From 2acad8ad86e40bf82c905183398757c279057ac4 Mon Sep 17 00:00:00 2001 
From: badra001 Date: Tue, 28 May 2024 17:05:11 -0400 Subject: [PATCH] add datadog-agent/ --- examples/extras/datadog-agent/.gitignore | 1 + examples/extras/datadog-agent/.tf-control | 20 ++ .../extras/datadog-agent/.tf-control.tfrc | 24 ++ .../extras/datadog-agent/datadog.values.yml | 106 ++++++ .../extras/datadog-agent/dd-agent.kubectl.log | 304 ++++++++++++++++++ examples/extras/datadog-agent/irsa.agent.tf | 59 ++++ .../datadog-agent/irsa.cluster-agent.tf | 59 ++++ examples/extras/datadog-agent/locals.tf | 17 + examples/extras/datadog-agent/main.tf | 150 +++++++++ examples/extras/datadog-agent/region.tf | 3 + examples/extras/datadog-agent/tf-run.data | 31 ++ .../extras/datadog-agent/tf-run.destroy.data | 6 + .../variables.datadog.auto.tfvars | 14 + .../extras/datadog-agent/variables.datadog.tf | 34 ++ .../variables.images.auto.tfvars | 51 +++ examples/extras/datadog-agent/variables.tf | 51 +++ 16 files changed, 930 insertions(+) create mode 100644 examples/extras/datadog-agent/.gitignore create mode 100644 examples/extras/datadog-agent/.tf-control create mode 100644 examples/extras/datadog-agent/.tf-control.tfrc create mode 100644 examples/extras/datadog-agent/datadog.values.yml create mode 100644 examples/extras/datadog-agent/dd-agent.kubectl.log create mode 100644 examples/extras/datadog-agent/irsa.agent.tf create mode 100644 examples/extras/datadog-agent/irsa.cluster-agent.tf create mode 100644 examples/extras/datadog-agent/locals.tf create mode 100644 examples/extras/datadog-agent/main.tf create mode 100644 examples/extras/datadog-agent/region.tf create mode 100644 examples/extras/datadog-agent/tf-run.data create mode 100644 examples/extras/datadog-agent/tf-run.destroy.data create mode 100644 examples/extras/datadog-agent/variables.datadog.auto.tfvars create mode 100644 examples/extras/datadog-agent/variables.datadog.tf create mode 100644 examples/extras/datadog-agent/variables.images.auto.tfvars create mode 100644 examples/extras/datadog-agent/variables.tf 
diff --git a/examples/extras/datadog-agent/.gitignore b/examples/extras/datadog-agent/.gitignore
new file mode 100644
index 0000000..775090b
--- /dev/null
+++ b/examples/extras/datadog-agent/.gitignore
@@ -0,0 +1 @@
+*.values
diff --git a/examples/extras/datadog-agent/.tf-control b/examples/extras/datadog-agent/.tf-control
new file mode 100644
index 0000000..280f449
--- /dev/null
+++ b/examples/extras/datadog-agent/.tf-control
@@ -0,0 +1,20 @@
+# .tf-control
+# allows for setting a specific command to be used for tf-* commands under this git repo
+# see tf-control.sh help for more info
+
+TFCONTROL_VERSION="1.0.5"
+
+TFCOMMAND="terraform_latest"
+# TF_CLI_CONFIG_FILE=PATH-TO-FILE/.tf-control.tfrc
+# TFARGS=""
+# TFNOLOG=""
+# TFNOCOLOR=""
+
+# use the following to force a specific version. An upgrade of an existing 0.12.31 to 1.x
+needs you to cycle through 0.13.17, 0.14.11, and then latest (0.15.5 not needed). Other
+steps in between. See https://github.e.it.census.gov/terraform/support/tree/master/docs/how-to/terraform-upgrade for details
+#
+#TFCOMMAND="terraform_0.12.31"
+#TFCOMMAND="terraform_0.13.7"
+#TFCOMMAND="terraform_0.14.11"
+#TFCOMMAND="terraform_0.15.5"
diff --git a/examples/extras/datadog-agent/.tf-control.tfrc b/examples/extras/datadog-agent/.tf-control.tfrc
new file mode 100644
index 0000000..7425488
--- /dev/null
+++ b/examples/extras/datadog-agent/.tf-control.tfrc
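Review bot: Lines 14–15 of the new .tf-control (`+needs you to cycle through …` and `+steps in between …`) continue the comment started on line 13 but carry no leading `#`, unlike every other prose line in the file; the file is written as shell-style assignments, so if tf-control.sh sources it those two lines would be parsed as commands rather than ignored (unless the `#` was lost when this patch was rendered, which is worth confirming against the repository). Prefix both so they read `# needs you to cycle through 0.13.17, 0.14.11, and then latest (0.15.5 not needed). Other` and `# steps in between. See … for details`. Since `TFCOMMAND="terraform_latest"` is the only live setting, the header comment could also state that the file is sourced, so that nothing beyond assignments and comments is added to it later. The upgrade link on line 15 points at an internal host that readers of an examples/ directory outside that network cannot reach, so a one-line summary of the version sequence next to it would make the comment self-contained.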
@@ -0,0 +1,24 @@
+TFCONTROL_VERSION="1.0.5"
+
+# https://www.terraform.io/docs/cli/config/config-file.html
+plugin_cache_dir = "/data/terraform/terraform.d/plugin-cache"
+#disable_checkpoint = true
+
+provider_installation {
+# filesystem_mirror {
+# path = "/apps/terraform/terraform.d/providers"
+# include = [ "*/*/*" ]
+# }
+ filesystem_mirror {
+ path = "/data/terraform/terraform.d/providers"
+ include = [ "*/*/*" ]
+ }
+# filesystem_mirror {
+# path = "/apps/terraform/terraform.d/providers"
+# include = [ "external.terraform.census.gov/*/*" ]
+# }
+ direct {
+ include = [ "*/*/*" ]
+ }
+}
+
diff --git a/examples/extras/datadog-agent/datadog.values.yml b/examples/extras/datadog-agent/datadog.values.yml
new file mode 100644
index 0000000..f242c56
--- /dev/null
+++ b/examples/extras/datadog-agent/datadog.values.yml
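Review bot: The `direct { include = [ "*/*/*" ] }` block at the end of `provider_installation` keeps the public registry as a fallback for every provider, so any provider that is missing from `/data/terraform/terraform.d/providers` is silently fetched from the registry instead of failing; if the filesystem mirror is meant to be the curated source of providers for this environment, drop the `direct` block, or list in its `include` only the providers that are expected to come from the registry, and say which in a comment. The first line, `TFCONTROL_VERSION="1.0.5"`, appears to be copied from .tf-control and is not a Terraform CLI configuration setting; whether Terraform ignores or rejects an unknown top-level attribute should be checked, and either way it belongs in a `#` comment. The `plugin_cache_dir` and mirror paths are absolute, site-specific locations, which is fine for an internal example but deserves a comment such as `# paths below are specific to the shared Terraform host; adjust before reuse`.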
@@ -0,0 +1,106 @@
+## Custom Values for our EKS
+## Default file located https://github.com/DataDog/helm-charts/blob/main/charts/datadog/values.yaml
+## Use this file as reference in TF Helm Resource
+datadog:
+# pass these in via set{}
+## apiKey: #
+## appKey: #
+## apiKeyExistingSecret: datadog-keys
+## appKeyExistingSecret: #
+## site: ddog-gov.com
+## proxy:
+## http: "http://proxy.tco.census.gov:3128"
+## https: "http://proxy.tco.census.gov:3128"
+ apm:
+ portEnabled: true
+ serviceMonitoring:
+ enabled: true
+ logs:
+ enabled: false
+ autoMultiLineDetection: false
+ processAgent:
+ processCollection: true
+ dogstatsd:
+ useHostPort: true
+ kubeStateMetricsEnabled: false
+ kubeStateMetricsCore:
+ enabled: true
+ kubelet:
+ tlsVerify: false
+ networkMonitoring:
+ enabled: true
+ env:
+ - name: DD_EC2_PREFER_IMDSV2
+ value: "true"
+ - name: DD_INVENTORIES_CONFIGURATION_ENABLED
+ value: "true"
+ - name: HTTP_PROXY
+ value: "http://proxy.tco.census.gov:3128"
+ - name: HTTPS_PROXY
+ value: "http://proxy.tco.census.gov:3128"
+ - name: NO_PROXY
+ value: ".census.gov,169.254.169.254,127.0.0.1/8,10.0.0.0/8,172.16.0.0/12,148.129.0.0/16,.local,.default,.eks.amazonaws.com"
+ - name: DD_HOSTNAME
+ valueFrom:
+ fieldRef:
+ fieldPath: spec.nodeName
+
+clusterAgent:
+ enabled: true
+ admissionController:
+ enabled: true
+ mutateUnlabelled: false
+ metricsProvider:
+ enabled: false
+# useDatadogMetrics: true
+ confd:
+ kube_apiserver_metrics.yaml: |-
+ cluster_check: true
+ init_config:
+ instances:
+ - prometheus_url: https://kubernetes.default/metrics
+ ssl_ca_cert: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
+ bearer_token_auth: true
+ kube_controller_manager.yaml: |-
+ cluster_check: true
+ init_config:
+ instances:
+ - prometheus_url: https://kubernetes.default/metrics
+ ssl_ca_cert: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
+ bearer_token_auth: true
+ env:
+ - name: DD_EC2_PREFER_IMDSV2
+ value: "true"
+ - name: HTTP_PROXY
+ value: "http://proxy.tco.census.gov:3128"
+ - name: HTTPS_PROXY
+ value: "http://proxy.tco.census.gov:3128"
+ - name: NO_PROXY
+ value: ".census.gov,169.254.169.254,127.0.0.1/8,10.0.0.0/8,172.16.0.0/12,148.129.0.0/16,.local,.default,.eks.amazonaws.com"
+ - name: DD_HOSTNAME
+ valueFrom:
+ fieldRef:
+ fieldPath: spec.nodeName
+
+#agents:
+# useConfigMap: true
+# customAgentConfig: true
+
+# fips:
+# enabled: true
+# use_https: false
+#
+# systemProbe:
+# collectDNSStats: false
+# enableOOMKill: false
+# enableTCPQueueLength: false
+#
+# securityAgent:
+# runtime:
+# enabled: true
+
+# https://docs.datadoghq.com/agent/troubleshooting/hostname_containers/?tab=helm
+## for DD_HOSTNAME
+
+# https://docs.datadoghq.com/containers/guide/cluster_agent_autoscaling_metrics/?tab=helm#setup-datadogmetric-crd
+## for datadog metrics (disable, do not want to autoscale based on DD metrics)
diff --git a/examples/extras/datadog-agent/dd-agent.kubectl.log b/examples/extras/datadog-agent/dd-agent.kubectl.log
new file mode 100644
index 0000000..c35b554
--- /dev/null
+++ b/examples/extras/datadog-agent/dd-agent.kubectl.log
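Review bot: `tlsVerify: false` under `datadog.kubelet` turns off certificate verification for the agent's connection to every node's kubelet, and nothing in the file records why the exception is needed; if this is the usual managed-cluster case (kubelet serving certificates not signed by the cluster CA), add a comment such as `# tlsVerify: false — kubelet serving cert is not signed by the cluster CA here; prefer the chart's kubelet.hostCAPath if a node CA bundle is available` so the relaxation is deliberate rather than inherited by the next copy of this example. The `kube_controller_manager.yaml` cluster check is a verbatim copy of the `kube_apiserver_metrics.yaml` block, including `prometheus_url: https://kubernetes.default/metrics`, so it scrapes the API server a second time under the controller-manager integration name; on a managed control plane the controller-manager endpoint is not reachable anyway, so this block is probably best removed rather than repointed. The `HTTP_PROXY`/`HTTPS_PROXY` env entries on both the agent and the cluster agent hard-code the same proxy that the header comment says is supplied through `datadog.proxy` via `set{}`, leaving two places to update when the proxy changes; keeping only one source, or noting in a comment why both are required (env applies to every container process, `datadog.proxy` only to the agent), would avoid drift.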
@@ -0,0 +1,304 @@ +# agent +% kubectl --kubeconfig setup/kube.config logs -n monitoring pod/datadog-agent-zfvlf -c agent +Error: unable to load Datadog config file: While parsing config: yaml: unmarshal errors: + +# trace-agent +% kubectl --kubeconfig setup/kube.config logs -n monitoring pod/datadog-agent-zfvlf -c trace-agent +WARNING: `-config` argument is deprecated and will be removed in a future version. Please use `--config` instead. +Usage: + trace-agent [command] [flags] + trace-agent [command] + +Available Commands: + completion Generate the autocompletion script for the specified shell + help Help about any command + info Gather Datadog trace-agent information. + run Start datadog trace-agent. + version Print the version info + +Flags: + -c, --config string path to directory containing datadog.yaml (default "/opt/datadog-agent/etc/datadog.yaml") + -l, --cpu-profile string enables CPU profiling and specifies profile path. + -h, --help help for trace-agent + -m, --mem-profile string enables memory profiling and specifies profile. + -p, --pidfile string path for the PID file to be created + +Use "trace-agent [command] --help" for more information about a command. 
+ +Error: unable to load Datadog config file: While parsing config: yaml: unmarshal errors: + +# fips-proxy +% kubectl --kubeconfig setup/kube.config logs -n monitoring pod/datadog-agent-zfvlf -c fips-proxy +HMAC : (Module_Integrity) : Pass +SHA1 : (KAT_Digest) : Pass +SHA2 : (KAT_Digest) : Pass +SHA3 : (KAT_Digest) : Pass +TDES : (KAT_Cipher) : Pass +AES_GCM : (KAT_Cipher) : Pass +AES_ECB_Decrypt : (KAT_Cipher) : Pass +RSA : (KAT_Signature) : RNG : (Continuous_RNG_Test) : Pass +Pass +ECDSA : (PCT_Signature) : Pass +ECDSA : (PCT_Signature) : Pass +DSA : (PCT_Signature) : Pass +TLS13_KDF_EXTRACT : (KAT_KDF) : Pass +TLS13_KDF_EXPAND : (KAT_KDF) : Pass +TLS12_PRF : (KAT_KDF) : Pass +PBKDF2 : (KAT_KDF) : Pass +SSHKDF : (KAT_KDF) : Pass +KBKDF : (KAT_KDF) : Pass +HKDF : (KAT_KDF) : Pass +SSKDF : (KAT_KDF) : Pass +X963KDF : (KAT_KDF) : Pass +X942KDF : (KAT_KDF) : Pass +HASH : (DRBG) : Pass +CTR : (DRBG) : Pass +HMAC : (DRBG) : Pass +DH : (KAT_KA) : Pass +ECDH : (KAT_KA) : Pass +RSA_Encrypt : (KAT_AsymmetricCipher) : Pass +RSA_Decrypt : (KAT_AsymmetricCipher) : Pass +RSA_Decrypt : (KAT_AsymmetricCipher) : Pass +INSTALL PASSED +VERIFY PASSED +[WARNING] (2291086) : *** HAPROXY IS RUNNING IN FIPS MODE *** +[WARNING] (2291086) : datadog-api/mothership1 changed its IP from (none) to 3.32.209.35 by my-dns/172.20.0.10. +[WARNING] (2291086) : Server datadog-api/mothership1 ('api.ddog-gov.com') is UP/READY (resolves again). +[WARNING] (2291086) : Server datadog-api/mothership1 administratively READY thanks to valid DNS answer. +[WARNING] (2291086) : datadog-api/mothership2 changed its IP from (none) to 3.32.209.31 by DNS cache. +[WARNING] (2291086) : Server datadog-api/mothership2 ('api.ddog-gov.com') is UP/READY (resolves again). +[WARNING] (2291086) : Server datadog-api/mothership2 administratively READY thanks to valid DNS answer. +[WARNING] (2291086) : datadog-api/mothership3 changed its IP from (none) to 3.32.209.32 by DNS cache. 
+[WARNING] (2291086) : Server datadog-api/mothership3 ('api.ddog-gov.com') is UP/READY (resolves again). +[WARNING] (2291086) : Server datadog-api/mothership3 administratively READY thanks to valid DNS answer. +[WARNING] (2291086) : datadog-database-monitoring-metrics/mothership1 changed its IP from (none) to 15.205.116.78 by my-dns/172.20.0.10. +[WARNING] (2291086) : Server datadog-database-monitoring-metrics/mothership1 ('dbm-metrics-intake.ddog-gov.com') is UP/READY (resolves again). +[WARNING] (2291086) : Server datadog-database-monitoring-metrics/mothership1 administratively READY thanks to valid DNS answer. +[WARNING] (2291086) : datadog-database-monitoring-metrics/mothership2 changed its IP from (none) to 3.30.33.52 by DNS cache. +[WARNING] (2291086) : Server datadog-database-monitoring-metrics/mothership2 ('dbm-metrics-intake.ddog-gov.com') is UP/READY (resolves again). +[WARNING] (2291086) : Server datadog-database-monitoring-metrics/mothership2 administratively READY thanks to valid DNS answer. +[WARNING] (2291086) : datadog-database-monitoring-metrics/mothership3 changed its IP from (none) to 15.200.117.57 by DNS cache. +[WARNING] (2291086) : Server datadog-database-monitoring-metrics/mothership3 ('dbm-metrics-intake.ddog-gov.com') is UP/READY (resolves again). +[WARNING] (2291086) : Server datadog-database-monitoring-metrics/mothership3 administratively READY thanks to valid DNS answer. +[WARNING] (2291086) : datadog-flare/mothership1 changed its IP from (none) to 3.32.209.59 by my-dns/172.20.0.10. +[WARNING] (2291086) : Server datadog-flare/mothership1 ('flare.ddog-gov.com') is UP/READY (resolves again). +[WARNING] (2291086) : Server datadog-flare/mothership1 administratively READY thanks to valid DNS answer. +[WARNING] (2291086) : datadog-flare/mothership2 changed its IP from (none) to 3.32.209.57 by DNS cache. +[WARNING] (2291086) : Server datadog-flare/mothership2 ('flare.ddog-gov.com') is UP/READY (resolves again). 
+[WARNING] (2291086) : Server datadog-flare/mothership2 administratively READY thanks to valid DNS answer. +[WARNING] (2291086) : datadog-flare/mothership3 changed its IP from (none) to 3.32.209.58 by DNS cache. +[WARNING] (2291086) : Server datadog-flare/mothership3 ('flare.ddog-gov.com') is UP/READY (resolves again). +[WARNING] (2291086) : Server datadog-flare/mothership3 administratively READY thanks to valid DNS answer. +[WARNING] (2291086) : datadog-metrics/mothership1 changed its IP from (none) to 3.30.62.176 by my-dns/172.20.0.10. +[WARNING] (2291086) : Server datadog-metrics/mothership1 ('haproxy-app.agent.ddog-gov.com') is UP/READY (resolves again). +[WARNING] (2291086) : Server datadog-metrics/mothership1 administratively READY thanks to valid DNS answer. +[WARNING] (2291086) : datadog-metrics/mothership2 changed its IP from (none) to 3.30.62.172 by DNS cache. +[WARNING] (2291086) : Server datadog-metrics/mothership2 ('haproxy-app.agent.ddog-gov.com') is UP/READY (resolves again). +[WARNING] (2291086) : Server datadog-metrics/mothership2 administratively READY thanks to valid DNS answer. +[WARNING] (2291086) : datadog-metrics/mothership3 changed its IP from (none) to 3.30.62.171 by DNS cache. +[WARNING] (2291086) : Server datadog-metrics/mothership3 ('haproxy-app.agent.ddog-gov.com') is UP/READY (resolves again). +[WARNING] (2291086) : Server datadog-metrics/mothership3 administratively READY thanks to valid DNS answer. +[WARNING] (2291086) : datadog-profiles/mothership1 changed its IP from (none) to 3.32.209.201 by my-dns/172.20.0.10. +[WARNING] (2291086) : Server datadog-profiles/mothership1 ('intake.profile.ddog-gov.com') is UP/READY (resolves again). +[WARNING] (2291086) : Server datadog-profiles/mothership1 administratively READY thanks to valid DNS answer. +[WARNING] (2291086) : datadog-profiles/mothership2 changed its IP from (none) to 3.32.209.202 by DNS cache. 
+[WARNING] (2291086) : Server datadog-profiles/mothership2 ('intake.profile.ddog-gov.com') is UP/READY (resolves again). +[WARNING] (2291086) : Server datadog-profiles/mothership2 administratively READY thanks to valid DNS answer. +[WARNING] (2291086) : datadog-profiles/mothership3 changed its IP from (none) to 3.32.209.199 by DNS cache. +[WARNING] (2291086) : Server datadog-profiles/mothership3 ('intake.profile.ddog-gov.com') is UP/READY (resolves again). +[WARNING] (2291086) : Server datadog-profiles/mothership3 administratively READY thanks to valid DNS answer. +[WARNING] (2291086) : datadog-traces/mothership1 changed its IP from (none) to 3.32.209.215 by my-dns/172.20.0.10. +[WARNING] (2291086) : Server datadog-traces/mothership1 ('trace.agent.ddog-gov.com') is UP/READY (resolves again). +[WARNING] (2291086) : Server datadog-traces/mothership1 administratively READY thanks to valid DNS answer. +[WARNING] (2291086) : datadog-traces/mothership2 changed its IP from (none) to 3.32.209.216 by DNS cache. +[WARNING] (2291086) : Server datadog-traces/mothership2 ('trace.agent.ddog-gov.com') is UP/READY (resolves again). +[WARNING] (2291086) : Server datadog-traces/mothership2 administratively READY thanks to valid DNS answer. +[WARNING] (2291086) : datadog-traces/mothership3 changed its IP from (none) to 3.32.209.218 by DNS cache. +[WARNING] (2291086) : Server datadog-traces/mothership3 ('trace.agent.ddog-gov.com') is UP/READY (resolves again). +[WARNING] (2291086) : Server datadog-traces/mothership3 administratively READY thanks to valid DNS answer. +[WARNING] (2291086) : datadog-network-devices-netflow/mothership1 changed its IP from (none) to 3.32.209.201 by my-dns/172.20.0.10. +[WARNING] (2291086) : Server datadog-network-devices-netflow/mothership1 ('ndmflow-intake.ddog-gov.com') is UP/READY (resolves again). +[WARNING] (2291086) : Server datadog-network-devices-netflow/mothership1 administratively READY thanks to valid DNS answer. 
+[WARNING] (2291086) : datadog-network-devices-netflow/mothership2 changed its IP from (none) to 3.32.209.202 by DNS cache. +[WARNING] (2291086) : Server datadog-network-devices-netflow/mothership2 ('ndmflow-intake.ddog-gov.com') is UP/READY (resolves again). +[WARNING] (2291086) : Server datadog-network-devices-netflow/mothership2 administratively READY thanks to valid DNS answer. +[WARNING] (2291086) : datadog-network-devices-netflow/mothership3 changed its IP from (none) to 3.32.209.199 by DNS cache. +[WARNING] (2291086) : Server datadog-network-devices-netflow/mothership3 ('ndmflow-intake.ddog-gov.com') is UP/READY (resolves again). +[WARNING] (2291086) : Server datadog-network-devices-netflow/mothership3 administratively READY thanks to valid DNS answer. +[WARNING] (2291086) : datadog-database-monitoring-samples/mothership1 changed its IP from (none) to 15.200.117.57 by my-dns/172.20.0.10. +[WARNING] (2291086) : Server datadog-database-monitoring-samples/mothership1 ('dbquery-intake.ddog-gov.com') is UP/READY (resolves again). +[WARNING] (2291086) : Server datadog-database-monitoring-samples/mothership1 administratively READY thanks to valid DNS answer. +[WARNING] (2291086) : datadog-database-monitoring-samples/mothership2 changed its IP from (none) to 3.30.33.52 by DNS cache. +[WARNING] (2291086) : Server datadog-database-monitoring-samples/mothership2 ('dbquery-intake.ddog-gov.com') is UP/READY (resolves again). +[WARNING] (2291086) : Server datadog-database-monitoring-samples/mothership2 administratively READY thanks to valid DNS answer. +[WARNING] (2291086) : datadog-database-monitoring-samples/mothership3 changed its IP from (none) to 15.205.116.78 by DNS cache. +[WARNING] (2291086) : Server datadog-database-monitoring-samples/mothership3 ('dbquery-intake.ddog-gov.com') is UP/READY (resolves again). +[WARNING] (2291086) : Server datadog-database-monitoring-samples/mothership3 administratively READY thanks to valid DNS answer. 
+[WARNING] (2291086) : datadog-processes/mothership1 changed its IP from (none) to 3.30.62.159 by my-dns/172.20.0.10. +[WARNING] (2291086) : Server datadog-processes/mothership1 ('process.ddog-gov.com') is UP/READY (resolves again). +[WARNING] (2291086) : Server datadog-processes/mothership1 administratively READY thanks to valid DNS answer. +[WARNING] (2291086) : datadog-processes/mothership2 changed its IP from (none) to 3.30.62.164 by DNS cache. +[WARNING] (2291086) : Server datadog-processes/mothership2 ('process.ddog-gov.com') is UP/READY (resolves again). +[WARNING] (2291086) : Server datadog-processes/mothership2 administratively READY thanks to valid DNS answer. +[WARNING] (2291086) : datadog-processes/mothership3 changed its IP from (none) to 3.30.62.160 by DNS cache. +[WARNING] (2291086) : Server datadog-processes/mothership3 ('process.ddog-gov.com') is UP/READY (resolves again). +[WARNING] (2291086) : Server datadog-processes/mothership3 administratively READY thanks to valid DNS answer. +[WARNING] (2291086) : datadog-synthetics/mothership1 changed its IP from (none) to 3.30.62.132 by my-dns/172.20.0.10. +[WARNING] (2291086) : Server datadog-synthetics/mothership1 ('intake.synthetics.ddog-gov.com') is UP/READY (resolves again). +[WARNING] (2291086) : Server datadog-synthetics/mothership1 administratively READY thanks to valid DNS answer. +[WARNING] (2291086) : datadog-synthetics/mothership2 changed its IP from (none) to 3.30.62.133 by DNS cache. +[WARNING] (2291086) : Server datadog-synthetics/mothership2 ('intake.synthetics.ddog-gov.com') is UP/READY (resolves again). +[WARNING] (2291086) : Server datadog-synthetics/mothership2 administratively READY thanks to valid DNS answer. +[WARNING] (2291086) : datadog-synthetics/mothership3 changed its IP from (none) to 3.30.62.127 by DNS cache. +[WARNING] (2291086) : Server datadog-synthetics/mothership3 ('intake.synthetics.ddog-gov.com') is UP/READY (resolves again). 
+[WARNING] (2291086) : Server datadog-synthetics/mothership3 administratively READY thanks to valid DNS answer. +[WARNING] (2291086) : datadog-instrumentations-telemetry/mothership1 changed its IP from (none) to 3.32.209.58 by my-dns/172.20.0.10. +[WARNING] (2291086) : Server datadog-instrumentations-telemetry/mothership1 ('instrumentation-telemetry-intake.ddog-gov.com') is UP/READY (resolves again). +[WARNING] (2291086) : Server datadog-instrumentations-telemetry/mothership1 administratively READY thanks to valid DNS answer. +[WARNING] (2291086) : datadog-instrumentations-telemetry/mothership2 changed its IP from (none) to 3.32.209.57 by DNS cache. +[WARNING] (2291086) : Server datadog-instrumentations-telemetry/mothership2 ('instrumentation-telemetry-intake.ddog-gov.com') is UP/READY (resolves again). +[WARNING] (2291086) : Server datadog-instrumentations-telemetry/mothership2 administratively READY thanks to valid DNS answer. +[WARNING] (2291086) : datadog-instrumentations-telemetry/mothership3 changed its IP from (none) to 3.32.209.59 by DNS cache. +[WARNING] (2291086) : Server datadog-instrumentations-telemetry/mothership3 ('instrumentation-telemetry-intake.ddog-gov.com') is UP/READY (resolves again). +[WARNING] (2291086) : Server datadog-instrumentations-telemetry/mothership3 administratively READY thanks to valid DNS answer. +[WARNING] (2291086) : datadog-network-devices-metadata/mothership1 changed its IP from (none) to 3.32.209.199 by my-dns/172.20.0.10. +[WARNING] (2291086) : Server datadog-network-devices-metadata/mothership1 ('ndm-intake.ddog-gov.com') is UP/READY (resolves again). +[WARNING] (2291086) : Server datadog-network-devices-metadata/mothership1 administratively READY thanks to valid DNS answer. +[WARNING] (2291086) : datadog-network-devices-metadata/mothership2 changed its IP from (none) to 3.32.209.201 by DNS cache. 
+[WARNING] (2291086) : Server datadog-network-devices-metadata/mothership2 ('ndm-intake.ddog-gov.com') is UP/READY (resolves again). +[WARNING] (2291086) : Server datadog-network-devices-metadata/mothership2 administratively READY thanks to valid DNS answer. +[WARNING] (2291086) : datadog-network-devices-metadata/mothership3 changed its IP from (none) to 3.32.209.202 by DNS cache. +[WARNING] (2291086) : Server datadog-network-devices-metadata/mothership3 ('ndm-intake.ddog-gov.com') is UP/READY (resolves again). +[WARNING] (2291086) : Server datadog-network-devices-metadata/mothership3 administratively READY thanks to valid DNS answer. +[WARNING] (2291086) : datadog-logs-http/mothership1 changed its IP from (none) to 3.32.209.243 by my-dns/172.20.0.10. +[WARNING] (2291086) : Server datadog-logs-http/mothership1 ('agent-http-intake.logs.ddog-gov.com') is UP/READY (resolves again). +[WARNING] (2291086) : Server datadog-logs-http/mothership1 administratively READY thanks to valid DNS answer. +[WARNING] (2291086) : datadog-logs-http/mothership2 changed its IP from (none) to 3.32.209.245 by DNS cache. +[WARNING] (2291086) : Server datadog-logs-http/mothership2 ('agent-http-intake.logs.ddog-gov.com') is UP/READY (resolves again). +[WARNING] (2291086) : Server datadog-logs-http/mothership2 administratively READY thanks to valid DNS answer. +[WARNING] (2291086) : datadog-logs-http/mothership3 changed its IP from (none) to 3.32.209.244 by DNS cache. +[WARNING] (2291086) : Server datadog-logs-http/mothership3 ('agent-http-intake.logs.ddog-gov.com') is UP/READY (resolves again). +[WARNING] (2291086) : Server datadog-logs-http/mothership3 administratively READY thanks to valid DNS answer. +[WARNING] (2291086) : datadog-runtime-security/mothership1 changed its IP from (none) to 3.32.209.245 by my-dns/172.20.0.10. +[WARNING] (2291086) : Server datadog-runtime-security/mothership1 ('runtime-security-http-intake.logs.ddog-gov.com') is UP/READY (resolves again). 
+[WARNING] (2291086) : Server datadog-runtime-security/mothership1 administratively READY thanks to valid DNS answer. +[WARNING] (2291086) : datadog-runtime-security/mothership2 changed its IP from (none) to 3.32.209.243 by DNS cache. +[WARNING] (2291086) : Server datadog-runtime-security/mothership2 ('runtime-security-http-intake.logs.ddog-gov.com') is UP/READY (resolves again). +[WARNING] (2291086) : Server datadog-runtime-security/mothership2 administratively READY thanks to valid DNS answer. +[WARNING] (2291086) : datadog-runtime-security/mothership3 changed its IP from (none) to 3.32.209.244 by DNS cache. +[WARNING] (2291086) : Server datadog-runtime-security/mothership3 ('runtime-security-http-intake.logs.ddog-gov.com') is UP/READY (resolves again). +[WARNING] (2291086) : Server datadog-runtime-security/mothership3 administratively READY thanks to valid DNS answer. +[WARNING] (2291086) : datadog-network-devices-snmp-traps/mothership1 changed its IP from (none) to 3.32.209.199 by my-dns/172.20.0.10. +[WARNING] (2291086) : Server datadog-network-devices-snmp-traps/mothership1 ('snmp-traps-intake.ddog-gov.com') is UP/READY (resolves again). +[WARNING] (2291086) : Server datadog-network-devices-snmp-traps/mothership1 administratively READY thanks to valid DNS answer. +[WARNING] (2291086) : datadog-network-devices-snmp-traps/mothership2 changed its IP from (none) to 3.32.209.202 by DNS cache. +[WARNING] (2291086) : Server datadog-network-devices-snmp-traps/mothership2 ('snmp-traps-intake.ddog-gov.com') is UP/READY (resolves again). +[WARNING] (2291086) : Server datadog-network-devices-snmp-traps/mothership2 administratively READY thanks to valid DNS answer. +[WARNING] (2291086) : datadog-network-devices-snmp-traps/mothership3 changed its IP from (none) to 3.32.209.201 by DNS cache. +[WARNING] (2291086) : Server datadog-network-devices-snmp-traps/mothership3 ('snmp-traps-intake.ddog-gov.com') is UP/READY (resolves again). 
+[WARNING] (2291086) : Server datadog-network-devices-snmp-traps/mothership3 administratively READY thanks to valid DNS answer. +[WARNING] (2291086) : datadog-orchestrator-explorer/mothership1 changed its IP from (none) to 3.30.62.148 by my-dns/172.20.0.10. +[WARNING] (2291086) : Server datadog-orchestrator-explorer/mothership1 ('orchestrator.ddog-gov.com') is UP/READY (resolves again). +[WARNING] (2291086) : Server datadog-orchestrator-explorer/mothership1 administratively READY thanks to valid DNS answer. +[WARNING] (2291086) : datadog-orchestrator-explorer/mothership2 changed its IP from (none) to 3.30.62.144 by DNS cache. +[WARNING] (2291086) : Server datadog-orchestrator-explorer/mothership2 ('orchestrator.ddog-gov.com') is UP/READY (resolves again). +[WARNING] (2291086) : Server datadog-orchestrator-explorer/mothership2 administratively READY thanks to valid DNS answer. +[WARNING] (2291086) : datadog-orchestrator-explorer/mothership3 changed its IP from (none) to 3.30.62.149 by DNS cache. +[WARNING] (2291086) : Server datadog-orchestrator-explorer/mothership3 ('orchestrator.ddog-gov.com') is UP/READY (resolves again). +[WARNING] (2291086) : Server datadog-orchestrator-explorer/mothership3 administratively READY thanks to valid DNS answer. +[WARNING] (2291086) : Server datadog-metrics/mothership2 is DOWN, reason: Layer4 timeout, check duration: 10001ms. 2 active and 0 backup servers left. 0 sessions active, 0 requeued, 0 remaining in queue. +[WARNING] (2291086) : Server datadog-metrics/mothership3 is DOWN, reason: Layer4 timeout, check duration: 10000ms. 1 active and 0 backup servers left. 0 sessions active, 0 requeued, 0 remaining in queue. +[WARNING] (2291086) : Server datadog-api/mothership1 is DOWN, reason: Layer4 timeout, check duration: 10001ms. 2 active and 0 backup servers left. 0 sessions active, 0 requeued, 0 remaining in queue. +[WARNING] (2291086) : Server datadog-api/mothership2 is DOWN, reason: Layer4 timeout, check duration: 10001ms. 
1 active and 0 backup servers left. 0 sessions active, 0 requeued, 0 remaining in queue. +[WARNING] (2291086) : Server datadog-api/mothership3 is DOWN, reason: Layer4 timeout, check duration: 10001ms. 0 active and 0 backup servers left. 0 sessions active, 0 requeued, 0 remaining in queue. +[NOTICE] (2291086) : haproxy version is 2.4.25-6cfe787 +[NOTICE] (2291086) : path to executable is /opt/datadog-fips-proxy/embedded/sbin/haproxy +[ALERT] (2291086) : backend 'datadog-api' has no server available! +[WARNING] (2291086) : Server datadog-flare/mothership1 is DOWN, reason: Layer4 timeout, check duration: 10003ms. 2 active and 0 backup servers left. 0 sessions active, 0 requeued, 0 remaining in queue. +[WARNING] (2291086) : Server datadog-flare/mothership2 is DOWN, reason: Layer4 timeout, check duration: 10001ms. 1 active and 0 backup servers left. 0 sessions active, 0 requeued, 0 remaining in queue. +[WARNING] (2291086) : Server datadog-flare/mothership3 is DOWN, reason: Layer4 timeout, check duration: 10001ms. 0 active and 0 backup servers left. 0 sessions active, 0 requeued, 0 remaining in queue. +[ALERT] (2291086) : backend 'datadog-flare' has no server available! +[WARNING] (2291086) : Server datadog-traces/mothership1 is DOWN, reason: Layer4 timeout, check duration: 10000ms. 2 active and 0 backup servers left. 0 sessions active, 0 requeued, 0 remaining in queue. +[WARNING] (2291086) : Server datadog-traces/mothership2 is DOWN, reason: Layer4 timeout, check duration: 10000ms. 1 active and 0 backup servers left. 0 sessions active, 0 requeued, 0 remaining in queue. +[WARNING] (2291086) : Server datadog-traces/mothership3 is DOWN, reason: Layer4 timeout, check duration: 10000ms. 0 active and 0 backup servers left. 0 sessions active, 0 requeued, 0 remaining in queue. +[ALERT] (2291086) : backend 'datadog-traces' has no server available! +[WARNING] (2291086) : Server datadog-profiles/mothership1 is DOWN, reason: Layer4 timeout, check duration: 10000ms. 
2 active and 0 backup servers left. 0 sessions active, 0 requeued, 0 remaining in queue. +[WARNING] (2291086) : Server datadog-profiles/mothership2 is DOWN, reason: Layer4 timeout, check duration: 10001ms. 1 active and 0 backup servers left. 0 sessions active, 0 requeued, 0 remaining in queue. +[WARNING] (2291086) : Server datadog-profiles/mothership3 is DOWN, reason: Layer4 timeout, check duration: 10000ms. 0 active and 0 backup servers left. 0 sessions active, 0 requeued, 0 remaining in queue. +[ALERT] (2291086) : backend 'datadog-profiles' has no server available! +[WARNING] (2291086) : Server datadog-processes/mothership1 is DOWN, reason: Layer4 timeout, check duration: 10000ms. 2 active and 0 backup servers left. 0 sessions active, 0 requeued, 0 remaining in queue. +[WARNING] (2291086) : Server datadog-processes/mothership2 is DOWN, reason: Layer4 timeout, check duration: 10001ms. 1 active and 0 backup servers left. 0 sessions active, 0 requeued, 0 remaining in queue. +[WARNING] (2291086) : Server datadog-processes/mothership3 is DOWN, reason: Layer4 timeout, check duration: 10001ms. 0 active and 0 backup servers left. 0 sessions active, 0 requeued, 0 remaining in queue. +[ALERT] (2291086) : backend 'datadog-processes' has no server available! +[WARNING] (2291086) : Server datadog-logs-http/mothership1 is DOWN, reason: Layer4 timeout, check duration: 10001ms. 2 active and 0 backup servers left. 0 sessions active, 0 requeued, 0 remaining in queue. +[WARNING] (2291086) : Server datadog-logs-http/mothership2 is DOWN, reason: Layer4 timeout, check duration: 10001ms. 1 active and 0 backup servers left. 0 sessions active, 0 requeued, 0 remaining in queue. +[WARNING] (2291086) : Server datadog-logs-http/mothership3 is DOWN, reason: Layer4 timeout, check duration: 10000ms. 0 active and 0 backup servers left. 0 sessions active, 0 requeued, 0 remaining in queue. +[ALERT] (2291086) : backend 'datadog-logs-http' has no server available! 
+[WARNING] (2291086) : Server datadog-database-monitoring-metrics/mothership1 is DOWN, reason: Layer4 timeout, check duration: 10000ms. 2 active and 0 backup servers left. 0 sessions active, 0 requeued, 0 remaining in queue. +[WARNING] (2291086) : Server datadog-database-monitoring-metrics/mothership2 is DOWN, reason: Layer4 timeout, check duration: 10001ms. 1 active and 0 backup servers left. 0 sessions active, 0 requeued, 0 remaining in queue. +[WARNING] (2291086) : Server datadog-database-monitoring-metrics/mothership3 is DOWN, reason: Layer4 timeout, check duration: 10001ms. 0 active and 0 backup servers left. 0 sessions active, 0 requeued, 0 remaining in queue. +[ALERT] (2291086) : backend 'datadog-database-monitoring-metrics' has no server available! +[WARNING] (2291086) : Server datadog-database-monitoring-samples/mothership1 is DOWN, reason: Layer4 timeout, check duration: 10002ms. 2 active and 0 backup servers left. 0 sessions active, 0 requeued, 0 remaining in queue. +[WARNING] (2291086) : Server datadog-database-monitoring-samples/mothership2 is DOWN, reason: Layer4 timeout, check duration: 10001ms. 1 active and 0 backup servers left. 0 sessions active, 0 requeued, 0 remaining in queue. +[WARNING] (2291086) : Server datadog-database-monitoring-samples/mothership3 is DOWN, reason: Layer4 timeout, check duration: 10000ms. 0 active and 0 backup servers left. 0 sessions active, 0 requeued, 0 remaining in queue. +[ALERT] (2291086) : backend 'datadog-database-monitoring-samples' has no server available! +[WARNING] (2291086) : Server datadog-network-devices-metadata/mothership1 is DOWN, reason: Layer4 timeout, check duration: 10001ms. 2 active and 0 backup servers left. 0 sessions active, 0 requeued, 0 remaining in queue. +[WARNING] (2291086) : Server datadog-network-devices-metadata/mothership2 is DOWN, reason: Layer4 timeout, check duration: 10001ms. 1 active and 0 backup servers left. 0 sessions active, 0 requeued, 0 remaining in queue. 
+[WARNING] (2291086) : Server datadog-network-devices-metadata/mothership3 is DOWN, reason: Layer4 timeout, check duration: 10000ms. 0 active and 0 backup servers left. 0 sessions active, 0 requeued, 0 remaining in queue. +[ALERT] (2291086) : backend 'datadog-network-devices-metadata' has no server available! +[WARNING] (2291086) : Server datadog-network-devices-snmp-traps/mothership1 is DOWN, reason: Layer4 timeout, check duration: 10001ms. 2 active and 0 backup servers left. 0 sessions active, 0 requeued, 0 remaining in queue. +[WARNING] (2291086) : Server datadog-network-devices-snmp-traps/mothership2 is DOWN, reason: Layer4 timeout, check duration: 10001ms. 1 active and 0 backup servers left. 0 sessions active, 0 requeued, 0 remaining in queue. +[WARNING] (2291086) : Server datadog-network-devices-snmp-traps/mothership3 is DOWN, reason: Layer4 timeout, check duration: 10001ms. 0 active and 0 backup servers left. 0 sessions active, 0 requeued, 0 remaining in queue. +[ALERT] (2291086) : backend 'datadog-network-devices-snmp-traps' has no server available! +[WARNING] (2291086) : Server datadog-network-devices-netflow/mothership1 is DOWN, reason: Layer4 timeout, check duration: 10001ms. 2 active and 0 backup servers left. 0 sessions active, 0 requeued, 0 remaining in queue. +[WARNING] (2291086) : Server datadog-network-devices-netflow/mothership2 is DOWN, reason: Layer4 timeout, check duration: 10001ms. 1 active and 0 backup servers left. 0 sessions active, 0 requeued, 0 remaining in queue. +[WARNING] (2291086) : Server datadog-network-devices-netflow/mothership3 is DOWN, reason: Layer4 timeout, check duration: 10001ms. 0 active and 0 backup servers left. 0 sessions active, 0 requeued, 0 remaining in queue. +[ALERT] (2291086) : backend 'datadog-network-devices-netflow' has no server available! +[WARNING] (2291086) : Server datadog-instrumentations-telemetry/mothership1 is DOWN, reason: Layer4 timeout, check duration: 10001ms. 2 active and 0 backup servers left. 
0 sessions active, 0 requeued, 0 remaining in queue. +[WARNING] (2291086) : Server datadog-instrumentations-telemetry/mothership2 is DOWN, reason: Layer4 timeout, check duration: 10001ms. 1 active and 0 backup servers left. 0 sessions active, 0 requeued, 0 remaining in queue. +[WARNING] (2291086) : Server datadog-instrumentations-telemetry/mothership3 is DOWN, reason: Layer4 timeout, check duration: 10001ms. 0 active and 0 backup servers left. 0 sessions active, 0 requeued, 0 remaining in queue. +[ALERT] (2291086) : backend 'datadog-instrumentations-telemetry' has no server available! +[WARNING] (2291086) : Server datadog-synthetics/mothership1 is DOWN, reason: Layer4 timeout, check duration: 10000ms. 2 active and 0 backup servers left. 0 sessions active, 0 requeued, 0 remaining in queue. +[WARNING] (2291086) : Server datadog-synthetics/mothership2 is DOWN, reason: Layer4 timeout, check duration: 10000ms. 1 active and 0 backup servers left. 0 sessions active, 0 requeued, 0 remaining in queue. +[WARNING] (2291086) : Server datadog-synthetics/mothership3 is DOWN, reason: Layer4 timeout, check duration: 10001ms. 0 active and 0 backup servers left. 0 sessions active, 0 requeued, 0 remaining in queue. +[ALERT] (2291086) : backend 'datadog-synthetics' has no server available! +[WARNING] (2291086) : Server datadog-orchestrator-explorer/mothership1 is DOWN, reason: Layer4 timeout, check duration: 10000ms. 2 active and 0 backup servers left. 0 sessions active, 0 requeued, 0 remaining in queue. +[WARNING] (2291086) : Server datadog-orchestrator-explorer/mothership2 is DOWN, reason: Layer4 timeout, check duration: 10001ms. 1 active and 0 backup servers left. 0 sessions active, 0 requeued, 0 remaining in queue. +[WARNING] (2291086) : Server datadog-orchestrator-explorer/mothership3 is DOWN, reason: Layer4 timeout, check duration: 10001ms. 0 active and 0 backup servers left. 0 sessions active, 0 requeued, 0 remaining in queue. 
+[ALERT] (2291086) : backend 'datadog-orchestrator-explorer' has no server available! +[WARNING] (2291086) : Server datadog-runtime-security/mothership1 is DOWN, reason: Layer4 timeout, check duration: 10000ms. 2 active and 0 backup servers left. 0 sessions active, 0 requeued, 0 remaining in queue. +[WARNING] (2291086) : Server datadog-runtime-security/mothership2 is DOWN, reason: Layer4 timeout, check duration: 10000ms. 1 active and 0 backup servers left. 0 sessions active, 0 requeued, 0 remaining in queue. +[WARNING] (2291086) : Server datadog-runtime-security/mothership3 is DOWN, reason: Layer4 timeout, check duration: 10001ms. 0 active and 0 backup servers left. 0 sessions active, 0 requeued, 0 remaining in queue. +[ALERT] (2291086) : backend 'datadog-runtime-security' has no server available! +[WARNING] (2291086) : Server datadog-metrics/mothership1 is DOWN, reason: Layer4 timeout, check duration: 10001ms. 0 active and 0 backup servers left. 0 sessions active, 0 requeued, 0 remaining in queue. +[ALERT] (2291086) : backend 'datadog-metrics' has no server available! 
+ +# process-agent +% kubectl --kubeconfig setup/kube.config logs -n monitoring pod/datadog-agent-zfvlf -c process-agent +Failed to initialize the process agent: unable to load Datadog config file: While parsing config: yaml: unmarshal errors: + +# system-probe +% kubectl --kubeconfig setup/kube.config logs -n monitoring pod/datadog-agent-zfvlf -c system-probe +2024-03-08 21:16:49 UTC | SYS-PROBE | WARN | (pkg/util/log/log.go:693 in func1) | Unknown key in config file: runtime_security_config.syscall_monitor.enabled +2024-03-08 21:16:49 UTC | SYS-PROBE | WARN | (pkg/util/log/log.go:693 in func1) | Unknown key in config file: runtime_security_config.network.enabled +2024-03-08 21:16:49 UTC | SYS-PROBE | WARN | (pkg/util/log/log.go:693 in func1) | Unknown key in config file: runtime_security_config.activity_dump.cgroup_wait_list_size +2024-03-08 21:16:49 UTC | SYS-PROBE | WARN | (pkg/util/log/log.go:693 in func1) | Unknown key in config file: runtime_security_config.activity_dump.path_merge.enabled +2024-03-08 21:16:49 UTC | SYS-PROBE | WARN | (pkg/util/log/log.go:688 in func1) | configuration key `network_config.enable_http_monitoring` is deprecated, use `service_monitoring_config.enable_http_monitoring` instead +2024-03-08 21:16:49 UTC | SYS-PROBE | WARN | (pkg/util/log/log.go:688 in func1) | configuration key `network_config.enable_https_monitoring` is deprecated, use `service_monitoring_config.tls.native.enabled` instead +2024-03-08 21:16:49 UTC | SYS-PROBE | WARN | (pkg/util/log/log.go:688 in func1) | configuration key `runtime_security_config.activity_dump.cgroup_dump_timeout` is deprecated, use `runtime_security_config.activity_dump.dump_duration` instead +2024-03-08 21:16:49 UTC | SYS-PROBE | WARN | (pkg/config/model/viper.go:340 in GetStringSlice) | failed to get configuration value for key "flare_stripped_keys": unable to cast of type to []string +2024-03-08 21:16:49 UTC | SYS-PROBE | WARN | (pkg/config/setup/config.go:1549 in LoadDatadogCustom) | Error 
loading config: While parsing config: yaml: unmarshal errors:
+ line 1: cannot unmarshal !!bool `true` into map[string]interface {}
+2024-03-08 21:16:49 UTC | SYS-PROBE | INFO | (pkg/config/env/environment_detection.go:124 in DetectFeatures) | 1 Features detected from environment: kubernetes
+Error: unable to load Datadog config file: While parsing config: yaml: unmarshal errors:
+
+# init-volume
+% kubectl --kubeconfig setup/kube.config logs -n monitoring pod/datadog-agent-zfvlf -c init-volume
+
+# init-config
+% kubectl --kubeconfig setup/kube.config logs -n monitoring pod/datadog-agent-zfvlf -c init-config
+Disabling the apiserver check as leader election is disabled
+
+# seccomp-setup
+% kubectl --kubeconfig setup/kube.config logs -n monitoring pod/datadog-agent-zfvlf -c seccomp-setup
+
diff --git a/examples/extras/datadog-agent/irsa.agent.tf b/examples/extras/datadog-agent/irsa.agent.tf
new file mode 100644
index 0000000..745284a
--- /dev/null
+++ b/examples/extras/datadog-agent/irsa.agent.tf
@@ -0,0 +1,59 @@
+module "role_agent" {
+ source = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks"
+
+ role_description = "EKS IAM Role for ${var.cluster_name} for service account ${var.namespace}:${var.agent_name}"
+ role_name = format("%v%v-irsa__%v", local._prefixes["eks-role"], var.cluster_name, var.agent_name)
+
+ role_policy_arns = {
+ policy = aws_iam_policy.policy_agent.arn
+ }
+
+ oidc_providers = {
+ main = {
+ provider_arn = local.oidc_provider_arn
+ namespace_service_accounts = [format("%v:%v", var.namespace, var.agent_name)]
+ }
+ }
+
+ tags = merge(
+ local.base_tags,
+ local.common_tags,
+ var.application_tags,
+ {
+ "eks:namespace" = var.namespace
+ "eks:user" = var.agent_name
+ }
+ )
+}
+
+data "aws_iam_policy_document" "policy_agent" {
+ statement {
+ sid = "DataDogAccess"
+ effect = "Allow"
+ resources = ["*"]
+ actions = [
+ "ec2:DescribeTags",
+ "ec2:DescribeSecurityGroups",
+ "ec2:DescribeInstances",
+ "ec2:DescribeInstanceStatus",
+ ]
+ }
+}
+
+resource "aws_iam_policy" "policy_agent" {
+ name = format("%v%v-irsa__%v", local._prefixes["eks-policy"], var.cluster_name, var.agent_name)
+ description = "EKS IAM Policy for ${var.cluster_name} for service account ${var.namespace}:${var.agent_name}"
+ path = "/"
+ policy = data.aws_iam_policy_document.policy_agent.json
+
+ tags = merge(
+ local.base_tags,
+ local.common_tags,
+ var.application_tags,
+ {
+ "Name" = format("%v%v-irsa__%v", local._prefixes["eks-policy"], var.cluster_name, var.agent_name)
+ "eks:namespace" = var.namespace
+ "eks:user" = var.agent_name
+ }
+ )
+}
diff --git a/examples/extras/datadog-agent/irsa.cluster-agent.tf b/examples/extras/datadog-agent/irsa.cluster-agent.tf
new file mode 100644
index 0000000..8b74db4
--- /dev/null
+++ b/examples/extras/datadog-agent/irsa.cluster-agent.tf
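Review bot: The `resources = ["*"]` in the `DataDogAccess` statement of `data "aws_iam_policy_document" "policy_agent"` needs a why-comment, because a reader auditing this policy cannot tell whether the wildcard is deliberate or a shortcut. The four `ec2:Describe*` actions do not support resource-level permissions, so `*` is the only valid scope here; I would add `# ec2:Describe* actions do not support resource-level permissions, so "*" is the required scope` directly above the `resources` line. The same policy document is repeated verbatim in the next hunk (irsa.cluster-agent.tf), so one shared document referenced by both `aws_iam_policy` resources would keep the two from drifting apart.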
@@ -0,0 +1,59 @@
+module "role_cluster-agent" {
+ source = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks"
+
+ role_description = "EKS IAM Role for ${var.cluster_name} for service account ${var.namespace}:${var.cluster-agent_name}"
+ role_name = format("%v%v-irsa__%v", local._prefixes["eks-role"], var.cluster_name, var.cluster-agent_name)
+
+ role_policy_arns = {
+ policy = aws_iam_policy.policy_cluster-agent.arn
+ }
+
+ oidc_providers = {
+ main = {
+ provider_arn = local.oidc_provider_arn
+ namespace_service_accounts = [format("%v:%v", var.namespace, var.cluster-agent_name)]
+ }
+ }
+
+ tags = merge(
+ local.base_tags,
+ local.common_tags,
+ var.application_tags,
+ {
+ "eks:namespace" = var.namespace
+ "eks:user" = var.cluster-agent_name
+ }
+ )
+}
+
+data "aws_iam_policy_document" "policy_cluster-agent" {
+ statement {
+ sid = "DataDogAccess"
+ effect = "Allow"
+ resources = ["*"]
+ actions = [
+ "ec2:DescribeTags",
+ "ec2:DescribeSecurityGroups",
+ "ec2:DescribeInstances",
+ "ec2:DescribeInstanceStatus",
+ ]
+ }
+}
+
+resource "aws_iam_policy" "policy_cluster-agent" {
+ name = format("%v%v-irsa__%v", local._prefixes["eks-policy"], var.cluster_name, var.cluster-agent_name)
+ description = "EKS IAM Policy for ${var.cluster_name} for service account ${var.namespace}:${var.cluster-agent_name}"
+ path = "/"
+ policy = data.aws_iam_policy_document.policy_cluster-agent.json
+
+ tags = merge(
+ local.base_tags,
+ local.common_tags,
+ var.application_tags,
+ {
+ "Name" = format("%v%v-irsa__%v", local._prefixes["eks-policy"], var.cluster_name, var.cluster-agent_name)
+ "eks:namespace" = var.namespace
+ "eks:user" = var.cluster-agent_name
+ }
+ )
+}
diff --git a/examples/extras/datadog-agent/locals.tf b/examples/extras/datadog-agent/locals.tf
new file mode 100644
index 0000000..4b9ae5a
--- /dev/null
+++ b/examples/extras/datadog-agent/locals.tf
@@ -0,0 +1,17 @@
+locals {
+ base_tags = {
+ "eks-cluster-name" = var.cluster_name
+ "boc:tf_module_version" = local._module_version
+ "boc:created_by" = "terraform"
+ }
+}
+
+# replace TF remote state accordingly in parent_rs with that from the parent directory, and be sure to make the link
+locals {
+ vpc_id = local.parent_rs.cluster_vpc_id
+ subnet_ids = local.parent_rs.cluster_subnet_ids
+ cluster_worker_sg_id = local.parent_rs.cluster_worker_sg_id
+
+ oidc_provider_url = local.parent_rs.oidc_provider_url
+ oidc_provider_arn = local.parent_rs.oidc_provider_arn
+}
diff --git a/examples/extras/datadog-agent/main.tf b/examples/extras/datadog-agent/main.tf
new file mode 100644
index 0000000..140d4e9
--- /dev/null
+++ b/examples/extras/datadog-agent/main.tf
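Review bot: `local.parent_rs` and `local._module_version` are read in both `locals` blocks but are not defined in any file of this commit, and the comment on the second block ("be sure to make the link") does not say where they come from. Presumably they are brought in by the `LINK includes.d/parent_rs.tf` and related entries in tf-run.data, but a reader of this file alone has to guess. I would replace that comment with one that names the dependency, e.g. `# parent_rs, _module_version, _prefixes and common_tags are defined in the parent directory and symlinked here via the LINK entries in tf-run.data; terraform init will fail until those links exist`.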
@@ -0,0 +1,150 @@
+##
+# https://github.com/DataDog/helm-charts/issues/1073
+
+locals {
+ images_output = { for k, v in module.images.images : v.name => v }
+}
+
+resource "kubernetes_namespace" "namespace" {
+ count = var.create_namespace ? 1 : 0
+ metadata {
+ name = var.namespace
+ }
+}
+
+module "images" {
+ source = "git@github.e.it.census.gov:terraform-modules/aws-ecr-copy-images.git?ref=tf-upgrade"
+
+ profile = var.profile
+ application_list = []
+ application_name = format("eks/%v", var.cluster_name)
+ image_config = [for k, v in var.images : v if v.enabled]
+ tags = merge(
+ local.base_tags,
+ local.common_tags,
+ var.application_tags,
+ )
+}
+
+resource "helm_release" "datadog" {
+ name = "datadog-agent"
+ chart = "datadog"
+ namespace = var.namespace
+ repository = var.charts["agent"].repository
+ version = var.charts["agent"].version
+
+ depends_on = [module.images, kubernetes_namespace.namespace]
+
+ values = [
+ file("datadog.values.yml"),
+ # templatefile("${path.root}/templates/fluentbit.env.yml.tpl", {
+ # region = local.region
+ # cluster_name = var.cluster_name
+ # })
+ ]
+
+ set_sensitive {
+ name = "datadog.apiKey"
+ value = var.datadog_api_key
+ }
+
+ set_sensitive {
+ name = "datadog.appKey"
+ value = var.datadog_app_key
+ }
+
+ set {
+ name = "datadog.site"
+ value = var.datadog_site
+ }
+
+ set {
+ name = "datadog.clusterName"
+ value = var.cluster_name
+ }
+
+ ## set {
+ ## name = "datadog.dd_url"
+ ## value = var.datadog_site_url
+ ## }
+
+ ## set {
+ ## name = "clusterAgent.endpoint"
+ ## value = var.datadog_api_url
+ ## }
+
+ # set {
+ # name = "datadog.logs.enabled"
+ # value = false
+ # }
+
+ ## set {
+ ## name = "datadog.proxy.http"
+ ## value = var.datadog_proxy.http
+ ## }
+ ##
+ ## set {
+ ## name = "datadog.proxy.https"
+ ## value = var.datadog_proxy.https
+ ## }
+
+ set {
+ name = "registry"
+ value = dirname(split(":", local.images_output["datadog/cluster-agent"].dest_full_path)[0])
+ }
+ # set {
+ # name = "clusterAgent.image.repository"
+ # value = split(":", local.images_output["datadog/cluster-agent"].dest_full_path)[0]
+ # }
+ set {
+ name = "clusterAgent.image.tag"
+ value = local.images_output["datadog/cluster-agent"].tag
+ }
+ # set {
+ # name = "agents.image.repository"
+ # value = split(":", local.images_output["datadog/agent"].dest_full_path)[0]
+ # }
+ set {
+ name = "agents.image.tag"
+ value = local.images_output["datadog/agent"].tag
+ }
+ # set {
+ # name = "fips.image.repository"
+ # value = split(":", local.images_output["datadog/fips-proxy"].dest_full_path)[0]
+ # }
+ set {
+ name = "fips.image.tag"
+ value = local.images_output["datadog/fips-proxy"].tag
+ }
+
+ # cluster agent rbac
+ set {
+ name = "clusterAgent.rbac.serviceAccount.name"
+ value = var.cluster-agent_name
+ }
+ set {
+ name = "clusterAgent.rbac.serviceAccount.create"
+ value = "true"
+ }
+
+ set {
+ name = "clusterAgent.rbac.serviceAccountAnnotations.eks\\.amazonaws\\.com/role-arn"
+ value = module.role_cluster-agent.iam_role_arn
+ }
+
+ # agent rbac
+ set {
+ name = "agents.rbac.serviceAccount.name"
+ value = var.agent_name
+ }
+ set {
+ name = "agents.rbac.serviceAccount.create"
+ value = "true"
+ }
+
+ set {
+ name = "agents.rbac.serviceAccountAnnotations.eks\\.amazonaws\\.com/role-arn"
+ value = module.role_agent.iam_role_arn
+ }
+}
+
diff --git a/examples/extras/datadog-agent/region.tf b/examples/extras/datadog-agent/region.tf
new file mode 100644
index 0000000..f617506
--- /dev/null
+++ b/examples/extras/datadog-agent/region.tf
@@ -0,0 +1,3 @@
+locals {
+ region = var.region
+}
diff --git a/examples/extras/datadog-agent/tf-run.data b/examples/extras/datadog-agent/tf-run.data
new file mode 100644
index 0000000..0db70b8
--- /dev/null
+++ b/examples/extras/datadog-agent/tf-run.data
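Review bot: `module "images"` pins its source to `?ref=tf-upgrade`, a branch name rather than a tag or commit, so every `terraform init` pulls whatever that branch currently holds and the image-copy step that feeds the `registry` and `*.image.tag` values below is not reproducible; I would pin it as `source = "git@github.e.it.census.gov:terraform-modules/aws-ecr-copy-images.git?ref=<tag-or-commit-sha>"` (placeholder) and move the branch only deliberately. `file("datadog.values.yml")` in the `values` list resolves relative to the working directory, unlike the `${path.root}` used in the commented `templatefile` call just below it; `file("${path.module}/datadog.values.yml")` makes the release independent of where terraform is invoked. Separately, the dd-agent.kubectl.log committed earlier in this patch shows process-agent and system-probe failing with `cannot unmarshal !!bool `true` into map[string]interface {}` while loading the config, which suggests the values file this release consumes still needs correcting before the example works.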
@@ -0,0 +1,31 @@
+VERSION 1.4.2
+REMOTE-STATE
+COMMAND tf-directory-setup.py -l none -f
+COMMAND setup-new-directory.sh
+
+LINKTOP init
+LINKTOP includes.d/variables.account_tags.tf
+LINKTOP includes.d/variables.account_tags.auto.tfvars
+LINKTOP includes.d/variables.infrastructure_tags.tf
+LINKTOP includes.d/variables.infrastructure_tags.auto.tfvars
+LINKTOP includes.d/variables.application_tags.tf
+# LINKTOP includes.d/variables.application_tags.auto.tfvars
+LINK variables.application_tags.auto.tfvars
+LINKTOP provider_configs.d/provider.ldap_new.auto.tfvars
+LINKTOP provider_configs.d/provider.ldap_new.tf
+LINKTOP provider_configs.d/provider.ldap_new.variables.tf
+LINK settings.auto.tfvars
+LINK includes.d/parent_rs.tf
+LINK includes.d/data.eks-subdirectory.tf
+LINK includes.d/kubeconfig.eks-subdirectory.tf
+LINK variables.eks.tf
+LINK prefixes.tf
+LINK providers.tf
+LINK variables.addons.tf
+LINK versions.tf
+LINK version.tf
+LINK variables.vpc.tf
+LINK variables.vpc.auto.tfvars
+COMMAND tf-init
+
+ALL
diff --git a/examples/extras/datadog-agent/tf-run.destroy.data b/examples/extras/datadog-agent/tf-run.destroy.data
new file mode 100644
index 0000000..7a82c9f
--- /dev/null
+++ b/examples/extras/datadog-agent/tf-run.destroy.data
@@ -0,0 +1,6 @@
+VERSION 1.0.1
+BACKUP-STATE
+COMMAND tf-init
+COMMAND tf-state list
+
+ALL
diff --git a/examples/extras/datadog-agent/variables.datadog.auto.tfvars b/examples/extras/datadog-agent/variables.datadog.auto.tfvars
new file mode 100644
index 0000000..ce3e707
--- /dev/null
+++ b/examples/extras/datadog-agent/variables.datadog.auto.tfvars
@@ -0,0 +1,14 @@
+namespace = "monitoring"
+create_namespace = true
+#name = "datadog-agent"
+
+# get keys from proper source
+#datadog_api_key = ""
+#datadog_app_key = ""
+datadog_site = "ddog-gov.com"
+datadog_site_url = "https://app.ddog-gov.com"
+datadog_api_url = "https://api.ddog-gov.com"
+datadog_proxy = {
+ http = "http://proxy.tco.census.gov:3128"
+ https = "http://proxy.tco.census.gov:3128"
+}
diff --git a/examples/extras/datadog-agent/variables.datadog.tf b/examples/extras/datadog-agent/variables.datadog.tf
new file mode 100644
index 0000000..faa3756
--- /dev/null
+++ b/examples/extras/datadog-agent/variables.datadog.tf
@@ -0,0 +1,34 @@
+variable "datadog_api_key" {
+ description = "Datadog API Key"
+ type = string
+}
+
+variable "datadog_app_key" {
+ description = "Datadog Application Key"
+ type = string
+}
+
+variable "datadog_site" {
+ description = "Datadog Site Parameter"
+ type = string
+ default = "ddog-gov.com"
+}
+
+variable "datadog_site_url" {
+ description = "Datadog APP URL"
+ type = string
+ default = "https://app.ddog-gov.com"
+}
+
+variable "datadog_api_url" {
+ description = "Datadog API URL"
+ type = string
+ default = "https://api.ddog-gov.com"
+}
+
+variable "datadog_proxy" {
+ description = "Map of http, https to proxy for each protocol"
+ type = map(string)
+ default = {}
+}
+
diff --git a/examples/extras/datadog-agent/variables.images.auto.tfvars b/examples/extras/datadog-agent/variables.images.auto.tfvars
new file mode 100644
index 0000000..1cf4cf7
--- /dev/null
+++ b/examples/extras/datadog-agent/variables.images.auto.tfvars
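Review bot: `variable "datadog_api_key"` and `variable "datadog_app_key"` in variables.datadog.tf are not declared `sensitive = true`, so although main.tf feeds them through `set_sensitive`, Terraform will still print their values in plan and apply output wherever the variables are referenced or on any validation error; add `sensitive = true` under `type = string` in both blocks. The tfvars hunk above leaves `#datadog_api_key = ""` and `#datadog_app_key = ""` commented with only "get keys from proper source" as guidance, so a comment naming the intended mechanism (environment `TF_VAR_*`, a secrets store, etc.) would stop someone from simply uncommenting and pasting a key into a tracked file. The `datadog_proxy` value set in the tfvars is currently unused, since the matching `datadog.proxy.*` `set` blocks in main.tf are commented out; either wire it up or note in the variable description that it is not yet applied.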
@@ -0,0 +1,51 @@
+charts = {
+ "agent" = {
+ name = "datadog-agent"
+ documentation = "https://artifacthub.io/packages/helm/datadog/datadog"
+ repository = "https://helm.datadoghq.com"
+ # version = "3.57.3"
+ # version = "3.58.1"
+ version = "3.65.1"
+ use_remote = true
+ }
+}
+images = {
+ "agent" = {
+ name = "datadog/agent"
+ image = "public.ecr.aws/datadog/agent"
+ dest_path = null
+ source_registry = "public.ecr.aws"
+ source_image = "datadog/agent"
+ source_tag = null
+ # tag = "7.51.0"
+ # tag = "7.51.1"
+ tag = "7.53.0"
+ enabled = true
+ }
+ "cluster-agent" = {
+ name = "datadog/cluster-agent"
+ image = "public.ecr.aws/datadog/cluster-agent"
+ dest_path = null
+ source_registry = "public.ecr.aws"
+ source_image = "datadog/cluster-agent"
+ source_tag = null
+ # tag = "7.51.0"
+ # tag = "7.51.1"
+ tag = "7.53.0"
+ enabled = true
+ }
+ "fips-proxy" = {
+ name = "datadog/fips-proxy"
+ image = "public.ecr.aws/datadog/fips-proxy"
+ dest_path = null
+ source_registry = "public.ecr.aws"
+ source_image = "datadog/fips-proxy"
+ source_tag = null
+ # tag = "1.1.1"
+ tag = "1.1.2"
+ enabled = true
+ }
+}
+#public.ecr.aws/datadog/agent:7.51.1
+#public.ecr.aws/datadog/cluster-agent:7.51.1
+#public.ecr.aws/datadog/fips-proxy:1.1.1
diff --git a/examples/extras/datadog-agent/variables.tf b/examples/extras/datadog-agent/variables.tf
new file mode 100644
index 0000000..f8f06ce
--- /dev/null
+++ b/examples/extras/datadog-agent/variables.tf
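Review bot: The three `images` entries identify what gets copied into ECR by tag only (`tag = "7.53.0"`, `tag = "1.1.2"`), and tags on a public registry are mutable, so two runs of the copy module can produce different image contents under the same name; recording the source digest next to the tag would make the copy reproducible and auditable, though the `images` object type in variables.tf would need an optional field for it. The `#public.ecr.aws/...:7.51.1` lines at the end duplicate the already-commented `# tag = "7.51.1"` entries above them and can be dropped to avoid two competing records of the previous version. The `image` attribute is set on every entry but is not part of the `images` object type declared in variables.tf, so it is presumably ignored; either add it to the type or remove it here.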
@@ -0,0 +1,51 @@
+variable "namespace" {
+ description = "Service namespace"
+ type = string
+ default = "default"
+}
+
+variable "create_namespace" {
+ description = "Flag to enable or disable creation of namespace"
+ type = bool
+ default = false
+}
+
+variable "cluster-agent_name" {
+ description = "DataDog ClusterAgent Service account name"
+ type = string
+ default = "datadog-agent-cluster-agent"
+}
+
+variable "agent_name" {
+ description = "DataDog Agent Service account name"
+ type = string
+ default = "datadog-agent"
+}
+
+variable "charts" {
+ description = "Map of object with details about remote charts"
+ type = map(object(
+ {
+ name = string
+ documentation = optional(string, null)
+ repository = string
+ version = string
+ use_remote = bool
+ }))
+ default = {}
+}
+
+variable "images" {
+ description = "List of image configuration objects to copy from SOURCE to DESTINATION"
+ type = map(object({
+ name = string,
+ documentation = optional(string, null)
+ tag = string,
+ dest_path = string,
+ source_registry = string,
+ source_image = string,
+ source_tag = string,
+ enabled = bool,
+ })) 
+ default = {}
+}
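Review bot: The description of `variable "images"` says "List of image configuration objects" while its type is `map(object({...}))` and the tfvars supply a map keyed by image name; change it to `description = "Map of image configuration objects to copy from SOURCE to DESTINATION"`. `dest_path` and `source_tag` are declared as required `string` attributes although every entry in variables.images.auto.tfvars sets them to `null`; declaring them `optional(string)` like `documentation` documents that null is the expected value and lets entries omit them. The two object types also use different styles (trailing commas and `map(object({` on one line for `images`, none and a split `map(object(` for `charts`); picking one form for both would make the file easier to scan.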