From b87e5c258646ccf02550b506103cbbc313876f67 Mon Sep 17 00:00:00 2001
From: badra001
Date: Mon, 14 Aug 2023 17:58:14 -0400
Subject: [PATCH] add cloudwatch-agent

---
 .../1.25/common-services/cloudwatch-agent.tf | 122 ++++++++++++++++++
 .../1.25/common-services/main.tf | 26 ++--
 .../variables.images.auto.tfvars | 25 +++-
 3 files changed, 153 insertions(+), 20 deletions(-)
 create mode 100644 examples/full-cluster-tf-upgrade/1.25/common-services/cloudwatch-agent.tf

diff --git a/examples/full-cluster-tf-upgrade/1.25/common-services/cloudwatch-agent.tf b/examples/full-cluster-tf-upgrade/1.25/common-services/cloudwatch-agent.tf
new file mode 100644
index 0000000..08a1a00
--- /dev/null
+++ b/examples/full-cluster-tf-upgrade/1.25/common-services/cloudwatch-agent.tf
@@ -0,0 +1,122 @@
+# https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/Container-Insights-prerequisites.html
+# https://registry.terraform.io/modules/bailey84j/cloudwatch-agent/kubernetes/latest
+# cannot let this create the role, as it tries to attache a policy that does not exist
+# we need this policy: arn:aws-us-gov:iam::aws:policy/CloudWatchAgentServerPolicy
+
+# need to hack the module for now
+# main.tf
+## container {
+## name = "${var.name}-agent"
+## # image = "amazon/${var.image_name}:${var.image_version}"
+## image = "${var.image_name}:${var.image_version}"
+#
+# also want to do the same for the role, to allow a different managed role(s) besides
+# the appsync one to be used
+
+module "cloudwatch-agent" {
+ source = "bailey84j/cloudwatch-agent/kubernetes"
+ version = "1.0.1"
+
+ eks_cluster_name = var.cluster_name
+ create_namespace = false
+ image_name = split(":", local.image_output["cloudwatch-agent"].dest_full_path)[0]
+ image_version = local.image_output["cloudwatch-agent"].tag
+ create_iam_role = false
+ iam_role_arn = module.role_cloudwatch-agent.iam_role_arn
+
+ tags = merge(
+ local.base_tags,
+ local.common_tags,
+ var.application_tags,
+ )
+}
+
+locals {
+ cloudwatch_agent_namespace = "kube-system"
+ cloudwatch_agent_name = "cloudwatch"
+}
+
+data "aws_iam_policy" "policy_cloudwatch-agent" {
+ name = "CloudWatchAgentServerPolicy"
+}
+
+module "role_cloudwatch-agent" {
+ source = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks"
+
+ role_description = "EKS IAM Role for ${var.cluster_name} for service account ${local.cloudwatch_agent_namespace}:${local.cloudwatch_agent_name}"
+ role_name = format("%v%v-irsa__%v", local._prefixes["eks"], var.cluster_name, local.cloudwatch_agent_name)
+
+ role_policy_arns = {
+ policy = data.aws_iam_policy.policy_cloudwatch-agent.arn
+ }
+
+ oidc_providers = {
+ main = {
+ provider_arn = local.oidc_provider_arn
+ namespace_service_accounts = [format("%v:%v", local.cloudwatch_agent_namespace, local.cloudwatch_agent_name)]
+ }
+ }
+
+ tags = merge(
+ local.base_tags,
+ local.common_tags,
+ var.application_tags,
+ {
+ "eks:namespace" = local.cloudwatch_agent_namespace
+ "eks:user" = local.cloudwatch_agent_name
+ }
+ )
+}
+
+## module "role_cloudwatch-agent" {
+## source = "git@github.e.it.census.gov:terraform-modules/aws-iam-role.git?ref=tf-upgrade"
+##
+## role_description = "EKS IAM Role for ${var.cluster_name} for service account ${local.cloudwatch_agent_namespace}:${local.cloudwatch_agent_name}"
+## role_name = format("%v%v-irsa__%v", local._prefixes["eks"], var.cluster_name, local.cloudwatch_agent_name)
+## enable_ldap_creation = false
+## assume_policy_document = data.aws_iam_policy_document.assume_role_cloudwatch-agent.json
+## attached_policies = [aws_iam_policy.policy_cloudwatch-agent.arn]
+##
+## tags = merge(
+## local.base_tags,
+## local.common_tags,
+## var.tags,
+## var.application_tags,
+## {
+## "eks:namespace" = var.namespace
+## "eks:user" = var.name
+## }
+## )
+## }
+##
+## data "aws_iam_policy_document" "assume_role_cloudwatch-agent" {
+## statement {
+## actions = ["sts:AssumeRoleWithWebIdentity"]
+## effect = "Allow"
+##
+## condition {
+## test = "StringEquals"
+## variable = "${local.oidc_provider_url}:sub"
+## values = ["system:serviceaccount:${local.cloudwatch_agent_namespace}:${local.cloudwatch_agent_name}"]
+## }
+##
+## principals {
+## identifiers = [local.oidc_provider_arn]
+## type = "Federated"
+## }
+## }
+## }
+##
+
+## "cloudwatch-agent" = {
+## name = "cloudwatch-agent"
+## image = "docker.io/amazon/cloudwatch-agent"
+## dest_path = null
+## source_registry = "docker.io"
+## source_image = "amazon/cloudwatch-agent"
+## source_tag = null
+## # tag = "latest"
+## tag = "1.300026.2b172"
+## enabled = true
+## }
+## }
diff --git a/examples/full-cluster-tf-upgrade/1.25/common-services/main.tf b/examples/full-cluster-tf-upgrade/1.25/common-services/main.tf
index 2613f1d..3338eb4 100644
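Review bot: The IRSA trust in `module "role_cloudwatch-agent"` is bound to `kube-system:cloudwatch` through the two locals, but nothing in `module "cloudwatch-agent"` passes that name or namespace in, so the service account the module actually creates comes from its own defaults (not visible here) and may not satisfy the `sub` condition; if the module exposes name/namespace inputs, set them from `local.cloudwatch_agent_name` and `local.cloudwatch_agent_namespace`, otherwise confirm its defaults and document the coupling above the `locals` block. The header comment says the registry module has to be "hacked" so `image_name` is used as a full path instead of being prefixed with `amazon/`, yet `source = "bailey84j/cloudwatch-agent/kubernetes"` with `version = "1.0.1"` fetches the unmodified upstream module, so as written the mirrored `dest_full_path` would presumably be mangled. Either vendor the patched module under a local `source`, or replace the comment with `# NOTE: upstream 1.0.1 prefixes image_name with amazon/; verify the rendered image ref before enabling` until that is resolved. On style, the ~50 lines of commented-out code at the bottom (the old role module, its assume-role document and the docker.io tfvars entry) include an internal git host and should be dropped from the new file rather than kept; git history already preserves them.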
--- a/examples/full-cluster-tf-upgrade/1.25/common-services/main.tf
+++ b/examples/full-cluster-tf-upgrade/1.25/common-services/main.tf
@@ -66,10 +66,10 @@ resource "helm_release" "metrics-server" {
 }
 
 resource "helm_release" "cluster-autoscaler" {
- chart = "cluster-autoscaler"
- name = "cluster-autoscaler"
- namespace = "kube-system"
-# repository = "${path.module}/charts/"
+ chart = "cluster-autoscaler"
+ name = "cluster-autoscaler"
+ namespace = "kube-system"
+ # repository = "${path.module}/charts/"
 repository = local.charts["cluster-autoscaler"].use_remote ? local.charts["cluster-autoscaler"].repository : "${path.module}/charts"
 version = local.charts["cluster-autoscaler"].use_remote ? local.charts["cluster-autoscaler"].version : null
 # depends_on = [null_resource.copy_images]
@@ -153,20 +153,20 @@ resource "helm_release" "cert-manager" {
 # value = var.cert_manager_webhook_tag
 value = local.image_output["cert-manager-webhook"].tag
 }
-# set {
-# name = "startupapicheck.enabled"
-# value = "false"
-# }
+ # set {
+ # name = "startupapicheck.enabled"
+ # value = "false"
+ # }
 set {
- name = "startupapicheck.image.repository"
+ name = "startupapicheck.image.repository"
 value = split(":", local.image_output["cert-manager-ctl"].dest_full_path)[0]
 }
 set {
- name = "startupapicheck.image.tag"
+ name = "startupapicheck.image.tag"
 value = local.image_output["cert-manager-ctl"].tag
 }
-# timeout = 180
+ # timeout = 180
 timeout = 600
 }
 
@@ -326,8 +326,8 @@ resource "helm_release" "istio-operator" {
 depends_on = [helm_release.cert-manager]
 
 set {
- name = "hub"
-# value = format("%v/%v", local.account_ecr, "istio")
+ name = "hub"
+ # value = format("%v/%v", local.account_ecr, "istio")
 value = format("%v/eks/%v/%v", local.image_output["istio-operator"].dest_registry, var.cluster_name, "istio")
 }
 set {
diff --git a/examples/full-cluster-tf-upgrade/1.25/common-services/variables.images.auto.tfvars b/examples/full-cluster-tf-upgrade/1.25/common-services/variables.images.auto.tfvars
index ec4c2be..6e2fc75 100644
--- a/examples/full-cluster-tf-upgrade/1.25/common-services/variables.images.auto.tfvars
+++ b/examples/full-cluster-tf-upgrade/1.25/common-services/variables.images.auto.tfvars
@@ -125,19 +125,30 @@ image_details = {
 image = "docker.io/bitnami/prometheus"
 dest_path = null
 source_registry = "docker.io"
- source_image = "bitnami/prometheus"
+ source_image = "bitnami/prometheus"
 source_tag = null
 tag = "2.28.1"
 enabled = true
 }
 "alertmanager" = {
- name = "alertmanager"
- image = "docker.io/bitnami/alertmanager"
- dest_path = null
+ name = "alertmanager"
+ image = "docker.io/bitnami/alertmanager"
+ dest_path = null
 source_registry = "docker.io"
 source_image = "bitnami/alertmanager"
- source_tag = null
- tag = "0.22.2"
- enabled = true
+ source_tag = null
+ tag = "0.22.2"
+ enabled = true
+ }
+ "cloudwatch-agent" = {
+ name = "cloudwatch-agent"
+ image = "public.ecr.aws/cloudwatch-agent/cloudwatch-agent"
+ dest_path = null
+ source_registry = "public.ecr.aws"
+ source_image = "cloudwatch-agent/cloudwatch-agent"
+ source_tag = null
+ # tag = "latest"
+ tag = "1.300026.2b172"
+ enabled = true
 }
 }
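Review bot: The new `"cloudwatch-agent"` entry pins the mirrored image by tag only (`tag = "1.300026.2b172"`), and tags on `public.ecr.aws` are mutable, so the copy step can silently pick up a different image than the one that was reviewed. If the image-copy tooling that consumes `image_details` accepts digest references, pin the source to `1.300026.2b172@sha256:<digest>`; otherwise record the digest next to the tag, e.g. `# digest: sha256:<from the registry manifest at pin time>`, so the copy in the destination registry can be checked against it. The `image_details` schema and the copy step are defined outside this hunk, so whether a digest field already exists cannot be confirmed here. Leaving `# tag = "latest"` commented out is the right call and worth keeping that way.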