camptocamp · lentidas · Apr 23, 2024 · Apr 16, 2024 · Apr 16, 2024 · Apr 19, 2024
@@ -5,7 +5,7 @@
 
 A https://devops-stack.io[DevOps Stack] module to deploy and configure https://thanos.io[Thanos].
 
-The Thanos chart used by this module is shipped in this repository as well, in order to avoid any unwanted behaviors caused by unsupported versions. 
+The Thanos chart used by this module is shipped in this repository as well, in order to avoid any unwanted behaviors caused by unsupported versions.
 
 [cols="1,1,1",options="autowidth,header"]
 |===
@@ -36,14 +36,14 @@ The following requirements are needed by this module:
 
 The following providers are used by this module:
 
-- [[provider_null]] <<provider_null,null>> (>= 3)
-
 - [[provider_random]] <<provider_random,random>> (>= 3)
 
 - [[provider_utils]] <<provider_utils,utils>> (>= 1)
 
 - [[provider_argocd]] <<provider_argocd,argocd>> (>= 5)
 
+- [[provider_null]] <<provider_null,null>> (>= 3)
+
 === Resources
 
 The following resources are used by this module:
@@ -114,7 +114,7 @@ Description: Override of target revision of the application chart.
 
 Type: `string`
 
-Default: `"v4.0.0"`
+Default: `"v4.1.0"`
 
 ==== [[input_cluster_issuer]] <<input_cluster_issuer,cluster_issuer>>
 
@@ -301,10 +301,10 @@ Description: ID to pass other modules in order to refer to this module as a depe
 [cols="a,a",options="header,autowidth"]
 |===
 |Name |Version
+|[[provider_null]] <<provider_null,null>> |>= 3
 |[[provider_random]] <<provider_random,random>> |>= 3
 |[[provider_utils]] <<provider_utils,utils>> |>= 1
 |[[provider_argocd]] <<provider_argocd,argocd>> |>= 5
-|[[provider_null]] <<provider_null,null>> |>= 3
 |===
 
 = Resources
@@ -365,7 +365,7 @@ Description: ID to pass other modules in order to refer to this module as a depe
 |[[input_target_revision]] <<input_target_revision,target_revision>>
 |Override of target revision of the application chart.
 |`string`
-|`"v4.0.0"`
+|`"v4.1.0"`
 |no
 
 |[[input_cluster_issuer]] <<input_cluster_issuer,cluster_issuer>>

@@ -318,7 +318,7 @@ Description: Override of target revision of the application chart.
 
 Type: `string`
 
-Default: `"v4.0.0"`
+Default: `"v4.1.0"`
 
 ==== [[input_cluster_issuer]] <<input_cluster_issuer,cluster_issuer>>
 
@@ -592,7 +592,7 @@ object({
 |[[input_target_revision]] <<input_target_revision,target_revision>>
 |Override of target revision of the application chart.
 |`string`
-|`"v4.0.0"`
+|`"v4.1.0"`
 |no
 
 |[[input_cluster_issuer]] <<input_cluster_issuer,cluster_issuer>>

@@ -10,10 +10,10 @@ variable "metrics_storage" {
 
   validation {
     condition     = (var.metrics_storage.managed_identity_node_rg_name == null && var.metrics_storage.managed_identity_oidc_issuer_url == null) != (var.metrics_storage.storage_account_key == null)
-    error_message = "You can either set the variables for the managed identity or use storage account key, not both at the same time."
+    error_message = "You can either set the variables for the managed identity or use a storage account key, not both at the same time."
   }
 
-    validation {
+  validation {
     condition     = (var.metrics_storage.managed_identity_node_rg_name == null) == (var.metrics_storage.managed_identity_oidc_issuer_url == null)
     error_message = "When using the managed identity, both `managed_identity_node_rg_name` and `managed_identity_oidc_issuer_url` are required."
   }

@@ -17,9 +17,9 @@ module "thanos" {
   argocd_namespace = module.argocd_bootstrap.argocd_namespace
 
   metrics_storage = {
-    bucket_id    = aws_s3_bucket.thanos_metrics_storage.id
-    region       = aws_s3_bucket.thanos_metrics_storage.region
-    iam_role_arn = module.iam_assumable_role_thanos.iam_role_arn
+    bucket_id               = resource.aws_s3_bucket.thanos_metrics_storage.id
+    create_role             = true
+    cluster_oidc_issuer_url = module.eks.cluster_oidc_issuer_url
   }
   thanos = {
     oidc = module.oidc.oidc
@@ -34,9 +34,14 @@ module "thanos" {
 }  
 ----
 
-As you can see, a minimum requirement for this module is an S3 bucket with an IAM policy attached and an OIDC provider (more information below).
+As you can see, a minimum requirement for this module is an S3 bucket and an OIDC provider (more information below).
 
