Support IAM role for nobl9 agent service account. (#12)

README.md

@@ -79,6 +79,8 @@ To learn how to contribute please read the [contribution guidelines](./CONTRIBUT
           how about following the steps in [this tutorial](https://developer.hashicorp.com/terraform/tutorials/kubernetes/eks)?
           The tutorial defaults to Terraform Cloud (which is quite nice) but for this exercise we recommend you click on the Terraform OSS
           tabs as you proceed.
+    - You need to configure [IAM OIDC provider for the EKS cluster](https://docs.aws.amazon.com/eks/latest/userguide/enable-iam-roles-for-service-accounts.html).
+      Tutorial linked above does it for you, but if you are using an existing cluster, you may need to do it manually.
 
 2. Create a `terraform.tfvars` file. A staring point can be found in `terraform.tfvars.example`
 
@@ -174,14 +176,14 @@ the industry
 | <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 3.72 |
 | <a name="requirement_helm"></a> [helm](#requirement\_helm) | >= 2.4.1 |
 | <a name="requirement_kubernetes"></a> [kubernetes](#requirement\_kubernetes) | >= 2.10 |
-| <a name="requirement_nobl9"></a> [nobl9](#requirement\_nobl9) | 0.8.0 |
+| <a name="requirement_nobl9"></a> [nobl9](#requirement\_nobl9) | 0.26.0 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | 4.56.0 |
-| <a name="provider_kubernetes"></a> [kubernetes](#provider\_kubernetes) | 2.18.1 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | 5.53.0 |
+| <a name="provider_kubernetes"></a> [kubernetes](#provider\_kubernetes) | 2.30.0 |
 
 ## Modules
 

cspell.json

@@ -22,6 +22,7 @@
 		"CNCF",
 		"distro",
 		"irsa",
+                "jsonencode",
 		"kubelet",
 		"Kuberhealthy",
 		"Nobl9",

modules/nobl9/README.md

@@ -206,13 +206,13 @@ To adjust this objective, modify:
 | Name | Version |
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.1.0 |
-| <a name="requirement_nobl9"></a> [nobl9](#requirement\_nobl9) | 0.8.0 |
+| <a name="requirement_nobl9"></a> [nobl9](#requirement\_nobl9) | 0.26.0 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| <a name="provider_nobl9"></a> [nobl9](#provider\_nobl9) | 0.8.0 |
+| <a name="provider_nobl9"></a> [nobl9](#provider\_nobl9) | 0.26.0 |
 
 ## Modules
 
@@ -226,7 +226,7 @@ To adjust this objective, modify:
 
 | Name | Type |
 |------|------|
-| [nobl9_project.this](https://registry.terraform.io/providers/nobl9/nobl9/0.8.0/docs/resources/project) | resource |
+| [nobl9_project.this](https://registry.terraform.io/providers/nobl9/nobl9/0.26.0/docs/resources/project) | resource |
 
 ## Inputs
 

modules/nobl9/data-source/README.md

@@ -6,13 +6,13 @@
 | Name | Version |
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.1.0 |
-| <a name="requirement_nobl9"></a> [nobl9](#requirement\_nobl9) | 0.8.0 |
+| <a name="requirement_nobl9"></a> [nobl9](#requirement\_nobl9) | 0.26.0 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| <a name="provider_nobl9"></a> [nobl9](#provider\_nobl9) | 0.8.0 |
+| <a name="provider_nobl9"></a> [nobl9](#provider\_nobl9) | 0.26.0 |
 
 ## Modules
 
@@ -22,7 +22,7 @@ No modules.
 
 | Name | Type |
 |------|------|
-| [nobl9_agent.this](https://registry.terraform.io/providers/nobl9/nobl9/0.8.0/docs/resources/agent) | resource |
+| [nobl9_agent.this](https://registry.terraform.io/providers/nobl9/nobl9/0.26.0/docs/resources/agent) | resource |
 
 ## Inputs
 

modules/nobl9/data-source/main.tf

@@ -2,7 +2,6 @@ resource "nobl9_agent" "this" {
   name         = "ekg-amp-${replace(lower(var.cluster_id), " ", "-")}"
   display_name = "ekg-amp ${var.cluster_id}"
   project      = var.project_name
-  source_of    = ["Metrics"]
   agent_type   = "amazon_prometheus"
   amazon_prometheus_config {
     url    = var.amp_ws_endpoint

modules/nobl9/data-source/versions.tf

@@ -4,7 +4,7 @@ terraform {
   required_providers {
     nobl9 = {
       source  = "nobl9/nobl9"
-      version = "0.8.0"
+      version = "0.26.0"
     }
   }
 }

modules/nobl9/main.tf

@@ -21,6 +21,7 @@ module "n9agent" {
   namespace             = var.namespace
   agent_client_id       = module.data_source.client_id
   agent_client_secret   = module.data_source.client_secret
+  cluster_id            = var.cluster_id
 }
 
 module "slos" {

modules/nobl9/n9agent/README.md

@@ -26,11 +26,12 @@ No modules.
 
