Skip to content

Commit

Permalink
feat: Add support for Amazon CloudWatch Observability IRSA role (#446)
Browse files Browse the repository at this point in the history
Co-authored-by: Joe North <jbnorth@amazon.com>
Co-authored-by: Bryant Biggs <bryantbiggs@gmail.com>
  • Loading branch information
3 people authored Dec 16, 2023
1 parent 7825816 commit 25e2bf9
Show file tree
Hide file tree
Showing 7 changed files with 48 additions and 6 deletions.
2 changes: 1 addition & 1 deletion .pre-commit-config.yaml
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
repos:
- repo: https://github.com/antonbabenko/pre-commit-terraform
rev: v1.83.6
rev: v1.85.0
hooks:
- id: terraform_fmt
- id: terraform_wrapper_module_for_each
Expand Down
5 changes: 3 additions & 2 deletions examples/iam-role-for-service-accounts-eks/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -37,11 +37,12 @@ Run `terraform destroy` when you don't need these resources.
| <a name="module_appmesh_envoy_proxy_irsa_role"></a> [appmesh\_envoy\_proxy\_irsa\_role](#module\_appmesh\_envoy\_proxy\_irsa\_role) | ../../modules/iam-role-for-service-accounts-eks | n/a |
| <a name="module_aws_gateway_controller_irsa_role"></a> [aws\_gateway\_controller\_irsa\_role](#module\_aws\_gateway\_controller\_irsa\_role) | ../../modules/iam-role-for-service-accounts-eks | n/a |
| <a name="module_cert_manager_irsa_role"></a> [cert\_manager\_irsa\_role](#module\_cert\_manager\_irsa\_role) | ../../modules/iam-role-for-service-accounts-eks | n/a |
| <a name="module_cloudwatch_observability_irsa_role"></a> [cloudwatch\_observability\_irsa\_role](#module\_cloudwatch\_observability\_irsa\_role) | ../../modules/iam-role-for-service-accounts-eks | n/a |
| <a name="module_cluster_autoscaler_irsa_role"></a> [cluster\_autoscaler\_irsa\_role](#module\_cluster\_autoscaler\_irsa\_role) | ../../modules/iam-role-for-service-accounts-eks | n/a |
| <a name="module_disabled"></a> [disabled](#module\_disabled) | ../../modules/iam-role-for-service-accounts-eks | n/a |
| <a name="module_ebs_csi_irsa_role"></a> [ebs\_csi\_irsa\_role](#module\_ebs\_csi\_irsa\_role) | ../../modules/iam-role-for-service-accounts-eks | n/a |
| <a name="module_efs_csi_irsa_role"></a> [efs\_csi\_irsa\_role](#module\_efs\_csi\_irsa\_role) | ../../modules/iam-role-for-service-accounts-eks | n/a |
| <a name="module_eks"></a> [eks](#module\_eks) | terraform-aws-modules/eks/aws | ~> 19.14 |
| <a name="module_eks"></a> [eks](#module\_eks) | terraform-aws-modules/eks/aws | ~> 19.21 |
| <a name="module_external_dns_irsa_role"></a> [external\_dns\_irsa\_role](#module\_external\_dns\_irsa\_role) | ../../modules/iam-role-for-service-accounts-eks | n/a |
| <a name="module_external_secrets_irsa_role"></a> [external\_secrets\_irsa\_role](#module\_external\_secrets\_irsa\_role) | ../../modules/iam-role-for-service-accounts-eks | n/a |
| <a name="module_fsx_lustre_csi_irsa_role"></a> [fsx\_lustre\_csi\_irsa\_role](#module\_fsx\_lustre\_csi\_irsa\_role) | ../../modules/iam-role-for-service-accounts-eks | n/a |
Expand All @@ -53,7 +54,7 @@ Run `terraform destroy` when you don't need these resources.
| <a name="module_load_balancer_controller_targetgroup_binding_only_irsa_role"></a> [load\_balancer\_controller\_targetgroup\_binding\_only\_irsa\_role](#module\_load\_balancer\_controller\_targetgroup\_binding\_only\_irsa\_role) | ../../modules/iam-role-for-service-accounts-eks | n/a |
| <a name="module_node_termination_handler_irsa_role"></a> [node\_termination\_handler\_irsa\_role](#module\_node\_termination\_handler\_irsa\_role) | ../../modules/iam-role-for-service-accounts-eks | n/a |
| <a name="module_velero_irsa_role"></a> [velero\_irsa\_role](#module\_velero\_irsa\_role) | ../../modules/iam-role-for-service-accounts-eks | n/a |
| <a name="module_vpc"></a> [vpc](#module\_vpc) | terraform-aws-modules/vpc/aws | ~> 4.0 |
| <a name="module_vpc"></a> [vpc](#module\_vpc) | terraform-aws-modules/vpc/aws | ~> 5.0 |
| <a name="module_vpc_cni_ipv4_irsa_role"></a> [vpc\_cni\_ipv4\_irsa\_role](#module\_vpc\_cni\_ipv4\_irsa\_role) | ../../modules/iam-role-for-service-accounts-eks | n/a |
| <a name="module_vpc_cni_ipv6_irsa_role"></a> [vpc\_cni\_ipv6\_irsa\_role](#module\_vpc\_cni\_ipv6\_irsa\_role) | ../../modules/iam-role-for-service-accounts-eks | n/a |

