feat(eks)!: add option to create IAM role for the metrics storage

This commit solves ISDEVOPS-279 and ISDEVOPS-283 for the EKS variants.
camptocamp · Apr 23, 2024 · f678c15 · f678c15
1 parent 1b6dce5
commit f678c15
Show file tree

Hide file tree

Showing 3 changed files with 72 additions and 6 deletions.
diff --git a/eks/extra-variables.tf b/eks/extra-variables.tf
@@ -1,9 +1,18 @@
 variable "metrics_storage" {
   description = "AWS S3 bucket configuration values for the bucket where the archived metrics will be stored."
   type = object({
-    bucket_id    = string
-    region       = string
-    iam_role_arn = string
+    bucket_id               = string
+    create_role             = bool
+    iam_role_arn            = optional(string, null)
+    cluster_oidc_issuer_url = optional(string, null)
   })
+
   default = null
+
+  validation {
+    # We use the try() function to avoid errors here when we deactivate the metrics storage by setting the 
+    # `metrics_storage` variable to `null`.
+    condition     = try(var.metrics_storage.create_role ? var.metrics_storage.cluster_oidc_issuer_url != null : var.metrics_storage.iam_role_arn != null, true)
+    error_message = "If you want to create a role, you need to provide the OIDC issuer's URL for the EKS cluster. Otherwise, you need to provide the ARN of the IAM role you created."
+  }
 }
diff --git a/eks/locals.tf b/eks/locals.tf
@@ -1,10 +1,14 @@
 locals {
+  # We use the try() function to avoid errors here when we deactivate the metrics storage by setting the 
+  # `metrics_storage` variable to `null`.
+  iam_role_arn = try(var.metrics_storage.create_role ? module.iam_assumable_role_kube_prometheus_stack.iam_role_arn : var.metrics_storage.iam_role_arn, null)
+
   metrics_storage = var.metrics_storage != null ? {
     storage_config = {
       type = "s3"
       config = {
-        bucket   = "${var.metrics_storage.bucket_id}"
-        endpoint = "s3.${var.metrics_storage.region}.amazonaws.com"
+        bucket   = "${data.aws_s3_bucket.kube_prometheus_stack[0].id}"
+        endpoint = "s3.${data.aws_s3_bucket.kube_prometheus_stack[0].region}.amazonaws.com"
       }
     }
   } : null
@@ -14,7 +18,7 @@ locals {
       prometheus = {
         serviceAccount = {
           annotations = {
-            "eks.amazonaws.com/role-arn" = var.metrics_storage.iam_role_arn
+            "eks.amazonaws.com/role-arn" = local.iam_role_arn
           }
         }
       }

diff --git a/eks/main.tf b/eks/main.tf
@@ -1,3 +1,56 @@
+data "aws_s3_bucket" "kube_prometheus_stack" {
+  count = var.metrics_storage != null ? 1 : 0
+
+  bucket = var.metrics_storage.bucket_id
+}
+
+data "aws_iam_policy_document" "kube_prometheus_stack" {
+  count = var.metrics_storage != null ? (var.metrics_storage.create_role ? 1 : 0) : 0
+
+  statement {
+    actions = [
+      "s3:ListBucket",
+      "s3:GetBucketLocation",
+      "s3:PutObject",
+      "s3:GetObject",
+      "s3:DeleteObject",
+    ]
+
+    resources = [
+      data.aws_s3_bucket.kube_prometheus_stack[0].arn,
+      format("%s/*", data.aws_s3_bucket.kube_prometheus_stack[0].arn),
+    ]
+
+    effect = "Allow"
+  }
+}
+
+resource "aws_iam_policy" "kube_prometheus_stack" {
+  count = var.metrics_storage != null ? (var.metrics_storage.create_role ? 1 : 0) : 0
+
+  name        = "kube-prometheus-stack-s3"
+  description = "IAM policy for the kube-prometheus-stack to access the S3 bucket named ${data.aws_s3_bucket.kube_prometheus_stack[0].id}"
+  policy      = data.aws_iam_policy_document.kube_prometheus_stack[0].json
+}
+
+module "iam_assumable_role_kube_prometheus_stack" {
+  source                     = "terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc"
+  version                    = "~> 5.0"
+  create_role                = var.metrics_storage != null ? var.metrics_storage.create_role : false
+  number_of_role_policy_arns = 1
+  role_name_prefix           = "kube-prometheus-stack-s3-"
+
+  # We use the try() function to avoid errors here when we deactivate the metrics storage by setting the 
+  # `metrics_storage` variable to `null`.
+  provider_url     = try(trimprefix(var.metrics_storage.cluster_oidc_issuer_url, "https://"), "")
+  role_policy_arns = [try(resource.aws_iam_policy.kube_prometheus_stack[0].arn, null)]
+
+  # List of ServiceAccounts that have permission to attach to this IAM role
+  oidc_fully_qualified_subjects = [
+    "system:serviceaccount:kube-prometheus-stack:kube-prometheus-stack-prometheus"
+  ]
+}
+
 module "kube-prometheus-stack" {
   source = "../"