add extras, cloudwatch-agent

terraform-modules · Aug 15, 2023 · d4e98bb · d4e98bb
1 parent 7eb68ea
commit d4e98bb
Show file tree

Hide file tree

Showing 12 changed files with 396 additions and 0 deletions.
diff --git a/examples/extras/cloudwatch-agent/cloudwatch-agent.tf b/examples/extras/cloudwatch-agent/cloudwatch-agent.tf
@@ -0,0 +1,106 @@
+# https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/Container-Insights-prerequisites.html
+# https://registry.terraform.io/modules/bailey84j/cloudwatch-agent/kubernetes/latest
+#   cannot let this create the role, as it tries to attache a policy that does not exist
+#   we need this policy: arn:aws-us-gov:iam::aws:policy/CloudWatchAgentServerPolicy
+
+# need to hack the module for now
+# main.tf
+##        container {
+##          name  = "${var.name}-agent"
+## #          image = "amazon/${var.image_name}:${var.image_version}"
+##           image = "${var.image_name}:${var.image_version}"
+#
+# want to replace this with var.image_repository
+#
+# also want to do the same for the role, to allow a different managed role(s) besides
+# the appsync one to be used
+
+module "cloudwatch-agent" {
+  source  = "bailey84j/cloudwatch-agent/kubernetes"
+  version = "1.0.1"
+
+  eks_cluster_name = var.cluster_name
+  create_namespace = false
+  image_name       = split(":", local.cloudwatch_agent_images_output["cloudwatch-agent"].dest_full_path)[0]
+  image_version    = local.cloudwatch_agent_images_output["cloudwatch-agent"].tag
+  create_iam_role  = false
+  iam_role_arn     = module.role_cloudwatch-agent.iam_role_arn
+
+  tags = merge(
+    local.base_tags,
+    local.common_tags,
+    var.application_tags,
+  )
+}
+
+data "aws_iam_policy" "policy_cloudwatch-agent" {
+  name = "CloudWatchAgentServerPolicy"
+}
+
+module "role_cloudwatch-agent" {
+  source = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks"
+
+  role_description = "EKS IAM Role for ${var.cluster_name} for service account ${var.cloudwatch_agent_namespace}:${var.cloudwatch_agent_name}"
+  role_name        = format("%v%v-irsa__%v", local._prefixes["eks"], var.cluster_name, var.cloudwatch_agent_name)
+
+  role_policy_arns = {
+    policy = data.aws_iam_policy.policy_cloudwatch-agent.arn
+  }
+
+  oidc_providers = {
+    main = {
+      provider_arn               = local.oidc_provider_arn
+      namespace_service_accounts = [format("%v:%v", var.cloudwatch_agent_namespace, var.cloudwatch_agent_name)]
+    }
+  }
+
+  tags = merge(
+    local.base_tags,
+    local.common_tags,
+    var.application_tags,
+    {
+      "eks:namespace" = var.cloudwatch_agent_namespace
+      "eks:user"      = var.cloudwatch_agent_name
+    }
+  )
+}
+
+## module "role_cloudwatch-agent" {
+##   source = "git@github.e.it.census.gov:terraform-modules/aws-iam-role.git?ref=tf-upgrade"
+## 
+##   role_description       = "EKS IAM Role for ${var.cluster_name} for service account ${var.cloudwatch_agent_namespace}:${var.cloudwatch_agent_name}"
+##   role_name = format("%v%v-irsa__%v", local._prefixes["eks"], var.cluster_name, var.cloudwatch_agent_name)
+##   enable_ldap_creation   = false
+##   assume_policy_document = data.aws_iam_policy_document.assume_role_cloudwatch-agent.json
+##   attached_policies      = [aws_iam_policy.policy_cloudwatch-agent.arn]
+## 
+##   tags = merge(
+##     local.base_tags,
+##     local.common_tags,
+##     var.tags,
+##     var.application_tags,
+##     {
+##       "eks:namespace" = var.namespace
+##       "eks:user"      = var.name
+##     }
+##   )
+## }
+
+
+locals {
+  cloudwatch_agent_images_output = { for k, v in module.images_cloudwatch-agent.images : v.name => v }