Expand Down
23 changes: 20 additions & 3 deletions examples/iam-role-for-service-accounts-eks/main.tf
Original file line number Diff line number Diff line change
Expand Up @@ -25,6 +25,7 @@ locals {
module "disabled" {
source = "../../modules/iam-role-for-service-accounts-eks"

role_name = "disabled"
create_role = false
}

Expand Down Expand Up @@ -352,6 +353,22 @@ module "vpc_cni_ipv6_irsa_role" {
tags = local.tags
}

module "cloudwatch_observability_irsa_role" {
source = "../../modules/iam-role-for-service-accounts-eks"

role_name = "cloudwatch-observability"
attach_cloudwatch_observability_policy = true

oidc_providers = {
ex = {
provider_arn = module.eks.oidc_provider_arn
namespace_service_accounts = ["amazon-cloudwatch:cloudwatch-agent"]
}
}

tags = local.tags
}

################################################################################
# Custom IRSA Roles
################################################################################
Expand Down Expand Up @@ -405,7 +422,7 @@ module "iam_eks_role" {

module "vpc" {
source = "terraform-aws-modules/vpc/aws"
version = "~> 4.0"
version = "~> 5.0"

name = local.name
cidr = local.vpc_cidr
Expand All @@ -430,10 +447,10 @@ module "vpc" {

module "eks" {
source = "terraform-aws-modules/eks/aws"
version = "~> 19.14"
version = "~> 19.21"

cluster_name = local.name
cluster_version = "1.26"
cluster_version = "1.28"