 | Name | Type |
 |------|------|
-| [aws_iam_access_key.nobl9-ekg](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_access_key) | resource |
-| [aws_iam_user.nobl9-ekg](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user) | resource |
-| [aws_iam_user_policy.nobl9-ekg-ro](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user_policy) | resource |
+| [aws_iam_role.nobl9-ekg-ro](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
+| [aws_iam_role_policy.nobl9-ekg-ro](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
 | [helm_release.n9agent](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
-| [kubernetes_secret.aws_credentials](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/secret) | resource |
+| [kubernetes_service_account.service_account](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/service_account) | resource |
+| [aws_caller_identity.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
+| [aws_eks_cluster.cluster](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/eks_cluster) | data source |
 | [aws_iam_policy_document.nobl9-ekg-ro](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 
 ## Inputs
@@ -40,6 +41,7 @@ No modules.
 | <a name="input_agent_client_id"></a> [agent\_client\_id](#input\_agent\_client\_id) | Client ID of the data source agent (from Nobl9 UI: Integrations > Sources > [your data source] > Agent Configuration) | `string` | n/a | yes |
 | <a name="input_agent_client_secret"></a> [agent\_client\_secret](#input\_agent\_client\_secret) | Client Secret of the data source agent (from Nobl9 UI: Integrations > Sources > [your data source] > Agent Configuration) | `string` | n/a | yes |
 | <a name="input_chart_version"></a> [chart\_version](#input\_chart\_version) | Version of Helm Chart | `string` | `"1.0.4"` | no |
+| <a name="input_cluster_id"></a> [cluster\_id](#input\_cluster\_id) | Name of the Kubernetes cluster | `string` | n/a | yes |
 | <a name="input_data_source_name"></a> [data\_source\_name](#input\_data\_source\_name) | Name (ID) of the agent data source in Nobl9 | `string` | n/a | yes |
 | <a name="input_namespace"></a> [namespace](#input\_namespace) | Namespace where Helm Chart will be installed | `string` | n/a | yes |
 | <a name="input_nobl9_organization_id"></a> [nobl9\_organization\_id](#input\_nobl9\_organization\_id) | Nobl9 Organization ID (visible in Nobl9 web app under Settings > Account) | `string` | n/a | yes |

modules/nobl9/n9agent/main.tf

@@ -1,15 +1,11 @@
-resource "kubernetes_secret" "aws_credentials" {
-  metadata {
-    name      = var.data_source_name
-    namespace = var.namespace
-  }
+data "aws_caller_identity" "this" {}
 
-  data = {
-    aws_access_key_id     = aws_iam_access_key.nobl9-ekg.id
-    aws_secret_access_key = aws_iam_access_key.nobl9-ekg.secret
-  }
+data "aws_eks_cluster" "cluster" {
+  name = var.cluster_id
+}
 
-  type = "Opaque"
+locals {
+  k8s_oidc_provider = replace(data.aws_eks_cluster.cluster.identity[0].oidc[0].issuer, "https://", "")
 }
 
 resource "helm_release" "n9agent" {
@@ -25,6 +21,7 @@ resource "helm_release" "n9agent" {
       nobl9_organization_id = var.nobl9_organization_id
       client_id             = var.agent_client_id
       client_secret         = var.agent_client_secret
+      service_account_name  = kubernetes_service_account.service_account.metadata[0].name
     })
   ]
 
@@ -36,13 +33,36 @@ resource "helm_release" "n9agent" {
   cleanup_on_fail = true
 }
 
-resource "aws_iam_user" "nobl9-ekg" {
-  name = "nobl9-ekg"
-  path = "/"
+resource "aws_iam_role" "nobl9-ekg-ro" {
+  name = "nobl9-ekg-ro-${var.cluster_id}"
+
+  assume_role_policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Action = ["sts:AssumeRoleWithWebIdentity"]
+        Effect = "Allow"
+        Principal = {
+          Federated = "arn:aws:iam::${data.aws_caller_identity.this.account_id}:oidc-provider/${local.k8s_oidc_provider}"
+        }
+        Condition = {
+          StringEquals = {
+            "${local.k8s_oidc_provider}:sub" = "system:serviceaccount:${var.namespace}:nobl9-agent"
+          }
+        }
+      }
+    ]
+  })
 }
 
-resource "aws_iam_access_key" "nobl9-ekg" {
-  user = aws_iam_user.nobl9-ekg.name
+resource "kubernetes_service_account" "service_account" {
+  metadata {
+    name      = "nobl9-agent"
+    namespace = var.namespace
+    annotations = {
+      "eks.amazonaws.com/role-arn" = aws_iam_role.nobl9-ekg-ro.arn
+    }
+  }
 }
 
 data "aws_iam_policy_document" "nobl9-ekg-ro" {
@@ -53,8 +73,7 @@ data "aws_iam_policy_document" "nobl9-ekg-ro" {
   }
 }
 
-resource "aws_iam_user_policy" "nobl9-ekg-ro" {
-  name   = "nobl9-ekg"
-  user   = aws_iam_user.nobl9-ekg.name
+resource "aws_iam_role_policy" "nobl9-ekg-ro" {
   policy = data.aws_iam_policy_document.nobl9-ekg-ro.json
-}
+  role   = aws_iam_role.nobl9-ekg-ro.id
+}