From 0c64f56455df5a269df5958828f7d777a937032e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Gon=C3=A7alo=20Heleno?=
Date: Tue, 16 Apr 2024 17:32:51 +0200
Subject: [PATCH] docs(eks): add info about IAM role for the S3 bucket

---
 README.adoc | 2 +-
 eks/README.adoc | 200 ++++++------------------------------------
 2 files changed, 25 insertions(+), 177 deletions(-)

diff --git a/README.adoc b/README.adoc
index a2aa1d96..1f8cc0a1 100644
--- a/README.adoc
+++ b/README.adoc
@@ -5,7 +5,7 @@
 A https://devops-stack.io[DevOps Stack] module to deploy and configure https://thanos.io[Thanos].
-The Thanos chart used by this module is shipped in this repository as well, in order to avoid any unwanted behaviors caused by unsupported versions. 
+The Thanos chart used by this module is shipped in this repository as well, in order to avoid any unwanted behaviors caused by unsupported versions.
 [cols="1,1,1",options="autowidth,header"]
 |===
diff --git a/eks/README.adoc b/eks/README.adoc
index 3d2182a0..69ca861a 100644
--- a/eks/README.adoc
+++ b/eks/README.adoc
@@ -17,9 +17,9 @@ module "thanos" {
 argocd_namespace = module.argocd_bootstrap.argocd_namespace
 metrics_storage = {
- bucket_id = aws_s3_bucket.thanos_metrics_storage.id
- region = aws_s3_bucket.thanos_metrics_storage.region
- iam_role_arn = module.iam_assumable_role_thanos.iam_role_arn
+ bucket_id = resource.aws_s3_bucket.thanos_metrics_storage.id
+ create_role = true
+ cluster_oidc_issuer_url = module.eks.cluster_oidc_issuer_url
 }
 thanos = {
 oidc = module.oidc.oidc
@@ -34,9 +34,14 @@ module "thanos" {
 }
 ----
-As you can see, a minimum requirement for this module is an S3 bucket with an IAM policy attached and an OIDC provider (more information below).
+As you can see, a minimum requirement for this module is an S3 bucket and an OIDC provider (more information below).
-IMPORTANT: You are in charge of creating a S3 bucket for Thanos to store the archived metrics. We've decided to keep the creation of this bucket outside of this module, mainly because the persistence of the data should not be related to the instantiation of the module itself.
+IMPORTANT
+====
+You are in charge of creating a S3 bucket for Thanos to store the archived metrics. We've decided to keep the creation of this bucket outside of this module, mainly because the persistence of the data should not be related to the instantiation of the module itself.
+
+However, the IAM role used to give permissions to the Thanos components to access the bucket can be created by the module itself. If you want to create the role, you can set the attribute `create_role` to `true` and the module will create the role for you. If you already have a role created, you can pass the ARN of the role to the module using the attribute `iam_role_arn`.
+====
 TIP: Check the xref:ROOT:ROOT:tutorials/deploy_eks.adoc[EKS deployment example] to see how to create the S3 bucket and to better understand the values passed on the example above.
@@ -55,9 +60,9 @@ module "thanos" {
 argocd_namespace = module.argocd_bootstrap.argocd_namespace
 metrics_storage = {
- bucket_id = aws_s3_bucket.thanos_metrics_storage.id
- region = aws_s3_bucket.thanos_metrics_storage.region
- iam_role_arn = module.iam_assumable_role_thanos.iam_role_arn
+ bucket_id = resource.aws_s3_bucket.thanos_metrics_storage.id
+ create_role = true
+ cluster_oidc_issuer_url = module.eks.cluster_oidc_issuer_url
 }
 thanos = {
@@ -128,9 +133,9 @@ module "thanos" {
 argocd_namespace = module.argocd_bootstrap.argocd_namespace
 metrics_storage = {
- bucket_id = aws_s3_bucket.thanos_metrics_storage.id
- region = aws_s3_bucket.thanos_metrics_storage.region
- iam_role_arn = module.iam_assumable_role_thanos.iam_role_arn
+ bucket_id = resource.aws_s3_bucket.thanos_metrics_storage.id
+ create_role = true
+ cluster_oidc_issuer_url = module.eks.cluster_oidc_issuer_url
 }
 thanos = {
@@ -169,6 +174,14 @@ module "thanos" {
 }
 ----
+=== S3 bucket and IAM role
+
+Thanos needs an S3 bucket to store the archived metrics. The bucket can be created and its ID should be passed to the module, along with the attribute `create_role` explicitly set. Set it to true if you want the module to create the required IAM role.
+
+However, if you want to create and manage this IAM role yourself, you can simply pass the ARN of the role to the module using the attribute `iam_role_arn` while setting the attribute `create_role` to `false`.
+
+TIP: The code https://github.com/camptocamp/devops-stack/blob/main/examples/eks/s3_thanos.tf.disabled[in this example] should help you create the IAM policy and role with the required permissions.