vpc_id = module.vpc.vpc_id
subnet_ids = module.vpc.private_subnets
Expand Down
2 changes: 2 additions & 0 deletions modules/iam-role-for-service-accounts-eks/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -139,6 +139,7 @@ No modules.
| [aws_iam_policy.velero](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
| [aws_iam_policy.vpc_cni](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
| [aws_iam_role.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
| [aws_iam_role_policy_attachment.amazon_cloudwatch_observability](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
| [aws_iam_role_policy_attachment.amazon_managed_service_prometheus](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
| [aws_iam_role_policy_attachment.appmesh_controller](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
| [aws_iam_role_policy_attachment.appmesh_envoy_proxy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
Expand Down Expand Up @@ -191,6 +192,7 @@ No modules.
| <a name="input_attach_appmesh_envoy_proxy_policy"></a> [attach\_appmesh\_envoy\_proxy\_policy](#input\_attach\_appmesh\_envoy\_proxy\_policy) | Determines whether to attach the Appmesh envoy proxy policy to the role | `bool` | `false` | no |
| <a name="input_attach_aws_gateway_controller_policy"></a> [attach\_aws\_gateway\_controller\_policy](#input\_attach\_aws\_gateway\_controller\_policy) | Determines whether to attach the AWS Gateway Controller IAM policy to the role | `bool` | `false` | no |
| <a name="input_attach_cert_manager_policy"></a> [attach\_cert\_manager\_policy](#input\_attach\_cert\_manager\_policy) | Determines whether to attach the Cert Manager IAM policy to the role | `bool` | `false` | no |
| <a name="input_attach_cloudwatch_observability_policy"></a> [attach\_cloudwatch\_observability\_policy](#input\_attach\_cloudwatch\_observability\_policy) | Determines whether to attach the Amazon CloudWatch Observability IAM policies to the role | `bool` | `false` | no |
| <a name="input_attach_cluster_autoscaler_policy"></a> [attach\_cluster\_autoscaler\_policy](#input\_attach\_cluster\_autoscaler\_policy) | Determines whether to attach the Cluster Autoscaler IAM policy to the role | `bool` | `false` | no |
| <a name="input_attach_ebs_csi_policy"></a> [attach\_ebs\_csi\_policy](#input\_attach\_ebs\_csi\_policy) | Determines whether to attach the EBS CSI IAM policy to the role | `bool` | `false` | no |
| <a name="input_attach_efs_csi_policy"></a> [attach\_efs\_csi\_policy](#input\_attach\_efs\_csi\_policy) | Determines whether to attach the EFS CSI IAM policy to the role | `bool` | `false` | no |
Expand Down
14 changes: 14 additions & 0 deletions modules/iam-role-for-service-accounts-eks/policies.tf
Original file line number Diff line number Diff line change
Expand Up @@ -1446,3 +1446,17 @@ resource "aws_iam_role_policy_attachment" "vpc_cni" {
role = aws_iam_role.this[0].name
policy_arn = aws_iam_policy.vpc_cni[0].arn
}

################################################################################
# Amazon CloudWatch Observability Policy
################################################################################

resource "aws_iam_role_policy_attachment" "amazon_cloudwatch_observability" {
for_each = { for k, v in {
CloudWatchAgentServerPolicy = "arn:${local.partition}:iam::aws:policy/CloudWatchAgentServerPolicy"
AWSXrayWriteOnlyAccess = "arn:${local.partition}:iam::aws:policy/AWSXrayWriteOnlyAccess"
} : k => v if var.create_role && var.attach_cloudwatch_observability_policy }

role = aws_iam_role.this[0].name
policy_arn = each.value
}
7 changes: 7 additions & 0 deletions modules/iam-role-for-service-accounts-eks/variables.tf
Original file line number Diff line number Diff line change
Expand Up @@ -350,3 +350,10 @@ variable "node_termination_handler_sqs_queue_arns" {
type = list(string)
default = ["*"]
}

# Amazon CloudWatch Observability
variable "attach_cloudwatch_observability_policy" {
description = "Determines whether to attach the Amazon CloudWatch Observability IAM policies to the role"
type = bool
default = false
}
1 change: 1 addition & 0 deletions wrappers/iam-role-for-service-accounts-eks/main.tf
Original file line number Diff line number Diff line change
Expand Up @@ -11,6 +11,7 @@ module "wrapper" {
attach_appmesh_envoy_proxy_policy = try(each.value.attach_appmesh_envoy_proxy_policy, var.defaults.attach_appmesh_envoy_proxy_policy, false)
attach_aws_gateway_controller_policy = try(each.value.attach_aws_gateway_controller_policy, var.defaults.attach_aws_gateway_controller_policy, false)
attach_cert_manager_policy = try(each.value.attach_cert_manager_policy, var.defaults.attach_cert_manager_policy, false)
attach_cloudwatch_observability_policy = try(each.value.attach_cloudwatch_observability_policy, var.defaults.attach_cloudwatch_observability_policy, false)
attach_cluster_autoscaler_policy = try(each.value.attach_cluster_autoscaler_policy, var.defaults.attach_cluster_autoscaler_policy, false)
attach_ebs_csi_policy = try(each.value.attach_ebs_csi_policy, var.defaults.attach_ebs_csi_policy, false)
attach_efs_csi_policy = try(each.value.attach_efs_csi_policy, var.defaults.attach_efs_csi_policy, false)
Expand Down

0 comments on commit 25e2bf9

Please sign in to comment.