feat(eks)!: add option to create IAM role for the metrics storage

This commit solves ISDEVOPS-279 and ISDEVOPS-283 for the EKS variants.
camptocamp · Apr 19, 2024 · 509017b · 509017b
1 parent dbb132c
commit 509017b
Show file tree

Hide file tree

Showing 4 changed files with 72 additions and 13 deletions.
diff --git a/aks/extra-variables.tf b/aks/extra-variables.tf
@@ -10,10 +10,10 @@ variable "metrics_storage" {
 
   validation {
     condition     = (var.metrics_storage.managed_identity_node_rg_name == null && var.metrics_storage.managed_identity_oidc_issuer_url == null) != (var.metrics_storage.storage_account_key == null)
-    error_message = "You can either set the variables for the managed identity or use storage account key, not both at the same time."
+    error_message = "You can either set the variables for the managed identity or use a storage account key, not both at the same time."
   }
 
-    validation {
+  validation {
     condition     = (var.metrics_storage.managed_identity_node_rg_name == null) == (var.metrics_storage.managed_identity_oidc_issuer_url == null)
     error_message = "When using the managed identity, both `managed_identity_node_rg_name` and `managed_identity_oidc_issuer_url` are required."
   }

diff --git a/eks/extra-variables.tf b/eks/extra-variables.tf
@@ -1,8 +1,18 @@
 variable "metrics_storage" {
-  description = "AWS S3 bucket configuration values for the bucket where the archived metrics will be stored."
+  description = <<-EOT
+    AWS S3 bucket configuration values for the bucket where the archived metrics will be stored.
+
+    An IAM role is required to give the Thanos components read and write access to the S3 bucket. You can create this role yourself or let the module create it for you. If you want the module to create the role, you need to provide the OIDC issuer's URL for the EKS cluster. If you create the role yourself, you need to provide the ARN of the IAM role you created.
+  EOT
   type = object({
-    bucket_id    = string
-    region       = string
-    iam_role_arn = string
+    bucket_id               = string
+    create_role             = bool
+    iam_role_arn            = optional(string, null)
+    cluster_oidc_issuer_url = optional(string, null)
   })
+
+  validation {
+    condition     = var.metrics_storage.create_role ? var.metrics_storage.cluster_oidc_issuer_url != null : var.metrics_storage.iam_role_arn != null
+    error_message = "If you want to create a role, you need to provide the OIDC issuer's URL for the EKS cluster. Otherwise, you need to provide the ARN of the IAM role you created."
+  }
 }
diff --git a/eks/locals.tf b/eks/locals.tf
@@ -1,13 +1,14 @@
 locals {
+  iam_role_arn = var.metrics_storage.create_role ? module.iam_assumable_role_thanos.iam_role_arn : var.metrics_storage.iam_role_arn
+
   helm_values = [{
     thanos = {
-
       objstoreConfig = {
         type = "S3"
         config = {
-          bucket             = "${var.metrics_storage.bucket_id}"
+          bucket             = "${data.aws_s3_bucket.thanos.id}"
           endpoint           = "s3.amazonaws.com" # Value explicitly specified by Thanos docs for Amazon S3 buckets
-          region             = "${var.metrics_storage.region}"
+          region             = "${data.aws_s3_bucket.thanos.region}"
           signature_version2 = false
           insecure           = false
         }
@@ -18,25 +19,24 @@ locals {
       bucketweb = {
         serviceAccount = {
           annotations = {
-            "eks.amazonaws.com/role-arn" = var.metrics_storage.iam_role_arn
+            "eks.amazonaws.com/role-arn" = local.iam_role_arn
           }
         }
       }
       compactor = {
         serviceAccount = {
           annotations = {
-            "eks.amazonaws.com/role-arn" = var.metrics_storage.iam_role_arn
+            "eks.amazonaws.com/role-arn" = local.iam_role_arn
           }
         }
       }
       storegateway = {
         serviceAccount = {
           annotations = {
-            "eks.amazonaws.com/role-arn" = var.metrics_storage.iam_role_arn
+            "eks.amazonaws.com/role-arn" = local.iam_role_arn
           }
         }
       }
-
     }
   }]
 }
diff --git a/eks/main.tf b/eks/main.tf
@@ -1,3 +1,52 @@
+data "aws_s3_bucket" "thanos" {
+  bucket = var.metrics_storage.bucket_id
+}
+
+data "aws_iam_policy_document" "thanos" {
+  count = var.metrics_storage.create_role ? 1 : 0
+
+  statement {
+    actions = [
+      "s3:ListBucket",
+      "s3:PutObject",
+      "s3:GetObject",
+      "s3:DeleteObject",
+    ]
+
+    resources = [
+      data.aws_s3_bucket.thanos.arn,
+      format("%s/*", data.aws_s3_bucket.thanos.arn),
+    ]
+
+    effect = "Allow"
+  }
+}
+
+resource "aws_iam_policy" "thanos" {
+  count = var.metrics_storage.create_role ? 1 : 0
+
+  name_prefix = "thanos-s3-"
+  description = "Thanos IAM policy for accessing the S3 bucket named ${data.aws_s3_bucket.thanos.id}"
+  policy      = data.aws_iam_policy_document.thanos[0].json
+}
+
+module "iam_assumable_role_thanos" {
+  source                     = "terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc"
+  version                    = "~> 5.0"
+  create_role                = var.metrics_storage.create_role
+  number_of_role_policy_arns = 1
+  role_name_prefix           = "thanos-s3-"
+  provider_url               = try(trimprefix(var.metrics_storage.cluster_oidc_issuer_url, "https://"), "")
+  role_policy_arns           = [try(resource.aws_iam_policy.thanos[0].arn, null)]
+
+  # List of ServiceAccounts that have permission to attach to this IAM role
+  oidc_fully_qualified_subjects = [
+    "system:serviceaccount:thanos:thanos-bucketweb",
+    "system:serviceaccount:thanos:thanos-storegateway",
+    "system:serviceaccount:thanos:thanos-compactor",
+  ]
+}
+
 module "thanos" {
   source = "../"