+}
+
+module "images_cloudwatch-agent" {
+  source = "git@github.e.it.census.gov:terraform-modules/aws-ecr-copy-images.git?ref=tf-upgrade"
+
+  profile          = var.profile
+  application_list = []
+  application_name = format("eks/%v", var.cluster_name)
+  image_config     = [for k, v in var.cloudwatch_agent_images : v if v.enabled]
+  tags = merge(
+    local.base_tags,
+    local.common_tags,
+    var.application_tags,
+  )
+}
diff --git a/examples/extras/cloudwatch-agent/locals.tf b/examples/extras/cloudwatch-agent/locals.tf
@@ -0,0 +1,17 @@
+locals {
+  base_tags = {
+    "eks-cluster-name"      = var.cluster_name
+    "boc:tf_module_version" = local._module_version
+    "boc:created_by"        = "terraform"
+  }
+}
+
+# replace TF remote state accordingly in parent_rs with that from the parent directory, and be sure to make the link
+locals {
+  vpc_id               = local.parent_rs.cluster_vpc_id
+  subnet_ids           = local.parent_rs.cluster_subnet_ids
+  cluster_worker_sg_id = local.parent_rs.cluster_worker_sg_id
+
+  oidc_provider_url = local.parent_rs.oidc_provider_url
+  oidc_provider_arn = local.parent_rs.oidc_provider_arn
+}
diff --git a/examples/extras/cloudwatch-agent/tf-run.data b/examples/extras/cloudwatch-agent/tf-run.data
@@ -0,0 +1,31 @@
+VERSION 1.4.2
+REMOTE-STATE
+COMMAND tf-directory-setup.py -l none -f
+COMMAND setup-new-directory.sh
+
+LINKTOP init
+LINKTOP includes.d/variables.account_tags.tf
+LINKTOP includes.d/variables.account_tags.auto.tfvars
+LINKTOP includes.d/variables.infrastructure_tags.tf
+LINKTOP includes.d/variables.infrastructure_tags.auto.tfvars
+LINKTOP includes.d/variables.application_tags.tf
+# LINKTOP includes.d/variables.application_tags.auto.tfvars
+LINK variables.application_tags.auto.tfvars
+LINKTOP provider_configs.d/provider.ldap_new.auto.tfvars
+LINKTOP provider_configs.d/provider.ldap_new.tf
+LINKTOP provider_configs.d/provider.ldap_new.variables.tf
+LINK settings.auto.tfvars
+LINK includes.d/parent_rs.tf
+LINK includes.d/data.eks-subdirectory.tf
+LINK includes.d/kubeconfig.eks-subdirectory.tf
+LINK variables.eks.tf
+LINK prefixes.tf
+LINK providers.tf
+LINK variables.addons.tf
+LINK versions.tf
+LINK version.tf
+LINK variables.vpc.tf
+LINK variables.vpc.auto.tfvars
+COMMAND tf-init 
+
+ALL
diff --git a/examples/extras/cloudwatch-agent/tf-run.destroy.data b/examples/extras/cloudwatch-agent/tf-run.destroy.data
@@ -0,0 +1,6 @@
+VERSION 1.0.1
+BACKUP-STATE
+COMMAND tf-init
+COMMAND tf-state list
+
+ALL
diff --git a/examples/extras/cloudwatch-agent/variables.cloudwatch-agent.auto.tfvars b/examples/extras/cloudwatch-agent/variables.cloudwatch-agent.auto.tfvars
@@ -0,0 +1,13 @@
+cloudwatch_agent_images = {
+  "cloudwatch-agent" = {
+    name            = "cloudwatch-agent"
+    image           = "public.ecr.aws/cloudwatch-agent/cloudwatch-agent"
+    dest_path       = null
+    source_registry = "public.ecr.aws"
+    source_image    = "cloudwatch-agent/cloudwatch-agent"
+    source_tag      = null
+    #    tag            = "latest"
+    tag     = "1.300026.2b172"
+    enabled = true
+  }
+}
diff --git a/examples/extras/cloudwatch-agent/variables.cloudwatch-agent.tf b/examples/extras/cloudwatch-agent/variables.cloudwatch-agent.tf
@@ -0,0 +1,25 @@
+variable "cloudwatch_agent_namespace" {
+  description = "Cloudwatch agent namespace"
+  type        = string
+  default     = "kube-system"
+}
+
+variable "cloudwatch_agent_name" {
+  description = "Cloudwatch Agent name"
+  type        = string
+  default     = "cloudwatch"
+}
+
+variable "cloudwatch_agent_images" {
