move cloudwatch agent to an addon (1.25+)

CHANGELOG.md

@@ -43,3 +43,6 @@
     - xray
     - secrets-manager
     - cloudwatch-agent
+
+* 2.2.0 -- 2024-03-25
+  - move cloudwatch agent to an addon

examples/full-cluster-tf-upgrade/1.25/addons/addon_cloudwatch.tf

@@ -0,0 +1,66 @@
+# https://docs.aws.amazon.com/eks/latest/userguide/eks-add-ons.html
+# amazon-cloudwatch-observability
+
+locals {
+  cloudwatch_managed_policies        = ["AWSXrayWriteOnlyAccess", "CloudWatchAgentServerPolicy"]
+  cloudwatch_observability_name      = "cloudwatch-agent"
+  cloudwatch_observability_namespace = "amazon-cloudwatch"
+}
+
+data "aws_iam_policy" "cloudwatch-observability-policies" {
+  for_each = toset(local.cloudwatch_managed_policies)
+  name     = each.key
+}
+
+resource "aws_eks_addon" "amazon-cloudwatch-observability" {
+  count = lookup(local.addon_versions, "amazon-cloudwatch-observability", null) != null ? 1 : 0
+
+  cluster_name             = var.cluster_name
+  addon_name               = "amazon-cloudwatch-observability"
+  addon_version            = lookup(local.addon_versions, "amazon-cloudwatch-observability")
+  service_account_role_arn = module.role_cloudwatch-observability.iam_role_arn
+  configuration_values     = null
+  #  resolve_conflicts        = "OVERWRITE"
+  # note OVERWRITE resets to eks addon defaults, PRESERVE uses any values set here
+  resolve_conflicts_on_create = "OVERWRITE"
+  resolve_conflicts_on_update = "OVERWRITE"
+
+  depends_on = [aws_cloudwatch_log_group.cloudwatch-observability]
+}
+
+module "role_cloudwatch-observability" {
+  source = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks"
+
+  role_description = "EKS IAM Role for ${var.cluster_name} for service account ${local.cloudwatch_observability_namespace}:${local.cloudwatch_observability_name}"
+  role_name        = format("%v%v-irsa__%v", local._prefixes["eks-role"], var.cluster_name, local.cloudwatch_observability_name)
+  role_policy_arns = { for k, v in data.aws_iam_policy.cloudwatch-observability-policies : k => v.arn }
+
+  oidc_providers = {
+    main = {
+      provider_arn               = local.oidc_provider_arn
+      namespace_service_accounts = [format("%v:%v", local.cloudwatch_observability_namespace, local.cloudwatch_observability_name)]
+    }
+  }
+
+  tags = merge(
+    local.base_tags,
+    local.common_tags,
+    var.application_tags,
+    {
+      "eks:namespace" = local.cloudwatch_observability_namespace
+      "eks:user"      = local.cloudwatch_observability_name
+    }
+  )
+}
+
+resource "aws_cloudwatch_log_group" "cloudwatch-observability" {
+  for_each          = toset(var.cloudwatch-observability_log_names)
+  name              = format("/aws/containerinsights/%v/%v", var.cluster_name, each.key)
+  retention_in_days = var.cloudwatch-observability_log_retention_days
+
+  tags = merge(
+    local.base_tags,
+    local.common_tags,
+    var.application_tags,
+  )
+}

examples/full-cluster-tf-upgrade/1.25/addons/variables.addons.tf

@@ -1,3 +1,5 @@
+# aws eks describe-addon-versions --kubernetes-version 1.25  --query 'addons[].{Name:addonName,Version:addonVersions[].addonVersion}' --output text
+
 variable "addon_versions" {
   description = "Map of addon versions by Kubernetes version"
   type        = map(map(string))
@@ -9,12 +11,49 @@ variable "addon_versions" {
       "aws-ebs-csi-driver" = "v1.18.0-eksbuild.1"
     }
     "1.25" = {
-      "coredns"            = "v1.9.3-eksbuild.5"
-      "kube-proxy"         = "v1.25.11-eksbuild.2"
-      "vpc-cni"            = "v1.13.4-eksbuild.1"
-      "aws-ebs-csi-driver" = "v1.21.0-eksbuild.1"
-      "aws-efs-csi-driver" = "v1.5.8-eksbuild.1"
-      "adot"               = "v0.78.0-eksbuild.1"
+      ##      "coredns" = "v1.9.3-eksbuild.5"
+      "coredns" = "v1.9.3-eksbuild.11"
+      ##      "kube-proxy" = "v1.25.11-eksbuild.2"
+      "kube-proxy" = "v1.25.16-eksbuild.3"
+      ##      "vpc-cni" = "v1.13.4-eksbuild.1"
+      "vpc-cni" = "v1.17.1-eksbuild.1"
+      ##      "aws-ebs-csi-driver" = "v1.21.0-eksbuild.1"
+      "aws-ebs-csi-driver" = "v1.28.0-eksbuild.1"
+      ##      "aws-efs-csi-driver" = "v1.5.8-eksbuild.1"
+      "aws-efs-csi-driver" = "v1.7.6-eksbuild.1"
+      ##      "adot" = "v0.78.0-eksbuild.1"
+      "adot"                            = "v0.94.1-eksbuild.1"
+      "amazon-cloudwatch-observability" = "v1.4.0-eksbuild.1"
+    }
+    "1.28" = {
+      "coredns"            = "v1.10.1-eksbuild.6"
+      "kube-proxy"         = "v1.28.2-eksbuild.2"
+      "vpc-cni"            = "v1.15.4-eksbuild.1"
+      "aws-ebs-csi-driver" = "v1.25.0-eksbuild.1"
+      "aws-efs-csi-driver" = "v1.7.1-eksbuild.1"
+      "adot"               = "v0.88.0-eksbuild.2"
+    }
+    "1.29" = {
+      "coredns"                         = "v1.11.1-eksbuild.6"
+      "kube-proxy"                      = "v1.29.1-eksbuild.2"
+      "vpc-cni"                         = "v1.17.1-eksbuild.1"
+      "aws-ebs-csi-driver"              = "v1.28.0-eksbuild.1"
+      "aws-efs-csi-driver"              = "v1.7.6-eksbuild.1"
+      "adot"                            = "v0.94.1-eksbuild.1"
+      "snapshot-controller"             = "v6.3.2-eksbuild.1"
+      "amazon-cloudwatch-observability" = "v1.4.0-eksbuild.1"
     }
   }
 }
+
+variable "cloudwatch-observability_log_names" {
+  description = "Amazon Cloudwatch Observability log group names"
+  type        = list(string)
+  default     = ["application", "dataplane", "host", "performance"]
+}
+
+variable "cloudwatch-observability_log_retention_days" {
+  description = "Amazon Cloudwatch Observability log group retention in days"
+  type        = number
+  default     = 90
+}