
feat(eks)!: add option to create IAM role for the metrics storage
This commit solves ISDEVOPS-279 and ISDEVOPS-283 for the EKS variants.
lentidas committed Apr 23, 2024
1 parent dbb132c commit 90f9f54
Showing 4 changed files with 72 additions and 13 deletions.
4 changes: 2 additions & 2 deletions aks/extra-variables.tf
Expand Up @@ -10,10 +10,10 @@ variable "metrics_storage" {

validation {
condition = (var.metrics_storage.managed_identity_node_rg_name == null && var.metrics_storage.managed_identity_oidc_issuer_url == null) != (var.metrics_storage.storage_account_key == null)
error_message = "You can either set the variables for the managed identity or use storage account key, not both at the same time."
error_message = "You can either set the variables for the managed identity or use a storage account key, not both at the same time."
}

validation {
validation {
condition = (var.metrics_storage.managed_identity_node_rg_name == null) == (var.metrics_storage.managed_identity_oidc_issuer_url == null)
error_message = "When using the managed identity, both `managed_identity_node_rg_name` and `managed_identity_oidc_issuer_url` are required."
}
18 changes: 14 additions & 4 deletions eks/extra-variables.tf
@@ -1,8 +1,18 @@
variable "metrics_storage" {
description = "AWS S3 bucket configuration values for the bucket where the archived metrics will be stored."
description = <<-EOT
AWS S3 bucket configuration values for the bucket where the archived metrics will be stored.
An IAM role is required to give the Thanos components read and write access to the S3 bucket. You can create this role yourself or let the module create it for you. If you want the module to create the role, you need to provide the OIDC issuer's URL for the EKS cluster. If you create the role yourself, you need to provide the ARN of the IAM role you created.
EOT
type = object({
bucket_id = string
region = string
iam_role_arn = string
bucket_id = string
create_role = bool
iam_role_arn = optional(string, null)
cluster_oidc_issuer_url = optional(string, null)
})

validation {
condition = var.metrics_storage.create_role ? var.metrics_storage.cluster_oidc_issuer_url != null : var.metrics_storage.iam_role_arn != null
error_message = "If you want to create a role, you need to provide the OIDC issuer's URL for the EKS cluster. Otherwise, you need to provide the ARN of the IAM role you created."
}
}
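Review bot: The validation at the end of the hunk only checks that the input required by the chosen mode is present, so `create_role = true` combined with a non-null `iam_role_arn` passes validation and the supplied ARN is silently discarded (eks/locals.tf in this same commit takes the module output whenever `create_role` is true). A second validation block making the two mutually exclusive, e.g. `condition = !(var.metrics_storage.create_role && var.metrics_storage.iam_role_arn != null)` with `error_message = "iam_role_arn is ignored when create_role is true; provide one or the other, not both."`, would surface the mistake at plan time and mirror the either/or check the AKS variant already has. The description heredoc could also state explicitly that `iam_role_arn` is ignored when `create_role` is true, since a reader of the variable alone cannot tell.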
14 changes: 7 additions & 7 deletions eks/locals.tf
@@ -1,13 +1,14 @@
locals {
iam_role_arn = var.metrics_storage.create_role ? module.iam_assumable_role_thanos.iam_role_arn : var.metrics_storage.iam_role_arn

helm_values = [{
thanos = {

objstoreConfig = {
type = "S3"
config = {
bucket = "${var.metrics_storage.bucket_id}"
bucket = "${data.aws_s3_bucket.thanos.id}"
endpoint = "s3.amazonaws.com" # Value explicitly specified by Thanos docs for Amazon S3 buckets
region = "${var.metrics_storage.region}"
region = "${data.aws_s3_bucket.thanos.region}"
signature_version2 = false
insecure = false
}
Expand All @@ -18,25 +19,24 @@ locals {
bucketweb = {
serviceAccount = {
annotations = {
"eks.amazonaws.com/role-arn" = var.metrics_storage.iam_role_arn
"eks.amazonaws.com/role-arn" = local.iam_role_arn
}
}
}
compactor = {
serviceAccount = {
annotations = {
"eks.amazonaws.com/role-arn" = var.metrics_storage.iam_role_arn
"eks.amazonaws.com/role-arn" = local.iam_role_arn
}
}
}
storegateway = {
serviceAccount = {
annotations = {
"eks.amazonaws.com/role-arn" = var.metrics_storage.iam_role_arn
"eks.amazonaws.com/role-arn" = local.iam_role_arn
}
}
}

}
}]
}
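Review bot: `bucket = "${data.aws_s3_bucket.thanos.id}"` and `region = "${data.aws_s3_bucket.thanos.region}"` in the first hunk wrap a single reference in an interpolation-only string, which Terraform 0.12+ reports as deprecated in `terraform validate`; since these lines are rewritten anyway, `bucket = data.aws_s3_bucket.thanos.id` and `region = data.aws_s3_bucket.thanos.region` are the idiomatic form and evaluate to the same string. The removed lines had the same shape, so this is style only, not a behaviour change. The `locals` block continues into the second hunk, where the three role-arn annotations are a straight swap to `local.iam_role_arn` and need nothing further.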
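--- a/eks/main.tf
+++ b/eks/main.tf
@@ -1,3 +1,52 @@
+data "aws_s3_bucket" "thanos" {
+bucket = var.metrics_storage.bucket_id
+}
+
+data "aws_iam_policy_document" "thanos" {
+count = var.metrics_storage.create_role ? 1 : 0
+
+statement {
+actions = [
+"s3:ListBucket",
+"s3:PutObject",
+"s3:GetObject",
+"s3:DeleteObject",
+]
+
+resources = [
+data.aws_s3_bucket.thanos.arn,
+format("%s/*", data.aws_s3_bucket.thanos.arn),
+]
+
+effect = "Allow"
+}
+}
+
+resource "aws_iam_policy" "thanos" {
+count = var.metrics_storage.create_role ? 1 : 0
+
+name_prefix = "thanos-s3-"
+description = "Thanos IAM policy for accessing the S3 bucket named ${data.aws_s3_bucket.thanos.id}"
+policy = data.aws_iam_policy_document.thanos[0].json
+}
+
+module "iam_assumable_role_thanos" {
+source = "terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc"
+version = "~> 5.0"
+create_role = var.metrics_storage.create_role
+number_of_role_policy_arns = 1
+role_name_prefix = "thanos-s3-"
+provider_url = try(trimprefix(var.metrics_storage.cluster_oidc_issuer_url, "https://"), "")
+role_policy_arns = [try(resource.aws_iam_policy.thanos[0].arn, null)]
+
+# List of ServiceAccounts that have permission to attach to this IAM role
+oidc_fully_qualified_subjects = [
+"system:serviceaccount:thanos:thanos-bucketweb",
+"system:serviceaccount:thanos:thanos-storegateway",
+"system:serviceaccount:thanos:thanos-compactor",
+]
+}
+
 module "thanos" {
 source = "../"
 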
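Review bot: The trust policy produced by `module "iam_assumable_role_thanos"` is conditioned only on the three `sub` values in `oidc_fully_qualified_subjects`; unless the module adds an audience condition by itself, any token from the cluster issuer carrying one of those subjects is accepted whatever its `aud`, so adding `oidc_fully_qualified_audiences = ["sts.amazonaws.com"]` (the audience EKS IRSA tokens are issued with) closes that gap at no cost. Those subjects also hardcode the `thanos` namespace and release-specific service-account names; if the Helm release namespace or name is configurable elsewhere in this module (`module "thanos"` begins at the end of the hunk and continues outside it), a mismatch leaves the role unassumable with no error at plan time, so either derive the subjects from the same variable or note the constraint in the comment above the list, e.g. `# Must match the namespace and release name the Thanos chart is deployed with`. Finally, the single `statement` in `data "aws_iam_policy_document" "thanos"` applies all four actions to both the bucket ARN and its objects; splitting it into a bucket statement for `s3:ListBucket` and an object statement for `s3:GetObject`, `s3:PutObject` and `s3:DeleteObject` is the usual least-privilege shape and makes the grant easier to review.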