+  description = "Cloudwatch List of image configuration objects to copy from SOURCE to DESTINATION"
+  type = map(object({
+    name            = string,
+    tag             = string,
+    dest_path       = string,
+    source_registry = string,
+    source_image    = string,
+    source_tag      = string,
+    enabled         = bool,
+  }))
+  default = {}
+}
diff --git a/examples/full-cluster-tf-upgrade/1.25/common-services/cloudwatch-agent/cloudwatch-agent.tf b/examples/full-cluster-tf-upgrade/1.25/common-services/cloudwatch-agent/cloudwatch-agent.tf
@@ -0,0 +1,106 @@
+# https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/Container-Insights-prerequisites.html
+# https://registry.terraform.io/modules/bailey84j/cloudwatch-agent/kubernetes/latest
+#   cannot let this create the role, as it tries to attache a policy that does not exist
+#   we need this policy: arn:aws-us-gov:iam::aws:policy/CloudWatchAgentServerPolicy
+
+# need to hack the module for now
+# main.tf
+##        container {
+##          name  = "${var.name}-agent"
+## #          image = "amazon/${var.image_name}:${var.image_version}"
+##           image = "${var.image_name}:${var.image_version}"
+#
+# want to replace this with var.image_repository
+#
+# also want to do the same for the role, to allow a different managed role(s) besides
+# the appsync one to be used
+
+module "cloudwatch-agent" {
+  source  = "bailey84j/cloudwatch-agent/kubernetes"
+  version = "1.0.1"
+
+  eks_cluster_name = var.cluster_name
+  create_namespace = false
+  image_name       = split(":", local.cloudwatch_agent_images_output["cloudwatch-agent"].dest_full_path)[0]
+  image_version    = local.cloudwatch_agent_images_output["cloudwatch-agent"].tag
+  create_iam_role  = false
+  iam_role_arn     = module.role_cloudwatch-agent.iam_role_arn
+
+  tags = merge(
+    local.base_tags,
+    local.common_tags,
+    var.application_tags,
+  )
+}
+
+data "aws_iam_policy" "policy_cloudwatch-agent" {
+  name = "CloudWatchAgentServerPolicy"
+}
+
+module "role_cloudwatch-agent" {
+  source = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks"
+
+  role_description = "EKS IAM Role for ${var.cluster_name} for service account ${var.cloudwatch_agent_namespace}:${var.cloudwatch_agent_name}"
+  role_name        = format("%v%v-irsa__%v", local._prefixes["eks"], var.cluster_name, var.cloudwatch_agent_name)
+
+  role_policy_arns = {
+    policy = data.aws_iam_policy.policy_cloudwatch-agent.arn
+  }
+
+  oidc_providers = {
+    main = {
+      provider_arn               = local.oidc_provider_arn
+      namespace_service_accounts = [format("%v:%v", var.cloudwatch_agent_namespace, var.cloudwatch_agent_name)]
+    }
+  }
+
+  tags = merge(
+    local.base_tags,
+    local.common_tags,
+    var.application_tags,
+    {
+      "eks:namespace" = var.cloudwatch_agent_namespace
+      "eks:user"      = var.cloudwatch_agent_name
+    }
+  )
+}
+
+## module "role_cloudwatch-agent" {
+##   source = "git@github.e.it.census.gov:terraform-modules/aws-iam-role.git?ref=tf-upgrade"
+## 
+##   role_description       = "EKS IAM Role for ${var.cluster_name} for service account ${var.cloudwatch_agent_namespace}:${var.cloudwatch_agent_name}"
+##   role_name = format("%v%v-irsa__%v", local._prefixes["eks"], var.cluster_name, var.cloudwatch_agent_name)
+##   enable_ldap_creation   = false
+##   assume_policy_document = data.aws_iam_policy_document.assume_role_cloudwatch-agent.json
+##   attached_policies      = [aws_iam_policy.policy_cloudwatch-agent.arn]
+## 
+##   tags = merge(
+##     local.base_tags,
+##     local.common_tags,
+##     var.tags,