-IMPORTANT: You are in charge of creating a S3 bucket for Thanos to store the archived metrics. We've decided to keep the creation of this bucket outside of this module, mainly because the persistence of the data should not be related to the instantiation of the module itself.
+IMPORTANT
+====
+You are in charge of creating a S3 bucket for Thanos to store the archived metrics. We've decided to keep the creation of this bucket outside of this module, mainly because the persistence of the data should not be related to the instantiation of the module itself.
+
+However, the IAM role used to give permissions to the Thanos components to access the bucket can be created by the module itself. If you want to create the role, you can set the attribute `create_role` to `true` and the module will create the role for you. If you already have a role created, you can pass the ARN of the role to the module using the attribute `iam_role_arn`.
+====
 
 TIP: Check the xref:ROOT:ROOT:tutorials/deploy_eks.adoc[EKS deployment example] to see how to create the S3 bucket and to better understand the values passed on the example above.
 
@@ -55,9 +60,9 @@ module "thanos" {
   argocd_namespace = module.argocd_bootstrap.argocd_namespace
 
   metrics_storage = {
-    bucket_id    = aws_s3_bucket.thanos_metrics_storage.id
-    region       = aws_s3_bucket.thanos_metrics_storage.region
-    iam_role_arn = module.iam_assumable_role_thanos.iam_role_arn
+    bucket_id               = resource.aws_s3_bucket.thanos_metrics_storage.id
+    create_role             = true
+    cluster_oidc_issuer_url = module.eks.cluster_oidc_issuer_url
   }
 
   thanos = {
@@ -128,9 +133,9 @@ module "thanos" {
   argocd_namespace = module.argocd_bootstrap.argocd_namespace
 
   metrics_storage = {
-    bucket_id    = aws_s3_bucket.thanos_metrics_storage.id
-    region       = aws_s3_bucket.thanos_metrics_storage.region
-    iam_role_arn = module.iam_assumable_role_thanos.iam_role_arn
+    bucket_id               = resource.aws_s3_bucket.thanos_metrics_storage.id
+    create_role             = true
+    cluster_oidc_issuer_url = module.eks.cluster_oidc_issuer_url
   }
 
   thanos = {
@@ -169,6 +174,14 @@ module "thanos" {
 }
 ----
 
+=== S3 bucket and IAM role
+
+Thanos needs an S3 bucket to store the archived metrics. The bucket can be created and its ID should be passed to the module, along with the attribute `create_role` explicitly set. Set it to true if you want the module to create the required IAM role.
+
+However, if you want to create and manage this IAM role yourself, you can simply pass the ARN of the role to the module using the attribute `iam_role_arn` while setting the attribute `create_role` to `false`.
+
+TIP: The code https://github.com/camptocamp/devops-stack/blob/main/examples/eks/s3_thanos.tf.disabled[in this example] should help you create the IAM policy and role with the required permissions.
+
 === OIDC
 
 NOTE: This module was developed with OIDC in mind.
@@ -229,16 +242,36 @@ The following requirements are needed by this module:
 
 - [[requirement_utils]] <<requirement_utils,utils>> (>= 1)
 
+=== Providers
+
+The following providers are used by this module:
+
+- [[provider_aws]] <<provider_aws,aws>>
+
 === Modules
 
 The following Modules are called:
 
+==== [[module_iam_assumable_role_thanos]] <<module_iam_assumable_role_thanos,iam_assumable_role_thanos>>
+
+Source: terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc
+
+Version: ~> 5.0
+
 ==== [[module_thanos]] <<module_thanos,thanos>>
 
 Source: ../
 
 Version:
 
+=== Resources
+
+The following resources are used by this module:
+
+- https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy[aws_iam_policy.thanos] (resource)
+- https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document[aws_iam_policy_document.thanos] (data source)
+- https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/s3_bucket[aws_s3_bucket.thanos] (data source)
+
 === Required Inputs
 
 The following input variables are required:
@@ -247,13 +280,16 @@ The following input variables are required:
 
 Description: AWS S3 bucket configuration values for the bucket where the archived metrics will be stored.
 
+An IAM role is required to give the Thanos components read and write access to the S3 bucket. You can create this role yourself or let the module create it for you. If you want the module to create the role, you need to provide the OIDC issuer's URL for the EKS cluster. If you create the role yourself, you need to provide the ARN of the IAM role you created.
+
 Type:
 [source,hcl]
 ----
 object({
-    bucket_id    = string
-    region       = string
-    iam_role_arn = string
+    bucket_id               = string
+    create_role             = bool
+    iam_role_arn            = optional(string, null)
+    cluster_oidc_issuer_url = optional(string, null)
   })
 ----
 
@@ -311,7 +347,7 @@ Description: Override of target revision of the application chart.
 
