >= 1.0.0 | -| [aws](#requirement\_aws) | >= 4.0.0 | +| [aws](#requirement\_aws) | >= 5.30 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | >= 4.0.0 | +| [aws](#provider\_aws) | >= 5.30 | ## Modules | Name | Source | Version | |------|--------|---------| -| [irsa](#module\_irsa) | terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc | 5.5.2 | +| [irsa](#module\_irsa) | terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc | 5.44.0 | +| [pod\_identity](#module\_pod\_identity) | terraform-aws-modules/eks-pod-identity/aws | 1.4.0 | ## Resources @@ -38,6 +32,8 @@ Terraform module which configure the AWS Distro for OpenTelemetry (ADOT) Operato | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| | [cluster\_name](#input\_cluster\_name) | Name of the EKS cluster | `string` | n/a | yes | +| [enable\_irsa](#input\_enable\_irsa) | Enable IRSA resources | `bool` | n/a | yes | +| [enable\_pod\_identity](#input\_enable\_pod\_identity) | Enable EKS Pod Identity resources | `bool` | n/a | yes | | [namespace](#input\_namespace) | The Kubernetes namespace | `string` | n/a | yes | | [service\_account](#input\_service\_account) | The Kubernetes service account | `string` | n/a | yes | | [tags](#input\_tags) | Tags for resources | `map(string)` |
{
"Made-By": "Terraform"
}
| no | @@ -46,5 +42,5 @@ Terraform module which configure the AWS Distro for OpenTelemetry (ADOT) Operato | Name | Description | |------|-------------| -| [role\_arn](#output\_role\_arn) | Amazon Resource Name for ADOT Collector | - +| [irsa\_role\_arn](#output\_irsa\_role\_arn) | Amazon Resource Name for ADOT Collector | +| [pod\_identity\_role\_arn](#output\_pod\_identity\_role\_arn) | Amazon Resource Name for ADOT Collector | diff --git a/modules/adot/iam.tf b/modules/adot/iam.tf index f5148ef..21bf48e 100644 --- a/modules/adot/iam.tf +++ b/modules/adot/iam.tf @@ -18,6 +18,8 @@ module "irsa" { source = "terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc" version = "5.44.0" + for_each = var.enable_irsa ? toset(["1"]) : toset([]) + create_role = true role_description = "ADOTCollector" role_name = local.role_name @@ -34,3 +36,32 @@ module "irsa" { var.tags ) } + +module "pod_identity" { + source = "terraform-aws-modules/eks-pod-identity/aws" + version = "1.4.0" + + for_each = var.enable_pod_identity ? toset(["1"]) : toset([]) + + name = local.role_name + + # attach_custom_policy = true + additional_policy_arns = { + CloudWatchAgentServerPolicy = data.aws_iam_policy.cloudwatch_agent_server.arn, + AmazonPrometheusRemoteWriteAccess = data.aws_iam_policy.amp_remote_write_access.arn, + AWSXrayWriteOnlyAccess = data.aws_iam_policy.xray_write_access.arn + } + + associations = { + main = { + cluster_name = data.aws_eks_cluster.this.id + namespace = var.namespace + service_account = var.service_account + } + } + + tags = merge( + { "Name" = local.role_name }, + var.tags + ) +} diff --git a/modules/adot/main.tf b/modules/adot/main.tf index 5f9346e..158e8f5 100644 --- a/modules/adot/main.tf +++ b/modules/adot/main.tf @@ -20,7 +20,7 @@ terraform { required_providers { aws = { source = "hashicorp/aws" - version = ">= 4.0.0" + version = ">= 5.30" } } } diff --git a/modules/adot/outputs.tf b/modules/adot/outputs.tf index 7b4c557..5673187 100644 
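Review bot: The added `for_each` on module "irsa" changes its instance address from `module.irsa` to `module.irsa["1"]`, and without a `moved` block Terraform will plan to destroy the existing IAM role and create a new one with the same name, so pods relying on that role lose their credentials for the duration of the apply and the replacement is easy to miss in a plan. A `moved` block with `from = module.irsa` and `to = module.irsa["1"]` (module-instance moves exist since Terraform 1.1) keeps the state entry in place. The same applies to modules/grafana/iam.tf, modules/loki/iam.tf and modules/mimir/iam.tf, and to modules/cloudwatch/iam.tf where the module is additionally renamed, so there `from = module.irsa_agent`. The module "irsa" block starts and ends outside this hunk.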
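Review bot: Nothing in the new module "pod_identity" or in the `enable_irsa`/`enable_pod_identity` variables stops both flags from being true, in which case module "irsa" creates a role named `local.role_name` and this module receives the same value as `name`; whether that is a name collision or merely two roles bound to one service account depends on the pod-identity module's name-prefix default, which I cannot confirm from the hunk, and with both flags false the service account ends up with no AWS identity and both outputs empty. A `check` block (Terraform ≥ 1.5) asserting `var.enable_irsa != var.enable_pod_identity`, or a documented statement that the two are meant to coexist during a migration, would make the contract explicit. The commented-out `# attach_custom_policy = true` should either be removed or replaced by a comment explaining why the policies are attached through `additional_policy_arns` instead. The same pattern is repeated in modules/cloudwatch/iam.tf, modules/grafana/iam.tf, modules/loki/iam.tf and modules/mimir/iam.tf.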
--- a/modules/adot/outputs.tf +++ b/modules/adot/outputs.tf @@ -14,7 +14,12 @@ # # SPDX-License-Identifier: Apache-2.0 -output "role_arn" { - value = module.irsa.iam_role_arn +output "irsa_role_arn" { + value = [for irsa in module.irsa : irsa.iam_role_arn] + description = "Amazon Resource Name for ADOT Collector" +} + +output "pod_identity_role_arn" { + value = [for pod_id in module.pod_identity : pod_id.iam_role_arn] description = "Amazon Resource Name for ADOT Collector" } diff --git a/modules/adot/variables.tf b/modules/adot/variables.tf index 9049404..ea3fc77 100644 --- a/modules/adot/variables.tf +++ b/modules/adot/variables.tf @@ -29,6 +29,16 @@ variable "service_account" { description = "The Kubernetes service account" } +variable "enable_irsa" { + type = bool + description = "Enable IRSA resources" +} + +variable "enable_pod_identity" { + type = bool + description = "Enable EKS Pod Identity resources" +} + variable "tags" { type = map(string) description = "Tags for resources" diff --git a/modules/amg/README.md b/modules/amg/README.md index 24fd2d5..0f93c14 100644 --- a/modules/amg/README.md +++ b/modules/amg/README.md @@ -1,10 +1,3 @@ -# Observability / Amazon Managed Grafana - -Terraform module which configure Amazon Managed Grafana resources on Amazon AWS - -## Documentation - - ## Requirements | Name | Version | @@ -20,7 +13,7 @@ No providers. | Name | Source | Version | |------|--------|---------| -| [managed\_grafana](#module\_managed\_grafana) | terraform-aws-modules/managed-service-grafana/aws | 1.5.0 | +| [managed\_grafana](#module\_managed\_grafana) | terraform-aws-modules/managed-service-grafana/aws | 2.1.1 | ## Resources @@ -36,4 +29,3 @@ No resources. ## Outputs No outputs. - diff --git a/modules/amp/README.md b/modules/amp/README.md index dc166fd..a8a5695 100644 --- a/modules/amp/README.md +++ b/modules/amp/README.md 
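Review bot: `irsa_role_arn` and `pod_identity_role_arn` are now list values (empty when the matching flag is off, one element otherwise) while the replaced `role_arn` was a plain string, so callers that pass the value into an `eks.amazonaws.com/role-arn` annotation now have to index it. `value = one([for irsa in module.irsa : irsa.iam_role_arn])` keeps the scalar shape and yields `null` when disabled (`one()` is available under the declared `>= 1.0.0`). The two descriptions are also identical; something like `description = "ARN of the IRSA role for the ADOT Collector, null when enable_irsa is false"` and a Pod Identity counterpart would tell consumers which is which. The same applies to the outputs.tf hunks for cloudwatch, grafana, loki and mimir.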
@@ -1,10 +1,3 @@ -# Observability / AWS Managed Service for Prometheus - -Terraform module which configure an AWS managed service for Prometheus instance. - -## Documentation - - ## Requirements | Name | Version | @@ -20,7 +13,7 @@ No providers. | Name | Source | Version | |------|--------|---------| -| [amp](#module\_amp) | terraform-aws-modules/managed-service-prometheus/aws | 2.2.0 | +| [amp](#module\_amp) | terraform-aws-modules/managed-service-prometheus/aws | 3.0.0 | ## Resources @@ -40,4 +33,3 @@ No resources. | [amp\_arn](#output\_amp\_arn) | Amazon Resource Name of the workspace | | [amp\_endpoint](#output\_amp\_endpoint) | Prometheus endpoint available for this workspace | | [amp\_id](#output\_amp\_id) | Identifier of the workspace | - diff --git a/modules/cloudwatch/README.md b/modules/cloudwatch/README.md index 62c6b86..556b577 100644 --- a/modules/cloudwatch/README.md +++ b/modules/cloudwatch/README.md @@ -1,28 +1,22 @@ -# Observability / Cloudwatch - -Terraform module which configure Grafana Cloudwatch resources on Amazon AWS - -## Documentation - - ## Requirements | Name | Version | |------|---------| | [terraform](#requirement\_terraform) | >= 1.0.0 | -| [aws](#requirement\_aws) | >= 4.0.0 | +| [aws](#requirement\_aws) | >= 5.30.0 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | >= 4.0.0 | +| [aws](#provider\_aws) | >= 5.30.0 | ## Modules | Name | Source | Version | |------|--------|---------| -| [irsa\_agent](#module\_irsa\_agent) | terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc | 5.5.2 | +| [irsa](#module\_irsa) | terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc | 5.44.0 | +| [pod\_identity](#module\_pod\_identity) | terraform-aws-modules/eks-pod-identity/aws | 1.4.0 | ## Resources 
@@ -41,7 +35,9 @@ Terraform module which configure Grafana Cloudwatch resources on Amazon AWS |------|-------------|------|---------|:--------:| | [cluster\_name](#input\_cluster\_name) | Name of the EKS cluster | `string` | n/a | yes | | [deletion\_window\_in\_days](#input\_deletion\_window\_in\_days) | Duration in days after which the key is deleted after destruction of the resource, must be between 7 and 30 days | `number` | `30` | no | +| [enable\_irsa](#input\_enable\_irsa) | Enable IRSA resources | `bool` | n/a | yes | | [enable\_kms](#input\_enable\_kms) | Enable custom KMS key | `bool` | n/a | yes | +| [enable\_pod\_identity](#input\_enable\_pod\_identity) | Enable EKS Pod Identity resources | `bool` | n/a | yes | | [log\_retention\_in\_days](#input\_log\_retention\_in\_days) | Number of days to retain log events | `number` | `90` | no | | [namespace](#input\_namespace) | The Kubernetes namespace | `string` | n/a | yes | | [service\_account](#input\_service\_account) | The Kubernetes service account | `string` | n/a | yes | @@ -51,5 +47,5 @@ Terraform module which configure Grafana Cloudwatch resources on Amazon AWS | Name | Description | |------|-------------| -| [agent\_role\_arn](#output\_agent\_role\_arn) | Amazon Resource Name for Cloudwatch Agent | - +| [irsa\_role\_arn](#output\_irsa\_role\_arn) | Amazon Resource Name for Cloudwatch Agent | +| [pod\_identity\_role\_arn](#output\_pod\_identity\_role\_arn) | Amazon Resource Name for Cloudwatch Agent | diff --git a/modules/cloudwatch/iam.tf b/modules/cloudwatch/iam.tf index 7d8ee56..201c5b6 100644 --- a/modules/cloudwatch/iam.tf +++ b/modules/cloudwatch/iam.tf @@ -14,10 +14,12 @@ # # SPDX-License-Identifier: Apache-2.0 -module "irsa_agent" { +module "irsa" { source = "terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc" version = "5.44.0" + for_each = var.enable_irsa ? toset(["1"]) : toset([]) + create_role = true role_description = "Cloudwatch Agent" role_name = local.role_name 
@@ -32,3 +34,27 @@ module "irsa_agent" {
 var.tags
 )
 }
+
+module "pod_identity" {
+ source = "terraform-aws-modules/eks-pod-identity/aws"
+ version = "1.4.0"
+
+ for_each = var.enable_pod_identity ? toset(["1"]) : toset([])
+
+ name = local.role_name
+
+ attach_aws_cloudwatch_observability_policy = true
+
+ associations = {
+ main = {
+ cluster_name = data.aws_eks_cluster.this.id
+ namespace = var.namespace
+ service_account = var.service_account
+ }
+ }
+
+ tags = merge(
+ { "Name" = local.role_name },
+ var.tags
+ )
+}
diff --git a/modules/cloudwatch/main.tf b/modules/cloudwatch/main.tf
index 5f9346e..e56a471 100644
--- a/modules/cloudwatch/main.tf
+++ b/modules/cloudwatch/main.tf
@@ -20,7 +20,7 @@ terraform {
 required_providers {
 aws = {
 source = "hashicorp/aws"
- version = ">= 4.0.0"
+ version = ">= 5.30.0"
 }
 }
 }
diff --git a/modules/cloudwatch/outputs.tf b/modules/cloudwatch/outputs.tf
index 1cd18bc..364922f 100644
--- a/modules/cloudwatch/outputs.tf
+++ b/modules/cloudwatch/outputs.tf
@@ -14,7 +14,12 @@
 #
 # SPDX-License-Identifier: Apache-2.0
 
-output "agent_role_arn" {
- value = module.irsa_agent.iam_role_arn
+output "irsa_role_arn" {
+ value = [for irsa in module.irsa : irsa.iam_role_arn]
+ description = "Amazon Resource Name for Cloudwatch Agent"
+}
+
+output "pod_identity_role_arn" {
+ value = [for pod_id in module.pod_identity : pod_id.iam_role_arn]
 description = "Amazon Resource Name for Cloudwatch Agent"
 }
diff --git a/modules/cloudwatch/variables.tf b/modules/cloudwatch/variables.tf
index fd7c713..c40b4f4 100644
--- a/modules/cloudwatch/variables.tf
+++ b/modules/cloudwatch/variables.tf
@@ -38,6 +38,16 @@ variable "service_account" {
 description = "The Kubernetes service account"
 }
 
+variable "enable_irsa" {
+ type = bool
+ description = "Enable IRSA resources"
+}
+
+variable "enable_pod_identity" {
+ type = bool
+ description = "Enable EKS Pod Identity resources"
+}
+
 variable "tags" {
 type = map(string)
 description = "Tags for Cloudwatch"
diff --git a/modules/grafana/README.md b/modules/grafana/README.md index eb58780..636299f 100644 --- a/modules/grafana/README.md +++ b/modules/grafana/README.md @@ -1,60 +1,22 @@ -# Observability / Grafana - -Terraform module which configure Grafana resources on Amazon AWS - -## Usage - -```hcl -module "Grafana" { - source = "nlamirault/observability/aws//modules/Grafana" - version = "0.0.0" - - cluster_name = var.cluster_name - - namespace = var.namespace - service_accounts = var.service_accounts - - tags = var.tags -} -``` - -and variables : - -```hcl -cluster_name = "foo-staging-eks" - -namespace = "monitoring" -service_accounts = "grafana" - -tags = { - "project" = "foo" - "env" = "staging" - "service" = "grafana" - "made-by" = "terraform" -} -``` - -## Documentation - - ## Requirements | Name | Version | |------|---------| | [terraform](#requirement\_terraform) | >= 1.0.0 | -| [aws](#requirement\_aws) | >= 4.0.0 | +| [aws](#requirement\_aws) | >= 5.30.0 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | >= 4.0.0 | +| [aws](#provider\_aws) | >= 5.30.0 | ## Modules | Name | Source | Version | |------|--------|---------| -| [irsa](#module\_irsa) | terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc | 5.5.2 | +| [irsa](#module\_irsa) | terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc | 5.44.0 | +| [pod\_identity](#module\_pod\_identity) | terraform-aws-modules/eks-pod-identity/aws | 1.4.0 | ## Resources 
@@ -70,6 +32,8 @@ tags = { | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| | [cluster\_name](#input\_cluster\_name) | Name of the EKS cluster | `string` | n/a | yes | +| [enable\_irsa](#input\_enable\_irsa) | Enable IRSA resources | `bool` | n/a | yes | +| [enable\_pod\_identity](#input\_enable\_pod\_identity) | Enable EKS Pod Identity resources | `bool` | n/a | yes | | [namespace](#input\_namespace) | The Kubernetes namespace | `string` | n/a | yes | | [role\_policy\_arns](#input\_role\_policy\_arns) | List of ARNs of IAM policies to attach to IAM role | `list(string)` | `[]` | no | | [service\_account](#input\_service\_account) | The Kubernetes service account | `string` | n/a | yes | @@ -79,5 +43,5 @@ tags = { | Name | Description | |------|-------------| -| [role\_arn](#output\_role\_arn) | Amazon Resource Name for Grafana | - +| [irsa\_role\_arn](#output\_irsa\_role\_arn) | Amazon Resource Name for Grafana | +| [pod\_identity\_role\_arn](#output\_pod\_identity\_role\_arn) | Amazon Resource Name for Grafana | diff --git a/modules/grafana/iam.tf b/modules/grafana/iam.tf index d42a168..9728b2d 100644 --- a/modules/grafana/iam.tf +++ b/modules/grafana/iam.tf @@ -18,6 +18,8 @@ module "irsa" { source = "terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc" version = "5.44.0" + for_each = var.enable_irsa ? toset(["1"]) : toset([]) + create_role = true role_description = "Role for Grafana" role_name = local.role_name 
@@ -37,3 +39,32 @@ module "irsa" {
 var.tags
 )
 }
+
+module "pod_identity" {
+ source = "terraform-aws-modules/eks-pod-identity/aws"
+ version = "1.4.0"
+
+ for_each = var.enable_pod_identity ? toset(["1"]) : toset([])
+
+ name = local.role_name
+
+ # attach_custom_policy = true
+ additional_policy_arns = {
+ CloudWatchReadOnlyAccess = data.aws_iam_policy.cloudwatch_readonly_access.arn,
+ AmazonTimestreamReadOnlyAccess = data.aws_iam_policy.timestream_readonly_access.arn,
+ AmazonPrometheusQueryAccess = data.aws_iam_policy.amp_query_access.arn
+ }
+
+ associations = {
+ main = {
+ cluster_name = data.aws_eks_cluster.this.id
+ namespace = var.namespace
+ service_account = var.service_account
+ }
+ }
+
+ tags = merge(
+ { "Name" = local.role_name },
+ var.tags
+ )
+}
diff --git a/modules/grafana/main.tf b/modules/grafana/main.tf
index 5f9346e..e56a471 100644
--- a/modules/grafana/main.tf
+++ b/modules/grafana/main.tf
@@ -20,7 +20,7 @@ terraform {
 required_providers {
 aws = {
 source = "hashicorp/aws"
- version = ">= 4.0.0"
+ version = ">= 5.30.0"
 }
 }
 }
diff --git a/modules/grafana/outputs.tf b/modules/grafana/outputs.tf
index c593b03..bf7b6d4 100644
--- a/modules/grafana/outputs.tf
+++ b/modules/grafana/outputs.tf
@@ -14,7 +14,12 @@
 #
 # SPDX-License-Identifier: Apache-2.0
 
-output "role_arn" {
- value = module.irsa.iam_role_arn
+output "irsa_role_arn" {
+ value = [for irsa in module.irsa : irsa.iam_role_arn]
+ description = "Amazon Resource Name for Grafana"
+}
+
+output "pod_identity_role_arn" {
+ value = [for pod_id in module.pod_identity : pod_id.iam_role_arn]
 description = "Amazon Resource Name for Grafana"
 }
diff --git a/modules/grafana/variables.tf b/modules/grafana/variables.tf
index 1095bc2..c9b70cd 100644
--- a/modules/grafana/variables.tf
+++ b/modules/grafana/variables.tf
@@ -38,6 +38,16 @@ variable "service_account" { description = "The Kubernetes service account" } +variable "enable_irsa" { + type = bool + description = "Enable IRSA resources" +} + +variable "enable_pod_identity" { + type = bool + description = "Enable EKS Pod Identity resources" +} + variable "tags" { type = map(string) description = "Tags for grafana" diff --git a/modules/loki/README.md b/modules/loki/README.md index a688e96..6027d80 100644 --- a/modules/loki/README.md +++ b/modules/loki/README.md 
@@ -1,68 +1,23 @@ -# Observability / Loki - -Terraform module which configure Loki resources on Amazon AWS - -## Terraform versions - -Use Terraform `0.13` and Terraform Provider Google `3.45+`. - -These types of resources are supported: - -## Usage - -```hcl -module "loki" { - source = "nlamirault/observability/aws//modules/loki" - version = "0.0.0" - - cluster_name = var.cluster_name - - namespace = var.namespace - service_accounts = var.service_accounts - - tags = var.tags -} -``` - -and variables : - -```hcl -cluster_name = "foo-staging-eks" - -namespace = "monitoring" -service_accounts = "loki"] - -tags = { - "project" = "foo" - "env" = "staging" - "service" = "loki" - "made-by" = "terraform" -} -``` - -## Documentation - - ## Requirements | Name | Version | |------|---------| | [terraform](#requirement\_terraform) | >= 1.0.0 | -| [aws](#requirement\_aws) | >= 4.0.0 | +| [aws](#requirement\_aws) | >= 5.30.0 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | >= 4.0.0 | +| [aws](#provider\_aws) | >= 5.30.0 | ## Modules | Name | Source | Version | |------|--------|---------| -| [buckets\_data](#module\_buckets\_data) | terraform-aws-modules/s3-bucket/aws | 3.6.0 | -| [buckets\_logging](#module\_buckets\_logging) | terraform-aws-modules/s3-bucket/aws | 3.6.0 | -| [irsa](#module\_irsa) | terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc | 5.5.7 | +| [buckets\_data](#module\_buckets\_data) | terraform-aws-modules/s3-bucket/aws | 4.1.1 | +| [irsa](#module\_irsa) | terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc | 5.44.0 | +| [pod\_identity](#module\_pod\_identity) | terraform-aws-modules/eks-pod-identity/aws | 1.4.0 | ## Resources 
@@ -82,7 +37,9 @@ tags = { |------|-------------|------|---------|:--------:| | [cluster\_name](#input\_cluster\_name) | Name of the EKS cluster | `string` | n/a | yes | | [deletion\_window\_in\_days](#input\_deletion\_window\_in\_days) | Duration in days after which the key is deleted after destruction of the resource, must be between 7 and 30 days | `number` | `30` | no | +| [enable\_irsa](#input\_enable\_irsa) | Enable IRSA resources | `bool` | n/a | yes | | [enable\_kms](#input\_enable\_kms) | Enable custom KMS key | `bool` | n/a | yes | +| [enable\_pod\_identity](#input\_enable\_pod\_identity) | Enable EKS Pod Identity resources | `bool` | n/a | yes | | [namespace](#input\_namespace) | The Kubernetes namespace | `string` | n/a | yes | | [service\_account](#input\_service\_account) | The Kubernetes service account | `string` | n/a | yes | | [tags](#input\_tags) | Tags for Loki | `map(string)` |
{
"Made-By": "Terraform"
}
| no | @@ -92,6 +49,5 @@ tags = { | Name | Description | |------|-------------| | [bucket](#output\_bucket) | S3 bucket for Loki | -| [bucket\_log](#output\_bucket\_log) | S3 log bucket for Loki | -| [role\_arn](#output\_role\_arn) | Amazon Resource Name for Loki | - +| [irsa\_role\_arn](#output\_irsa\_role\_arn) | Amazon Resource Name for Loki | +| [pod\_identity\_role\_arn](#output\_pod\_identity\_role\_arn) | Amazon Resource Name for Loki | diff --git a/modules/loki/bucket.tf b/modules/loki/bucket.tf index b011bfa..a763608 100644 --- a/modules/loki/bucket.tf +++ b/modules/loki/bucket.tf @@ -14,11 +14,12 @@ # # SPDX-License-Identifier: Apache-2.0 -module "buckets_logging" { +#tfsec:ignore:aws-s3-encryption-customer-key +module "buckets_data" { source = "terraform-aws-modules/s3-bucket/aws" version = "4.1.1" - for_each = local.buckets_names + for_each = toset(local.buckets_names) bucket = format("%s-%s", local.service_name, each.value) block_public_acls = true @@ -28,11 +29,6 @@ module "buckets_logging" { force_destroy = true - tags = merge( - { "Name" = format("%s-%s", local.service_name, each.value) }, - var.tags - ) - versioning = { enabled = true } 
@@ -46,44 +42,9 @@ module "buckets_logging" { } } } : {} -} - -#tfsec:ignore:aws-s3-encryption-customer-key -module "buckets_data" { - source = "terraform-aws-modules/s3-bucket/aws" - version = "4.1.1" - - for_each = local.buckets_names - - bucket = format("%s-%s", local.service_name, each.value) - block_public_acls = true - block_public_policy = true - restrict_public_buckets = true - ignore_public_acls = true - - force_destroy = true tags = merge( { "Name" = format("%s-%s", local.service_name, each.value) }, var.tags ) - - logging = { - target_bucket = module.buckets_logging[format("%s-%s", local.service_name, each.value)].s3_bucket_id - target_prefix = "log/" - } - - versioning = { - enabled = true - } - - server_side_encryption_configuration = var.enable_kms ? { - rule = { - bucket_key_enabled = true - apply_server_side_encryption_by_default = { - kms_master_key_id = aws_kms_key.loki[0].arn - sse_algorithm = "aws:kms" - } - } - } : {} } diff --git a/modules/loki/iam.tf b/modules/loki/iam.tf index 0eb5087..a4f359b 100644 --- a/modules/loki/iam.tf +++ b/modules/loki/iam.tf @@ -33,7 +33,7 @@ data "aws_iam_policy_document" "bucket" { } dynamic "statement" { - for_each = var.enable_kms ? [1] : [] + for_each = var.enable_kms ? toset(["1"]) : toset([]) content { effect = "Allow" @@ -99,6 +99,8 @@ module "irsa" { source = "terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc" version = "5.44.0" + for_each = var.enable_irsa ? toset(["1"]) : toset([]) + create_role = true role_description = "Role for Loki" role_name = local.role_name 
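Review bot: Removing the `logging` block from module "buckets_data" (together with the old module "buckets_logging") leaves the Loki data bucket with no S3 server access logging, so reads, writes and deletes against the log store are no longer recorded anywhere. If dropping the dedicated log bucket is the goal, `logging.target_bucket` could instead point at a caller-supplied central log bucket, and either way the README should state that access logging is gone. Note also that the old logging module was created with `force_destroy = true`, so this apply deletes the retained access logs along with the bucket rather than orphaning it; a `removed` block with `lifecycle { destroy = false }` (Terraform ≥ 1.7, if I recall the version correctly) would keep the bucket. modules/mimir/bucket.tf makes the same removal. The module block starts outside the hunk.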
@@ -116,3 +118,33 @@ module "irsa" {
 var.tags
 )
 }
+
+module "pod_identity" {
+ source = "terraform-aws-modules/eks-pod-identity/aws"
+ version = "1.4.0"
+
+ for_each = var.enable_pod_identity ? toset(["1"]) : toset([])
+
+ name = local.role_name
+
+ # attach_custom_policy = true
+ additional_policy_arns = var.enable_kms ? {
+ LokiS3Access : aws_iam_policy.bucket.arn,
+ LokiKMSAccess : aws_iam_policy.kms[0].arn,
+ } : {
+ LokiS3Access : aws_iam_policy.bucket.arn,
+ }
+
+ associations = {
+ main = {
+ cluster_name = data.aws_eks_cluster.this.id
+ namespace = var.namespace
+ service_account = var.service_account
+ }
+ }
+
+ tags = merge(
+ { "Name" = local.role_name },
+ var.tags
+ )
+}
diff --git a/modules/loki/main.tf b/modules/loki/main.tf
index 5f9346e..e56a471 100644
--- a/modules/loki/main.tf
+++ b/modules/loki/main.tf
@@ -20,7 +20,7 @@ terraform {
 required_providers {
 aws = {
 source = "hashicorp/aws"
- version = ">= 4.0.0"
+ version = ">= 5.30.0"
 }
 }
 }
diff --git a/modules/loki/outputs.tf b/modules/loki/outputs.tf
index 80bcb89..74d142a 100644
--- a/modules/loki/outputs.tf
+++ b/modules/loki/outputs.tf
@@ -15,16 +15,16 @@
 # SPDX-License-Identifier: Apache-2.0
 
 output "bucket" {
- value = module.buckets_data[*].s3_bucket_id
+ value = [for b in module.buckets_data : b.s3_bucket_id]
 description = "S3 bucket for Loki"
 }
 
-output "bucket_log" {
- value = module.buckets_logging[*].s3_bucket_id
- description = "S3 log bucket for Loki"
+output "irsa_role_arn" {
+ value = [for irsa in module.irsa : irsa.iam_role_arn]
+ description = "Amazon Resource Name for Loki"
 }
 
-output "role_arn" {
- value = module.irsa.iam_role_arn
+output "pod_identity_role_arn" {
+ value = [for pod_id in module.pod_identity : pod_id.iam_role_arn]
 description = "Amazon Resource Name for Loki"
 }
diff --git a/modules/loki/variables.tf b/modules/loki/variables.tf
index 212414c..3eb92c3 100644
--- a/modules/loki/variables.tf
+++ b/modules/loki/variables.tf
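Review bot: `additional_policy_arns` repeats the `LokiS3Access` entry in both arms of the `var.enable_kms` conditional, and uses `:` where the rest of the file writes object attributes with `=`. `additional_policy_arns = merge({ LokiS3Access = aws_iam_policy.bucket.arn }, var.enable_kms ? { LokiKMSAccess = aws_iam_policy.kms[0].arn } : {})` states the optional KMS grant once, in the form already used by the `tags` argument below it. modules/mimir/iam.tf has the same shape, with `MimirS3Access` and `AmazonPrometheusRemoteWriteAccess` duplicated across both arms.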
@@ -39,6 +39,16 @@ variable "tags" { } } +variable "enable_irsa" { + type = bool + description = "Enable IRSA resources" +} + +variable "enable_pod_identity" { + type = bool + description = "Enable EKS Pod Identity resources" +} + ############################################################################# # KMS diff --git a/modules/mimir/README.md b/modules/mimir/README.md index 084ea71..3b10d99 100644 --- a/modules/mimir/README.md +++ b/modules/mimir/README.md @@ -1,30 +1,23 @@ -# Observability / Mimir - -Terraform module which configure Grafana Mimir resources on Amazon AWS - -## Documentation - - ## Requirements | Name | Version | |------|---------| | [terraform](#requirement\_terraform) | >= 1.0.0 | -| [aws](#requirement\_aws) | >= 4.0.0 | +| [aws](#requirement\_aws) | >= 5.30.0 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | >= 4.0.0 | +| [aws](#provider\_aws) | >= 5.30.0 | ## Modules | Name | Source | Version | |------|--------|---------| -| [buckets\_data](#module\_buckets\_data) | terraform-aws-modules/s3-bucket/aws | 3.6.0 | -| [buckets\_logging](#module\_buckets\_logging) | terraform-aws-modules/s3-bucket/aws | 3.6.0 | -| [irsa](#module\_irsa) | terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc | 5.8.0 | +| [buckets\_data](#module\_buckets\_data) | terraform-aws-modules/s3-bucket/aws | 4.1.1 | +| [irsa](#module\_irsa) | terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc | 5.44.0 | +| [pod\_identity](#module\_pod\_identity) | terraform-aws-modules/eks-pod-identity/aws | 1.4.0 | ## Resources 
@@ -45,7 +38,9 @@ Terraform module which configure Grafana Mimir resources on Amazon AWS |------|-------------|------|---------|:--------:| | [cluster\_name](#input\_cluster\_name) | Name of the EKS cluster | `string` | n/a | yes | | [deletion\_window\_in\_days](#input\_deletion\_window\_in\_days) | Duration in days after which the key is deleted after destruction of the resource, must be between 7 and 30 days | `number` | `30` | no | +| [enable\_irsa](#input\_enable\_irsa) | Enable IRSA resources | `bool` | n/a | yes | | [enable\_kms](#input\_enable\_kms) | Enable custom KMS key | `bool` | n/a | yes | +| [enable\_pod\_identity](#input\_enable\_pod\_identity) | Enable EKS Pod Identity resources | `bool` | n/a | yes | | [namespace](#input\_namespace) | The Kubernetes namespace | `string` | n/a | yes | | [service\_account](#input\_service\_account) | The Kubernetes service account | `string` | n/a | yes | | [tags](#input\_tags) | Tags for Mimir | `map(string)` |
{
"Made-By": "Terraform"
}
| no | @@ -55,6 +50,5 @@ Terraform module which configure Grafana Mimir resources on Amazon AWS | Name | Description | |------|-------------| | [bucket](#output\_bucket) | S3 bucket for Mimir | -| [bucket\_log](#output\_bucket\_log) | S3 log bucket for Mimir | -| [role\_arn](#output\_role\_arn) | Amazon Resource Name for Mimir | - +| [irsa\_role\_arn](#output\_irsa\_role\_arn) | Amazon Resource Name for Mimir | +| [pod\_identity\_role\_arn](#output\_pod\_identity\_role\_arn) | Amazon Resource Name for Mimir | diff --git a/modules/mimir/bucket.tf b/modules/mimir/bucket.tf index ccc9cee..06162b5 100644 --- a/modules/mimir/bucket.tf +++ b/modules/mimir/bucket.tf @@ -14,13 +14,14 @@ # # SPDX-License-Identifier: Apache-2.0 -module "buckets_logging" { +#tfsec:ignore:aws-s3-encryption-customer-key +module "buckets_data" { source = "terraform-aws-modules/s3-bucket/aws" version = "4.1.1" - for_each = local.buckets_names + for_each = toset(local.buckets_names) - bucket = format("%s-%s-logging", local.service_name, each.value) + bucket = format("%s-%s", local.service_name, each.value) block_public_acls = true block_public_policy = true restrict_public_buckets = true @@ -28,11 +29,6 @@ module "buckets_logging" { force_destroy = true - tags = merge( - { "Name" = format("%s-%s-logging", local.service_name, each.value) }, - var.tags - ) - versioning = { enabled = true } 
@@ -46,44 +42,9 @@ module "buckets_logging" { } } } : {} -} - -#tfsec:ignore:aws-s3-encryption-customer-key -module "buckets_data" { - source = "terraform-aws-modules/s3-bucket/aws" - version = "4.1.1" - - for_each = local.buckets_names - - bucket = format("%s-%s", local.service_name, each.value) - block_public_acls = true - block_public_policy = true - restrict_public_buckets = true - ignore_public_acls = true - - force_destroy = true tags = merge( { "Name" = format("%s-%s", local.service_name, each.value) }, var.tags ) - - logging = { - target_bucket = module.buckets_logging[format("%s-%s", local.service_name, each.value)].s3_bucket_id - target_prefix = "log/" - } - - versioning = { - enabled = true - } - - server_side_encryption_configuration = var.enable_kms ? { - rule = { - bucket_key_enabled = true - apply_server_side_encryption_by_default = { - kms_master_key_id = aws_kms_key.mimir[0].arn - sse_algorithm = "aws:kms" - } - } - } : {} } diff --git a/modules/mimir/iam.tf b/modules/mimir/iam.tf index 952c30f..058b1bd 100644 --- a/modules/mimir/iam.tf +++ b/modules/mimir/iam.tf @@ -33,7 +33,7 @@ data "aws_iam_policy_document" "bucket" { } dynamic "statement" { - for_each = var.enable_kms ? [1] : [] + for_each = var.enable_kms ? toset([1]) : toset([]) content { effect = "Allow" @@ -97,6 +97,8 @@ module "irsa" { source = "terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc" version = "5.44.0" + for_each = var.enable_irsa ? toset(["1"]) : toset([]) + create_role = true role_description = "Role for Tempo" role_name = local.role_name 
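Review bot: The dynamic `statement` guard is now `toset([1])` here but `toset(["1"])` in the matching modules/loki/iam.tf hunk, and the new `for_each` guards on the irsa and pod_identity modules use `toset(["1"])` everywhere, so the same on/off switch is spelled two ways. Writing `for_each = var.enable_kms ? toset(["1"]) : toset([])` here keeps the modules uniform and avoids a number/string key difference showing up in plans. The enclosing data "aws_iam_policy_document" "bucket" block starts and ends outside the hunk.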
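Review bot: Two lines below the added `for_each`, `role_description = "Role for Tempo"` on module "irsa" in modules/mimir/iam.tf reads like a copy-paste from the Tempo module; since the role is being reworked here it should say `role_description = "Role for Mimir"`, otherwise the IAM console shows a misleading description for this role. The module block continues outside the hunk.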
@@ -115,3 +117,34 @@ module "irsa" {
var.tags
)
}
+
+module "pod_identity" {
+ source = "terraform-aws-modules/eks-pod-identity/aws"
+ version = "1.4.0"
+
+ for_each = var.enable_pod_identity ? toset(["1"]) : toset([])
+
+ name = local.role_name
+
+ additional_policy_arns = var.enable_kms ? {
+ MimirS3Access : aws_iam_policy.bucket.arn,
+ MimirKMSAccess : aws_iam_policy.kms[0].arn,
+ AmazonPrometheusRemoteWriteAccess : data.aws_iam_policy.amp_remote_write_access.arn
+ } : {
+ MimirS3Access : aws_iam_policy.bucket.arn,
+ AmazonPrometheusRemoteWriteAccess : data.aws_iam_policy.amp_remote_write_access.arn
+ }
+
+ associations = {
+ main = {
+ cluster_name = data.aws_eks_cluster.this.id
+ namespace = var.namespace
+ service_account = var.service_account
+ }
+ }
+
+ tags = merge(
+ { "Name" = local.role_name },
+ var.tags
+ )
+}
diff --git a/modules/mimir/main.tf b/modules/mimir/main.tf
index 5f9346e..e56a471 100644
--- a/modules/mimir/main.tf
+++ b/modules/mimir/main.tf
@@ -20,7 +20,7 @@ terraform {
required_providers {
aws = {
source = "hashicorp/aws"
- version = ">= 4.0.0"
+ version = ">= 5.30.0"
}
}
}
diff --git a/modules/mimir/outputs.tf b/modules/mimir/outputs.tf
index 2a43179..7f3888f 100644
--- a/modules/mimir/outputs.tf
+++ b/modules/mimir/outputs.tf
@@ -15,16 +15,16 @@
# SPDX-License-Identifier: Apache-2.0
output "bucket" {
- value = module.buckets_data[*].s3_bucket_id
+ value = [for b in module.buckets_data : b.s3_bucket_id]
description = "S3 bucket for Mimir"
}
-output "bucket_log" {
- value = module.buckets_logging[*].s3_bucket_id
- description = "S3 log bucket for Mimir"
+output "irsa_role_arn" {
+ value = [for irsa in module.irsa : irsa.iam_role_arn]
+ description = "Amazon Resource Name for Mimir"
}
-output "role_arn" {
- value = module.irsa.iam_role_arn
+output "pod_identity_role_arn" {
+ value = [for pod_id in module.pod_identity : pod_id.iam_role_arn]
description = "Amazon Resource Name for Mimir"
}
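Review bot: `name = local.role_name` in `module "pod_identity"` is the same value the `irsa` module passes as `role_name`, and nothing in the module stops `enable_irsa` and `enable_pod_identity` from both being true, so a dual-enabled apply would try to create two IAM roles with one name and fail on the second — unless the eks-pod-identity module adds a name prefix, which cannot be confirmed from this diff. Give the Pod Identity role its own name, e.g. `name = format("%s-pod-identity", local.role_name)`, or make the two flags mutually exclusive with a precondition. The association binds the role to `var.namespace`/`var.service_account` on `data.aws_eks_cluster.this.id`, which only works if the eks-pod-identity-agent add-on is installed on that cluster; a comment stating that prerequisite, e.g. `# Requires the eks-pod-identity-agent add-on on the target cluster`, would save the next operator a confusing AccessDenied.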
diff --git a/modules/mimir/variables.tf b/modules/mimir/variables.tf
index f51cef8..9b4432a 100644
--- a/modules/mimir/variables.tf
+++ b/modules/mimir/variables.tf
@@ -40,6 +40,16 @@ variable "tags" {
}
}
+variable "enable_irsa" {
+ type = bool
+ description = "Enable IRSA resources"
+}
+
+variable "enable_pod_identity" {
+ type = bool
+ description = "Enable EKS Pod Identity resources"
+}
+
#############################################################################
# KMS
diff --git a/modules/prometheus/README.md b/modules/prometheus/README.md
index 014280f..d7b2371 100644
--- a/modules/prometheus/README.md
+++ b/modules/prometheus/README.md
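Review bot: `enable_irsa` and `enable_pod_identity` are two independent required booleans with no guard on their combination, so `false`/`false` produces a Mimir deployment whose pods have no AWS identity at all, and `true`/`true` creates both roles under the same `local.role_name` (see iam.tf). With `required_version >= 1.0.0` a `validation` block cannot reference another variable, so if the two are meant to be alternatives the check belongs in a `lifecycle { precondition { ... } }` on the `aws_eks_cluster` data source (Terraform 1.2+), e.g. `condition = var.enable_irsa != var.enable_pod_identity` with an error message naming both flags. At minimum the descriptions should state the relationship: `description = "Enable IRSA resources (pick this or enable_pod_identity)"`. The same applies to the identical variables added to the prometheus and tempo modules.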
@@ -1,91 +1,38 @@ -# Observability / Prometheus - -Terraform module which configure Prometheus resources on Amazon AWS - -## Terraform versions - -Use Terraform `0.13` and Terraform Provider Google `3.45+`. - -These types of resources are supported: - -## Usage - -```hcl -module "prometheus" { - source = "nlamirault/observability/aws//modules/prometheus" - version = "0.0.0" - - cluster_name = var.cluster_name - - namespace = var.namespace - service_accounts = var.service_accounts - bucket_name = var.bucket_name - - tags = var.tags -} -``` - -and variables : - -```hcl -cluster_name = "foo-staging-eks" - -namespace = "monitoring" -service_accounts = "prometheus" - -bucket_name = "foo-staging-eks-thanos" - -tags = { - "project" = "foo" - "env" = "staging" - "service" = "prometheus" - "made-by" = "terraform" -} -``` - -## Documentation - - ## Requirements | Name | Version | |------|---------| | [terraform](#requirement\_terraform) | >= 1.0.0 | -| [aws](#requirement\_aws) | >= 4.0.0 | +| [aws](#requirement\_aws) | >= 5.30.0 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | >= 4.0.0 | +| [aws](#provider\_aws) | >= 5.30.0 | ## Modules | Name | Source | Version | |------|--------|---------| -| [irsa](#module\_irsa) | terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc | 5.5.4 | +| [irsa](#module\_irsa) | terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc | 5.44.0 | +| [pod\_identity](#module\_pod\_identity) | terraform-aws-modules/eks-pod-identity/aws | 1.4.0 | ## Resources | Name | Type | |------|------| -| [aws_iam_policy.bucket](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | -| [aws_iam_policy.kms](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | | [aws_eks_cluster.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/eks_cluster) | data source | | 
[aws_iam_policy.amp_remote_write_access](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy) | data source | | [aws_iam_policy.ec2_ro_access](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy) | data source | -| [aws_iam_policy_document.bucket](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | -| [aws_iam_policy_document.kms](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | -| [aws_kms_key.thanos](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/kms_key) | data source | -| [aws_s3_bucket.thanos](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/s3_bucket) | data source | ## Inputs | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| -| [bucket\_name](#input\_bucket\_name) | Name of the Thanos bucket | `string` | n/a | yes | | [cluster\_name](#input\_cluster\_name) | Name of the EKS cluster | `string` | n/a | yes | -| [enable\_kms](#input\_enable\_kms) | Enable custom KMS key | `bool` | n/a | yes | +| [enable\_irsa](#input\_enable\_irsa) | Enable IRSA resources | `bool` | n/a | yes | +| [enable\_pod\_identity](#input\_enable\_pod\_identity) | Enable EKS Pod Identity resources | `bool` | n/a | yes | | [namespace](#input\_namespace) | The Kubernetes namespace | `string` | n/a | yes | | [service\_account](#input\_service\_account) | The Kubernetes service account | `string` | n/a | yes | | [tags](#input\_tags) | Tags for Loki | `map(string)` |
{
"Made-By": "Terraform"
}
| no | @@ -94,5 +41,5 @@ tags = { | Name | Description | |------|-------------| -| [role\_arn](#output\_role\_arn) | Amazon Resource Name for Prometheus | - +| [irsa\_role\_arn](#output\_irsa\_role\_arn) | Amazon Resource Name for Prometheus | +| [pod\_identity\_role\_arn](#output\_pod\_identity\_role\_arn) | Amazon Resource Name for Prometheus | diff --git a/modules/prometheus/data.tf b/modules/prometheus/data.tf index 5e834b3..ede3027 100644 --- a/modules/prometheus/data.tf +++ b/modules/prometheus/data.tf @@ -14,15 +14,6 @@ # # SPDX-License-Identifier: Apache-2.0 -data "aws_s3_bucket" "thanos" { - bucket = var.bucket_name -} - -data "aws_kms_key" "thanos" { - count = var.enable_kms ? 1 : 0 - key_id = "alias/thanos" -} - data "aws_eks_cluster" "this" { name = var.cluster_name } diff --git a/modules/prometheus/iam.tf b/modules/prometheus/iam.tf index 4c716f7..95e40ab 100644 --- a/modules/prometheus/iam.tf +++ b/modules/prometheus/iam.tf 
@@ -14,93 +14,17 @@ # # SPDX-License-Identifier: Apache-2.0 -data "aws_iam_policy_document" "bucket" { - statement { - actions = [ - "s3:ListBucket", - "s3:GetObject", - "s3:DeleteObject", - "s3:PutObject", - ] - - #tfsec:ignore:aws-iam-no-policy-wildcards - resources = [ - data.aws_s3_bucket.thanos.arn, - "${data.aws_s3_bucket.thanos.arn}/*" - ] - } - - # statement { - # effect = "Allow" - - # actions = [ - # "kms:Encrypt", - # "kms:Decrypt", - # "kms:GenerateDataKey*", - # ] - - # resources = var.enable_kms ? [data.aws_kms_key.thanos[0].arn] : [] - # } -} - -data "aws_iam_policy_document" "kms" { - count = var.enable_kms ? 1 : 0 - - statement { - effect = "Allow" - - #tfsec:ignore:aws-iam-no-policy-wildcards - actions = [ - "kms:Encrypt", - "kms:Decrypt", - "kms:GenerateDataKey*", - ] - - resources = [ - data.aws_kms_key.thanos[0].arn - ] - } -} - -resource "aws_iam_policy" "bucket" { - name = format("%s-bucket", local.service_name) - path = "/" - description = "Bucket permissions for Prometheus" - policy = data.aws_iam_policy_document.bucket.json - tags = merge( - { "Name" = format("%s-bucket", local.service_name) }, - var.tags - ) -} - -resource "aws_iam_policy" "kms" { - count = var.enable_kms ? 1 : 0 - - name = format("%s-kms", local.service_name) - path = "/" - description = "KMS permissions for Prometheus" - policy = data.aws_iam_policy_document.kms[0].json - tags = merge( - { "Name" = format("%s-kms", local.service_name) }, - var.tags - ) -} - module "irsa" { source = "terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc" version = "5.44.0" + for_each = var.enable_irsa ? toset(["1"]) : toset([]) + create_role = true role_description = "Prometheus Role" role_name = local.role_name provider_url = data.aws_eks_cluster.this.identity[0].oidc[0].issuer - role_policy_arns = var.enable_kms ? 
[
- aws_iam_policy.bucket.arn,
- aws_iam_policy.kms[0].arn,
- data.aws_iam_policy.amp_remote_write_access.arn,
- data.aws_iam_policy.ec2_ro_access.arn
- ] : [
- aws_iam_policy.bucket.arn,
+ role_policy_arns = [
data.aws_iam_policy.amp_remote_write_access.arn,
data.aws_iam_policy.ec2_ro_access.arn
]
@@ -110,3 +34,31 @@ module "irsa" {
var.tags
)
}
+
+module "pod_identity" {
+ source = "terraform-aws-modules/eks-pod-identity/aws"
+ version = "1.4.0"
+
+ for_each = var.enable_pod_identity ? toset(["1"]) : toset([])
+
+ name = local.role_name
+
+ # attach_custom_policy = true
+ additional_policy_arns = {
+ AmazonPrometheusRemoteWriteAccess : data.aws_iam_policy.amp_remote_write_access.arn,
+ AmazonEC2ReadOnlyAccess : data.aws_iam_policy.ec2_ro_access.arn
+ }
+
+ associations = {
+ main = {
+ cluster_name = data.aws_eks_cluster.this.id
+ namespace = var.namespace
+ service_account = var.service_account
+ }
+ }
+
+ tags = merge(
+ { "Name" = local.role_name },
+ var.tags
+ )
+}
diff --git a/modules/prometheus/main.tf b/modules/prometheus/main.tf
index 5f9346e..e56a471 100644
--- a/modules/prometheus/main.tf
+++ b/modules/prometheus/main.tf
@@ -20,7 +20,7 @@ terraform {
required_providers {
aws = {
source = "hashicorp/aws"
- version = ">= 4.0.0"
+ version = ">= 5.30.0"
}
}
}
diff --git a/modules/prometheus/outputs.tf b/modules/prometheus/outputs.tf
index 287109f..30e0fe9 100644
--- a/modules/prometheus/outputs.tf
+++ b/modules/prometheus/outputs.tf
@@ -14,7 +14,12 @@
#
# SPDX-License-Identifier: Apache-2.0
-output "role_arn" {
- value = module.irsa.iam_role_arn
+output "irsa_role_arn" {
+ value = [for irsa in module.irsa : irsa.iam_role_arn]
+ description = "Amazon Resource Name for Prometheus"
+}
+
+output "pod_identity_role_arn" {
+ value = [for pod_id in module.pod_identity : pod_id.iam_role_arn]
description = "Amazon Resource Name for Prometheus"
}
diff --git a/modules/prometheus/variables.tf b/modules/prometheus/variables.tf
index c222871..a562e72 100644
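Review bot: With the Thanos bucket and KMS policies gone, `data.aws_iam_policy.ec2_ro_access.arn` (AmazonEC2ReadOnlyAccess) is now the broadest grant left in `role_policy_arns`: that managed policy allows Describe/List on every EC2, ELB, Auto Scaling and CloudWatch resource in the account. If it is there for Prometheus EC2 service discovery, only `ec2:DescribeInstances` and `ec2:DescribeAvailabilityZones` are needed, and a small customer-managed policy with those two actions would match the single-ARN scoping the removed bucket/KMS policies had. This is pre-existing rather than introduced here, but the hunk is where the role's policy list is rewritten, so a comment explaining why the managed policy is acceptable, or a replacement, belongs here. The `module "irsa"` block starts in the previous physical line and its `tags` continue after this hunk.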
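Review bot: `name = local.role_name` for `module "pod_identity"` reuses the exact value the `irsa` module above passes as `role_name`, so enabling both `enable_irsa` and `enable_pod_identity` would attempt two IAM roles with one name unless the eks-pod-identity module prefixes it (not verifiable from this diff); use a distinct name such as `name = format("%s-pod-identity", local.role_name)`. The commented-out `# attach_custom_policy = true` reads as a leftover from experimentation — either drop it or replace it with a comment saying what it is reserved for. A one-line note that the association only takes effect with the eks-pod-identity-agent add-on installed on `data.aws_eks_cluster.this` would also help, since nothing in the module provisions or checks for it.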
--- a/modules/prometheus/variables.tf
+++ b/modules/prometheus/variables.tf
@@ -31,6 +31,16 @@ variable "service_account" {
description = "The Kubernetes service account"
}
+variable "enable_irsa" {
+ type = bool
+ description = "Enable IRSA resources"
+}
+
+variable "enable_pod_identity" {
+ type = bool
+ description = "Enable EKS Pod Identity resources"
+}
+
variable "tags" {
type = map(string)
description = "Tags for Loki"
@@ -38,16 +48,3 @@ variable "tags" {
"Made-By" = "Terraform"
}
}
-
-variable "bucket_name" {
- type = string
- description = "Name of the Thanos bucket"
-}
-
-#############################################################################
-# KMS
-
-variable "enable_kms" {
- type = bool
- description = "Enable custom KMS key"
-}
diff --git a/modules/tempo/README.md b/modules/tempo/README.md
index c8adf92..233ffb2 100644
--- a/modules/tempo/README.md
+++ b/modules/tempo/README.md
@@ -1,68 +1,23 @@ -# Observability / Tempo - -Terraform module which configure Tempo resources on Amazon AWS - -## Terraform versions - -Use Terraform `0.13` and Terraform Provider Google `3.45+`. - -These types of resources are supported: - -## Usage - -```hcl -module "tempo" { - source = "nlamirault/observability/aws//modules/tempo" - version = "0.0.0" - - cluster_name = var.cluster_name - - namespace = var.namespace - service_accounts = var.service_accounts - - tags = var.tags -} -``` - -and variables : - -```hcl -cluster_name = "foo-staging-eks" - -namespace = "monitoring" -service_accounts = ["tempo-store", "tempo-query", "tempo-compact"] - -tags = { - "project" = "foo" - "env" = "staging" - "service" = "tempo" - "made-by" = "terraform" -} -``` - -## Documentation - - ## Requirements | Name | Version | |------|---------| | [terraform](#requirement\_terraform) | >= 1.0.0 | -| [aws](#requirement\_aws) | >= 4.0.0 | +| [aws](#requirement\_aws) | >= 5.30.0 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | >= 4.0.0 | +| [aws](#provider\_aws) | >= 5.30.0 | ## Modules | Name | Source | Version | |------|--------|---------| -| [buckets\_data](#module\_buckets\_data) | terraform-aws-modules/s3-bucket/aws | 3.6.0 | -| [buckets\_logging](#module\_buckets\_logging) | terraform-aws-modules/s3-bucket/aws | 3.6.0 | -| [irsa](#module\_irsa) | terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc | 5.10.0 | +| [buckets\_data](#module\_buckets\_data) | terraform-aws-modules/s3-bucket/aws | 4.1.1 | +| [irsa](#module\_irsa) | terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc | 5.44.0 | +| [pod\_identity](#module\_pod\_identity) | terraform-aws-modules/eks-pod-identity/aws | 1.4.0 | ## Resources 
@@ -82,7 +37,9 @@ tags = { |------|-------------|------|---------|:--------:| | [cluster\_name](#input\_cluster\_name) | Name of the EKS cluster | `string` | n/a | yes | | [deletion\_window\_in\_days](#input\_deletion\_window\_in\_days) | Duration in days after which the key is deleted after destruction of the resource, must be between 7 and 30 days | `number` | `30` | no | +| [enable\_irsa](#input\_enable\_irsa) | Enable IRSA resources | `bool` | n/a | yes | | [enable\_kms](#input\_enable\_kms) | Enable custom KMS key | `bool` | n/a | yes | +| [enable\_pod\_identity](#input\_enable\_pod\_identity) | Enable EKS Pod Identity resources | `bool` | n/a | yes | | [namespace](#input\_namespace) | The Kubernetes namespace | `string` | n/a | yes | | [service\_account](#input\_service\_account) | The Kubernetes service account | `string` | n/a | yes | | [tags](#input\_tags) | Tags for Tempo | `map(string)` |
{
"Made-By": "Terraform"
}
| no | @@ -92,6 +49,5 @@ tags = { | Name | Description | |------|-------------| | [bucket](#output\_bucket) | S3 bucket for Tempo | -| [bucket\_log](#output\_bucket\_log) | S3 log bucket for Tempo | -| [role\_arn](#output\_role\_arn) | Amazon Resource Name for Tempo | - +| [irsa\_role\_arn](#output\_irsa\_role\_arn) | Amazon Resource Name for Tempo | +| [pod\_identity\_role\_arn](#output\_pod\_identity\_role\_arn) | Amazon Resource Name for Tempo | diff --git a/modules/tempo/bucket.tf b/modules/tempo/bucket.tf index 1b20fb9..4f7654e 100644 --- a/modules/tempo/bucket.tf +++ b/modules/tempo/bucket.tf @@ -14,13 +14,14 @@ # # SPDX-License-Identifier: Apache-2.0 -module "buckets_logging" { +#tfsec:ignore:aws-s3-encryption-customer-key +module "buckets_data" { source = "terraform-aws-modules/s3-bucket/aws" version = "4.1.1" - for_each = local.buckets_names + for_each = toset(local.buckets_names) - bucket = format("%s-%s-logging", local.service_name, each.value) + bucket = format("%s-%s", local.service_name, each.value) block_public_acls = true block_public_policy = true restrict_public_buckets = true @@ -28,11 +29,6 @@ module "buckets_logging" { force_destroy = true - tags = merge( - { "Name" = format("%s-%s-logging", local.service_name, each.value) }, - var.tags - ) - versioning = { enabled = true } 
@@ -46,44 +42,9 @@ module "buckets_logging" {
}
}
} : {}
-}
-
-#tfsec:ignore:aws-s3-encryption-customer-key
-module "buckets_data" {
- source = "terraform-aws-modules/s3-bucket/aws"
- version = "4.1.1"
-
- for_each = local.buckets_names
-
- bucket = format("%s-%s", local.service_name, each.value)
- block_public_acls = true
- block_public_policy = true
- restrict_public_buckets = true
- ignore_public_acls = true
-
- force_destroy = true
tags = merge(
{ "Name" = format("%s-%s", local.service_name, each.value) },
var.tags
)
-
- logging = {
- target_bucket = module.buckets_logging[format("%s-%s", local.service_name, each.value)].s3_bucket_id
- target_prefix = "log/"
- }
-
- versioning = {
- enabled = true
- }
-
- server_side_encryption_configuration = var.enable_kms ? {
- rule = {
- bucket_key_enabled = true
- apply_server_side_encryption_by_default = {
- kms_master_key_id = aws_kms_key.tempo[0].arn
- sse_algorithm = "aws:kms"
- }
- }
- } : {}
}
diff --git a/modules/tempo/iam.tf b/modules/tempo/iam.tf
index f95c6c1..24d454b 100644
--- a/modules/tempo/iam.tf
+++ b/modules/tempo/iam.tf
@@ -98,6 +98,8 @@ module "irsa" {
source = "terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc"
version = "5.44.0"
+ for_each = var.enable_irsa ? toset(["1"]) : toset([])
+
create_role = true
role_description = "Role for Tempo"
role_name = local.role_name
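Review bot: The Tempo `buckets_data` module left standing after this hunk has no `logging` block, so the trace buckets lose S3 server access logging together with the deleted `buckets_logging` buckets; only `tags` remain before the closing brace. If the audit trail is now expected to come from elsewhere, say so in a comment above the module, e.g. `# Server access logging intentionally omitted; S3 data events are captured by CloudTrail`; otherwise keep `logging = { target_bucket = <log bucket id>, target_prefix = "log/" }` pointed at a retained log bucket. The `module "buckets_data"` block begins in an earlier hunk outside this one.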
@@ -114,3 +116,33 @@ module "irsa" {
var.tags
)
}
+
+module "pod_identity" {
+ source = "terraform-aws-modules/eks-pod-identity/aws"
+ version = "1.4.0"
+
+ for_each = var.enable_pod_identity ? toset(["1"]) : toset([])
+
+ name = local.role_name
+
+ # attach_custom_policy = true
+ additional_policy_arns = var.enable_kms ? {
+ TempoS3Access : aws_iam_policy.bucket.arn,
+ TempoKMSAccess : aws_iam_policy.kms[0].arn,
+ } : {
+ TempoS3Access : aws_iam_policy.bucket.arn,
+ }
+
+ associations = {
+ main = {
+ cluster_name = data.aws_eks_cluster.this.id
+ namespace = var.namespace
+ service_account = var.service_account
+ }
+ }
+
+ tags = merge(
+ { "Name" = local.role_name },
+ var.tags
+ )
+}
diff --git a/modules/tempo/main.tf b/modules/tempo/main.tf
index 5f9346e..e56a471 100644
--- a/modules/tempo/main.tf
+++ b/modules/tempo/main.tf
@@ -20,7 +20,7 @@ terraform {
required_providers {
aws = {
source = "hashicorp/aws"
- version = ">= 4.0.0"
+ version = ">= 5.30.0"
}
}
}
diff --git a/modules/tempo/outputs.tf b/modules/tempo/outputs.tf
index 8e0ccf9..49d1e68 100644
--- a/modules/tempo/outputs.tf
+++ b/modules/tempo/outputs.tf
@@ -15,16 +15,16 @@
# SPDX-License-Identifier: Apache-2.0
output "bucket" {
- value = module.buckets_data[*].s3_bucket_id
+ value = [for b in module.buckets_data : b.s3_bucket_id]
description = "S3 bucket for Tempo"
}
-output "bucket_log" {
- value = module.buckets_logging[*].s3_bucket_id
- description = "S3 log bucket for Tempo"
+output "irsa_role_arn" {
+ value = [for irsa in module.irsa : irsa.iam_role_arn]
+ description = "Amazon Resource Name for Tempo"
}
-output "role_arn" {
- value = module.irsa.iam_role_arn
+output "pod_identity_role_arn" {
+ value = [for pod_id in module.pod_identity : pod_id.iam_role_arn]
description = "Amazon Resource Name for Tempo"
}
diff --git a/modules/tempo/variables.tf b/modules/tempo/variables.tf
index ea4de4e..4348ab0 100644
--- a/modules/tempo/variables.tf
+++ b/modules/tempo/variables.tf
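Review bot: `name = local.role_name` in the Tempo `module "pod_identity"` is the same value the `irsa` module passes as `role_name` in the previous hunk, so turning on both `enable_irsa` and `enable_pod_identity` will collide on the IAM role name unless the eks-pod-identity module prefixes it, which this diff does not show; a distinct name such as `name = format("%s-pod-identity", local.role_name)` avoids the ambiguity either way. The commented-out `# attach_custom_policy = true` looks like a leftover and should be removed or explained. The `aws_iam_policy.kms[0].arn` reference is safely guarded by the `var.enable_kms` conditional, but a short comment above `additional_policy_arns` noting that the KMS grant is only attached when a customer key is in use would make the branch self-explanatory.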
@@ -40,6 +40,16 @@ variable "tags" {
}
}
+variable "enable_irsa" {
+ type = bool
+ description = "Enable IRSA resources"
+}
+
+variable "enable_pod_identity" {
+ type = bool
+ description = "Enable EKS Pod Identity resources"
+}
+
#############################################################################
# KMS
@@ -48,7 +58,6 @@ variable "enable_kms" {
description = "Enable custom KMS key"
}
-
variable "deletion_window_in_days" {
type = number
description = "Duration in days after which the key is deleted after destruction of the resource, must be between 7 and 30 days"