From 2030c646af8f43fd167bc9cd63c075659b486da0 Mon Sep 17 00:00:00 2001 From: Nicolas Lamirault Date: Mon, 26 Aug 2024 18:58:55 +0200 Subject: [PATCH 01/22] feat(adot): EKS Pod identity Signed-off-by: Nicolas Lamirault --- .terraform-version | 1 - modules/adot/README.md | 16 ++++++---------- modules/adot/iam.tf | 19 +++++++++++++++++++ modules/adot/outputs.tf | 9 +++++++-- modules/adot/variables.tf | 10 ++++++++++ 5 files changed, 42 insertions(+), 13 deletions(-) delete mode 100644 .terraform-version diff --git a/.terraform-version b/.terraform-version deleted file mode 100644 index a1c22f8..0000000 --- a/.terraform-version +++ /dev/null @@ -1 +0,0 @@ -latest:^1.3 diff --git a/modules/adot/README.md b/modules/adot/README.md index 6d7114a..76d1ce5 100644 --- a/modules/adot/README.md +++ b/modules/adot/README.md @@ -1,10 +1,3 @@ -# Observability / AWS Distro for OpenTelemetry (ADOT) Operator - -Terraform module which configure the AWS Distro for OpenTelemetry (ADOT) Operator - -## Documentation - - ## Requirements | Name | Version | @@ -22,7 +15,8 @@ Terraform module which configure the AWS Distro for OpenTelemetry (ADOT) Operato | Name | Source | Version | |------|--------|---------| -| [irsa](#module\_irsa) | terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc | 5.5.2 | +| [irsa](#module\_irsa) | terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc | 5.44.0 | +| [pod\_identity](#module\_pod\_identity) | terraform-aws-modules/eks-pod-identity/aws | 1.4.0 | ## Resources 
@@ -38,6 +32,8 @@ Terraform module which configure the AWS Distro for OpenTelemetry (ADOT) Operato | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| | [cluster\_name](#input\_cluster\_name) | Name of the EKS cluster | `string` | n/a | yes | +| [enable\_irsa](#input\_enable\_irsa) | Enable IRSA resources | `bool` | n/a | yes | +| [enable\_pod\_identity](#input\_enable\_pod\_identity) | Enable EKS Pod Identity resources | `bool` | n/a | yes | | [namespace](#input\_namespace) | The Kubernetes namespace | `string` | n/a | yes | | [service\_account](#input\_service\_account) | The Kubernetes service account | `string` | n/a | yes | | [tags](#input\_tags) | Tags for resources | `map(string)` |
{
"Made-By": "Terraform"
}
| no | @@ -46,5 +42,5 @@ Terraform module which configure the AWS Distro for OpenTelemetry (ADOT) Operato | Name | Description | |------|-------------| -| [role\_arn](#output\_role\_arn) | Amazon Resource Name for ADOT Collector | - +| [irsa\_role\_arn](#output\_irsa\_role\_arn) | Amazon Resource Name for ADOT Collector | +| [pod\_identity\_role\_arn](#output\_pod\_identity\_role\_arn) | Amazon Resource Name for ADOT Collector | diff --git a/modules/adot/iam.tf b/modules/adot/iam.tf index f5148ef..fc1fb92 100644 --- a/modules/adot/iam.tf +++ b/modules/adot/iam.tf @@ -18,6 +18,8 @@ module "irsa" { source = "terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc" version = "5.44.0" + for_each = var.enable_irsa ? [1] : [] + create_role = true role_description = "ADOTCollector" role_name = local.role_name @@ -34,3 +36,20 @@ module "irsa" { var.tags ) } + +module "pod_identity" { + source = "terraform-aws-modules/eks-pod-identity/aws" + version = "1.4.0" + + for_each = var.enable_pod_identity ? [1] : [] + + name = local.role_name + + attach_amazon_managed_service_prometheus_policy = true + amazon_managed_service_prometheus_workspace_arns = ["arn:aws:prometheus:*:*:workspace/foo"] + + tags = merge( + { "Name" = local.role_name }, + var.tags + ) +} diff --git a/modules/adot/outputs.tf b/modules/adot/outputs.tf index 7b4c557..5673187 100644 --- a/modules/adot/outputs.tf +++ b/modules/adot/outputs.tf @@ -14,7 +14,12 @@ # # SPDX-License-Identifier: Apache-2.0 -output "role_arn" { - value = module.irsa.iam_role_arn +output "irsa_role_arn" { + value = [for irsa in module.irsa : irsa.iam_role_arn] + description = "Amazon Resource Name for ADOT Collector" +} + +output "pod_identity_role_arn" { + value = [for pod_id in module.pod_identity : pod_id.iam_role_arn] description = "Amazon Resource Name for ADOT Collector" } diff --git a/modules/adot/variables.tf b/modules/adot/variables.tf index 9049404..ea3fc77 100644 --- a/modules/adot/variables.tf 
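Review bot: `for_each = var.enable_irsa ? [1] : []` in the `module "irsa"` hunk hands a tuple to `for_each`, which Terraform rejects (the argument must be a map or a set of strings), so the module fails at plan time whether or not IRSA is enabled; the same construct is repeated for `module "pod_identity"` below it and in the cloudwatch, loki, grafana and tempo iam.tf hunks of this series. Either key it explicitly, `for_each = var.enable_irsa ? { this = true } : {}`, or use `count = var.enable_irsa ? 1 : 0`, and mirror that choice in the outputs that iterate `module.irsa` / `module.pod_identity`. Separately, both modules create an IAM role named `local.role_name`, so enabling `enable_irsa` and `enable_pod_identity` together fails with EntityAlreadyExists on the second role; suffix one of them, e.g. `name = format("%s-pod-identity", local.role_name)`, or add a variable validation that forbids both flags at once. The `module "irsa"` block begins before the first hunk.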
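Review bot: `output "irsa_role_arn"` and `output "pod_identity_role_arn"` expose a list even though at most one instance of each module can exist, and the rename drops the previous `role_arn` output, so any caller that read it as a string breaks twice. Collapsing with `value = one([for irsa in module.irsa : irsa.iam_role_arn])` (available since Terraform 0.15, inside the module's `>= 1.0.0` requirement) yields the single ARN, or `null` when the feature is disabled, which is the shape consumers annotate service accounts with; the same applies to the cloudwatch, grafana and tempo outputs hunks. Both descriptions read "Amazon Resource Name for ADOT Collector"; naming which role each one is ("... IRSA role" / "... Pod Identity role") makes the generated README usable.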
+++ b/modules/adot/variables.tf @@ -29,6 +29,16 @@ variable "service_account" { description = "The Kubernetes service account" } +variable "enable_irsa" { + type = bool + description = "Enable IRSA resources" +} + +variable "enable_pod_identity" { + type = bool + description = "Enable EKS Pod Identity resources" +} + variable "tags" { type = map(string) description = "Tags for resources" From 9810ccec30ab51827020583497bed656dbf4f9cd Mon Sep 17 00:00:00 2001 From: Nicolas Lamirault Date: Mon, 26 Aug 2024 19:01:11 +0200 Subject: [PATCH 02/22] feat(aws): bump provider version Signed-off-by: Nicolas Lamirault --- modules/adot/main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/adot/main.tf b/modules/adot/main.tf index 5f9346e..158e8f5 100644 --- a/modules/adot/main.tf +++ b/modules/adot/main.tf @@ -20,7 +20,7 @@ terraform { required_providers { aws = { source = "hashicorp/aws" - version = ">= 4.0.0" + version = ">= 5.30" } } } From a196411e43bf0e2bbdec4f179bcdec1c78340351 Mon Sep 17 00:00:00 2001 From: Nicolas Lamirault Date: Tue, 27 Aug 2024 08:18:00 +0200 Subject: [PATCH 03/22] feat(cloudwatch): Enable EKS Pod Identity Signed-off-by: Nicolas Lamirault --- modules/cloudwatch/README.md | 16 ++++++---------- modules/cloudwatch/iam.tf | 20 +++++++++++++++++++- modules/cloudwatch/outputs.tf | 9 +++++++-- modules/cloudwatch/variables.tf | 10 ++++++++++ 4 files changed, 42 insertions(+), 13 deletions(-) diff --git a/modules/cloudwatch/README.md b/modules/cloudwatch/README.md index 62c6b86..3462a43 100644 --- a/modules/cloudwatch/README.md +++ b/modules/cloudwatch/README.md @@ -1,10 +1,3 @@ -# Observability / Cloudwatch - -Terraform module which configure Grafana Cloudwatch resources on Amazon AWS - -## Documentation - - ## Requirements | Name | Version | 
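Review bot: `enable_irsa` and `enable_pod_identity` are declared without a `default`, so every existing consumer of the module fails to plan until both are set, although before this change the IRSA role was created unconditionally. `default = true` on `enable_irsa` and `default = false` on `enable_pod_identity` preserves the prior behaviour for existing callers; the same applies to the cloudwatch, loki, grafana and tempo variables.tf hunks in this series. Since both modules create a role with the same name, a `validation` block stating the intended either/or usage would also document the constraint where users look for it.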
@@ -22,7 +15,8 @@ Terraform module which configure Grafana Cloudwatch resources on Amazon AWS | Name | Source | Version | |------|--------|---------| -| [irsa\_agent](#module\_irsa\_agent) | terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc | 5.5.2 | +| [irsa](#module\_irsa) | terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc | 5.44.0 | +| [pod\_identity](#module\_pod\_identity) | terraform-aws-modules/eks-pod-identity/aws | 1.4.0 | ## Resources @@ -41,7 +35,9 @@ Terraform module which configure Grafana Cloudwatch resources on Amazon AWS |------|-------------|------|---------|:--------:| | [cluster\_name](#input\_cluster\_name) | Name of the EKS cluster | `string` | n/a | yes | | [deletion\_window\_in\_days](#input\_deletion\_window\_in\_days) | Duration in days after which the key is deleted after destruction of the resource, must be between 7 and 30 days | `number` | `30` | no | +| [enable\_irsa](#input\_enable\_irsa) | Enable IRSA resources | `bool` | n/a | yes | | [enable\_kms](#input\_enable\_kms) | Enable custom KMS key | `bool` | n/a | yes | +| [enable\_pod\_identity](#input\_enable\_pod\_identity) | Enable EKS Pod Identity resources | `bool` | n/a | yes | | [log\_retention\_in\_days](#input\_log\_retention\_in\_days) | Number of days to retain log events | `number` | `90` | no | | [namespace](#input\_namespace) | The Kubernetes namespace | `string` | n/a | yes | | [service\_account](#input\_service\_account) | The Kubernetes service account | `string` | n/a | yes | @@ -51,5 +47,5 @@ Terraform module which configure Grafana Cloudwatch resources on Amazon AWS | Name | Description | |------|-------------| -| [agent\_role\_arn](#output\_agent\_role\_arn) | Amazon Resource Name for Cloudwatch Agent | - +| [irsa\_role\_arn](#output\_irsa\_role\_arn) | Amazon Resource Name for Cloudwatch Agent | +| [pod\_identity\_role\_arn](#output\_pod\_identity\_role\_arn) | Amazon Resource Name for Cloudwatch Agent | 
diff --git a/modules/cloudwatch/iam.tf b/modules/cloudwatch/iam.tf index 7d8ee56..d962fab 100644 --- a/modules/cloudwatch/iam.tf +++ b/modules/cloudwatch/iam.tf @@ -14,10 +14,12 @@ # # SPDX-License-Identifier: Apache-2.0 -module "irsa_agent" { +module "irsa" { source = "terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc" version = "5.44.0" + for_each = var.enable_irsa ? [1] : [] + create_role = true role_description = "Cloudwatch Agent" role_name = local.role_name @@ -32,3 +34,19 @@ module "irsa_agent" { var.tags ) } + +module "pod_identity" { + source = "terraform-aws-modules/eks-pod-identity/aws" + version = "1.4.0" + + for_each = var.enable_pod_identity ? [1] : [] + + name = local.role_name + + attach_aws_cloudwatch_observability_policy = true + + tags = merge( + { "Name" = local.role_name }, + var.tags + ) +} diff --git a/modules/cloudwatch/outputs.tf b/modules/cloudwatch/outputs.tf index 1cd18bc..364922f 100644 --- a/modules/cloudwatch/outputs.tf +++ b/modules/cloudwatch/outputs.tf @@ -14,7 +14,12 @@ # # SPDX-License-Identifier: Apache-2.0 -output "agent_role_arn" { - value = module.irsa_agent.iam_role_arn +output "irsa_role_arn" { + value = [for irsa in module.irsa : irsa.iam_role_arn] + description = "Amazon Resource Name for Cloudwatch Agent" +} + +output "pod_identity_role_arn" { + value = [for pod_id in module.pod_identity : pod_id.iam_role_arn] description = "Amazon Resource Name for Cloudwatch Agent" } diff --git a/modules/cloudwatch/variables.tf b/modules/cloudwatch/variables.tf index fd7c713..c40b4f4 100644 --- a/modules/cloudwatch/variables.tf +++ b/modules/cloudwatch/variables.tf @@ -38,6 +38,16 @@ variable "service_account" { description = "The Kubernetes service account" } +variable "enable_irsa" { + type = bool + description = "Enable IRSA resources" +} + +variable "enable_pod_identity" { + type = bool + description = "Enable EKS Pod Identity resources" +} + variable "tags" { type = map(string) description = "Tags for Cloudwatch" 
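Review bot: Renaming `module "irsa_agent"` to `module "irsa"` while also adding a `for_each` key changes the resource address, so the next apply destroys the existing Cloudwatch Agent role and creates a new one; pods still assuming the old role ARN lose their permissions during that window, and the new ARN has to be re-wired into the service account annotation. A `moved` block alongside the module, `moved { from = module.irsa_agent  to = module.irsa["this"] }` (with whatever key the `for_each` settles on), carries the role over in state; note that `moved` needs `required_version = ">= 1.1"`, while main.tf still declares `>= 1.0.0`. The `module "irsa"` block continues past the first hunk.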
From 83fd2ee7ac55464903410286df5acdf0bdea609f Mon Sep 17 00:00:00 2001 From: Nicolas Lamirault Date: Tue, 27 Aug 2024 08:19:49 +0200 Subject: [PATCH 04/22] feat(cloudwatch): bump provider version Signed-off-by: Nicolas Lamirault --- modules/cloudwatch/README.md | 4 ++-- modules/cloudwatch/main.tf | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/modules/cloudwatch/README.md b/modules/cloudwatch/README.md index 3462a43..556b577 100644 --- a/modules/cloudwatch/README.md +++ b/modules/cloudwatch/README.md @@ -3,13 +3,13 @@ | Name | Version | |------|---------| | [terraform](#requirement\_terraform) | >= 1.0.0 | -| [aws](#requirement\_aws) | >= 4.0.0 | +| [aws](#requirement\_aws) | >= 5.30.0 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | >= 4.0.0 | +| [aws](#provider\_aws) | >= 5.30.0 | ## Modules diff --git a/modules/cloudwatch/main.tf b/modules/cloudwatch/main.tf index 5f9346e..e56a471 100644 --- a/modules/cloudwatch/main.tf +++ b/modules/cloudwatch/main.tf @@ -20,7 +20,7 @@ terraform { required_providers { aws = { source = "hashicorp/aws" - version = ">= 4.0.0" + version = ">= 5.30.0" } } } From 1aafcf30eb679244700f005c5e1245445a61ddd6 Mon Sep 17 00:00:00 2001 From: Nicolas Lamirault Date: Tue, 27 Aug 2024 18:10:45 +0200 Subject: [PATCH 05/22] feat(loki): Enable EKS Pod Identity Signed-off-by: Nicolas Lamirault --- modules/loki/iam.tf | 33 +++++++++++++++++++++++++++++++++ modules/loki/main.tf | 2 +- modules/loki/outputs.tf | 10 ++++++++++ modules/loki/variables.tf | 10 ++++++++++ 4 files changed, 54 insertions(+), 1 deletion(-) diff --git a/modules/loki/iam.tf b/modules/loki/iam.tf index 0eb5087..2cc5a51 100644 --- a/modules/loki/iam.tf +++ b/modules/loki/iam.tf @@ -99,6 +99,8 @@ module "irsa" { source = "terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc" version = "5.44.0" + for_each = var.enable_irsa ? [1] : [] + create_role = true role_description = "Role for Loki" role_name = local.role_name 
@@ -111,6 +113,37 @@ module "irsa" { ] oidc_fully_qualified_subjects = ["system:serviceaccount:${var.namespace}:${var.service_account}"] + tags = merge( + { "Name" = local.role_name }, + var.tags + ) +} + +module "pod_identity" { + source = "terraform-aws-modules/eks-pod-identity/aws" + version = "1.4.0" + + for_each = var.enable_pod_identity ? [1] : [] + + name = local.role_name + + # attach_custom_policy = true + additional_policy_arns = var.enable_kms ? { + LokiS3Access : aws_iam_policy.bucket.arn, + LokiKMSAccess : aws_iam_policy.kms[0].arn, + } : { + LokiS3Access : aws_iam_policy.bucket.arn, + } + + associations = { + main = { + cluster_name = data.aws_eks_cluster.cluster_name + namespace = var.namespace + service_account = var.service_account + } + } + + tags = merge( { "Name" = local.role_name }, var.tags diff --git a/modules/loki/main.tf b/modules/loki/main.tf index 5f9346e..e56a471 100644 --- a/modules/loki/main.tf +++ b/modules/loki/main.tf @@ -20,7 +20,7 @@ terraform { required_providers { aws = { source = "hashicorp/aws" - version = ">= 4.0.0" + version = ">= 5.30.0" } } } diff --git a/modules/loki/outputs.tf b/modules/loki/outputs.tf index 80bcb89..4104036 100644 --- a/modules/loki/outputs.tf +++ b/modules/loki/outputs.tf @@ -28,3 +28,13 @@ output "role_arn" { value = module.irsa.iam_role_arn description = "Amazon Resource Name for Loki" } + +output "irsa_role_arn" { + value = [for irsa in module.irsa : irsa.iam_role_arn] + description = "Amazon Resource Name for Loki" +} + +output "pod_identity_role_arn" { + value = [for pod_id in module.pod_identity : pod_id.iam_role_arn] + description = "Amazon Resource Name for Loki" +} diff --git a/modules/loki/variables.tf b/modules/loki/variables.tf index 212414c..3eb92c3 100644 --- a/modules/loki/variables.tf +++ b/modules/loki/variables.tf 
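Review bot: `cluster_name = data.aws_eks_cluster.cluster_name` in the `associations` block refers to a data source labelled `cluster_name`, which this diff does not declare and which differs from the `data "aws_eks_cluster" "this"` pattern seen in the removed thanos module; unless such a data source exists in loki's data.tf, plan fails with an undeclared-resource error. The association needs the cluster name string, so `cluster_name = var.cluster_name` is presumably the intent; the same line appears in the adot, grafana, cloudwatch and tempo pod_identity hunks of this series. The commented `# attach_custom_policy = true` line is dead and should be removed rather than left as a hint. The `module "pod_identity"` block closes after the hunk's last context line.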
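Review bot: The pre-existing `output "role_arn"` shown in context still reads `module.irsa.iam_role_arn`, but this commit adds `for_each` to `module "irsa"` in loki/iam.tf, so that expression is no longer valid (attributes of a `for_each` module must be read on a specific instance) and `terraform validate` fails for the whole module. Either drop `role_arn` as the adot and cloudwatch modules do in this series, or keep it as a compatibility alias with `value = one([for irsa in module.irsa : irsa.iam_role_arn])`. Its block starts before the hunk.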
@@ -39,6 +39,16 @@ variable "tags" { } } +variable "enable_irsa" { + type = bool + description = "Enable IRSA resources" +} + +variable "enable_pod_identity" { + type = bool + description = "Enable EKS Pod Identity resources" +} + ############################################################################# # KMS From 7b8a82e442b44d91c5dda167fb1ab6eb0ff904a5 Mon Sep 17 00:00:00 2001 From: Nicolas Lamirault Date: Tue, 27 Aug 2024 18:10:54 +0200 Subject: [PATCH 06/22] feat(eks): cleanup Signed-off-by: Nicolas Lamirault --- modules/adot/iam.tf | 16 ++++++++++++++-- modules/grafana/iam.tf | 32 ++++++++++++++++++++++++++++++++ modules/grafana/main.tf | 2 +- modules/grafana/outputs.tf | 9 +++++++-- modules/grafana/variables.tf | 10 ++++++++++ 5 files changed, 64 insertions(+), 5 deletions(-) diff --git a/modules/adot/iam.tf b/modules/adot/iam.tf index fc1fb92..cc1ab4c 100644 --- a/modules/adot/iam.tf +++ b/modules/adot/iam.tf @@ -45,8 +45,20 @@ module "pod_identity" { name = local.role_name - attach_amazon_managed_service_prometheus_policy = true - amazon_managed_service_prometheus_workspace_arns = ["arn:aws:prometheus:*:*:workspace/foo"] + # attach_custom_policy = true + additional_policy_arns = { + CloudWatchAgentServerPolicy = data.aws_iam_policy.cloudwatch_agent_server.arn, + AmazonPrometheusRemoteWriteAccess = data.aws_iam_policy.amp_remote_write_access.arn, + AWSXrayWriteOnlyAccess = data.aws_iam_policy.xray_write_access.arn + } + + associations = { + main = { + cluster_name = data.aws_eks_cluster.cluster_name + namespace = var.namespace + service_account = var.service_account + } + } tags = merge( { "Name" = local.role_name }, diff --git a/modules/grafana/iam.tf b/modules/grafana/iam.tf index d42a168..67ff43b 100644 --- a/modules/grafana/iam.tf +++ b/modules/grafana/iam.tf 
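Review bot: The replacement `additional_policy_arns` map in adot/iam.tf attaches three AWS-managed policies that are not scoped to any resource — `AmazonPrometheusRemoteWriteAccess` in particular allows remote write to every AMP workspace in the account — whereas the removed line used the module's `amazon_managed_service_prometheus_workspace_arns` input, which can restrict remote write to named workspaces. Keeping `attach_amazon_managed_service_prometheus_policy = true` and passing the real workspace ARNs through a new `list(string)` variable in place of the `foo` placeholder would preserve least privilege; if parity with the IRSA role's existing policies is the goal, a one-line comment saying so would justify the broader grant. The `data.aws_iam_policy.cloudwatch_agent_server`, `.amp_remote_write_access` and `.xray_write_access` sources are not in this diff and must exist in the module's data.tf for this to plan. The `module "pod_identity"` block starts and ends outside the hunk.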
@@ -18,6 +18,8 @@ module "irsa" { source = "terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc" version = "5.44.0" + for_each = var.enable_irsa ? [1] : [] + create_role = true role_description = "Role for Grafana" role_name = local.role_name @@ -32,6 +34,36 @@ module "irsa" { oidc_fully_qualified_subjects = ["system:serviceaccount:${var.namespace}:${var.service_account}"] oidc_fully_qualified_audiences = ["sts.amazonaws.com"] + tags = merge( + { "Name" = local.role_name }, + var.tags + ) +} + +module "pod_identity" { + source = "terraform-aws-modules/eks-pod-identity/aws" + version = "1.4.0" + + for_each = var.enable_pod_identity ? [1] : [] + + name = local.role_name + + # attach_custom_policy = true + additional_policy_arns = { + CloudWatchReadOnlyAccess = data.aws_iam_policy.cloudwatch_readonly_access.arn, + AmazonTimestreamReadOnlyAccess = data.aws_iam_policy.timestream_readonly_access.arn, + AmazonPrometheusQueryAccess = data.aws_iam_policy.amp_query_access.arn + } + + associations = { + main = { + cluster_name = data.aws_eks_cluster.cluster_name + namespace = var.namespace + service_account = var.service_account + } + } + + tags = merge( { "Name" = local.role_name }, var.tags diff --git a/modules/grafana/main.tf b/modules/grafana/main.tf index 5f9346e..e56a471 100644 --- a/modules/grafana/main.tf +++ b/modules/grafana/main.tf @@ -20,7 +20,7 @@ terraform { required_providers { aws = { source = "hashicorp/aws" - version = ">= 4.0.0" + version = ">= 5.30.0" } } } diff --git a/modules/grafana/outputs.tf b/modules/grafana/outputs.tf index c593b03..bf7b6d4 100644 --- a/modules/grafana/outputs.tf +++ b/modules/grafana/outputs.tf 
@@ -14,7 +14,12 @@ # # SPDX-License-Identifier: Apache-2.0 -output "role_arn" { - value = module.irsa.iam_role_arn +output "irsa_role_arn" { + value = [for irsa in module.irsa : irsa.iam_role_arn] + description = "Amazon Resource Name for Grafana" +} + +output "pod_identity_role_arn" { + value = [for pod_id in module.pod_identity : pod_id.iam_role_arn] description = "Amazon Resource Name for Grafana" } diff --git a/modules/grafana/variables.tf b/modules/grafana/variables.tf index 1095bc2..c9b70cd 100644 --- a/modules/grafana/variables.tf +++ b/modules/grafana/variables.tf @@ -38,6 +38,16 @@ variable "service_account" { description = "The Kubernetes service account" } +variable "enable_irsa" { + type = bool + description = "Enable IRSA resources" +} + +variable "enable_pod_identity" { + type = bool + description = "Enable EKS Pod Identity resources" +} + variable "tags" { type = map(string) description = "Tags for grafana" From d93ea04fb5ca501ae4f79a9887d66f2588fe8b68 Mon Sep 17 00:00:00 2001 From: Nicolas Lamirault Date: Tue, 27 Aug 2024 18:14:01 +0200 Subject: [PATCH 07/22] feat(cloudwatch): associations Signed-off-by: Nicolas Lamirault --- modules/cloudwatch/iam.tf | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/modules/cloudwatch/iam.tf b/modules/cloudwatch/iam.tf index d962fab..45b3e1c 100644 --- a/modules/cloudwatch/iam.tf +++ b/modules/cloudwatch/iam.tf @@ -45,6 +45,14 @@ module "pod_identity" { attach_aws_cloudwatch_observability_policy = true + associations = { + main = { + cluster_name = data.aws_eks_cluster.cluster_name + namespace = var.namespace + service_account = var.service_account + } + } + tags = merge( { "Name" = local.role_name }, var.tags From f9e096b93bd625f93d81fbebe567bf058437555e Mon Sep 17 00:00:00 2001 From: Nicolas Lamirault Date: Tue, 27 Aug 2024 18:24:05 +0200 Subject: [PATCH 08/22] feat(tempo): Enable EKS Pod Identity 
Signed-off-by: Nicolas Lamirault --- modules/tempo/iam.tf | 32 ++++++++++++++++++++++++++++++++ modules/tempo/main.tf | 2 +- modules/tempo/outputs.tf | 9 +++++++-- modules/tempo/variables.tf | 11 ++++++++++- 4 files changed, 50 insertions(+), 4 deletions(-) diff --git a/modules/tempo/iam.tf b/modules/tempo/iam.tf index f95c6c1..df86886 100644 --- a/modules/tempo/iam.tf +++ b/modules/tempo/iam.tf @@ -98,6 +98,8 @@ module "irsa" { source = "terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc" version = "5.44.0" + for_each = var.enable_irsa ? [1] : [] + create_role = true role_description = "Role for Tempo" role_name = local.role_name @@ -114,3 +116,33 @@ module "irsa" { var.tags ) } + +module "pod_identity" { + source = "terraform-aws-modules/eks-pod-identity/aws" + version = "1.4.0" + + for_each = var.enable_pod_identity ? [1] : [] + + name = local.role_name + + # attach_custom_policy = true + additional_policy_arns = var.enable_kms ? { + TempoS3Access : aws_iam_policy.bucket.arn, + TempoKMSAccess : aws_iam_policy.kms[0].arn, + } : { + TempoS3Access : aws_iam_policy.bucket.arn, + } + + associations = { + main = { + cluster_name = data.aws_eks_cluster.cluster_name + namespace = var.namespace + service_account = var.service_account + } + } + + tags = merge( + { "Name" = local.role_name }, + var.tags + ) +} diff --git a/modules/tempo/main.tf b/modules/tempo/main.tf index 5f9346e..e56a471 100644 --- a/modules/tempo/main.tf +++ b/modules/tempo/main.tf @@ -20,7 +20,7 @@ terraform { required_providers { aws = { source = "hashicorp/aws" - version = ">= 4.0.0" + version = ">= 5.30.0" } } } diff --git a/modules/tempo/outputs.tf b/modules/tempo/outputs.tf index 8e0ccf9..5abb9b2 100644 --- a/modules/tempo/outputs.tf +++ b/modules/tempo/outputs.tf 
@@ -24,7 +24,12 @@ output "bucket_log" { description = "S3 log bucket for Tempo" } -output "role_arn" { - value = module.irsa.iam_role_arn +output "irsa_role_arn" { + value = [for irsa in module.irsa : irsa.iam_role_arn] + description = "Amazon Resource Name for Tempo" +} + +output "pod_identity_role_arn" { + value = [for pod_id in module.pod_identity : pod_id.iam_role_arn] description = "Amazon Resource Name for Tempo" } diff --git a/modules/tempo/variables.tf b/modules/tempo/variables.tf index ea4de4e..4348ab0 100644 --- a/modules/tempo/variables.tf +++ b/modules/tempo/variables.tf @@ -40,6 +40,16 @@ variable "tags" { } } +variable "enable_irsa" { + type = bool + description = "Enable IRSA resources" +} + +variable "enable_pod_identity" { + type = bool + description = "Enable EKS Pod Identity resources" +} + ############################################################################# # KMS @@ -48,7 +58,6 @@ variable "enable_kms" { description = "Enable custom KMS key" } - variable "deletion_window_in_days" { type = number description = "Duration in days after which the key is deleted after destruction of the resource, must be between 7 and 30 days" From a1b987330b9fa94622d035c605b0ef6c2606220e Mon Sep 17 00:00:00 2001 From: Nicolas Lamirault Date: Tue, 27 Aug 2024 18:24:30 +0200 Subject: [PATCH 09/22] feat(thanos): remove module 
Signed-off-by: Nicolas Lamirault --- modules/thanos/README.md | 97 ------------------------------- modules/thanos/bucket.tf | 85 --------------------------- modules/thanos/data.tf | 19 ------ modules/thanos/iam.tf | 113 ------------------------------------ modules/thanos/kms.tf | 32 ---------- modules/thanos/locals.tf | 21 ------- modules/thanos/main.tf | 26 --------- modules/thanos/outputs.tf | 30 ---------- modules/thanos/variables.tf | 55 ------------------ 9 files changed, 478 deletions(-) delete mode 100644 modules/thanos/README.md delete mode 100644 modules/thanos/bucket.tf delete mode 100644 modules/thanos/data.tf delete mode 100644 modules/thanos/iam.tf delete mode 100644 modules/thanos/kms.tf delete mode 100644 modules/thanos/locals.tf delete mode 100644 modules/thanos/main.tf delete mode 100644 modules/thanos/outputs.tf delete mode 100644 modules/thanos/variables.tf diff --git a/modules/thanos/README.md b/modules/thanos/README.md deleted file mode 100644 index 83b56ce..0000000 --- a/modules/thanos/README.md +++ /dev/null 
@@ -1,97 +0,0 @@ -# Observability / Thanos - -Terraform module which configure Thanos resources on Amazon AWS - -## Terraform versions - -Use Terraform `0.13` and Terraform Provider Google `3.45+`. - -These types of resources are supported: - -## Usage - -```hcl -module "thanos" { - source = "nlamirault/observability/aws//modules/thanos" - version = "0.0.0" - - cluster_name = var.cluster_name - - namespace = var.namespace - service_accounts = var.service_accounts - - tags = var.tags -} -``` - -and variables : - -```hcl -cluster_name = "foo-staging-eks" - -namespace = "monitoring" -service_accounts = ["thanos-store", "thanos-query", "thanos-compact", "thanos-sidecar"] - -tags = { - "project" = "foo" - "env" = "staging" - "service" = "thanos" - "made-by" = "terraform" -} -``` - -## Documentation - - -## Requirements - -| Name | Version | -|------|---------| -| [terraform](#requirement\_terraform) | >= 1.0.0 | -| [aws](#requirement\_aws) | >= 4.0.0 | - -## Providers - -| Name | Version | -|------|---------| -| [aws](#provider\_aws) | >= 4.0.0 | - -## Modules - -| Name | Source | Version | -|------|--------|---------| -| [irsa](#module\_irsa) | terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc | 5.5.2 | -| [thanos](#module\_thanos) | terraform-aws-modules/s3-bucket/aws | 3.4.0 | -| [thanos\_log](#module\_thanos\_log) | terraform-aws-modules/s3-bucket/aws | 3.4.0 | - -## Resources - -| Name | Type | -|------|------| -| [aws_iam_policy.bucket](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | -| [aws_iam_policy.kms](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | -| [aws_kms_alias.thanos](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_alias) | resource | -| [aws_kms_key.thanos](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key) | resource | -| 
[aws_eks_cluster.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/eks_cluster) | data source | -| [aws_iam_policy_document.bucket](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | -| [aws_iam_policy_document.kms](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | - -## Inputs - -| Name | Description | Type | Default | Required | -|------|-------------|------|---------|:--------:| -| [cluster\_name](#input\_cluster\_name) | Name of the EKS cluster | `string` | n/a | yes | -| [deletion\_window\_in\_days](#input\_deletion\_window\_in\_days) | Duration in days after which the key is deleted after destruction of the resource, must be between 7 and 30 days | `number` | `30` | no | -| [enable\_kms](#input\_enable\_kms) | Enable custom KMS key | `bool` | n/a | yes | -| [namespace](#input\_namespace) | The Kubernetes namespace | `string` | n/a | yes | -| [service\_accounts](#input\_service\_accounts) | The Kubernetes service account | `list(string)` | n/a | yes | -| [tags](#input\_tags) | Tags for Thanos | `map(string)` |
{
"Made-By": "Terraform"
}
| no | - -## Outputs - -| Name | Description | -|------|-------------| -| [bucket](#output\_bucket) | S3 bucket for Thanos | -| [bucket\_log](#output\_bucket\_log) | S3 log bucket for Thanos | -| [role\_arn](#output\_role\_arn) | Amazon Resource Name for Thanos | - diff --git a/modules/thanos/bucket.tf b/modules/thanos/bucket.tf deleted file mode 100644 index 2371704..0000000 --- a/modules/thanos/bucket.tf +++ /dev/null 
@@ -1,85 +0,0 @@ -# Copyright (C) Nicolas Lamirault -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# -# SPDX-License-Identifier: Apache-2.0 - -module "thanos_log" { - source = "terraform-aws-modules/s3-bucket/aws" - version = "4.1.1" - - bucket = format("%s-log", local.service_name) - - control_object_ownership = true - object_ownership = "ObjectWriter" - - acl = "log-delivery-write" - force_destroy = true - - tags = merge( - { "Name" = format("%s-log", local.service_name) }, - var.tags - ) - - versioning = { - enabled = true - } - - server_side_encryption_configuration = var.enable_kms ? { - rule = { - bucket_key_enabled = true - apply_server_side_encryption_by_default = { - kms_master_key_id = aws_kms_key.thanos[0].arn - sse_algorithm = "aws:kms" - } - } - } : {} -} - -#tfsec:ignore:aws-s3-encryption-customer-key -module "thanos" { - source = "terraform-aws-modules/s3-bucket/aws" - version = "4.1.1" - - bucket = local.service_name - - control_object_ownership = true - object_ownership = "ObjectWriter" - - acl = "private" - force_destroy = true - - tags = merge( - { "Name" = local.service_name }, - var.tags - ) - - logging = { - target_bucket = module.thanos_log.s3_bucket_id - target_prefix = "log/" - } - - versioning = { - enabled = true - } - - server_side_encryption_configuration = var.enable_kms ? 
{ - rule = { - bucket_key_enabled = true - apply_server_side_encryption_by_default = { - kms_master_key_id = aws_kms_key.thanos[0].arn - sse_algorithm = "aws:kms" - } - } - } : {} -} diff --git a/modules/thanos/data.tf b/modules/thanos/data.tf deleted file mode 100644 index 02cb993..0000000 --- a/modules/thanos/data.tf +++ /dev/null @@ -1,19 +0,0 @@ -# Copyright (C) Nicolas Lamirault -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# -# SPDX-License-Identifier: Apache-2.0 - -data "aws_eks_cluster" "this" { - name = var.cluster_name -} diff --git a/modules/thanos/iam.tf b/modules/thanos/iam.tf deleted file mode 100644 index 12f68e7..0000000 --- a/modules/thanos/iam.tf +++ /dev/null 
@@ -1,113 +0,0 @@ -# Copyright (C) Nicolas Lamirault -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# -# SPDX-License-Identifier: Apache-2.0 - -data "aws_iam_policy_document" "bucket" { - statement { - effect = "Allow" - - actions = [ - "s3:ListBucket", - "s3:GetObject", - "s3:DeleteObject", - "s3:PutObject", - ] - - #tfsec:ignore:aws-iam-no-policy-wildcards - resources = [ - module.thanos.s3_bucket_arn, - "${module.thanos.s3_bucket_arn}/*" - ] - } - - # statement { - # effect = "Allow" - - # actions = [ - # "kms:Encrypt", - # "kms:Decrypt", - # "kms:GenerateDataKey*", - # ] - - # resources = var.enable_kms ? [aws_kms_key.thanos[0].arn] : [] - # } - -} - -data "aws_iam_policy_document" "kms" { - count = var.enable_kms ? 1 : 0 - - statement { - effect = "Allow" - - #tfsec:ignore:aws-iam-no-policy-wildcards - actions = [ - "kms:Encrypt", - "kms:Decrypt", - "kms:GenerateDataKey*", - ] - - resources = [ - aws_kms_key.thanos[0].arn - ] - } -} - -resource "aws_iam_policy" "bucket" { - name = format("%s-bucket", local.service_name) - path = "/" - description = "Bucket permissions for Thanos" - policy = data.aws_iam_policy_document.bucket.json - tags = merge( - { "Name" = format("%s-bucket", local.service_name) }, - var.tags - ) -} - -resource "aws_iam_policy" "kms" { - count = var.enable_kms ? 
1 : 0 - - name = format("%s-kms", local.service_name) - path = "/" - description = "Bucket permissions for Thanos" - policy = data.aws_iam_policy_document.kms[0].json - tags = merge( - { "Name" = format("%s-kms", local.service_name) }, - var.tags - ) -} - -module "irsa" { - source = "terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc" - version = "5.44.0" - - for_each = toset(var.service_accounts) - - create_role = true - role_description = "Role for Thanos" - role_name = each.value - provider_url = data.aws_eks_cluster.this.identity[0].oidc[0].issuer - role_policy_arns = var.enable_kms ? [ - aws_iam_policy.bucket.arn, - aws_iam_policy.kms[0].arn, - ] : [ - aws_iam_policy.bucket.arn, - ] - oidc_fully_qualified_subjects = ["system:serviceaccount:${var.namespace}:${each.value}"] - tags = merge( - { "Name" = local.role_name }, - var.tags - ) -} diff --git a/modules/thanos/kms.tf b/modules/thanos/kms.tf deleted file mode 100644 index b7741c8..0000000 --- a/modules/thanos/kms.tf +++ /dev/null 
@@ -1,32 +0,0 @@ -# Copyright (C) Nicolas Lamirault -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# -# SPDX-License-Identifier: Apache-2.0 - -resource "aws_kms_key" "thanos" { - count = var.enable_kms ? 1 : 0 - description = "KMS for Thanos" - deletion_window_in_days = var.deletion_window_in_days - enable_key_rotation = true - tags = merge( - { "Name" = local.service_name }, - var.tags - ) -} - -resource "aws_kms_alias" "thanos" { - count = var.enable_kms ? 1 : 0 - name = "alias/thanos" - target_key_id = aws_kms_key.thanos[0].key_id -} diff --git a/modules/thanos/locals.tf b/modules/thanos/locals.tf deleted file mode 100644 index 4d8f9df..0000000 --- a/modules/thanos/locals.tf +++ /dev/null @@ -1,21 +0,0 @@ -# Copyright (C) Nicolas Lamirault -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# -# SPDX-License-Identifier: Apache-2.0 - -locals { - service_name = format("%s-thanos", var.cluster_name) - - role_name = "thanos" -} 
diff --git a/modules/thanos/main.tf b/modules/thanos/main.tf deleted file mode 100644 index 5f9346e..0000000 --- a/modules/thanos/main.tf +++ /dev/null @@ -1,26 +0,0 @@ -# Copyright (C) Nicolas Lamirault -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# -# SPDX-License-Identifier: Apache-2.0 - -terraform { - required_version = ">= 1.0.0" - - required_providers { - aws = { - source = "hashicorp/aws" - version = ">= 4.0.0" - } - } -} diff --git a/modules/thanos/outputs.tf b/modules/thanos/outputs.tf deleted file mode 100644 index b1c91cc..0000000 --- a/modules/thanos/outputs.tf +++ /dev/null 
@@ -1,30 +0,0 @@ -# Copyright (C) Nicolas Lamirault -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# -# SPDX-License-Identifier: Apache-2.0 - -output "bucket" { - value = module.thanos.s3_bucket_id - description = "S3 bucket for Thanos" -} - -output "bucket_log" { - value = module.thanos_log.s3_bucket_id - description = "S3 log bucket for Thanos" -} - -output "role_arn" { - description = "Amazon Resource Name for Thanos" - value = { for sa in toset(var.service_accounts) : sa => module.irsa[sa].iam_role_arn } -} diff --git a/modules/thanos/variables.tf b/modules/thanos/variables.tf deleted file mode 100644 index ea203e4..0000000 --- a/modules/thanos/variables.tf +++ /dev/null 
@@ -1,55 +0,0 @@ -# Copyright (C) Nicolas Lamirault -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# -# SPDX-License-Identifier: Apache-2.0 - -############################################################################# -# Thanos - -variable "cluster_name" { - type = string - description = "Name of the EKS cluster" -} - -variable "namespace" { - type = string - description = "The Kubernetes namespace" -} - -variable "service_accounts" { - type = list(string) - description = "The Kubernetes service account" -} - -variable "tags" { - type = map(string) - description = "Tags for Thanos" - default = { - "Made-By" = "Terraform" - } -} - -############################################################################# -# KMS - -variable "enable_kms" { - type = bool - description = "Enable custom KMS key" -} - -variable "deletion_window_in_days" { - type = number - description = "Duration in days after which the key is deleted after destruction of the resource, must be between 7 and 30 days" - default = 30 -} From e8b0e7331b00300a22cad1376a393c241b9700b6 Mon Sep 17 00:00:00 2001 From: Nicolas Lamirault Date: Tue, 27 Aug 2024 18:25:03 +0200 Subject: [PATCH 10/22] feat(prometheus): Enable EKS Pod Identity Signed-off-by: Nicolas Lamirault --- modules/prometheus/iam.tf | 36 +++++++++++++++++++++++++++++++++ modules/prometheus/main.tf | 2 +- modules/prometheus/outputs.tf | 9 +++++++-- modules/prometheus/variables.tf | 10 +++++++++ 4 files changed, 54 insertions(+), 3 deletions(-) 
diff --git a/modules/prometheus/iam.tf b/modules/prometheus/iam.tf index 4c716f7..b47bf5e 100644 --- a/modules/prometheus/iam.tf +++ b/modules/prometheus/iam.tf @@ -90,6 +90,8 @@ module "irsa" { source = "terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc" version = "5.44.0" + for_each = var.enable_irsa ? [1] : [] + create_role = true role_description = "Prometheus Role" role_name = local.role_name @@ -110,3 +112,37 @@ module "irsa" { var.tags ) } + +module "pod_identity" { + source = "terraform-aws-modules/eks-pod-identity/aws" + version = "1.4.0" + + for_each = var.enable_pod_identity ? [1] : [] + + name = local.role_name + + # attach_custom_policy = true + additional_policy_arns = var.enable_kms ? { + PrometheusS3Access : aws_iam_policy.bucket.arn, + PrometheusKMSAccess : aws_iam_policy.kms[0].arn, + AmazonPrometheusRemoteWriteAccess : data.aws_iam_policy.amp_remote_write_access.arn, + AmazonEC2ReadOnlyAccess : data.aws_iam_policy.ec2_ro_access.arn + } : { + PrometheusS3Access : aws_iam_policy.bucket.arn, + AmazonPrometheusRemoteWriteAccess : data.aws_iam_policy.amp_remote_write_access.arn, + AmazonEC2ReadOnlyAccess : data.aws_iam_policy.ec2_ro_access.arn + } + + associations = { + main = { + cluster_name = data.aws_eks_cluster.cluster_name + namespace = var.namespace + service_account = var.service_account + } + } + + tags = merge( + { "Name" = local.role_name }, + var.tags + ) +} diff --git a/modules/prometheus/main.tf b/modules/prometheus/main.tf index 5f9346e..e56a471 100644 --- a/modules/prometheus/main.tf +++ b/modules/prometheus/main.tf @@ -20,7 +20,7 @@ terraform { required_providers { aws = { source = "hashicorp/aws" - version = ">= 4.0.0" + version = ">= 5.30.0" } } } diff --git a/modules/prometheus/outputs.tf b/modules/prometheus/outputs.tf index 287109f..30e0fe9 100644 --- a/modules/prometheus/outputs.tf +++ b/modules/prometheus/outputs.tf 
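Review bot: `for_each = var.enable_irsa ? [1] : []` on `module "irsa"` hands Terraform a tuple, and `for_each` accepts only a map or a set of strings, so `terraform plan` fails with "the for_each argument must be a map, or set of strings" whichever way the flag is set. Use a string key instead: `for_each = toset(var.enable_irsa ? ["this"] : [])`. Every other reference to `module.irsa` in this module must then be indexed (`module.irsa["this"]`) or iterated, as the outputs change in this commit already does. The `module "irsa"` block begins before and ends after this hunk.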
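Review bot: `cluster_name = data.aws_eks_cluster.cluster_name` in the new `associations.main` block references a data source whose local name would have to be `cluster_name`; the data source this module's IRSA block reads is not visible here, but the thanos module in this series declares it as `data "aws_eks_cluster" "this"`, and in any case the association only needs the cluster's name string, so `cluster_name = var.cluster_name` is the correct value. The guard `for_each = var.enable_pod_identity ? [1] : []` is a tuple and is rejected by Terraform, which needs a map or set of strings here: `for_each = toset(var.enable_pod_identity ? ["this"] : [])`. On least privilege, the role inherits the account-wide AWS managed policies `AmazonEC2ReadOnlyAccess` and `AmazonPrometheusRemoteWriteAccess`, neither of which is resource-scoped; Prometheus EC2 service discovery only needs `ec2:DescribeInstances` and `ec2:DescribeAvailabilityZones`, and `aps:RemoteWrite` can be limited to the target AMP workspace ARN in a customer-managed policy, which would also benefit the IRSA role. The dead `# attach_custom_policy = true` comment should be removed or replaced with a note explaining why policies are attached through `additional_policy_arns` instead.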
@@ -14,7 +14,12 @@ # # SPDX-License-Identifier: Apache-2.0 -output "role_arn" { - value = module.irsa.iam_role_arn +output "irsa_role_arn" { + value = [for irsa in module.irsa : irsa.iam_role_arn] + description = "Amazon Resource Name for Prometheus" +} + +output "pod_identity_role_arn" { + value = [for pod_id in module.pod_identity : pod_id.iam_role_arn] description = "Amazon Resource Name for Prometheus" } diff --git a/modules/prometheus/variables.tf b/modules/prometheus/variables.tf index c222871..572a20f 100644 --- a/modules/prometheus/variables.tf +++ b/modules/prometheus/variables.tf @@ -44,6 +44,16 @@ variable "bucket_name" { description = "Name of the Thanos bucket" } +variable "enable_irsa" { + type = bool + description = "Enable IRSA resources" +} + +variable "enable_pod_identity" { + type = bool + description = "Enable EKS Pod Identity resources" +} + ############################################################################# # KMS From e259dc5a77cba6abb4bcb96c2b24beb5218f22c7 Mon Sep 17 00:00:00 2001 From: Nicolas Lamirault Date: Tue, 27 Aug 2024 18:25:58 +0200 Subject: [PATCH 11/22] feat(mimir): Enable EKS Pod Identity Signed-off-by: Nicolas Lamirault --- modules/mimir/iam.tf | 33 +++++++++++++++++++++++++++++++++ modules/mimir/main.tf | 2 +- modules/mimir/outputs.tf | 9 +++++++-- modules/mimir/variables.tf | 10 ++++++++++ 4 files changed, 51 insertions(+), 3 deletions(-) diff --git a/modules/mimir/iam.tf b/modules/mimir/iam.tf index 952c30f..d573b6d 100644 --- a/modules/mimir/iam.tf +++ b/modules/mimir/iam.tf @@ -97,6 +97,8 @@ module "irsa" { source = "terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc" version = "5.44.0" + for_each = var.enable_irsa ? [1] : [] + create_role = true role_description = "Role for Tempo" role_name = local.role_name 
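Review bot: `irsa_role_arn` and `pod_identity_role_arn` are now `list(string)` values where the removed `role_arn` was a single string, so every consumer that fed the ARN into a service-account annotation or trust policy must change. `value = one([for irsa in module.irsa : irsa.iam_role_arn])` keeps a scalar (the ARN, or `null` when the flag is off), which is the usual idiom for a zero-or-one `for_each` module; the same applies to the Pod Identity output. Both outputs also carry the identical description `"Amazon Resource Name for Prometheus"`; say which mechanism each belongs to, e.g. `description = "ARN of the IRSA role (null when enable_irsa is false)"` and the Pod Identity equivalent.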
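Review bot: `enable_irsa` and `enable_pod_identity` are added without defaults, so they become required inputs and every existing caller of this module fails validation until it sets both. Giving `enable_irsa` `default = true` and `enable_pod_identity` `default = false` preserves the module's previous behaviour (IRSA always created) for unchanged callers. Nothing stops both flags being false, in which case no role is created and both role outputs are empty; if that is not intended, a `precondition` on the modules should reject it, and the descriptions should state that at least one mechanism is expected.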
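Review bot: `for_each = var.enable_irsa ? [1] : []` passes a tuple to `for_each`, which Terraform rejects because the argument must be a map or a set of strings; `for_each = toset(var.enable_irsa ? ["this"] : [])` works and gives a stable key. The neighbouring context line `role_description = "Role for Tempo"` in the Mimir module reads like a copy-paste leftover and should name Mimir while this block is being touched. The `module "irsa"` block begins before and ends after this hunk.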
@@ -115,3 +117,34 @@ module "irsa" { var.tags ) } + +module "pod_identity" { + source = "terraform-aws-modules/eks-pod-identity/aws" + version = "1.4.0" + + for_each = var.enable_pod_identity ? [1] : [] + + name = local.role_name + + additional_policy_arns = var.enable_kms ? { + MimirS3Access : aws_iam_policy.bucket.arn, + MimirKMSAccess : aws_iam_policy.kms[0].arn, + AmazonPrometheusRemoteWriteAccess : data.aws_iam_policy.amp_remote_write_access.arn + } : { + MimirS3Access : aws_iam_policy.bucket.arn, + AmazonPrometheusRemoteWriteAccess : data.aws_iam_policy.amp_remote_write_access.arn + } + + associations = { + main = { + cluster_name = data.aws_eks_cluster.cluster_name + namespace = var.namespace + service_account = var.service_account + } + } + + tags = merge( + { "Name" = local.role_name }, + var.tags + ) +} diff --git a/modules/mimir/main.tf b/modules/mimir/main.tf index 5f9346e..e56a471 100644 --- a/modules/mimir/main.tf +++ b/modules/mimir/main.tf @@ -20,7 +20,7 @@ terraform { required_providers { aws = { source = "hashicorp/aws" - version = ">= 4.0.0" + version = ">= 5.30.0" } } } diff --git a/modules/mimir/outputs.tf b/modules/mimir/outputs.tf index 2a43179..997154a 100644 --- a/modules/mimir/outputs.tf +++ b/modules/mimir/outputs.tf @@ -24,7 +24,12 @@ output "bucket_log" { description = "S3 log bucket for Mimir" } -output "role_arn" { - value = module.irsa.iam_role_arn +output "irsa_role_arn" { + value = [for irsa in module.irsa : irsa.iam_role_arn] + description = "Amazon Resource Name for Mimir" +} + +output "pod_identity_role_arn" { + value = [for pod_id in module.pod_identity : pod_id.iam_role_arn] description = "Amazon Resource Name for Mimir" } diff --git a/modules/mimir/variables.tf b/modules/mimir/variables.tf index f51cef8..9b4432a 100644 --- a/modules/mimir/variables.tf +++ b/modules/mimir/variables.tf 
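Review bot: `cluster_name = data.aws_eks_cluster.cluster_name` in `associations.main` points at a data source that would have to be named `cluster_name`, which does not match how the other modules in this series name their EKS data source (`this`); the association only needs the cluster name, so `cluster_name = var.cluster_name`. The guard `for_each = var.enable_pod_identity ? [1] : []` is a tuple and Terraform requires a map or set of strings for `for_each`: `for_each = toset(var.enable_pod_identity ? ["this"] : [])`. The role also inherits `AmazonPrometheusRemoteWriteAccess`, an AWS managed policy granting `aps:RemoteWrite` on every AMP workspace in the account; it is worth confirming Mimir actually needs it, and if so scoping it to the workspace ARN in a customer-managed policy instead.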
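Review bot: `irsa_role_arn` and `pod_identity_role_arn` return `list(string)` where the removed `role_arn` was a plain string, so callers that annotate the Mimir service account with this value break. `value = one([for irsa in module.irsa : irsa.iam_role_arn])` keeps a scalar (or `null` when disabled) for a zero-or-one module, and the same for the Pod Identity output. Both descriptions are the identical `"Amazon Resource Name for Mimir"`; distinguish them, e.g. `description = "ARN of the EKS Pod Identity role (null when enable_pod_identity is false)"`.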
@@ -40,6 +40,16 @@ variable "tags" { } } +variable "enable_irsa" { + type = bool + description = "Enable IRSA resources" +} + +variable "enable_pod_identity" { + type = bool + description = "Enable EKS Pod Identity resources" +} + ############################################################################# # KMS From 4b505d44c3b6316853ffdde9648d5519abbd2267 Mon Sep 17 00:00:00 2001 From: Nicolas Lamirault Date: Tue, 27 Aug 2024 18:26:10 +0200 Subject: [PATCH 12/22] feat(terraform): cleanup Signed-off-by: Nicolas Lamirault --- README.md | 1 - modules/grafana/iam.tf | 1 - modules/loki/iam.tf | 1 - modules/loki/outputs.tf | 5 ----- 4 files changed, 8 deletions(-) diff --git a/README.md b/README.md index 03e8863..45a959e 100644 --- a/README.md +++ b/README.md @@ -6,7 +6,6 @@ This module consists of the following submodules: - [Prometheus](https://github.com/nlamirault/terraform-aws-observability/tree/master/modules/prometheus) - [Mimir](https://github.com/nlamirault/terraform-aws-observability/tree/master/modules/mimir) -- [Thanos](https://github.com/nlamirault/terraform-aws-observability/tree/master/modules/thanos) - [Loki](https://github.com/nlamirault/terraform-aws-observability/tree/master/modules/loki) - [Tempo](https://github.com/nlamirault/terraform-aws-observability/tree/master/modules/tempo) - [Grafana](https://github.com/nlamirault/terraform-aws-observability/tree/master/modules/grafana) diff --git a/modules/grafana/iam.tf b/modules/grafana/iam.tf index 67ff43b..a3f1353 100644 --- a/modules/grafana/iam.tf +++ b/modules/grafana/iam.tf @@ -63,7 +63,6 @@ module "pod_identity" { } } - tags = merge( { "Name" = local.role_name }, var.tags diff --git a/modules/loki/iam.tf b/modules/loki/iam.tf index 2cc5a51..0896bf3 100644 --- a/modules/loki/iam.tf +++ b/modules/loki/iam.tf @@ -143,7 +143,6 @@ module "pod_identity" { } } - tags = merge( { "Name" = local.role_name }, var.tags 
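Review bot: `enable_irsa` and `enable_pod_identity` have no defaults, so they are required and every existing caller of the Mimir module fails until it sets both. `default = true` on `enable_irsa` and `default = false` on `enable_pod_identity` keeps the previous behaviour for unchanged callers. Both flags false yields no IAM role at all and empty role outputs; if that is not a supported configuration, reject it with a `precondition` on the modules.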
diff --git a/modules/loki/outputs.tf b/modules/loki/outputs.tf index 4104036..4c97737 100644 --- a/modules/loki/outputs.tf +++ b/modules/loki/outputs.tf @@ -24,11 +24,6 @@ output "bucket_log" { description = "S3 log bucket for Loki" } -output "role_arn" { - value = module.irsa.iam_role_arn - description = "Amazon Resource Name for Loki" -} - output "irsa_role_arn" { value = [for irsa in module.irsa : irsa.iam_role_arn] description = "Amazon Resource Name for Loki" From 2d5c5d45d7ff7ce6004a2b66beebd876cbf90c66 Mon Sep 17 00:00:00 2001 From: Nicolas Lamirault Date: Tue, 27 Aug 2024 18:27:24 +0200 Subject: [PATCH 13/22] feat(documentation): update Signed-off-by: Nicolas Lamirault --- modules/adot/README.md | 4 +-- modules/amg/README.md | 10 +----- modules/amp/README.md | 10 +----- modules/grafana/README.md | 52 +++++------------------------- modules/loki/README.md | 62 ++++++------------------------------ modules/mimir/README.md | 24 ++++++-------- modules/prometheus/README.md | 61 +++++------------------------------ modules/tempo/README.md | 62 ++++++------------------------------ 8 files changed, 50 insertions(+), 235 deletions(-) diff --git a/modules/adot/README.md b/modules/adot/README.md index 76d1ce5..cbd5c27 100644 --- a/modules/adot/README.md +++ b/modules/adot/README.md @@ -3,13 +3,13 @@ | Name | Version | |------|---------| | [terraform](#requirement\_terraform) | >= 1.0.0 | -| [aws](#requirement\_aws) | >= 4.0.0 | +| [aws](#requirement\_aws) | >= 5.30 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | >= 4.0.0 | +| [aws](#provider\_aws) | >= 5.30 | ## Modules diff --git a/modules/amg/README.md b/modules/amg/README.md index 24fd2d5..0f93c14 100644 --- a/modules/amg/README.md +++ b/modules/amg/README.md @@ -1,10 +1,3 @@ -# Observability / Amazon Managed Grafana - -Terraform module which configure Amazon Managed Grafana resources on Amazon AWS - -## Documentation - - ## Requirements | Name | Version | 
@@ -20,7 +13,7 @@ No providers. | Name | Source | Version | |------|--------|---------| -| [managed\_grafana](#module\_managed\_grafana) | terraform-aws-modules/managed-service-grafana/aws | 1.5.0 | +| [managed\_grafana](#module\_managed\_grafana) | terraform-aws-modules/managed-service-grafana/aws | 2.1.1 | ## Resources @@ -36,4 +29,3 @@ No resources. ## Outputs No outputs. - diff --git a/modules/amp/README.md b/modules/amp/README.md index dc166fd..a8a5695 100644 --- a/modules/amp/README.md +++ b/modules/amp/README.md @@ -1,10 +1,3 @@ -# Observability / AWS Managed Service for Prometheus - -Terraform module which configure an AWS managed service for Prometheus instance. - -## Documentation - - ## Requirements | Name | Version | @@ -20,7 +13,7 @@ No providers. | Name | Source | Version | |------|--------|---------| -| [amp](#module\_amp) | terraform-aws-modules/managed-service-prometheus/aws | 2.2.0 | +| [amp](#module\_amp) | terraform-aws-modules/managed-service-prometheus/aws | 3.0.0 | ## Resources @@ -40,4 +33,3 @@ No resources. | [amp\_arn](#output\_amp\_arn) | Amazon Resource Name of the workspace | | [amp\_endpoint](#output\_amp\_endpoint) | Prometheus endpoint available for this workspace | | [amp\_id](#output\_amp\_id) | Identifier of the workspace | - diff --git a/modules/grafana/README.md b/modules/grafana/README.md index eb58780..636299f 100644 --- a/modules/grafana/README.md +++ b/modules/grafana/README.md 
@@ -1,60 +1,22 @@ -# Observability / Grafana - -Terraform module which configure Grafana resources on Amazon AWS - -## Usage - -```hcl -module "Grafana" { - source = "nlamirault/observability/aws//modules/Grafana" - version = "0.0.0" - - cluster_name = var.cluster_name - - namespace = var.namespace - service_accounts = var.service_accounts - - tags = var.tags -} -``` - -and variables : - -```hcl -cluster_name = "foo-staging-eks" - -namespace = "monitoring" -service_accounts = "grafana" - -tags = { - "project" = "foo" - "env" = "staging" - "service" = "grafana" - "made-by" = "terraform" -} -``` - -## Documentation - - ## Requirements | Name | Version | |------|---------| | [terraform](#requirement\_terraform) | >= 1.0.0 | -| [aws](#requirement\_aws) | >= 4.0.0 | +| [aws](#requirement\_aws) | >= 5.30.0 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | >= 4.0.0 | +| [aws](#provider\_aws) | >= 5.30.0 | ## Modules | Name | Source | Version | |------|--------|---------| -| [irsa](#module\_irsa) | terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc | 5.5.2 | +| [irsa](#module\_irsa) | terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc | 5.44.0 | +| [pod\_identity](#module\_pod\_identity) | terraform-aws-modules/eks-pod-identity/aws | 1.4.0 | ## Resources 
@@ -70,6 +32,8 @@ tags = { | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| | [cluster\_name](#input\_cluster\_name) | Name of the EKS cluster | `string` | n/a | yes | +| [enable\_irsa](#input\_enable\_irsa) | Enable IRSA resources | `bool` | n/a | yes | +| [enable\_pod\_identity](#input\_enable\_pod\_identity) | Enable EKS Pod Identity resources | `bool` | n/a | yes | | [namespace](#input\_namespace) | The Kubernetes namespace | `string` | n/a | yes | | [role\_policy\_arns](#input\_role\_policy\_arns) | List of ARNs of IAM policies to attach to IAM role | `list(string)` | `[]` | no | | [service\_account](#input\_service\_account) | The Kubernetes service account | `string` | n/a | yes | @@ -79,5 +43,5 @@ tags = { | Name | Description | |------|-------------| -| [role\_arn](#output\_role\_arn) | Amazon Resource Name for Grafana | - +| [irsa\_role\_arn](#output\_irsa\_role\_arn) | Amazon Resource Name for Grafana | +| [pod\_identity\_role\_arn](#output\_pod\_identity\_role\_arn) | Amazon Resource Name for Grafana | diff --git a/modules/loki/README.md b/modules/loki/README.md index a688e96..43435d6 100644 --- a/modules/loki/README.md +++ b/modules/loki/README.md 
@@ -1,68 +1,24 @@ -# Observability / Loki - -Terraform module which configure Loki resources on Amazon AWS - -## Terraform versions - -Use Terraform `0.13` and Terraform Provider Google `3.45+`. - -These types of resources are supported: - -## Usage - -```hcl -module "loki" { - source = "nlamirault/observability/aws//modules/loki" - version = "0.0.0" - - cluster_name = var.cluster_name - - namespace = var.namespace - service_accounts = var.service_accounts - - tags = var.tags -} -``` - -and variables : - -```hcl -cluster_name = "foo-staging-eks" - -namespace = "monitoring" -service_accounts = "loki"] - -tags = { - "project" = "foo" - "env" = "staging" - "service" = "loki" - "made-by" = "terraform" -} -``` - -## Documentation - - ## Requirements | Name | Version | |------|---------| | [terraform](#requirement\_terraform) | >= 1.0.0 | -| [aws](#requirement\_aws) | >= 4.0.0 | +| [aws](#requirement\_aws) | >= 5.30.0 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | >= 4.0.0 | +| [aws](#provider\_aws) | >= 5.30.0 | ## Modules | Name | Source | Version | |------|--------|---------| -| [buckets\_data](#module\_buckets\_data) | terraform-aws-modules/s3-bucket/aws | 3.6.0 | -| [buckets\_logging](#module\_buckets\_logging) | terraform-aws-modules/s3-bucket/aws | 3.6.0 | -| [irsa](#module\_irsa) | terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc | 5.5.7 | +| [buckets\_data](#module\_buckets\_data) | terraform-aws-modules/s3-bucket/aws | 4.1.1 | +| [buckets\_logging](#module\_buckets\_logging) | terraform-aws-modules/s3-bucket/aws | 4.1.1 | +| [irsa](#module\_irsa) | terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc | 5.44.0 | +| [pod\_identity](#module\_pod\_identity) | terraform-aws-modules/eks-pod-identity/aws | 1.4.0 | ## Resources 
@@ -82,7 +38,9 @@ tags = { |------|-------------|------|---------|:--------:| | [cluster\_name](#input\_cluster\_name) | Name of the EKS cluster | `string` | n/a | yes | | [deletion\_window\_in\_days](#input\_deletion\_window\_in\_days) | Duration in days after which the key is deleted after destruction of the resource, must be between 7 and 30 days | `number` | `30` | no | +| [enable\_irsa](#input\_enable\_irsa) | Enable IRSA resources | `bool` | n/a | yes | | [enable\_kms](#input\_enable\_kms) | Enable custom KMS key | `bool` | n/a | yes | +| [enable\_pod\_identity](#input\_enable\_pod\_identity) | Enable EKS Pod Identity resources | `bool` | n/a | yes | | [namespace](#input\_namespace) | The Kubernetes namespace | `string` | n/a | yes | | [service\_account](#input\_service\_account) | The Kubernetes service account | `string` | n/a | yes | | [tags](#input\_tags) | Tags for Loki | `map(string)` |
{
"Made-By": "Terraform"
}
| no | @@ -93,5 +51,5 @@ tags = { |------|-------------| | [bucket](#output\_bucket) | S3 bucket for Loki | | [bucket\_log](#output\_bucket\_log) | S3 log bucket for Loki | -| [role\_arn](#output\_role\_arn) | Amazon Resource Name for Loki | - +| [irsa\_role\_arn](#output\_irsa\_role\_arn) | Amazon Resource Name for Loki | +| [pod\_identity\_role\_arn](#output\_pod\_identity\_role\_arn) | Amazon Resource Name for Loki | diff --git a/modules/mimir/README.md b/modules/mimir/README.md index 084ea71..8b9f884 100644 --- a/modules/mimir/README.md +++ b/modules/mimir/README.md @@ -1,30 +1,24 @@ -# Observability / Mimir - -Terraform module which configure Grafana Mimir resources on Amazon AWS - -## Documentation - - ## Requirements | Name | Version | |------|---------| | [terraform](#requirement\_terraform) | >= 1.0.0 | -| [aws](#requirement\_aws) | >= 4.0.0 | +| [aws](#requirement\_aws) | >= 5.30.0 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | >= 4.0.0 | +| [aws](#provider\_aws) | >= 5.30.0 | ## Modules | Name | Source | Version | |------|--------|---------| -| [buckets\_data](#module\_buckets\_data) | terraform-aws-modules/s3-bucket/aws | 3.6.0 | -| [buckets\_logging](#module\_buckets\_logging) | terraform-aws-modules/s3-bucket/aws | 3.6.0 | -| [irsa](#module\_irsa) | terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc | 5.8.0 | +| [buckets\_data](#module\_buckets\_data) | terraform-aws-modules/s3-bucket/aws | 4.1.1 | +| [buckets\_logging](#module\_buckets\_logging) | terraform-aws-modules/s3-bucket/aws | 4.1.1 | +| [irsa](#module\_irsa) | terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc | 5.44.0 | +| [pod\_identity](#module\_pod\_identity) | terraform-aws-modules/eks-pod-identity/aws | 1.4.0 | ## Resources 
@@ -45,7 +39,9 @@ Terraform module which configure Grafana Mimir resources on Amazon AWS |------|-------------|------|---------|:--------:| | [cluster\_name](#input\_cluster\_name) | Name of the EKS cluster | `string` | n/a | yes | | [deletion\_window\_in\_days](#input\_deletion\_window\_in\_days) | Duration in days after which the key is deleted after destruction of the resource, must be between 7 and 30 days | `number` | `30` | no | +| [enable\_irsa](#input\_enable\_irsa) | Enable IRSA resources | `bool` | n/a | yes | | [enable\_kms](#input\_enable\_kms) | Enable custom KMS key | `bool` | n/a | yes | +| [enable\_pod\_identity](#input\_enable\_pod\_identity) | Enable EKS Pod Identity resources | `bool` | n/a | yes | | [namespace](#input\_namespace) | The Kubernetes namespace | `string` | n/a | yes | | [service\_account](#input\_service\_account) | The Kubernetes service account | `string` | n/a | yes | | [tags](#input\_tags) | Tags for Mimir | `map(string)` |
{
"Made-By": "Terraform"
}
| no | @@ -56,5 +52,5 @@ Terraform module which configure Grafana Mimir resources on Amazon AWS |------|-------------| | [bucket](#output\_bucket) | S3 bucket for Mimir | | [bucket\_log](#output\_bucket\_log) | S3 log bucket for Mimir | -| [role\_arn](#output\_role\_arn) | Amazon Resource Name for Mimir | - +| [irsa\_role\_arn](#output\_irsa\_role\_arn) | Amazon Resource Name for Mimir | +| [pod\_identity\_role\_arn](#output\_pod\_identity\_role\_arn) | Amazon Resource Name for Mimir | diff --git a/modules/prometheus/README.md b/modules/prometheus/README.md index 014280f..82a2aac 100644 --- a/modules/prometheus/README.md +++ b/modules/prometheus/README.md 
@@ -1,69 +1,22 @@ -# Observability / Prometheus - -Terraform module which configure Prometheus resources on Amazon AWS - -## Terraform versions - -Use Terraform `0.13` and Terraform Provider Google `3.45+`. - -These types of resources are supported: - -## Usage - -```hcl -module "prometheus" { - source = "nlamirault/observability/aws//modules/prometheus" - version = "0.0.0" - - cluster_name = var.cluster_name - - namespace = var.namespace - service_accounts = var.service_accounts - bucket_name = var.bucket_name - - tags = var.tags -} -``` - -and variables : - -```hcl -cluster_name = "foo-staging-eks" - -namespace = "monitoring" -service_accounts = "prometheus" - -bucket_name = "foo-staging-eks-thanos" - -tags = { - "project" = "foo" - "env" = "staging" - "service" = "prometheus" - "made-by" = "terraform" -} -``` - -## Documentation - - ## Requirements | Name | Version | |------|---------| | [terraform](#requirement\_terraform) | >= 1.0.0 | -| [aws](#requirement\_aws) | >= 4.0.0 | +| [aws](#requirement\_aws) | >= 5.30.0 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | >= 4.0.0 | +| [aws](#provider\_aws) | >= 5.30.0 | ## Modules | Name | Source | Version | |------|--------|---------| -| [irsa](#module\_irsa) | terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc | 5.5.4 | +| [irsa](#module\_irsa) | terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc | 5.44.0 | +| [pod\_identity](#module\_pod\_identity) | terraform-aws-modules/eks-pod-identity/aws | 1.4.0 | ## Resources 
@@ -85,7 +38,9 @@ tags = { |------|-------------|------|---------|:--------:| | [bucket\_name](#input\_bucket\_name) | Name of the Thanos bucket | `string` | n/a | yes | | [cluster\_name](#input\_cluster\_name) | Name of the EKS cluster | `string` | n/a | yes | +| [enable\_irsa](#input\_enable\_irsa) | Enable IRSA resources | `bool` | n/a | yes | | [enable\_kms](#input\_enable\_kms) | Enable custom KMS key | `bool` | n/a | yes | +| [enable\_pod\_identity](#input\_enable\_pod\_identity) | Enable EKS Pod Identity resources | `bool` | n/a | yes | | [namespace](#input\_namespace) | The Kubernetes namespace | `string` | n/a | yes | | [service\_account](#input\_service\_account) | The Kubernetes service account | `string` | n/a | yes | | [tags](#input\_tags) | Tags for Loki | `map(string)` |
{
"Made-By": "Terraform"
}
| no | @@ -94,5 +49,5 @@ tags = { | Name | Description | |------|-------------| -| [role\_arn](#output\_role\_arn) | Amazon Resource Name for Prometheus | - +| [irsa\_role\_arn](#output\_irsa\_role\_arn) | Amazon Resource Name for Prometheus | +| [pod\_identity\_role\_arn](#output\_pod\_identity\_role\_arn) | Amazon Resource Name for Prometheus | diff --git a/modules/tempo/README.md b/modules/tempo/README.md index c8adf92..ddd131c 100644 --- a/modules/tempo/README.md +++ b/modules/tempo/README.md 
@@ -1,68 +1,24 @@ -# Observability / Tempo - -Terraform module which configure Tempo resources on Amazon AWS - -## Terraform versions - -Use Terraform `0.13` and Terraform Provider Google `3.45+`. - -These types of resources are supported: - -## Usage - -```hcl -module "tempo" { - source = "nlamirault/observability/aws//modules/tempo" - version = "0.0.0" - - cluster_name = var.cluster_name - - namespace = var.namespace - service_accounts = var.service_accounts - - tags = var.tags -} -``` - -and variables : - -```hcl -cluster_name = "foo-staging-eks" - -namespace = "monitoring" -service_accounts = ["tempo-store", "tempo-query", "tempo-compact"] - -tags = { - "project" = "foo" - "env" = "staging" - "service" = "tempo" - "made-by" = "terraform" -} -``` - -## Documentation - - ## Requirements | Name | Version | |------|---------| | [terraform](#requirement\_terraform) | >= 1.0.0 | -| [aws](#requirement\_aws) | >= 4.0.0 | +| [aws](#requirement\_aws) | >= 5.30.0 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | >= 4.0.0 | +| [aws](#provider\_aws) | >= 5.30.0 | ## Modules | Name | Source | Version | |------|--------|---------| -| [buckets\_data](#module\_buckets\_data) | terraform-aws-modules/s3-bucket/aws | 3.6.0 | -| [buckets\_logging](#module\_buckets\_logging) | terraform-aws-modules/s3-bucket/aws | 3.6.0 | -| [irsa](#module\_irsa) | terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc | 5.10.0 | +| [buckets\_data](#module\_buckets\_data) | terraform-aws-modules/s3-bucket/aws | 4.1.1 | +| [buckets\_logging](#module\_buckets\_logging) | terraform-aws-modules/s3-bucket/aws | 4.1.1 | +| [irsa](#module\_irsa) | terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc | 5.44.0 | +| [pod\_identity](#module\_pod\_identity) | terraform-aws-modules/eks-pod-identity/aws | 1.4.0 | ## Resources 
@@ -82,7 +38,9 @@ tags = { |------|-------------|------|---------|:--------:| | [cluster\_name](#input\_cluster\_name) | Name of the EKS cluster | `string` | n/a | yes | | [deletion\_window\_in\_days](#input\_deletion\_window\_in\_days) | Duration in days after which the key is deleted after destruction of the resource, must be between 7 and 30 days | `number` | `30` | no | +| [enable\_irsa](#input\_enable\_irsa) | Enable IRSA resources | `bool` | n/a | yes | | [enable\_kms](#input\_enable\_kms) | Enable custom KMS key | `bool` | n/a | yes | +| [enable\_pod\_identity](#input\_enable\_pod\_identity) | Enable EKS Pod Identity resources | `bool` | n/a | yes | | [namespace](#input\_namespace) | The Kubernetes namespace | `string` | n/a | yes | | [service\_account](#input\_service\_account) | The Kubernetes service account | `string` | n/a | yes | | [tags](#input\_tags) | Tags for Tempo | `map(string)` |
{
"Made-By": "Terraform"
}
| no | @@ -93,5 +51,5 @@ tags = { |------|-------------| | [bucket](#output\_bucket) | S3 bucket for Tempo | | [bucket\_log](#output\_bucket\_log) | S3 log bucket for Tempo | -| [role\_arn](#output\_role\_arn) | Amazon Resource Name for Tempo | - +| [irsa\_role\_arn](#output\_irsa\_role\_arn) | Amazon Resource Name for Tempo | +| [pod\_identity\_role\_arn](#output\_pod\_identity\_role\_arn) | Amazon Resource Name for Tempo | From 31dae6202d55fc715899a81b6d3e1360945212e4 Mon Sep 17 00:00:00 2001 From: Nicolas Lamirault Date: Tue, 27 Aug 2024 18:34:16 +0200 Subject: [PATCH 14/22] feat(thanos): add module Signed-off-by: Nicolas Lamirault --- modules/thanos/README.md | 97 +++++++++++++++++++++++++++++++ modules/thanos/bucket.tf | 85 +++++++++++++++++++++++++++ modules/thanos/data.tf | 19 ++++++ modules/thanos/iam.tf | 113 ++++++++++++++++++++++++++++++++++++ modules/thanos/kms.tf | 32 ++++++++++ modules/thanos/locals.tf | 21 +++++++ modules/thanos/main.tf | 26 +++++++++ modules/thanos/outputs.tf | 30 ++++++++++ modules/thanos/variables.tf | 55 ++++++++++++++++++ 9 files changed, 478 insertions(+) create mode 100644 modules/thanos/README.md create mode 100644 modules/thanos/bucket.tf create mode 100644 modules/thanos/data.tf create mode 100644 modules/thanos/iam.tf create mode 100644 modules/thanos/kms.tf create mode 100644 modules/thanos/locals.tf create mode 100644 modules/thanos/main.tf create mode 100644 modules/thanos/outputs.tf create mode 100644 modules/thanos/variables.tf diff --git a/modules/thanos/README.md b/modules/thanos/README.md new file mode 100644 index 0000000..83b56ce --- /dev/null +++ b/modules/thanos/README.md 
@@ -0,0 +1,97 @@ +# Observability / Thanos + +Terraform module which configure Thanos resources on Amazon AWS + +## Terraform versions + +Use Terraform `0.13` and Terraform Provider Google `3.45+`. + +These types of resources are supported: + +## Usage + +```hcl +module "thanos" { + source = "nlamirault/observability/aws//modules/thanos" + version = "0.0.0" + + cluster_name = var.cluster_name + + namespace = var.namespace + service_accounts = var.service_accounts + + tags = var.tags +} +``` + +and variables : + +```hcl +cluster_name = "foo-staging-eks" + +namespace = "monitoring" +service_accounts = ["thanos-store", "thanos-query", "thanos-compact", "thanos-sidecar"] + +tags = { + "project" = "foo" + "env" = "staging" + "service" = "thanos" + "made-by" = "terraform" +} +``` + +## Documentation + + +## Requirements + +| Name | Version | +|------|---------| +| [terraform](#requirement\_terraform) | >= 1.0.0 | +| [aws](#requirement\_aws) | >= 4.0.0 | + +## Providers + +| Name | Version | +|------|---------| +| [aws](#provider\_aws) | >= 4.0.0 | + +## Modules + +| Name | Source | Version | +|------|--------|---------| +| [irsa](#module\_irsa) | terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc | 5.5.2 | +| [thanos](#module\_thanos) | terraform-aws-modules/s3-bucket/aws | 3.4.0 | +| [thanos\_log](#module\_thanos\_log) | terraform-aws-modules/s3-bucket/aws | 3.4.0 | + +## Resources + +| Name | Type | +|------|------| +| [aws_iam_policy.bucket](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | +| [aws_iam_policy.kms](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | +| [aws_kms_alias.thanos](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_alias) | resource | +| [aws_kms_key.thanos](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key) | resource | +| 
[aws_eks_cluster.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/eks_cluster) | data source | +| [aws_iam_policy_document.bucket](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_iam_policy_document.kms](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [cluster\_name](#input\_cluster\_name) | Name of the EKS cluster | `string` | n/a | yes | +| [deletion\_window\_in\_days](#input\_deletion\_window\_in\_days) | Duration in days after which the key is deleted after destruction of the resource, must be between 7 and 30 days | `number` | `30` | no | +| [enable\_kms](#input\_enable\_kms) | Enable custom KMS key | `bool` | n/a | yes | +| [namespace](#input\_namespace) | The Kubernetes namespace | `string` | n/a | yes | +| [service\_accounts](#input\_service\_accounts) | The Kubernetes service account | `list(string)` | n/a | yes | +| [tags](#input\_tags) | Tags for Thanos | `map(string)` |
{
"Made-By": "Terraform"
}
| no | + +## Outputs + +| Name | Description | +|------|-------------| +| [bucket](#output\_bucket) | S3 bucket for Thanos | +| [bucket\_log](#output\_bucket\_log) | S3 log bucket for Thanos | +| [role\_arn](#output\_role\_arn) | Amazon Resource Name for Thanos | + diff --git a/modules/thanos/bucket.tf b/modules/thanos/bucket.tf new file mode 100644 index 0000000..2371704 --- /dev/null +++ b/modules/thanos/bucket.tf 
@@ -0,0 +1,85 @@ +# Copyright (C) Nicolas Lamirault +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 + +module "thanos_log" { + source = "terraform-aws-modules/s3-bucket/aws" + version = "4.1.1" + + bucket = format("%s-log", local.service_name) + + control_object_ownership = true + object_ownership = "ObjectWriter" + + acl = "log-delivery-write" + force_destroy = true + + tags = merge( + { "Name" = format("%s-log", local.service_name) }, + var.tags + ) + + versioning = { + enabled = true + } + + server_side_encryption_configuration = var.enable_kms ? { + rule = { + bucket_key_enabled = true + apply_server_side_encryption_by_default = { + kms_master_key_id = aws_kms_key.thanos[0].arn + sse_algorithm = "aws:kms" + } + } + } : {} +} + +#tfsec:ignore:aws-s3-encryption-customer-key +module "thanos" { + source = "terraform-aws-modules/s3-bucket/aws" + version = "4.1.1" + + bucket = local.service_name + + control_object_ownership = true + object_ownership = "ObjectWriter" + + acl = "private" + force_destroy = true + + tags = merge( + { "Name" = local.service_name }, + var.tags + ) + + logging = { + target_bucket = module.thanos_log.s3_bucket_id + target_prefix = "log/" + } + + versioning = { + enabled = true + } + + server_side_encryption_configuration = var.enable_kms ? 
{ + rule = { + bucket_key_enabled = true + apply_server_side_encryption_by_default = { + kms_master_key_id = aws_kms_key.thanos[0].arn + sse_algorithm = "aws:kms" + } + } + } : {} +} diff --git a/modules/thanos/data.tf b/modules/thanos/data.tf new file mode 100644 index 0000000..02cb993 --- /dev/null +++ b/modules/thanos/data.tf @@ -0,0 +1,19 @@ +# Copyright (C) Nicolas Lamirault +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 + +data "aws_eks_cluster" "this" { + name = var.cluster_name +} diff --git a/modules/thanos/iam.tf b/modules/thanos/iam.tf new file mode 100644 index 0000000..12f68e7 --- /dev/null +++ b/modules/thanos/iam.tf 
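Review bot: Neither `thanos_log` nor `thanos` sets the S3 public-access-block flags (`block_public_acls`, `block_public_policy`, `ignore_public_acls`, `restrict_public_buckets`) that the loki and mimir bucket modules elsewhere in this series set explicitly, so these two buckets rely on whatever the s3-bucket module's 4.1.1 defaults happen to be; setting them on both module blocks keeps the posture visible in this file and consistent across modules. `force_destroy = true` on the bucket holding Thanos block data also means a `terraform destroy` or a bucket rename silently deletes all retained metrics, which deserves a comment or a variable defaulting to `false`. With `enable_kms = false` the `: {}` branch leaves both buckets on S3-managed SSE-S3, which is acceptable but worth a one-line comment next to the `#tfsec:ignore:aws-s3-encryption-customer-key` marker so the fallback is explicit.
```hcl
module "thanos" {
  # … unchanged: source, version, bucket …
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
  # … unchanged: ownership, acl, force_destroy, tags, logging, versioning, encryption …
}
```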
@@ -0,0 +1,113 @@ +# Copyright (C) Nicolas Lamirault +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 + +data "aws_iam_policy_document" "bucket" { + statement { + effect = "Allow" + + actions = [ + "s3:ListBucket", + "s3:GetObject", + "s3:DeleteObject", + "s3:PutObject", + ] + + #tfsec:ignore:aws-iam-no-policy-wildcards + resources = [ + module.thanos.s3_bucket_arn, + "${module.thanos.s3_bucket_arn}/*" + ] + } + + # statement { + # effect = "Allow" + + # actions = [ + # "kms:Encrypt", + # "kms:Decrypt", + # "kms:GenerateDataKey*", + # ] + + # resources = var.enable_kms ? [aws_kms_key.thanos[0].arn] : [] + # } + +} + +data "aws_iam_policy_document" "kms" { + count = var.enable_kms ? 1 : 0 + + statement { + effect = "Allow" + + #tfsec:ignore:aws-iam-no-policy-wildcards + actions = [ + "kms:Encrypt", + "kms:Decrypt", + "kms:GenerateDataKey*", + ] + + resources = [ + aws_kms_key.thanos[0].arn + ] + } +} + +resource "aws_iam_policy" "bucket" { + name = format("%s-bucket", local.service_name) + path = "/" + description = "Bucket permissions for Thanos" + policy = data.aws_iam_policy_document.bucket.json + tags = merge( + { "Name" = format("%s-bucket", local.service_name) }, + var.tags + ) +} + +resource "aws_iam_policy" "kms" { + count = var.enable_kms ? 
1 : 0 + + name = format("%s-kms", local.service_name) + path = "/" + description = "Bucket permissions for Thanos" + policy = data.aws_iam_policy_document.kms[0].json + tags = merge( + { "Name" = format("%s-kms", local.service_name) }, + var.tags + ) +} + +module "irsa" { + source = "terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc" + version = "5.44.0" + + for_each = toset(var.service_accounts) + + create_role = true + role_description = "Role for Thanos" + role_name = each.value + provider_url = data.aws_eks_cluster.this.identity[0].oidc[0].issuer + role_policy_arns = var.enable_kms ? [ + aws_iam_policy.bucket.arn, + aws_iam_policy.kms[0].arn, + ] : [ + aws_iam_policy.bucket.arn, + ] + oidc_fully_qualified_subjects = ["system:serviceaccount:${var.namespace}:${each.value}"] + tags = merge( + { "Name" = local.role_name }, + var.tags + ) +} diff --git a/modules/thanos/kms.tf b/modules/thanos/kms.tf new file mode 100644 index 0000000..b7741c8 --- /dev/null +++ b/modules/thanos/kms.tf 
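Review bot: Every service account in `var.service_accounts` is bound to the same `aws_iam_policy.bucket`, which includes `s3:PutObject` and `s3:DeleteObject`, so a compromise of any single Thanos pod (the README example lists `thanos-query` among them) can delete or overwrite the whole metrics store; a read-only policy for components that only read and the write/delete policy only for those that need it would be least-privilege, which implies a map of service account to policy set rather than a flat list. `role_name = each.value` also creates IAM roles literally named `thanos-store`, `thanos-query`, … with no cluster prefix, so a second cluster in the same account fails on a duplicate role name even though `local.service_name` is cluster-scoped, and the `Name` tag uses `local.role_name` (the constant `thanos`) rather than the role's actual name; `role_name = format("%s-%s", local.service_name, each.value)` and `{ "Name" = format("%s-%s", local.service_name, each.value) }` fix both. The commented-out KMS statement inside `data.aws_iam_policy_document.bucket` duplicates the separate `kms` document and should be dropped rather than left as dead code.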
@@ -0,0 +1,32 @@
+# Copyright (C) Nicolas Lamirault
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+
+resource "aws_kms_key" "thanos" {
+ count = var.enable_kms ? 1 : 0
+ description = "KMS for Thanos"
+ deletion_window_in_days = var.deletion_window_in_days
+ enable_key_rotation = true
+ tags = merge(
+ { "Name" = local.service_name },
+ var.tags
+ )
+}
+
+resource "aws_kms_alias" "thanos" {
+ count = var.enable_kms ? 1 : 0
+ name = "alias/thanos"
+ target_key_id = aws_kms_key.thanos[0].key_id
+}
diff --git a/modules/thanos/locals.tf b/modules/thanos/locals.tf
new file mode 100644
index 0000000..4d8f9df
--- /dev/null
+++ b/modules/thanos/locals.tf
@@ -0,0 +1,21 @@
+# Copyright (C) Nicolas Lamirault
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+
+locals {
+ service_name = format("%s-thanos", var.cluster_name)
+
+ role_name = "thanos"
+}
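Review bot: `name = "alias/thanos"` in `aws_kms_alias.thanos` is not cluster-scoped, unlike `local.service_name`, so applying this module for two clusters in the same account and region fails on the duplicate alias; `name = format("alias/%s", local.service_name)` avoids that. If the fixed alias is deliberately a well-known lookup name for other modules, document that contract in the README and also expose the key ARN as an output so consumers do not have to depend on the alias string. `aws_kms_key.thanos` sets no `policy`, so it gets the AWS default key policy (account-root administration); that is fine but deserves a one-line comment so nobody assumes the key is restricted to the Thanos roles.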
diff --git a/modules/thanos/main.tf b/modules/thanos/main.tf
new file mode 100644
index 0000000..5f9346e
--- /dev/null
+++ b/modules/thanos/main.tf
@@ -0,0 +1,26 @@
+# Copyright (C) Nicolas Lamirault
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+
+terraform {
+ required_version = ">= 1.0.0"
+
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = ">= 4.0.0"
+ }
+ }
+}
diff --git a/modules/thanos/outputs.tf b/modules/thanos/outputs.tf
new file mode 100644
index 0000000..b1c91cc
--- /dev/null
+++ b/modules/thanos/outputs.tf
@@ -0,0 +1,30 @@
+# Copyright (C) Nicolas Lamirault
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+
+output "bucket" {
+ value = module.thanos.s3_bucket_id
+ description = "S3 bucket for Thanos"
+}
+
+output "bucket_log" {
+ value = module.thanos_log.s3_bucket_id
+ description = "S3 log bucket for Thanos"
+}
+
+output "role_arn" {
+ description = "Amazon Resource Name for Thanos"
+ value = { for sa in toset(var.service_accounts) : sa => module.irsa[sa].iam_role_arn }
+}
diff --git a/modules/thanos/variables.tf b/modules/thanos/variables.tf
new file mode 100644
index 0000000..ea203e4
--- /dev/null
+++ b/modules/thanos/variables.tf
@@ -0,0 +1,55 @@ +# Copyright (C) Nicolas Lamirault +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 + +############################################################################# +# Thanos + +variable "cluster_name" { + type = string + description = "Name of the EKS cluster" +} + +variable "namespace" { + type = string + description = "The Kubernetes namespace" +} + +variable "service_accounts" { + type = list(string) + description = "The Kubernetes service account" +} + +variable "tags" { + type = map(string) + description = "Tags for Thanos" + default = { + "Made-By" = "Terraform" + } +} + +############################################################################# +# KMS + +variable "enable_kms" { + type = bool + description = "Enable custom KMS key" +} + +variable "deletion_window_in_days" { + type = number + description = "Duration in days after which the key is deleted after destruction of the resource, must be between 7 and 30 days" + default = 30 +} From f32bb2576b4cd0940b1100e9d829b33b619cd5ca Mon Sep 17 00:00:00 2001 From: Nicolas Lamirault Date: Tue, 27 Aug 2024 18:34:50 +0200 Subject: [PATCH 15/22] feat(mise): setup terraform Signed-off-by: Nicolas Lamirault --- .mise.toml | 2 ++ 1 file changed, 2 insertions(+) create mode 100644 .mise.toml diff --git a/.mise.toml b/.mise.toml new file mode 100644 index 0000000..c5709da --- /dev/null +++ b/.mise.toml @@ -0,0 +1,2 @@ +[tools] +terraform = "latest" 
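Review bot: `deletion_window_in_days` documents a 7–30 day range but nothing enforces it, so an out-of-range value is only rejected by the KMS API at apply time; a `validation` block on the variable fails at plan time instead. `service_accounts` likewise accepts an empty list, which silently creates the bucket and KMS key with no role able to use them, so a `length(var.service_accounts) > 0` validation with a matching error message is worth adding alongside it.
```hcl
variable "deletion_window_in_days" {
  # … unchanged: type, description, default …
  validation {
    condition     = var.deletion_window_in_days >= 7 && var.deletion_window_in_days <= 30
    error_message = "deletion_window_in_days must be between 7 and 30."
  }
}
```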
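Review bot: `terraform = "latest"` in `.mise.toml` leaves the Terraform toolchain unpinned, so every contributor and CI run may resolve a different release and a future major version can break these modules without any change in this repository. Pin an explicit version, or at minimum a `1.x` constraint consistent with the `>= 1.0.0` requirement the modules declare, so plans are reproducible.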
From 61e7ba8497756af7011d4d1d6f5cd0c1754d88e3 Mon Sep 17 00:00:00 2001 From: Nicolas Lamirault Date: Wed, 28 Aug 2024 10:54:30 +0200 Subject: [PATCH 16/22] fix(adot): terraform syntax and cluster name Signed-off-by: Nicolas Lamirault --- modules/adot/iam.tf | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/modules/adot/iam.tf b/modules/adot/iam.tf index cc1ab4c..21bf48e 100644 --- a/modules/adot/iam.tf +++ b/modules/adot/iam.tf @@ -18,7 +18,7 @@ module "irsa" { source = "terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc" version = "5.44.0" - for_each = var.enable_irsa ? [1] : [] + for_each = var.enable_irsa ? toset(["1"]) : toset([]) create_role = true role_description = "ADOTCollector" @@ -41,7 +41,7 @@ module "pod_identity" { source = "terraform-aws-modules/eks-pod-identity/aws" version = "1.4.0" - for_each = var.enable_pod_identity ? [1] : [] + for_each = var.enable_pod_identity ? toset(["1"]) : toset([]) name = local.role_name @@ -54,7 +54,7 @@ module "pod_identity" { associations = { main = { - cluster_name = data.aws_eks_cluster.cluster_name + cluster_name = data.aws_eks_cluster.this.id namespace = var.namespace service_account = var.service_account } From f62baa0add4430bc451ea05096e7f99a9c4aa910 Mon Sep 17 00:00:00 2001 From: Nicolas Lamirault Date: Wed, 28 Aug 2024 10:55:04 +0200 Subject: [PATCH 17/22] fix(cloudwatch): terraform syntax and cluster name Signed-off-by: Nicolas Lamirault --- modules/cloudwatch/iam.tf | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/modules/cloudwatch/iam.tf b/modules/cloudwatch/iam.tf index 45b3e1c..201c5b6 100644 --- a/modules/cloudwatch/iam.tf +++ b/modules/cloudwatch/iam.tf @@ -18,7 +18,7 @@ module "irsa" { source = "terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc" version = "5.44.0" - for_each = var.enable_irsa ? [1] : [] + for_each = var.enable_irsa ? toset(["1"]) : toset([]) create_role = true role_description = "Cloudwatch Agent" 
@@ -39,7 +39,7 @@ module "pod_identity" { source = "terraform-aws-modules/eks-pod-identity/aws" version = "1.4.0" - for_each = var.enable_pod_identity ? [1] : [] + for_each = var.enable_pod_identity ? toset(["1"]) : toset([]) name = local.role_name @@ -47,7 +47,7 @@ module "pod_identity" { associations = { main = { - cluster_name = data.aws_eks_cluster.cluster_name + cluster_name = data.aws_eks_cluster.this.id namespace = var.namespace service_account = var.service_account } From d75197124998602025c0e8c696324653368df50a Mon Sep 17 00:00:00 2001 From: Nicolas Lamirault Date: Wed, 28 Aug 2024 10:55:21 +0200 Subject: [PATCH 18/22] fix(grafana): terraform syntax and cluster name Signed-off-by: Nicolas Lamirault --- modules/grafana/iam.tf | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/modules/grafana/iam.tf b/modules/grafana/iam.tf index a3f1353..9728b2d 100644 --- a/modules/grafana/iam.tf +++ b/modules/grafana/iam.tf @@ -18,7 +18,7 @@ module "irsa" { source = "terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc" version = "5.44.0" - for_each = var.enable_irsa ? [1] : [] + for_each = var.enable_irsa ? toset(["1"]) : toset([]) create_role = true role_description = "Role for Grafana" @@ -44,7 +44,7 @@ module "pod_identity" { source = "terraform-aws-modules/eks-pod-identity/aws" version = "1.4.0" - for_each = var.enable_pod_identity ? [1] : [] + for_each = var.enable_pod_identity ? toset(["1"]) : toset([]) name = local.role_name @@ -57,7 +57,7 @@ module "pod_identity" { associations = { main = { - cluster_name = data.aws_eks_cluster.cluster_name + cluster_name = data.aws_eks_cluster.this.id namespace = var.namespace service_account = var.service_account } From 7ece05d280f3d6437cc7b3445f828da9585c510f Mon Sep 17 00:00:00 2001 From: Nicolas Lamirault Date: Wed, 28 Aug 2024 10:55:51 +0200 Subject: [PATCH 19/22] feat(loki): remove logging bucket 
Signed-off-by: Nicolas Lamirault --- modules/loki/README.md | 2 -- modules/loki/bucket.tf | 45 +++-------------------------------------- modules/loki/iam.tf | 8 ++++---- modules/loki/outputs.tf | 7 +------ 4 files changed, 8 insertions(+), 54 deletions(-) diff --git a/modules/loki/README.md b/modules/loki/README.md index 43435d6..6027d80 100644 --- a/modules/loki/README.md +++ b/modules/loki/README.md @@ -16,7 +16,6 @@ | Name | Source | Version | |------|--------|---------| | [buckets\_data](#module\_buckets\_data) | terraform-aws-modules/s3-bucket/aws | 4.1.1 | -| [buckets\_logging](#module\_buckets\_logging) | terraform-aws-modules/s3-bucket/aws | 4.1.1 | | [irsa](#module\_irsa) | terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc | 5.44.0 | | [pod\_identity](#module\_pod\_identity) | terraform-aws-modules/eks-pod-identity/aws | 1.4.0 | @@ -50,6 +49,5 @@ | Name | Description | |------|-------------| | [bucket](#output\_bucket) | S3 bucket for Loki | -| [bucket\_log](#output\_bucket\_log) | S3 log bucket for Loki | | [irsa\_role\_arn](#output\_irsa\_role\_arn) | Amazon Resource Name for Loki | | [pod\_identity\_role\_arn](#output\_pod\_identity\_role\_arn) | Amazon Resource Name for Loki | diff --git a/modules/loki/bucket.tf b/modules/loki/bucket.tf index b011bfa..a763608 100644 --- a/modules/loki/bucket.tf +++ b/modules/loki/bucket.tf @@ -14,11 +14,12 @@ # # SPDX-License-Identifier: Apache-2.0 -module "buckets_logging" { +#tfsec:ignore:aws-s3-encryption-customer-key +module "buckets_data" { source = "terraform-aws-modules/s3-bucket/aws" version = "4.1.1" - for_each = local.buckets_names + for_each = toset(local.buckets_names) bucket = format("%s-%s", local.service_name, each.value) block_public_acls = true @@ -28,11 +29,6 @@ module "buckets_logging" { force_destroy = true - tags = merge( - { "Name" = format("%s-%s", local.service_name, each.value) }, - var.tags - ) - versioning = { enabled = true } 
@@ -46,44 +42,9 @@ module "buckets_logging" { } } } : {} -} - -#tfsec:ignore:aws-s3-encryption-customer-key -module "buckets_data" { - source = "terraform-aws-modules/s3-bucket/aws" - version = "4.1.1" - - for_each = local.buckets_names - - bucket = format("%s-%s", local.service_name, each.value) - block_public_acls = true - block_public_policy = true - restrict_public_buckets = true - ignore_public_acls = true - - force_destroy = true tags = merge( { "Name" = format("%s-%s", local.service_name, each.value) }, var.tags ) - - logging = { - target_bucket = module.buckets_logging[format("%s-%s", local.service_name, each.value)].s3_bucket_id - target_prefix = "log/" - } - - versioning = { - enabled = true - } - - server_side_encryption_configuration = var.enable_kms ? { - rule = { - bucket_key_enabled = true - apply_server_side_encryption_by_default = { - kms_master_key_id = aws_kms_key.loki[0].arn - sse_algorithm = "aws:kms" - } - } - } : {} } diff --git a/modules/loki/iam.tf b/modules/loki/iam.tf index 0896bf3..a4f359b 100644 --- a/modules/loki/iam.tf +++ b/modules/loki/iam.tf @@ -33,7 +33,7 @@ data "aws_iam_policy_document" "bucket" { } dynamic "statement" { - for_each = var.enable_kms ? [1] : [] + for_each = var.enable_kms ? toset(["1"]) : toset([]) content { effect = "Allow" @@ -99,7 +99,7 @@ module "irsa" { source = "terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc" version = "5.44.0" - for_each = var.enable_irsa ? [1] : [] + for_each = var.enable_irsa ? toset(["1"]) : toset([]) create_role = true role_description = "Role for Loki" @@ -123,7 +123,7 @@ module "pod_identity" { source = "terraform-aws-modules/eks-pod-identity/aws" version = "1.4.0" - for_each = var.enable_pod_identity ? [1] : [] + for_each = var.enable_pod_identity ? toset(["1"]) : toset([]) name = local.role_name 
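Review bot: With `buckets_logging` gone, the Loki data buckets have no S3 server access logging and nothing replaces it, so object-level reads and deletes on the log store are only auditable if CloudTrail data events are enabled elsewhere; that trade-off should be stated in the module README, or the `logging` block made optional through an input so consumers can point at an account-wide access-log bucket. The `: {}` branch of `server_side_encryption_configuration` silently falls back to SSE-S3 when `enable_kms` is false, which is acceptable but deserves a short comment next to the `#tfsec:ignore:aws-s3-encryption-customer-key` marker, e.g. `# enable_kms = false leaves the bucket on S3-managed SSE-S3`.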
@@ -137,7 +137,7 @@ module "pod_identity" { associations = { main = { - cluster_name = data.aws_eks_cluster.cluster_name + cluster_name = data.aws_eks_cluster.this.id namespace = var.namespace service_account = var.service_account } diff --git a/modules/loki/outputs.tf b/modules/loki/outputs.tf index 4c97737..74d142a 100644 --- a/modules/loki/outputs.tf +++ b/modules/loki/outputs.tf @@ -15,15 +15,10 @@ # SPDX-License-Identifier: Apache-2.0 output "bucket" { - value = module.buckets_data[*].s3_bucket_id + value = [for b in module.buckets_data : b.s3_bucket_id] description = "S3 bucket for Loki" } -output "bucket_log" { - value = module.buckets_logging[*].s3_bucket_id - description = "S3 log bucket for Loki" -} - output "irsa_role_arn" { value = [for irsa in module.irsa : irsa.iam_role_arn] description = "Amazon Resource Name for Loki" From 8445761371b68558b3f47ac63665cf861515a28f Mon Sep 17 00:00:00 2001 From: Nicolas Lamirault Date: Wed, 28 Aug 2024 10:56:08 +0200 Subject: [PATCH 20/22] feat(mimir): remove logging bucket Signed-off-by: Nicolas Lamirault --- modules/mimir/README.md | 2 -- modules/mimir/bucket.tf | 47 ++++------------------------------------ modules/mimir/iam.tf | 8 +++---- modules/mimir/outputs.tf | 7 +----- 4 files changed, 9 insertions(+), 55 deletions(-) diff --git a/modules/mimir/README.md b/modules/mimir/README.md index 8b9f884..3b10d99 100644 --- a/modules/mimir/README.md +++ b/modules/mimir/README.md @@ -16,7 +16,6 @@ | Name | Source | Version | |------|--------|---------| | [buckets\_data](#module\_buckets\_data) | terraform-aws-modules/s3-bucket/aws | 4.1.1 | -| [buckets\_logging](#module\_buckets\_logging) | terraform-aws-modules/s3-bucket/aws | 4.1.1 | | [irsa](#module\_irsa) | terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc | 5.44.0 | | [pod\_identity](#module\_pod\_identity) | terraform-aws-modules/eks-pod-identity/aws | 1.4.0 | 
@@ -51,6 +50,5 @@ | Name | Description | |------|-------------| | [bucket](#output\_bucket) | S3 bucket for Mimir | -| [bucket\_log](#output\_bucket\_log) | S3 log bucket for Mimir | | [irsa\_role\_arn](#output\_irsa\_role\_arn) | Amazon Resource Name for Mimir | | [pod\_identity\_role\_arn](#output\_pod\_identity\_role\_arn) | Amazon Resource Name for Mimir | diff --git a/modules/mimir/bucket.tf b/modules/mimir/bucket.tf index ccc9cee..06162b5 100644 --- a/modules/mimir/bucket.tf +++ b/modules/mimir/bucket.tf @@ -14,13 +14,14 @@ # # SPDX-License-Identifier: Apache-2.0 -module "buckets_logging" { +#tfsec:ignore:aws-s3-encryption-customer-key +module "buckets_data" { source = "terraform-aws-modules/s3-bucket/aws" version = "4.1.1" - for_each = local.buckets_names + for_each = toset(local.buckets_names) - bucket = format("%s-%s-logging", local.service_name, each.value) + bucket = format("%s-%s", local.service_name, each.value) block_public_acls = true block_public_policy = true restrict_public_buckets = true @@ -28,11 +29,6 @@ module "buckets_logging" { force_destroy = true - tags = merge( - { "Name" = format("%s-%s-logging", local.service_name, each.value) }, - var.tags - ) - versioning = { enabled = true } 
@@ -46,44 +42,9 @@ module "buckets_logging" { } } } : {} -} - -#tfsec:ignore:aws-s3-encryption-customer-key -module "buckets_data" { - source = "terraform-aws-modules/s3-bucket/aws" - version = "4.1.1" - - for_each = local.buckets_names - - bucket = format("%s-%s", local.service_name, each.value) - block_public_acls = true - block_public_policy = true - restrict_public_buckets = true - ignore_public_acls = true - - force_destroy = true tags = merge( { "Name" = format("%s-%s", local.service_name, each.value) }, var.tags ) - - logging = { - target_bucket = module.buckets_logging[format("%s-%s", local.service_name, each.value)].s3_bucket_id - target_prefix = "log/" - } - - versioning = { - enabled = true - } - - server_side_encryption_configuration = var.enable_kms ? { - rule = { - bucket_key_enabled = true - apply_server_side_encryption_by_default = { - kms_master_key_id = aws_kms_key.mimir[0].arn - sse_algorithm = "aws:kms" - } - } - } : {} } diff --git a/modules/mimir/iam.tf b/modules/mimir/iam.tf index d573b6d..058b1bd 100644 --- a/modules/mimir/iam.tf +++ b/modules/mimir/iam.tf @@ -33,7 +33,7 @@ data "aws_iam_policy_document" "bucket" { } dynamic "statement" { - for_each = var.enable_kms ? [1] : [] + for_each = var.enable_kms ? toset([1]) : toset([]) content { effect = "Allow" @@ -97,7 +97,7 @@ module "irsa" { source = "terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc" version = "5.44.0" - for_each = var.enable_irsa ? [1] : [] + for_each = var.enable_irsa ? toset(["1"]) : toset([]) create_role = true role_description = "Role for Tempo" @@ -122,7 +122,7 @@ module "pod_identity" { source = "terraform-aws-modules/eks-pod-identity/aws" version = "1.4.0" - for_each = var.enable_pod_identity ? [1] : [] + for_each = var.enable_pod_identity ? toset(["1"]) : toset([]) name = local.role_name 
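Review bot: `role_description = "Role for Tempo"` under the `irsa` module in `modules/mimir/iam.tf` (context line in the `@@ -97,7 +97,7 @@` hunk) is a copy-paste leftover that labels the Mimir role as Tempo in the IAM console; it should read `role_description = "Role for Mimir"`. The `dynamic "statement"` fix uses `toset([1])` while the `irsa` and `pod_identity` blocks in the same file and every other module in this series use `toset(["1"])`; both are valid for a dynamic block, but aligning on the string form keeps the file self-consistent.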
@@ -137,7 +137,7 @@ module "pod_identity" { associations = { main = { - cluster_name = data.aws_eks_cluster.cluster_name + cluster_name = data.aws_eks_cluster.this.id namespace = var.namespace service_account = var.service_account } diff --git a/modules/mimir/outputs.tf b/modules/mimir/outputs.tf index 997154a..7f3888f 100644 --- a/modules/mimir/outputs.tf +++ b/modules/mimir/outputs.tf @@ -15,15 +15,10 @@ # SPDX-License-Identifier: Apache-2.0 output "bucket" { - value = module.buckets_data[*].s3_bucket_id + value = [for b in module.buckets_data : b.s3_bucket_id] description = "S3 bucket for Mimir" } -output "bucket_log" { - value = module.buckets_logging[*].s3_bucket_id - description = "S3 log bucket for Mimir" -} - output "irsa_role_arn" { value = [for irsa in module.irsa : irsa.iam_role_arn] description = "Amazon Resource Name for Mimir" From d0398f095a4b24f123e10961745e3a88f0514159 Mon Sep 17 00:00:00 2001 From: Nicolas Lamirault Date: Wed, 28 Aug 2024 10:56:30 +0200 Subject: [PATCH 21/22] feat(prometheus): remove Thanos Signed-off-by: Nicolas Lamirault --- modules/prometheus/README.md | 8 --- modules/prometheus/data.tf | 9 ---- modules/prometheus/iam.tf | 94 ++------------------------------- modules/prometheus/variables.tf | 25 +++------ 4 files changed, 11 insertions(+), 125 deletions(-) diff --git a/modules/prometheus/README.md b/modules/prometheus/README.md index 82a2aac..d7b2371 100644 --- a/modules/prometheus/README.md +++ b/modules/prometheus/README.md 
@@ -22,24 +22,16 @@ | Name | Type | |------|------| -| [aws_iam_policy.bucket](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | -| [aws_iam_policy.kms](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | | [aws_eks_cluster.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/eks_cluster) | data source | | [aws_iam_policy.amp_remote_write_access](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy) | data source | | [aws_iam_policy.ec2_ro_access](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy) | data source | -| [aws_iam_policy_document.bucket](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | -| [aws_iam_policy_document.kms](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | -| [aws_kms_key.thanos](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/kms_key) | data source | -| [aws_s3_bucket.thanos](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/s3_bucket) | data source | ## Inputs | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| -| [bucket\_name](#input\_bucket\_name) | Name of the Thanos bucket | `string` | n/a | yes | | [cluster\_name](#input\_cluster\_name) | Name of the EKS cluster | `string` | n/a | yes | | [enable\_irsa](#input\_enable\_irsa) | Enable IRSA resources | `bool` | n/a | yes | -| [enable\_kms](#input\_enable\_kms) | Enable custom KMS key | `bool` | n/a | yes | | [enable\_pod\_identity](#input\_enable\_pod\_identity) | Enable EKS Pod Identity resources | `bool` | n/a | yes | | [namespace](#input\_namespace) | The Kubernetes namespace | `string` | n/a | yes | | 
[service\_account](#input\_service\_account) | The Kubernetes service account | `string` | n/a | yes | diff --git a/modules/prometheus/data.tf b/modules/prometheus/data.tf index 5e834b3..ede3027 100644 --- a/modules/prometheus/data.tf +++ b/modules/prometheus/data.tf @@ -14,15 +14,6 @@ # # SPDX-License-Identifier: Apache-2.0 -data "aws_s3_bucket" "thanos" { - bucket = var.bucket_name -} - -data "aws_kms_key" "thanos" { - count = var.enable_kms ? 1 : 0 - key_id = "alias/thanos" -} - data "aws_eks_cluster" "this" { name = var.cluster_name } diff --git a/modules/prometheus/iam.tf b/modules/prometheus/iam.tf index b47bf5e..95e40ab 100644 --- a/modules/prometheus/iam.tf +++ b/modules/prometheus/iam.tf 
@@ -14,95 +14,17 @@ # # SPDX-License-Identifier: Apache-2.0 -data "aws_iam_policy_document" "bucket" { - statement { - actions = [ - "s3:ListBucket", - "s3:GetObject", - "s3:DeleteObject", - "s3:PutObject", - ] - - #tfsec:ignore:aws-iam-no-policy-wildcards - resources = [ - data.aws_s3_bucket.thanos.arn, - "${data.aws_s3_bucket.thanos.arn}/*" - ] - } - - # statement { - # effect = "Allow" - - # actions = [ - # "kms:Encrypt", - # "kms:Decrypt", - # "kms:GenerateDataKey*", - # ] - - # resources = var.enable_kms ? [data.aws_kms_key.thanos[0].arn] : [] - # } -} - -data "aws_iam_policy_document" "kms" { - count = var.enable_kms ? 1 : 0 - - statement { - effect = "Allow" - - #tfsec:ignore:aws-iam-no-policy-wildcards - actions = [ - "kms:Encrypt", - "kms:Decrypt", - "kms:GenerateDataKey*", - ] - - resources = [ - data.aws_kms_key.thanos[0].arn - ] - } -} - -resource "aws_iam_policy" "bucket" { - name = format("%s-bucket", local.service_name) - path = "/" - description = "Bucket permissions for Prometheus" - policy = data.aws_iam_policy_document.bucket.json - tags = merge( - { "Name" = format("%s-bucket", local.service_name) }, - var.tags - ) -} - -resource "aws_iam_policy" "kms" { - count = var.enable_kms ? 1 : 0 - - name = format("%s-kms", local.service_name) - path = "/" - description = "KMS permissions for Prometheus" - policy = data.aws_iam_policy_document.kms[0].json - tags = merge( - { "Name" = format("%s-kms", local.service_name) }, - var.tags - ) -} - module "irsa" { source = "terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc" version = "5.44.0" - for_each = var.enable_irsa ? [1] : [] + for_each = var.enable_irsa ? toset(["1"]) : toset([]) create_role = true role_description = "Prometheus Role" role_name = local.role_name provider_url = data.aws_eks_cluster.this.identity[0].oidc[0].issuer - role_policy_arns = var.enable_kms ? 
[ - aws_iam_policy.bucket.arn, - aws_iam_policy.kms[0].arn, - data.aws_iam_policy.amp_remote_write_access.arn, - data.aws_iam_policy.ec2_ro_access.arn - ] : [ - aws_iam_policy.bucket.arn, + role_policy_arns = [ data.aws_iam_policy.amp_remote_write_access.arn, data.aws_iam_policy.ec2_ro_access.arn ] @@ -117,25 +39,19 @@ module "pod_identity" { source = "terraform-aws-modules/eks-pod-identity/aws" version = "1.4.0" - for_each = var.enable_pod_identity ? [1] : [] + for_each = var.enable_pod_identity ? toset(["1"]) : toset([]) name = local.role_name # attach_custom_policy = true - additional_policy_arns = var.enable_kms ? { - PrometheusS3Access : aws_iam_policy.bucket.arn, - PrometheusKMSAccess : aws_iam_policy.kms[0].arn, - AmazonPrometheusRemoteWriteAccess : data.aws_iam_policy.amp_remote_write_access.arn, - AmazonEC2ReadOnlyAccess : data.aws_iam_policy.ec2_ro_access.arn - } : { - PrometheusS3Access : aws_iam_policy.bucket.arn, + additional_policy_arns = { AmazonPrometheusRemoteWriteAccess : data.aws_iam_policy.amp_remote_write_access.arn, AmazonEC2ReadOnlyAccess : data.aws_iam_policy.ec2_ro_access.arn } associations = { main = { - cluster_name = data.aws_eks_cluster.cluster_name + cluster_name = data.aws_eks_cluster.this.id namespace = var.namespace service_account = var.service_account } diff --git a/modules/prometheus/variables.tf b/modules/prometheus/variables.tf index 572a20f..a562e72 100644 --- a/modules/prometheus/variables.tf +++ b/modules/prometheus/variables.tf @@ -31,19 +31,6 @@ variable "service_account" { description = "The Kubernetes service account" } -variable "tags" { - type = map(string) - description = "Tags for Loki" - default = { - "Made-By" = "Terraform" - } -} - -variable "bucket_name" { - type = string - description = "Name of the Thanos bucket" -} - variable "enable_irsa" { type = bool description = "Enable IRSA resources" 
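Review bot: The new `role_policy_arns` list in `module "irsa"` attaches only the two AWS managed policies, and AmazonPrometheusRemoteWriteAccess is, to my knowledge, written with `Resource: "*"`, so the role can remote-write to every AMP workspace in the account rather than the single workspace this module targets. Nothing in the hunk records that width; a comment above the list such as `# Managed policies only; AmazonPrometheusRemoteWriteAccess is not workspace-scoped` would make the choice visible, and a workspace-scoped inline policy would be the tighter option if the module ever learns the workspace ARN. The purpose of AmazonEC2ReadOnlyAccess is presumably EC2 service discovery; stating that in the same comment would help too. The `module "irsa"` block continues past the end of the hunk, so the OIDC subject binding and tags are not visible here.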
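Review bot: `cluster_name = data.aws_eks_cluster.this.id` in the `associations.main` block relies on the data source's `id` attribute happening to equal the cluster name; `cluster_name = data.aws_eks_cluster.this.name` (or `var.cluster_name`, which already feeds that data source in data.tf) says what is meant without depending on that coincidence. The same line is changed in the modules/tempo/iam.tf `@@ -135,7 +135,7 @@` hunk, so the substitution applies there as well. The surviving context line `# attach_custom_policy = true` now refers to custom policies this commit deleted and could be dropped in the same pass.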
@@ -54,10 +41,10 @@ variable "enable_pod_identity" { description = "Enable EKS Pod Identity resources" } -############################################################################# -# KMS - -variable "enable_kms" { - type = bool - description = "Enable custom KMS key" +variable "tags" { + type = map(string) + description = "Tags for Loki" + default = { + "Made-By" = "Terraform" + } } From 0778539fe8105f3eb7a605fd223d3587d70e8d0c Mon Sep 17 00:00:00 2001 From: Nicolas Lamirault Date: Wed, 28 Aug 2024 10:56:47 +0200 Subject: [PATCH 22/22] feat(tempo): remove logging bucket Signed-off-by: Nicolas Lamirault --- modules/tempo/README.md | 2 -- modules/tempo/bucket.tf | 47 ++++------------------------------------ modules/tempo/iam.tf | 6 ++--- modules/tempo/outputs.tf | 7 +----- 4 files changed, 8 insertions(+), 54 deletions(-) diff --git a/modules/tempo/README.md b/modules/tempo/README.md index ddd131c..233ffb2 100644 --- a/modules/tempo/README.md +++ b/modules/tempo/README.md @@ -16,7 +16,6 @@ | Name | Source | Version | |------|--------|---------| | [buckets\_data](#module\_buckets\_data) | terraform-aws-modules/s3-bucket/aws | 4.1.1 | -| [buckets\_logging](#module\_buckets\_logging) | terraform-aws-modules/s3-bucket/aws | 4.1.1 | | [irsa](#module\_irsa) | terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc | 5.44.0 | | [pod\_identity](#module\_pod\_identity) | terraform-aws-modules/eks-pod-identity/aws | 1.4.0 | @@ -50,6 +49,5 @@ | Name | Description | |------|-------------| | [bucket](#output\_bucket) | S3 bucket for Tempo | -| [bucket\_log](#output\_bucket\_log) | S3 log bucket for Tempo | | [irsa\_role\_arn](#output\_irsa\_role\_arn) | Amazon Resource Name for Tempo | | [pod\_identity\_role\_arn](#output\_pod\_identity\_role\_arn) | Amazon Resource Name for Tempo | diff --git a/modules/tempo/bucket.tf b/modules/tempo/bucket.tf index 1b20fb9..4f7654e 100644 --- a/modules/tempo/bucket.tf +++ b/modules/tempo/bucket.tf 
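Review bot: The re-added `variable "tags"` in modules/prometheus/variables.tf keeps the description `"Tags for Loki"`, which is a copy-paste leftover in a Prometheus module and will be rendered verbatim into the generated README inputs table. `description = "Tags for Prometheus resources"` would be accurate. The variable otherwise only moves from above `enable_irsa` to the end of the file, which changes nothing for callers.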
@@ -14,13 +14,14 @@ # # SPDX-License-Identifier: Apache-2.0 -module "buckets_logging" { +#tfsec:ignore:aws-s3-encryption-customer-key +module "buckets_data" { source = "terraform-aws-modules/s3-bucket/aws" version = "4.1.1" - for_each = local.buckets_names + for_each = toset(local.buckets_names) - bucket = format("%s-%s-logging", local.service_name, each.value) + bucket = format("%s-%s", local.service_name, each.value) block_public_acls = true block_public_policy = true restrict_public_buckets = true @@ -28,11 +29,6 @@ module "buckets_logging" { force_destroy = true - tags = merge( - { "Name" = format("%s-%s-logging", local.service_name, each.value) }, - var.tags - ) - versioning = { enabled = true } @@ -46,44 +42,9 @@ module "buckets_logging" { } } } : {} -} - -#tfsec:ignore:aws-s3-encryption-customer-key -module "buckets_data" { - source = "terraform-aws-modules/s3-bucket/aws" - version = "4.1.1" - - for_each = local.buckets_names - - bucket = format("%s-%s", local.service_name, each.value) - block_public_acls = true - block_public_policy = true - restrict_public_buckets = true - ignore_public_acls = true - - force_destroy = true tags = merge( { "Name" = format("%s-%s", local.service_name, each.value) }, var.tags ) - - logging = { - target_bucket = module.buckets_logging[format("%s-%s", local.service_name, each.value)].s3_bucket_id - target_prefix = "log/" - } - - versioning = { - enabled = true - } - - server_side_encryption_configuration = var.enable_kms ? { - rule = { - bucket_key_enabled = true - apply_server_side_encryption_by_default = { - kms_master_key_id = aws_kms_key.tempo[0].arn - sse_algorithm = "aws:kms" - } - } - } : {} } diff --git a/modules/tempo/iam.tf b/modules/tempo/iam.tf index df86886..24d454b 100644 --- a/modules/tempo/iam.tf +++ b/modules/tempo/iam.tf 
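Review bot: With `module "buckets_logging"` gone, the surviving `module "buckets_data"` no longer carries a `logging` block (removed in the `@@ -46,44 +42,9 @@` hunk), so the trace buckets keep versioning and the optional KMS SSE but have no server access logs at all; object-level read and delete activity on them is then only visible if CloudTrail S3 data events are enabled elsewhere, which nothing in this diff does. Since the removal is deliberate, a header comment above the module such as `# No S3 server access logging on these buckets; object-level auditing relies on CloudTrail data events` would record the decision and the expected compensating control. The `for_each = toset(local.buckets_names)` change looks right assuming `local.buckets_names` is a list of strings; the local itself is not visible in this diff.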
@@ -98,7 +98,7 @@ module "irsa" { source = "terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc" version = "5.44.0" - for_each = var.enable_irsa ? [1] : [] + for_each = var.enable_irsa ? toset(["1"]) : toset([]) create_role = true role_description = "Role for Tempo" @@ -121,7 +121,7 @@ module "pod_identity" { source = "terraform-aws-modules/eks-pod-identity/aws" version = "1.4.0" - for_each = var.enable_pod_identity ? [1] : [] + for_each = var.enable_pod_identity ? toset(["1"]) : toset([]) name = local.role_name @@ -135,7 +135,7 @@ module "pod_identity" { associations = { main = { - cluster_name = data.aws_eks_cluster.cluster_name + cluster_name = data.aws_eks_cluster.this.id namespace = var.namespace service_account = var.service_account } diff --git a/modules/tempo/outputs.tf b/modules/tempo/outputs.tf index 5abb9b2..49d1e68 100644 --- a/modules/tempo/outputs.tf +++ b/modules/tempo/outputs.tf @@ -15,15 +15,10 @@ # SPDX-License-Identifier: Apache-2.0 output "bucket" { - value = module.buckets_data[*].s3_bucket_id + value = [for b in module.buckets_data : b.s3_bucket_id] description = "S3 bucket for Tempo" } -output "bucket_log" { - value = module.buckets_logging[*].s3_bucket_id - description = "S3 log bucket for Tempo" -} - output "irsa_role_arn" { value = [for irsa in module.irsa : irsa.iam_role_arn] description = "Amazon Resource Name for Tempo"
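Review bot: `output "bucket"` in modules/tempo/outputs.tf now returns a list built with `[for b in module.buckets_data : b.s3_bucket_id]`, but its description still reads as if it were a single bucket; `description = "S3 bucket ids for Tempo, one per data bucket"` would match the value's shape. The same vagueness applies to the context line `description = "Amazon Resource Name for Tempo"` under `irsa_role_arn`, which does not say it is the IRSA role ARN list; that output's closing brace lies past the end of the hunk.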