 Type: `string`
 
-Default: `"v4.0.0"`
+Default: `"v4.1.0"`
 
 ==== [[input_cluster_issuer]] <<input_cluster_issuer,cluster_issuer>>
 
@@ -493,29 +529,52 @@ Description: ID to pass other modules in order to refer to this module as a depe
 |[[requirement_utils]] <<requirement_utils,utils>> |>= 1
 |===
 
+= Providers
+
+[cols="a,a",options="header,autowidth"]
+|===
+|Name |Version
+|[[provider_aws]] <<provider_aws,aws>> |n/a
+|===
+
 = Modules
 
 [cols="a,a,a",options="header,autowidth"]
 |===
 |Name |Source |Version
+|[[module_iam_assumable_role_thanos]] <<module_iam_assumable_role_thanos,iam_assumable_role_thanos>> |terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc |~> 5.0
 |[[module_thanos]] <<module_thanos,thanos>> |../ |
 |===
 
+= Resources
+
+[cols="a,a",options="header,autowidth"]
+|===
+|Name |Type
+|https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy[aws_iam_policy.thanos] |resource
+|https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document[aws_iam_policy_document.thanos] |data source
+|https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/s3_bucket[aws_s3_bucket.thanos] |data source
+|===
+
 = Inputs
 
 [cols="a,a,a,a,a",options="header,autowidth"]
 |===
 |Name |Description |Type |Default |Required
 |[[input_metrics_storage]] <<input_metrics_storage,metrics_storage>>
 |AWS S3 bucket configuration values for the bucket where the archived metrics will be stored.
+
+An IAM role is required to give the Thanos components read and write access to the S3 bucket. You can create this role yourself or let the module create it for you. If you want the module to create the role, you need to provide the OIDC issuer's URL for the EKS cluster. If you create the role yourself, you need to provide the ARN of the IAM role you created.
+
 |
 
 [source]
 ----
 object({
-    bucket_id    = string
-    region       = string
-    iam_role_arn = string
+    bucket_id               = string
+    create_role             = bool
+    iam_role_arn            = optional(string, null)
+    cluster_oidc_issuer_url = optional(string, null)
   })
 ----
 
@@ -561,7 +620,7 @@ object({
 |[[input_target_revision]] <<input_target_revision,target_revision>>
 |Override of target revision of the application chart.
 |`string`
-|`"v4.0.0"`
+|`"v4.1.0"`
 |no
 
 |[[input_cluster_issuer]] <<input_cluster_issuer,cluster_issuer>>

@@ -1,8 +1,18 @@
 variable "metrics_storage" {
-  description = "AWS S3 bucket configuration values for the bucket where the archived metrics will be stored."
+  description = <<-EOT
+    AWS S3 bucket configuration values for the bucket where the archived metrics will be stored.
+
+    An IAM role is required to give the Thanos components read and write access to the S3 bucket. You can create this role yourself or let the module create it for you. If you want the module to create the role, you need to provide the OIDC issuer's URL for the EKS cluster. If you create the role yourself, you need to provide the ARN of the IAM role you created.
+  EOT
   type = object({
-    bucket_id    = string
-    region       = string
-    iam_role_arn = string
+    bucket_id               = string
+    create_role             = bool
+    iam_role_arn            = optional(string, null)
+    cluster_oidc_issuer_url = optional(string, null)
   })
+
+  validation {
+    condition     = var.metrics_storage.create_role ? var.metrics_storage.cluster_oidc_issuer_url != null : var.metrics_storage.iam_role_arn != null
+    error_message = "If you want to create a role, you need to provide the OIDC issuer's URL for the EKS cluster. Otherwise, you need to provide the ARN of the IAM role you created."
+  }
 }
@@ -1,13 +1,14 @@
 locals {
+  iam_role_arn = var.metrics_storage.create_role ? module.iam_assumable_role_thanos.iam_role_arn : var.metrics_storage.iam_role_arn
+
   helm_values = [{
     thanos = {
-
       objstoreConfig = {
         type = "S3"
         config = {
-          bucket             = "${var.metrics_storage.bucket_id}"
+          bucket             = "${data.aws_s3_bucket.thanos.id}"
           endpoint           = "s3.amazonaws.com" # Value explicitly specified by Thanos docs for Amazon S3 buckets
-          region             = "${var.metrics_storage.region}"
+          region             = "${data.aws_s3_bucket.thanos.region}"
           signature_version2 = false
           insecure           = false
         }
@@ -18,25 +19,24 @@ locals {
       bucketweb = {
         serviceAccount = {
           annotations = {
-            "eks.amazonaws.com/role-arn" = var.metrics_storage.iam_role_arn
+            "eks.amazonaws.com/role-arn" = local.iam_role_arn
           }
         }
       }
       compactor = {
         serviceAccount = {
           annotations = {
-            "eks.amazonaws.com/role-arn" = var.metrics_storage.iam_role_arn
+            "eks.amazonaws.com/role-arn" = local.iam_role_arn
           }
         }
       }
       storegateway = {
         serviceAccount = {
           annotations = {
-            "eks.amazonaws.com/role-arn" = var.metrics_storage.iam_role_arn
+            "eks.amazonaws.com/role-arn" = local.iam_role_arn
           }
         }
       }
-
     }
   }]
 }