feat: adds cloudwatch logs policy to vpc-cni for networkpolicy logging

examples/iam-role-for-service-accounts-eks/main.tf

@@ -340,9 +340,10 @@ module "velero_irsa_role" {
 module "vpc_cni_ipv4_irsa_role" {
   source = "../../modules/iam-role-for-service-accounts-eks"
 
-  role_name             = "vpc-cni-ipv4"
-  attach_vpc_cni_policy = true
-  vpc_cni_enable_ipv4   = true
+  role_name                      = "vpc-cni-ipv4"
+  attach_vpc_cni_policy          = true
+  vpc_cni_enable_ipv4            = true
+  vpc_cni_enable_cloudwatch_logs = true
 
   oidc_providers = {
     ex = {

modules/iam-role-for-service-accounts-eks/README.md

@@ -246,6 +246,7 @@ No modules.
 | <a name="input_role_policy_arns"></a> [role\_policy\_arns](#input\_role\_policy\_arns) | ARNs of any policies to attach to the IAM role | `map(string)` | `{}` | no |
 | <a name="input_tags"></a> [tags](#input\_tags) | A map of tags to add the the IAM role | `map(any)` | `{}` | no |
 | <a name="input_velero_s3_bucket_arns"></a> [velero\_s3\_bucket\_arns](#input\_velero\_s3\_bucket\_arns) | List of S3 Bucket ARNs that Velero needs access to in order to backup and restore cluster resources | `list(string)` | <pre>[<br>  "*"<br>]</pre> | no |
+| <a name="input_vpc_cni_enable_cloudwatch_logs"></a> [vpc\_cni\_enable\_cloudwatch\_logs](#input\_vpc\_cni\_enable\_cloudwatch\_logs) | Enable CloudWatch Logs policy for VPC CNI | `bool` | `false` | no |
 | <a name="input_vpc_cni_enable_ipv4"></a> [vpc\_cni\_enable\_ipv4](#input\_vpc\_cni\_enable\_ipv4) | Determines whether to enable IPv4 permissions for VPC CNI policy | `bool` | `false` | no |
 | <a name="input_vpc_cni_enable_ipv6"></a> [vpc\_cni\_enable\_ipv6](#input\_vpc\_cni\_enable\_ipv6) | Determines whether to enable IPv6 permissions for VPC CNI policy | `bool` | `false` | no |
 

modules/iam-role-for-service-accounts-eks/policies.tf

@@ -1480,6 +1480,21 @@ data "aws_iam_policy_document" "vpc_cni" {
     }
   }
 
+  # https://docs.aws.amazon.com/eks/latest/userguide/cni-network-policy.html#cni-network-policy-setup
+  dynamic "statement" {
+    for_each = var.vpc_cni_enable_cloudwatch_logs ? [1] : []
+    content {
+      sid = "CloudWatchLogs"
+      actions = [
+        "logs:DescribeLogGroups",
+        "logs:CreateLogGroup",
+        "logs:CreateLogStream",
+        "logs:PutLogEvents",
+      ]
+      resources = ["*"]
+    }
+  }
+
   statement {
     sid       = "CreateTags"
     actions   = ["ec2:CreateTags"]

modules/iam-role-for-service-accounts-eks/variables.tf

@@ -351,6 +351,12 @@ variable "attach_vpc_cni_policy" {
   default     = false
 }
 
+variable "vpc_cni_enable_cloudwatch_logs" {
+  description = "Enable CloudWatch Logs policy for VPC CNI"
+  type        = bool
+  default     = false
+}
+
 variable "vpc_cni_enable_ipv4" {
   description = "Determines whether to enable IPv4 permissions for VPC CNI policy"
   type        = bool

wrappers/iam-role-for-service-accounts-eks/main.tf

@@ -61,6 +61,7 @@ module "wrapper" {
   role_policy_arns                                                = try(each.value.role_policy_arns, var.defaults.role_policy_arns, {})
   tags                                                            = try(each.value.tags, var.defaults.tags, {})
   velero_s3_bucket_arns                                           = try(each.value.velero_s3_bucket_arns, var.defaults.velero_s3_bucket_arns, ["*"])
+  vpc_cni_enable_cloudwatch_logs                                  = try(each.value.vpc_cni_enable_cloudwatch_logs, var.defaults.vpc_cni_enable_cloudwatch_logs, false)
   vpc_cni_enable_ipv4                                             = try(each.value.vpc_cni_enable_ipv4, var.defaults.vpc_cni_enable_ipv4, false)
   vpc_cni_enable_ipv6                                             = try(each.value.vpc_cni_enable_ipv6, var.defaults.vpc_cni_enable_ipv6, false)
 }