From b8d1bf372fa092229b36adac5714255bdbbd4dc0 Mon Sep 17 00:00:00 2001
From: badra001
Date: Thu, 5 Oct 2023 11:52:39 -0400
Subject: [PATCH] - update example code 1.24 and 1.25 to rmeove AmazonS3FullAccess
---
 CHANGELOG.md | 7 +-
 common/version.tf | 2 +-
 examples/full-cluster-tf-upgrade/1.24/role.tf | 2 +-
 .../cloudwatch-agent/README.md | 127 ++++++++++++++++++
 examples/full-cluster-tf-upgrade/1.25/role.tf | 2 +-
 .../1.25/securitygroup.tf | 4 +-
 6 files changed, 136 insertions(+), 8 deletions(-)
 create mode 100644 examples/full-cluster-tf-upgrade/1.25/common-services/cloudwatch-agent/README.md
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 6f92f4b..bd57008 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,12 +2,13 @@
 ## Version 1.x
-* v1.0.0 -- 2021-10-14
+* 1.0.0 -- 2021-10-14
 - patch-aws-auth module creation
 ## Version 2.x
-* v2.0.0 -- 20211223
+* 2.0.0 -- 2021-12-23
 - add providers for tf 0.13+
-
+* 2.0.1 -- 2023-10-05
+ - update example code 1.24 and 1.25 to rmeove AmazonS3FullAccess
diff --git a/common/version.tf b/common/version.tf
index 6b49608..100daf2 100644
--- a/common/version.tf
+++ b/common/version.tf
@@ -1,3 +1,3 @@
 locals {
- _module_version = "2.0.0"
+ _module_version = "2.0.1"
 }
diff --git a/examples/full-cluster-tf-upgrade/1.24/role.tf b/examples/full-cluster-tf-upgrade/1.24/role.tf
index 3e97a71..df9de09 100644
--- a/examples/full-cluster-tf-upgrade/1.24/role.tf
+++ b/examples/full-cluster-tf-upgrade/1.24/role.tf
@@ -63,7 +63,7 @@ locals {
 "AmazonEC2ContainerRegistryPowerUser",
 "AmazonEC2ContainerRegistryReadOnly",
 "CloudWatchLogsFullAccess",
- "AmazonS3FullAccess",
+ # "AmazonS3FullAccess",
 "AmazonSSMManagedInstanceCore",
 "AmazonEC2RoleforSSM",
 ]
diff --git a/examples/full-cluster-tf-upgrade/1.25/common-services/cloudwatch-agent/README.md b/examples/full-cluster-tf-upgrade/1.25/common-services/cloudwatch-agent/README.md
new file mode 100644
index 0000000..ee7afb6
--- /dev/null
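Review bot: Commenting out `"AmazonS3FullAccess"` in the 1.24 role.tf policy list (and the identical hunk in examples/full-cluster-tf-upgrade/1.25/role.tf) leaves a dead entry that reads as a switch waiting to be flipped back on; delete the line outright, or make the comment carry the reason, e.g. `# AmazonS3FullAccess removed: grant S3 access per workload with a scoped role instead`, so the broad policy is not casually restored. The enclosing `locals {` block starts outside the hunk, so it is not visible here which role this list is attached to; if it feeds an instance or node role, every pod on the node inherits whatever remains, and the remaining context lines still include broad managed policies such as `CloudWatchLogsFullAccess` and `AmazonEC2ContainerRegistryPowerUser` that deserve the same scrutiny in a follow-up. The CHANGELOG entry and subject line both carry the typo `rmeove`.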
+++ b/examples/full-cluster-tf-upgrade/1.25/common-services/cloudwatch-agent/README.md 
@@ -0,0 +1,127 @@
+# Extras :: cloudwatch-agent
+
+The configuration in this dierectory will deploy cloudwatch-agent and fluentbit, to be used for EKS Container Insights.
+
+# Links
+
+* AWS Docs
+ * https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/Container-Insights-prerequisites.html
+ * https://aws.amazon.com/blogs/opensource/centralized-container-logging-fluent-bit/
+ * https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/ContainerInsights-use-kubelet.html
+ * https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/Container-Insights-setup-logs-FluentBit.html
+ * https://aws.github.io/eks-charts"
+* Cloudwatch Agnet
+ * https://github.com/aws/eks-charts/tree/master/stable/aws-cloudwatch-metrics
+* Fluent Bit
+ * https://github.com/aws/aws-for-fluent-bit
+ * https://github.com/aws/eks-charts/tree/master/stable/aws-for-fluent-bit
+
+# Supported Versions
+
+This configuration has been tested and validated on EKS versions
+
+* 1.24
+* 1.25
+
+# Configuration
+
+This uses a helm chart, an IRSA role, and pulls the latest images at the time of creating this module.
+Look in the `variables.*.auto.tfvars` files for the version numbers.
+
+# Installation
+
+You will need the latest copy of the `aws-eks` module, using the `tf-upgrade` branch. This requires the use of
+Terraform 1.x, and as it is deployed in a subdirectory, it should work without issue.
+
+## Step 1: Get aws-eks repo
+
+If you do not have the `aws-eks` repo, clone it in the branch `tf-upgrade`.
+
+```script
+# go to your TF repository directory
+cd $PATH_TO_TERRAFORM
+git clone git@github.e.it.census.gov:terraform-modules/aws-eks.git -b tf-upgrade
+cd aws-eks
+export EKS_SOURCE=$(pwd)
+```
+
+If you already have the repo, go into the directory, checkout the branch and refresh it.
+
+```script
+# go to your TF repository directory
+cd $PATH_TO_TERRAFORM
+cd aws-eks
+git checkout tf-upgrade
+git pull origin tf-upgrade
+export EKS_SOURCE=$(pwd)
+```
+
+## Step 2: Copy code
+
+Go into the `common-services` directory of the EKS cluster where you wish to deploy this. Make a directory, `cloudwatch-agent`, and then
+rsync the code. Please use rsync, not copy. There is a directory, and there may be softlinks. You'll work in a new branch. An example is below:
+
+```script
+cd $PATH_TO_TERRAFORM
+cd 107742151971-do2-govcloud/vpc/east/vpc5/apps/eks-ditd-gups-stage/common-services
+mkdir cloudwatch-agent
+cd cloudwatch-agent
+git checkout -b add-cloudwatch-agent
+rsync -avRWH $EKS_SOURCE/examples/extra/cloudwatch-agent/./ ./
+```
+
+## Step 3: Plan
+
+There is no configuration needed. All relevant details are pulled from the parent directories. You do need EKS cluster access,
+so be sure you are running with a user who has K8S RBAC access.
+
+```script
+tf-run plan
+tf-plan summary
+
+# add to git
+git add .
+git commit -m 'add cloudwatch, fluentbit' .
+git push
+# submit PR with plan summary and plan log
+```
+
+## Step 4: Apply
+
+Once the PR is merged, apply, and finalize the directory.
+
+```script
+tf-run apply
+```
+
+Make sure it started up:
+
+```console
+% kubectl --kubeconfig setup/kube.config get pods -n aws-cloudwatch
+NAME READY STATUS RESTARTS AGE
+aws-cloudwatch-metrics-8jlwh 1/1 Running 0 24h
+aws-cloudwatch-metrics-8jxqs 1/1 Running 0 24h
+aws-cloudwatch-metrics-k668c 1/1 Running 0 24h
+fluent-bit-aws-for-fluent-bit-6bvgk 1/1 Running 0 24h
+fluent-bit-aws-for-fluent-bit-b4hk5 1/1 Running 0 24h
+fluent-bit-aws-for-fluent-bit-chx46 1/1 Running 0 24h
+```
+
+All should be running. If any errors, or not running, look at `events` and `logs`.
+
+Then, check AWS CloudWatch Logs.
There will be four log as follows: /aws/containerinsights/{clustername}/{name}
+where {name} is
+
+ * performance
+ * host
+ * applications
+ * dataplane
+
+The Container Insight dashboard should also show performance data for the cluster, though it may take some
+time to appear.
+
+
+# CHANGELOG
+
+* 1.0.0 -- 2023-08-24
+ - initial
diff --git a/examples/full-cluster-tf-upgrade/1.25/role.tf b/examples/full-cluster-tf-upgrade/1.25/role.tf
index 3e97a71..df9de09 100644
--- a/examples/full-cluster-tf-upgrade/1.25/role.tf
+++ b/examples/full-cluster-tf-upgrade/1.25/role.tf
@@ -63,7 +63,7 @@ locals {
 "AmazonEC2ContainerRegistryPowerUser",
 "AmazonEC2ContainerRegistryReadOnly",
 "CloudWatchLogsFullAccess",
- "AmazonS3FullAccess",
+ # "AmazonS3FullAccess",
 "AmazonSSMManagedInstanceCore",
 "AmazonEC2RoleforSSM",
 ]
diff --git a/examples/full-cluster-tf-upgrade/1.25/securitygroup.tf b/examples/full-cluster-tf-upgrade/1.25/securitygroup.tf
index 15672a4..1e6eebd 100644
--- a/examples/full-cluster-tf-upgrade/1.25/securitygroup.tf
+++ b/examples/full-cluster-tf-upgrade/1.25/securitygroup.tf
@@ -143,7 +143,7 @@ resource "aws_security_group" "extra_cluster_sg" {
 from_port = 0
 to_port = 0
 protocol = -1
- self = true
+ self = true
 }
 ingress {
@@ -153,7 +153,7 @@ resource "aws_security_group" "extra_cluster_sg" {
 cidr_blocks = concat(var.census_private_cidr, ["10.0.0.0/8"])
 }
-# kubectl logs
+ # kubectl logs
 ingress {
 from_port = 10250
 to_port = 10250