diff --git a/examples/extras/cloudwatch-agent/cloudwatch-agent.tf b/examples/extras/cloudwatch-agent/cloudwatch-agent.tf
new file mode 100644
index 0000000..ffc6001
--- /dev/null
+++ b/examples/extras/cloudwatch-agent/cloudwatch-agent.tf
@@ -0,0 +1,106 @@
+# https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/Container-Insights-prerequisites.html
+# https://registry.terraform.io/modules/bailey84j/cloudwatch-agent/kubernetes/latest
+# cannot let this create the role, as it tries to attache a policy that does not exist
+# we need this policy: arn:aws-us-gov:iam::aws:policy/CloudWatchAgentServerPolicy
+
+# need to hack the module for now
+# main.tf
+## container {
+## name = "${var.name}-agent"
+## # image = "amazon/${var.image_name}:${var.image_version}"
+## image = "${var.image_name}:${var.image_version}"
+#
+# want to replace this with var.image_repository
+#
+# also want to do the same for the role, to allow a different managed role(s) besides
+# the appsync one to be used
+
+module "cloudwatch-agent" {
+ source = "bailey84j/cloudwatch-agent/kubernetes"
+ version = "1.0.1"
+
+ eks_cluster_name = var.cluster_name
+ create_namespace = false
+ image_name = split(":", local.cloudwatch_agent_images_output["cloudwatch-agent"].dest_full_path)[0]
+ image_version = local.cloudwatch_agent_images_output["cloudwatch-agent"].tag
+ create_iam_role = false
+ iam_role_arn = module.role_cloudwatch-agent.iam_role_arn
+
+ tags = merge(
+ local.base_tags,
+ local.common_tags,
+ var.application_tags,
+ )
+}
+
+data "aws_iam_policy" "policy_cloudwatch-agent" {
+ name = "CloudWatchAgentServerPolicy"
+}
+
+module "role_cloudwatch-agent" {
+ source = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks"
+
+ role_description = "EKS IAM Role for ${var.cluster_name} for service account ${var.cloudwatch_agent_namespace}:${var.cloudwatch_agent_name}"
+ role_name = format("%v%v-irsa__%v", local._prefixes["eks"], var.cluster_name, var.cloudwatch_agent_name)
+
+ role_policy_arns = {
+ policy = data.aws_iam_policy.policy_cloudwatch-agent.arn
+ }
+
+ oidc_providers = {
+ main = {
+ provider_arn = local.oidc_provider_arn
+ namespace_service_accounts = [format("%v:%v", var.cloudwatch_agent_namespace, 
var.cloudwatch_agent_name)]
+ }
+ }
+
+ tags = merge(
+ local.base_tags,
+ local.common_tags,
+ var.application_tags,
+ {
+ "eks:namespace" = var.cloudwatch_agent_namespace
+ "eks:user" = var.cloudwatch_agent_name
+ }
+ )
+}
+
+## module "role_cloudwatch-agent" {
+## source = "git@github.e.it.census.gov:terraform-modules/aws-iam-role.git?ref=tf-upgrade"
+##
+## role_description = "EKS IAM Role for ${var.cluster_name} for service account ${var.cloudwatch_agent_namespace}:${var.cloudwatch_agent_name}"
+## role_name = format("%v%v-irsa__%v", local._prefixes["eks"], var.cluster_name, var.cloudwatch_agent_name)
+## enable_ldap_creation = false
+## assume_policy_document = data.aws_iam_policy_document.assume_role_cloudwatch-agent.json
+## attached_policies = [aws_iam_policy.policy_cloudwatch-agent.arn]
+##
+## tags = merge(
+## local.base_tags,
+## local.common_tags,
+## var.tags,
+## var.application_tags,
+## {
+## "eks:namespace" = var.namespace
+## "eks:user" = var.name
+## }
+## )
+## }
+
+
+locals {
+ cloudwatch_agent_images_output = { for k, v in module.images_cloudwatch-agent.images : v.name => v }
+}
+
+module "images_cloudwatch-agent" {
+ source = "git@github.e.it.census.gov:terraform-modules/aws-ecr-copy-images.git?ref=tf-upgrade"
+
+ profile = var.profile
+ application_list = []
+ application_name = format("eks/%v", var.cluster_name)
+ image_config = [for k, v in var.cloudwatch_agent_images : v if v.enabled]
+ tags = merge(
+ local.base_tags,
+ local.common_tags,
+ var.application_tags,
+ )
+}
diff --git a/examples/extras/cloudwatch-agent/locals.tf b/examples/extras/cloudwatch-agent/locals.tf
new file mode 100644
index 0000000..4b9ae5a
--- /dev/null
+++ b/examples/extras/cloudwatch-agent/locals.tf
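Review bot: `module "role_cloudwatch-agent"` pulls `terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks` from the public registry with no `version` argument, so each `terraform init` resolves whatever release is latest, whereas the `cloudwatch-agent` module above it is pinned to `1.0.1`; the IAM trust policy and attached-policy wiring for this IRSA role should not float with upstream. Add a pin you have validated, e.g. `version = "~> 5.0"`, and note the two `?ref=tf-upgrade` git sources track a branch rather than a tag or commit for the same reason. Separately, `data "aws_iam_policy" "policy_cloudwatch-agent"` selects the policy by `name` only, while the header comment states the intent is the AWS-managed `arn:aws-us-gov:iam::aws:policy/CloudWatchAgentServerPolicy`; a name-only lookup may also match a customer-managed policy of the same name, so with a `data "aws_partition" "current" {}` declared, `arn = "arn:${data.aws_partition.current.partition}:iam::aws:policy/CloudWatchAgentServerPolicy"` pins the intended one without hard-coding the partition.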
@@ -0,0 +1,17 @@
+locals {
+ base_tags = {
+ "eks-cluster-name" = var.cluster_name
+ "boc:tf_module_version" = local._module_version
+ "boc:created_by" = "terraform"
+ }
+}
+
+# replace TF remote state accordingly in parent_rs with that from the parent directory, and be sure to make the link
+locals {
+ vpc_id = local.parent_rs.cluster_vpc_id
+ subnet_ids = local.parent_rs.cluster_subnet_ids
+ cluster_worker_sg_id = local.parent_rs.cluster_worker_sg_id
+
+ oidc_provider_url = local.parent_rs.oidc_provider_url
+ oidc_provider_arn = local.parent_rs.oidc_provider_arn
+}
diff --git a/examples/extras/cloudwatch-agent/tf-run.data b/examples/extras/cloudwatch-agent/tf-run.data
new file mode 100644
index 0000000..0db70b8
--- /dev/null
+++ b/examples/extras/cloudwatch-agent/tf-run.data
@@ -0,0 +1,31 @@
+VERSION 1.4.2
+REMOTE-STATE
+COMMAND tf-directory-setup.py -l none -f
+COMMAND setup-new-directory.sh
+
+LINKTOP init
+LINKTOP includes.d/variables.account_tags.tf
+LINKTOP includes.d/variables.account_tags.auto.tfvars
+LINKTOP includes.d/variables.infrastructure_tags.tf
+LINKTOP includes.d/variables.infrastructure_tags.auto.tfvars
+LINKTOP includes.d/variables.application_tags.tf
+# LINKTOP includes.d/variables.application_tags.auto.tfvars
+LINK variables.application_tags.auto.tfvars
+LINKTOP provider_configs.d/provider.ldap_new.auto.tfvars
+LINKTOP provider_configs.d/provider.ldap_new.tf
+LINKTOP provider_configs.d/provider.ldap_new.variables.tf
+LINK settings.auto.tfvars
+LINK includes.d/parent_rs.tf
+LINK includes.d/data.eks-subdirectory.tf
+LINK includes.d/kubeconfig.eks-subdirectory.tf
+LINK variables.eks.tf
+LINK prefixes.tf
+LINK providers.tf
+LINK variables.addons.tf
+LINK versions.tf
+LINK version.tf
+LINK variables.vpc.tf
+LINK variables.vpc.auto.tfvars
+COMMAND tf-init
+
+ALL
diff --git a/examples/extras/cloudwatch-agent/tf-run.destroy.data b/examples/extras/cloudwatch-agent/tf-run.destroy.data
new file mode 100644
index 0000000..7a82c9f
--- /dev/null
+++ b/examples/extras/cloudwatch-agent/tf-run.destroy.data
@@ -0,0 +1,6 @@
+VERSION 1.0.1
+BACKUP-STATE
+COMMAND tf-init
+COMMAND tf-state list
+
+ALL
diff --git a/examples/extras/cloudwatch-agent/variables.cloudwatch-agent.auto.tfvars b/examples/extras/cloudwatch-agent/variables.cloudwatch-agent.auto.tfvars
new file mode 100644
index 0000000..1d9ae8f
--- /dev/null
+++ b/examples/extras/cloudwatch-agent/variables.cloudwatch-agent.auto.tfvars
@@ -0,0 +1,13 @@
+cloudwatch_agent_images = {
+ "cloudwatch-agent" = {
+ name = "cloudwatch-agent"
+ image = "public.ecr.aws/cloudwatch-agent/cloudwatch-agent"
+ dest_path = null
+ source_registry = "public.ecr.aws"
+ source_image = "cloudwatch-agent/cloudwatch-agent"
+ source_tag = null
+ # tag = "latest"
+ tag = "1.300026.2b172"
+ enabled = true
+ }
+}
diff --git a/examples/extras/cloudwatch-agent/variables.cloudwatch-agent.tf b/examples/extras/cloudwatch-agent/variables.cloudwatch-agent.tf
new file mode 100644
index 0000000..0129808
--- /dev/null
+++ b/examples/extras/cloudwatch-agent/variables.cloudwatch-agent.tf
@@ -0,0 +1,25 @@
+variable "cloudwatch_agent_namespace" {
+ description = "Cloudwatch agent namespace"
+ type = string
+ default = "kube-system"
+}
+
+variable "cloudwatch_agent_name" {
+ description = "Cloudwatch Agent name"
+ type = string
+ default = "cloudwatch"
+}
+
+variable "cloudwatch_agent_images" {
+ description = "Cloudwatch List of image configuration objects to copy from SOURCE to DESTINATION"
+ type = map(object({
+ name = string,
+ tag = string,
+ dest_path = string,
+ source_registry = string,
+ source_image = string,
+ source_tag = string,
+ enabled = bool,
+ }))
+ default = {}
+}
diff --git a/examples/full-cluster-tf-upgrade/1.25/common-services/cloudwatch-agent/cloudwatch-agent.tf b/examples/full-cluster-tf-upgrade/1.25/common-services/cloudwatch-agent/cloudwatch-agent.tf
new file mode 100644
index 0000000..ffc6001
--- /dev/null
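Review bot: In `variables.cloudwatch-agent.auto.tfvars` the agent image is selected by the mutable tag `tag = "1.300026.2b172"` (`latest` is only commented out), and the `cloudwatch_agent_images` object type declared in `variables.cloudwatch-agent.tf` has no digest attribute, so the copy into ECR cannot be pinned to image content even though this container runs in `kube-system` under an IRSA role. Consider adding a `digest = string` attribute to the object type and the tfvars entry, or at least a comment above `tag` stating that the destination repository is expected to enforce tag immutability. Also, the `image = "public.ecr.aws/cloudwatch-agent/cloudwatch-agent"` attribute set here is not declared in that variable's `object({...})` type; depending on Terraform's object conversion rules it is either silently dropped or rejected, so either add `image = string` to the type or remove the attribute. `source_tag = null` alongside a set `tag` is presumably a convention of the internal copy module (`tag` used for both source and destination when `source_tag` is null); a one-line comment saying so would help the next reader.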
+++ b/examples/full-cluster-tf-upgrade/1.25/common-services/cloudwatch-agent/cloudwatch-agent.tf 
@@ -0,0 +1,106 @@
+# https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/Container-Insights-prerequisites.html
+# https://registry.terraform.io/modules/bailey84j/cloudwatch-agent/kubernetes/latest
+# cannot let this create the role, as it tries to attache a policy that does not exist
+# we need this policy: arn:aws-us-gov:iam::aws:policy/CloudWatchAgentServerPolicy
+
+# need to hack the module for now
+# main.tf
+## container {
+## name = "${var.name}-agent"
+## # image = "amazon/${var.image_name}:${var.image_version}"
+## image = "${var.image_name}:${var.image_version}"
+#
+# want to replace this with var.image_repository
+#
+# also want to do the same for the role, to allow a different managed role(s) besides
+# the appsync one to be used
+
+module "cloudwatch-agent" {
+ source = "bailey84j/cloudwatch-agent/kubernetes"
+ version = "1.0.1"
+
+ eks_cluster_name = var.cluster_name
+ create_namespace = false
+ image_name = split(":", local.cloudwatch_agent_images_output["cloudwatch-agent"].dest_full_path)[0]
+ image_version = local.cloudwatch_agent_images_output["cloudwatch-agent"].tag
+ create_iam_role = false
+ iam_role_arn = module.role_cloudwatch-agent.iam_role_arn
+
+ tags = merge(
+ local.base_tags,
+ local.common_tags,
+ var.application_tags,
+ )
+}
+
+data "aws_iam_policy" "policy_cloudwatch-agent" {
+ name = "CloudWatchAgentServerPolicy"
+}
+
+module "role_cloudwatch-agent" {
+ source = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks"
+
+ role_description = "EKS IAM Role for ${var.cluster_name} for service account ${var.cloudwatch_agent_namespace}:${var.cloudwatch_agent_name}"
+ role_name = format("%v%v-irsa__%v", local._prefixes["eks"], var.cluster_name, var.cloudwatch_agent_name)
+
+ role_policy_arns = {
+ policy = data.aws_iam_policy.policy_cloudwatch-agent.arn
+ }
+
+ oidc_providers = {
+ main = {
+ provider_arn = local.oidc_provider_arn
+ namespace_service_accounts = [format("%v:%v", var.cloudwatch_agent_namespace, 
var.cloudwatch_agent_name)]
+ }
+ }
+
+ tags = merge(
+ local.base_tags,
+ local.common_tags,
+ var.application_tags,
+ {
+ "eks:namespace" = var.cloudwatch_agent_namespace
+ "eks:user" = var.cloudwatch_agent_name
+ }
+ )
+}
+
+## module "role_cloudwatch-agent" {
+## source = "git@github.e.it.census.gov:terraform-modules/aws-iam-role.git?ref=tf-upgrade"
+##
+## role_description = "EKS IAM Role for ${var.cluster_name} for service account ${var.cloudwatch_agent_namespace}:${var.cloudwatch_agent_name}"
+## role_name = format("%v%v-irsa__%v", local._prefixes["eks"], var.cluster_name, var.cloudwatch_agent_name)
+## enable_ldap_creation = false
+## assume_policy_document = data.aws_iam_policy_document.assume_role_cloudwatch-agent.json
+## attached_policies = [aws_iam_policy.policy_cloudwatch-agent.arn]
+##
+## tags = merge(
+## local.base_tags,
+## local.common_tags,
+## var.tags,
+## var.application_tags,
+## {
+## "eks:namespace" = var.namespace
+## "eks:user" = var.name
+## }
+## )
+## }
+
+
+locals {
+ cloudwatch_agent_images_output = { for k, v in module.images_cloudwatch-agent.images : v.name => v }
+}
+
+module "images_cloudwatch-agent" {
+ source = "git@github.e.it.census.gov:terraform-modules/aws-ecr-copy-images.git?ref=tf-upgrade"
+
+ profile = var.profile
+ application_list = []
+ application_name = format("eks/%v", var.cluster_name)
+ image_config = [for k, v in var.cloudwatch_agent_images : v if v.enabled]
+ tags = merge(
+ local.base_tags,
+ local.common_tags,
+ var.application_tags,
+ )
+}
diff --git a/examples/full-cluster-tf-upgrade/1.25/common-services/cloudwatch-agent/locals.tf b/examples/full-cluster-tf-upgrade/1.25/common-services/cloudwatch-agent/locals.tf
new file mode 100644
index 0000000..4b9ae5a
--- /dev/null
+++ b/examples/full-cluster-tf-upgrade/1.25/common-services/cloudwatch-agent/locals.tf
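Review bot: This file is a byte-identical copy (same blob `ffc6001`) of `examples/extras/cloudwatch-agent/cloudwatch-agent.tf` added earlier in the same commit, so the unpinned `terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks` source (no `version` argument) and the name-only `data "aws_iam_policy"` lookup are now maintained in two places that will drift independently. Consider keeping a single copy and referencing it from here, for example via a local module path or the same `LINK` mechanism `tf-run.data` already uses for shared files; if both copies must stay, add `version = "…"` on `module "role_cloudwatch-agent"` in both in the same change so the example directories agree.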
@@ -0,0 +1,17 @@
+locals {
+ base_tags = {
+ "eks-cluster-name" = var.cluster_name
+ "boc:tf_module_version" = local._module_version
+ "boc:created_by" = "terraform"
+ }
+}
+
+# replace TF remote state accordingly in parent_rs with that from the parent directory, and be sure to make the link
+locals {
+ vpc_id = local.parent_rs.cluster_vpc_id
+ subnet_ids = local.parent_rs.cluster_subnet_ids
+ cluster_worker_sg_id = local.parent_rs.cluster_worker_sg_id
+
+ oidc_provider_url = local.parent_rs.oidc_provider_url
+ oidc_provider_arn = local.parent_rs.oidc_provider_arn
+}
diff --git a/examples/full-cluster-tf-upgrade/1.25/common-services/cloudwatch-agent/tf-run.data b/examples/full-cluster-tf-upgrade/1.25/common-services/cloudwatch-agent/tf-run.data
new file mode 100644
index 0000000..0db70b8
--- /dev/null
+++ b/examples/full-cluster-tf-upgrade/1.25/common-services/cloudwatch-agent/tf-run.data
@@ -0,0 +1,31 @@
+VERSION 1.4.2
+REMOTE-STATE
+COMMAND tf-directory-setup.py -l none -f
+COMMAND setup-new-directory.sh
+
+LINKTOP init
+LINKTOP includes.d/variables.account_tags.tf
+LINKTOP includes.d/variables.account_tags.auto.tfvars
+LINKTOP includes.d/variables.infrastructure_tags.tf
+LINKTOP includes.d/variables.infrastructure_tags.auto.tfvars
+LINKTOP includes.d/variables.application_tags.tf
+# LINKTOP includes.d/variables.application_tags.auto.tfvars
+LINK variables.application_tags.auto.tfvars
+LINKTOP provider_configs.d/provider.ldap_new.auto.tfvars
+LINKTOP provider_configs.d/provider.ldap_new.tf
+LINKTOP provider_configs.d/provider.ldap_new.variables.tf
+LINK settings.auto.tfvars
+LINK includes.d/parent_rs.tf
+LINK includes.d/data.eks-subdirectory.tf
+LINK includes.d/kubeconfig.eks-subdirectory.tf
+LINK variables.eks.tf
+LINK prefixes.tf
+LINK providers.tf
+LINK variables.addons.tf
+LINK versions.tf
+LINK version.tf
+LINK variables.vpc.tf
+LINK variables.vpc.auto.tfvars
+COMMAND tf-init
+
+ALL
diff --git a/examples/full-cluster-tf-upgrade/1.25/common-services/cloudwatch-agent/tf-run.destroy.data b/examples/full-cluster-tf-upgrade/1.25/common-services/cloudwatch-agent/tf-run.destroy.data
new file mode 100644
index 0000000..7a82c9f
--- /dev/null
+++ b/examples/full-cluster-tf-upgrade/1.25/common-services/cloudwatch-agent/tf-run.destroy.data
@@ -0,0 +1,6 @@
+VERSION 1.0.1
+BACKUP-STATE
+COMMAND tf-init
+COMMAND tf-state list
+
+ALL
diff --git a/examples/full-cluster-tf-upgrade/1.25/common-services/cloudwatch-agent/variables.cloudwatch-agent.auto.tfvars b/examples/full-cluster-tf-upgrade/1.25/common-services/cloudwatch-agent/variables.cloudwatch-agent.auto.tfvars
new file mode 100644
index 0000000..1d9ae8f
--- /dev/null
+++ b/examples/full-cluster-tf-upgrade/1.25/common-services/cloudwatch-agent/variables.cloudwatch-agent.auto.tfvars
@@ -0,0 +1,13 @@
+cloudwatch_agent_images = {
+ "cloudwatch-agent" = {
+ name = "cloudwatch-agent"
+ image = "public.ecr.aws/cloudwatch-agent/cloudwatch-agent"
+ dest_path = null
+ source_registry = "public.ecr.aws"
+ source_image = "cloudwatch-agent/cloudwatch-agent"
+ source_tag = null
+ # tag = "latest"
+ tag = "1.300026.2b172"
+ enabled = true
+ }
+}
diff --git a/examples/full-cluster-tf-upgrade/1.25/common-services/cloudwatch-agent/variables.cloudwatch-agent.tf b/examples/full-cluster-tf-upgrade/1.25/common-services/cloudwatch-agent/variables.cloudwatch-agent.tf
new file mode 100644
index 0000000..0129808
--- /dev/null
+++ b/examples/full-cluster-tf-upgrade/1.25/common-services/cloudwatch-agent/variables.cloudwatch-agent.tf
@@ -0,0 +1,25 @@
+variable "cloudwatch_agent_namespace" {
+ description = "Cloudwatch agent namespace"
+ type = string
+ default = "kube-system"
+}
+
+variable "cloudwatch_agent_name" {
+ description = "Cloudwatch Agent name"
+ type = string
+ default = "cloudwatch"
+}
+
+variable "cloudwatch_agent_images" {
+ description = "Cloudwatch List of image configuration objects to copy from SOURCE to DESTINATION"
+ type = map(object({
+ name = string,
+ tag = string,
+ dest_path = string,
+ source_registry = string,
+ source_image = string,
+ source_tag = string,
+ enabled = bool,
+ }))
+ default = {}
+}