+
 === OIDC
 NOTE: This module was developed with OIDC in mind.
@@ -377,88 +390,6 @@ Type: `any`
 Default: `{}`
-==== [[input_resources]] <>
-
-Description: Resource limits and requests for Thanos' components. Follow the style on https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/[official documentation] to understand the format of the values.
-
-IMPORTANT: These are not production values. You should always adjust them to your needs.
-
-Type:
-[source,hcl]
-----
-object({
-
- query = optional(object({
- requests = optional(object({
- cpu = optional(string, "250m")
- memory = optional(string, "512Mi")
- }), {})
- limits = optional(object({
- cpu = optional(string)
- memory = optional(string, "512Mi")
- }), {})
- }), {})
-
- query_frontend = optional(object({
- requests = optional(object({
- cpu = optional(string, "250m")
- memory = optional(string, "256Mi")
- }), {})
- limits = optional(object({
- cpu = optional(string)
- memory = optional(string, "512Mi")
- }), {})
- }), {})
-
- bucketweb = optional(object({
- requests = optional(object({
- cpu = optional(string, "50m")
- memory = optional(string, "128Mi")
- }), {})
- limits = optional(object({
- cpu = optional(string)
- memory = optional(string, "128Mi")
- }), {})
- }), {})
-
- compactor = optional(object({
- requests = optional(object({
- cpu = optional(string, "250m")
- memory = optional(string, "256Mi")
- }), {})
- limits = optional(object({
- cpu = optional(string)
- memory = optional(string, "512Mi")
- }), {})
- }), {})
-
- storegateway = optional(object({
- requests = optional(object({
- cpu = optional(string, "250m")
- memory = optional(string, "512Mi")
- }), {})
- limits = optional(object({
- cpu = optional(string)
- memory = optional(string, "512Mi")
- }), {})
- }), {})
-
- redis = optional(object({
- requests = optional(object({
- cpu = optional(string, "200m")
- memory = optional(string, "256Mi")
- }), {})
- limits = optional(object({
- cpu = optional(string)
- memory = optional(string, "512Mi")
- }), {})
- }), {})
-
- })
-----
-
-Default: `{}`
-
 ==== [[input_enable_service_monitor]] <>
 Description: Boolean to enable the deployment of a service monitor for Prometheus. This also enables the deployment of default Prometheus rules and Grafana dashboards, which are embedded inside the chart templates and are taken from the official Thanos examples, available https://github.com/thanos-io/thanos/blob/main/examples/alerts/alerts.yaml[here].
@@ -620,89 +551,6 @@ object({
 |`{}`
 |no
-|[[input_resources]] <>
-|Resource limits and requests for Thanos' components. Follow the style on https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/[official documentation] to understand the format of the values.
-
-IMPORTANT: These are not production values. You should always adjust them to your needs.
-
-|
-
-[source]
-----
-object({
-
- query = optional(object({
- requests = optional(object({
- cpu = optional(string, "250m")
- memory = optional(string, "512Mi")
- }), {})
- limits = optional(object({
- cpu = optional(string)
- memory = optional(string, "512Mi")
- }), {})
- }), {})
-
- query_frontend = optional(object({
- requests = optional(object({
- cpu = optional(string, "250m")
- memory = optional(string, "256Mi")
- }), {})
- limits = optional(object({
- cpu = optional(string)
- memory = optional(string, "512Mi")
- }), {})
- }), {})
-
- bucketweb = optional(object({
- requests = optional(object({
- cpu = optional(string, "50m")
- memory = optional(string, "128Mi")
- }), {})
- limits = optional(object({
- cpu = optional(string)
- memory = optional(string, "128Mi")
- }), {})
- }), {})
-
- compactor = optional(object({
- requests = optional(object({
- cpu = optional(string, "250m")
- memory = optional(string, "256Mi")
- }), {})
- limits = optional(object({
- cpu = optional(string)
- memory = optional(string, "512Mi")
- }), {})
- }), {})
-
- storegateway = optional(object({
- requests = optional(object({
- cpu = optional(string, "250m")
- memory = optional(string, "512Mi")
- }), {})
- limits = optional(object({
- cpu = optional(string)
- memory = optional(string, "512Mi")
- }), {})
- }), {})
-
- redis = optional(object({
- requests = optional(object({
- cpu = optional(string, "200m")
- memory = optional(string, "256Mi")
- }), {})
- limits = optional(object({
- cpu = optional(string)
- memory = optional(string, "512Mi")
- }), {})
- }), {})
-
- })
-----
-
-|`{}`
-|no
-
 |[[input_enable_service_monitor]] <>
 |Boolean to enable the deployment of a service monitor for Prometheus. This also enables the deployment of default Prometheus rules and Grafana dashboards, which are embedded inside the chart templates and are taken from the official Thanos examples, available https://github.com/thanos-io/thanos/blob/main/examples/alerts/alerts.yaml[here].
 |`bool`