+##     var.application_tags,
+##     {
+##       "eks:namespace" = var.namespace
+##       "eks:user"      = var.name
+##     }
+##   )
+## }
+
+
+locals {
+  cloudwatch_agent_images_output = { for k, v in module.images_cloudwatch-agent.images : v.name => v }
+}
+
+module "images_cloudwatch-agent" {
+  source = "git@github.e.it.census.gov:terraform-modules/aws-ecr-copy-images.git?ref=tf-upgrade"
+
+  profile          = var.profile
+  application_list = []
+  application_name = format("eks/%v", var.cluster_name)
+  image_config     = [for k, v in var.cloudwatch_agent_images : v if v.enabled]
+  tags = merge(
+    local.base_tags,
+    local.common_tags,
+    var.application_tags,
+  )
+}
diff --git a/examples/full-cluster-tf-upgrade/1.25/common-services/cloudwatch-agent/locals.tf b/examples/full-cluster-tf-upgrade/1.25/common-services/cloudwatch-agent/locals.tf
@@ -0,0 +1,17 @@
+locals {
+  base_tags = {
+    "eks-cluster-name"      = var.cluster_name
+    "boc:tf_module_version" = local._module_version
+    "boc:created_by"        = "terraform"
+  }
+}
+
+# replace TF remote state accordingly in parent_rs with that from the parent directory, and be sure to make the link
+locals {
+  vpc_id               = local.parent_rs.cluster_vpc_id
+  subnet_ids           = local.parent_rs.cluster_subnet_ids
+  cluster_worker_sg_id = local.parent_rs.cluster_worker_sg_id
+
+  oidc_provider_url = local.parent_rs.oidc_provider_url
+  oidc_provider_arn = local.parent_rs.oidc_provider_arn
+}
diff --git a/examples/full-cluster-tf-upgrade/1.25/common-services/cloudwatch-agent/tf-run.data b/examples/full-cluster-tf-upgrade/1.25/common-services/cloudwatch-agent/tf-run.data
@@ -0,0 +1,31 @@
+VERSION 1.4.2
+REMOTE-STATE
+COMMAND tf-directory-setup.py -l none -f
+COMMAND setup-new-directory.sh
+
+LINKTOP init
+LINKTOP includes.d/variables.account_tags.tf
+LINKTOP includes.d/variables.account_tags.auto.tfvars
+LINKTOP includes.d/variables.infrastructure_tags.tf
+LINKTOP includes.d/variables.infrastructure_tags.auto.tfvars
+LINKTOP includes.d/variables.application_tags.tf
+# LINKTOP includes.d/variables.application_tags.auto.tfvars
+LINK variables.application_tags.auto.tfvars
+LINKTOP provider_configs.d/provider.ldap_new.auto.tfvars
+LINKTOP provider_configs.d/provider.ldap_new.tf
+LINKTOP provider_configs.d/provider.ldap_new.variables.tf
+LINK settings.auto.tfvars
+LINK includes.d/parent_rs.tf
+LINK includes.d/data.eks-subdirectory.tf
+LINK includes.d/kubeconfig.eks-subdirectory.tf
+LINK variables.eks.tf
+LINK prefixes.tf
+LINK providers.tf
+LINK variables.addons.tf
+LINK versions.tf
+LINK version.tf
+LINK variables.vpc.tf
+LINK variables.vpc.auto.tfvars
+COMMAND tf-init 
+
+ALL
diff --git a/examples/full-cluster-tf-upgrade/1.25/common-services/cloudwatch-agent/tf-run.destroy.data b/examples/full-cluster-tf-upgrade/1.25/common-services/cloudwatch-agent/tf-run.destroy.data
@@ -0,0 +1,6 @@
+VERSION 1.0.1
+BACKUP-STATE
+COMMAND tf-init
+COMMAND tf-state list
+
+ALL
diff --git a/...r-tf-upgrade/1.25/common-services/cloudwatch-agent/variables.cloudwatch-agent.auto.tfvars b/...r-tf-upgrade/1.25/common-services/cloudwatch-agent/variables.cloudwatch-agent.auto.tfvars
@@ -0,0 +1,13 @@
+cloudwatch_agent_images = {
+  "cloudwatch-agent" = {
+    name            = "cloudwatch-agent"
+    image           = "public.ecr.aws/cloudwatch-agent/cloudwatch-agent"
+    dest_path       = null
+    source_registry = "public.ecr.aws"
+    source_image    = "cloudwatch-agent/cloudwatch-agent"
+    source_tag      = null
+    #    tag            = "latest"
+    tag     = "1.300026.2b172"
+    enabled = true
+  }
+}