From cb642af1e21584926955c4443602ade6a4396b2d Mon Sep 17 00:00:00 2001
From: Marcelo Grebois
Date: Wed, 24 Nov 2021 19:42:39 +0100
Subject: [PATCH] Adding new loki-stack storing the logs on an s3 bucket (#212)
---
 terraform-modules/aws/loki-stack/README.md | 40 +++++++
 terraform-modules/aws/loki-stack/main.tf | 105 ++++++++++++++++++
 terraform-modules/aws/loki-stack/values.yaml | 62 +++++++++++
 terraform-modules/aws/loki-stack/variables.tf | 17 +++
 4 files changed, 224 insertions(+)
 create mode 100644 terraform-modules/aws/loki-stack/README.md
 create mode 100644 terraform-modules/aws/loki-stack/main.tf
 create mode 100644 terraform-modules/aws/loki-stack/values.yaml
 create mode 100644 terraform-modules/aws/loki-stack/variables.tf
diff --git a/terraform-modules/aws/loki-stack/README.md b/terraform-modules/aws/loki-stack/README.md
new file mode 100644
index 000000000..d0d9640df
--- /dev/null
+++ b/terraform-modules/aws/loki-stack/README.md
@@ -0,0 +1,40 @@
+## Requirements
+
+No requirements.
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| [aws](#provider\_aws) | n/a |
+| [template](#provider\_template) | n/a |
+
+## Modules
+
+| Name | Source | Version |
+|------|--------|---------|
+| [iam\_assumable\_role\_admin](#module\_iam\_assumable\_role\_admin) | terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc | 3.6.0 |
+| [loki](#module\_loki) | github.com/ManagedKube/kubernetes-ops//terraform-modules/aws/helm/helm_generic | v1.0.30 |
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_iam_policy.loki-stack](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
+| [aws_kms_key.loki-stack](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key) | resource |
+| [aws_s3_bucket.loki-stack](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) | resource |
+| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
+| [aws_iam_policy_document.loki-stack](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [template_file.helm_values](https://registry.terraform.io/providers/hashicorp/template/latest/docs/data-sources/file) | data source |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| [aws\_region](#input\_aws\_region) | AWS region | `string` | `"us-east-1"` | no |
+| [cluster\_name](#input\_cluster\_name) | EKS cluster name | `string` | `"cluster"` | no |
+| [eks\_cluster\_oidc\_issuer\_url](#input\_eks\_cluster\_oidc\_issuer\_url) | EKS cluster oidc issuer url | `string` | `""` | no |
+
+## Outputs
+
+No outputs.
diff --git a/terraform-modules/aws/loki-stack/main.tf b/terraform-modules/aws/loki-stack/main.tf
new file mode 100644
index 000000000..3ea31e17d
--- /dev/null
+++ b/terraform-modules/aws/loki-stack/main.tf
@@ -0,0 +1,105 @@
+locals {
+ name = "loki-stack"
+}
+
+resource "aws_kms_key" "loki-stack" {
+ description = "${local.name}-${var.cluster_name}"
+ deletion_window_in_days = 10
+}
+
+resource "aws_s3_bucket" "loki-stack" {
+ bucket = "${local.name}-${var.cluster_name}"
+ acl = "private"
+
+ versioning {
+ enabled = true
+ }
+
+ server_side_encryption_configuration {
+ rule {
+ apply_server_side_encryption_by_default {
+ kms_master_key_id = aws_kms_key.loki-stack.arn
+ sse_algorithm = "aws:kms"
+ }
+ }
+ }
+
+ depends_on = [aws_kms_key.loki-stack]
+}
+
+module "iam_assumable_role_admin" {
+ source = "terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc"
+ version = "3.6.0"
+ create_role = true
+ role_name = "loki-stack-${var.cluster_name}"
+ provider_url = replace(var.eks_cluster_oidc_issuer_url, "https://", "")
+ role_policy_arns = [aws_iam_policy.loki-stack.arn]
+ oidc_fully_qualified_subjects = ["system:serviceaccount:monitoring:${local.name}"]
+}
+
+resource "aws_iam_policy" "loki-stack" {
+ name_prefix = "${local.name}-${var.cluster_name}"
+ description = "IAM policy for ${local.name}"
+ policy = data.aws_iam_policy_document.loki-stack.json
+}
+
+data "aws_iam_policy_document" "loki-stack" {
+ statement {
+ sid = replace(local.name, "-", "")
+ effect = "Allow"
+
+ # https://grafana.com/docs/loki/latest/operations/storage/
+ actions = [
+ "s3:ListBucket",
+ "s3:PutObject",
+ "s3:GetObject",
+ "dynamodb:ListTables",
+ "dynamodb:BatchGetItem",
+ "dynamodb:BatchWriteItem",
+ "dynamodb:DeleteItem",
+ "dynamodb:DescribeTable",
+ "dynamodb:GetItem",
+ "dynamodb:ListTagsOfResource",
+ "dynamodb:PutItem",
+ "dynamodb:Query",
+ "dynamodb:TagResource",
+ "dynamodb:UntagResource",
+ "dynamodb:UpdateItem",
+ "dynamodb:UpdateTable",
+ "dynamodb:CreateTable",
+ "dynamodb:DeleteTable"
+ ]
+
+ resources = ["*"]
+ }
+}
+
+data "aws_caller_identity" "current" {}
+
+#
+# Helm - ${local.name}
+#
+data "template_file" "helm_values" {
+ template = file("${path.module}/values.yaml")
+ vars = {
+ s3 = aws_s3_bucket.loki-stack.bucket
+ awsAccountID = data.aws_caller_identity.current.account_id
+ awsRegion = var.aws_region
+ clusterName = var.cluster_name
+ }
+}
+
+module "loki" {
+ source = "github.com/ManagedKube/kubernetes-ops//terraform-modules/aws/helm/helm_generic?ref=v1.0.30"
+
+ repository = "https://grafana.github.io/helm-charts"
+ official_chart_name = local.name
+ user_chart_name = local.name
+ helm_version = "2.5.0"
+ namespace = "monitoring"
+ helm_values = data.template_file.helm_values.rendered
+
+ depends_on = [
+ aws_s3_bucket.loki-stack, aws_iam_policy.loki-stack
+ ]
+}
diff --git a/terraform-modules/aws/loki-stack/values.yaml b/terraform-modules/aws/loki-stack/values.yaml
new file mode 100644
index 000000000..848dd8770
--- /dev/null
+++ b/terraform-modules/aws/loki-stack/values.yaml
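Review bot: The `data "aws_iam_policy_document" "loki-stack"` block grants every listed S3 and DynamoDB action on `resources = ["*"]`, so the Loki service-account role can read and write any bucket in the account and create or delete any DynamoDB table, far beyond the one bucket this module creates. The S3 actions should be limited to `aws_s3_bucket.loki-stack.arn` and `"${aws_s3_bucket.loki-stack.arn}/*"`, and the DynamoDB actions other than `dynamodb:ListTables` (which has no resource-level scoping) can be limited to the `index_*` tables that the `prefix: index_` setting in values.yaml makes Loki create. The bucket's default encryption is SSE-KMS with `aws_kms_key.loki-stack`, whose default key policy delegates to IAM, yet the role receives no `kms:GenerateDataKey`/`kms:Decrypt` on that key, so PutObject and GetObject through the bucket default encryption will presumably be denied unless the key policy grants it elsewhere. There is also no `aws_s3_bucket_public_access_block` for the bucket, so `acl = "private"` is the only thing standing between a later ACL or bucket-policy change and a publicly readable log bucket. Minor: `depends_on = [aws_kms_key.loki-stack]` in the bucket is redundant given the `kms_master_key_id` reference, and `data "template_file"` could be replaced by the built-in `templatefile()` to drop the deprecated template provider.
```hcl
data "aws_iam_policy_document" "loki-stack" {
  statement {
    sid    = "${replace(local.name, "-", "")}S3"
    effect = "Allow"
    actions = [
      "s3:ListBucket",
      "s3:PutObject",
      "s3:GetObject",
    ]
    resources = [
      aws_s3_bucket.loki-stack.arn,
      "${aws_s3_bucket.loki-stack.arn}/*",
    ]
  }

  statement {
    sid       = "${replace(local.name, "-", "")}KMS"
    effect    = "Allow"
    actions   = ["kms:GenerateDataKey", "kms:Decrypt"]
    resources = [aws_kms_key.loki-stack.arn]
  }

  statement {
    sid       = "${replace(local.name, "-", "")}DynamoDBList"
    effect    = "Allow"
    actions   = ["dynamodb:ListTables"]
    resources = ["*"]
  }

  statement {
    sid    = "${replace(local.name, "-", "")}DynamoDB"
    effect = "Allow"
    # … unchanged: the remaining dynamodb:* actions from the original list …
    resources = ["arn:aws:dynamodb:${var.aws_region}:${data.aws_caller_identity.current.account_id}:table/index_*"]
  }
}
```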
@@ -0,0 +1,62 @@
+---
+loki:
+ enabled: true
+
+ serviceAccount:
+ annotations:
+ eks.amazonaws.com/role-arn: "arn:aws:iam::${awsAccountID}:role/loki-stack-${clusterName}"
+
+ config:
+ schema_config:
+ configs:
+ - from: 2021-11-09
+ store: aws
+ object_store: s3
+ schema: v11
+ index:
+ prefix: index_
+ period: 24h
+ tags: {}
+
+ storage_config:
+ aws:
+ s3: ${s3}
+ region: ${awsRegion}
+ s3forcepathstyle: true
+ dynamodb:
+ dynamodb_url: dynamodb://${awsRegion}
+
+promtail:
+ enabled: true
+ image:
+ tag: 2.3.0
+ # https://grafana.com/docs/loki/latest/installation/helm/#run-promtail-with-systemd-journal-support
+ extraScrapeConfigs:
+ - job_name: journal
+ journal:
+ path: /var/log/journal
+ max_age: 12h
+ labels:
+ job: systemd-journal
+ relabel_configs:
+ - source_labels: ['__journal__systemd_unit']
+ target_label: 'unit'
+ - source_labels: ['__journal__hostname']
+ target_label: 'hostname'
+
+ # Mount journal directory into promtail pods
+ extraVolumes:
+ - name: journal
+ hostPath:
+ path: /var/log/journal
+
+ extraVolumeMounts:
+ - name: journal
+ mountPath: /var/log/journal
+ readOnly: true
+
+fluent-bit:
+ enabled: false
+
+grafana:
+ enabled: false
diff --git a/terraform-modules/aws/loki-stack/variables.tf b/terraform-modules/aws/loki-stack/variables.tf
new file mode 100644
index 000000000..f3f69ca2e
--- /dev/null
+++ b/terraform-modules/aws/loki-stack/variables.tf
@@ -0,0 +1,17 @@
+variable "aws_region" {
+ type = string
+ default = "us-east-1"
+ description = "AWS region"
+}
+
+variable "cluster_name" {
+ type = string
+ default = "cluster"
+ description = "EKS cluster name"
+}
+
+variable "eks_cluster_oidc_issuer_url" {
+ type = string
+ default = ""
+ description = "EKS cluster oidc issuer url"
+}
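Review bot: The `eks.amazonaws.com/role-arn` annotation under `serviceAccount` rebuilds the role ARN by hand as `arn:aws:iam::${awsAccountID}:role/loki-stack-${clusterName}`, duplicating the `role_name` that main.tf passes to `module "iam_assumable_role_admin"`; if either side is renamed the pod silently loses its AWS credentials and the only symptom is S3 access errors at runtime. Passing the module's role ARN output into the template instead (`lokiRoleArn = module.iam_assumable_role_admin.iam_role_arn` in the `vars` map of `data "template_file" "helm_values"`) and writing `eks.amazonaws.com/role-arn: "${lokiRoleArn}"` here keeps the two in step and also stops hard-coding the `aws` partition. A short comment above the annotation saying where the role is defined would help the next reader either way.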
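Review bot: `eks_cluster_oidc_issuer_url` defaults to `""`, so a caller that forgets to set it gets an empty `provider_url` in main.tf's `module "iam_assumable_role_admin"` (the `replace` strips `https://` from nothing) and presumably a trust policy for no OIDC provider, rather than an early, readable error. The variable has no sensible default, so drop the `default = ""` line to make Terraform require it, or keep it and add a `validation` block that rejects values not starting with `https://`. The `cluster_name` default `"cluster"` likewise feeds the globally unique S3 bucket name `loki-stack-cluster` and the role name in main.tf, which two deployments cannot both own, so making that variable required is the safer choice as well.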