feat(eks)!: add option to create IAM role for the metrics storage

This commit solves ISDEVOPS-279 and ISDEVOPS-283 for the EKS variants.
camptocamp · Apr 23, 2024 · b274598 · b274598
1 parent 326805b
commit b274598
Show file tree

Hide file tree

Showing 4 changed files with 67 additions and 7 deletions.
diff --git a/aks/extra-variables.tf b/aks/extra-variables.tf
@@ -10,7 +10,7 @@ variable "logs_storage" {
 
   validation {
     condition     = (var.logs_storage.managed_identity_node_rg_name == null && var.logs_storage.managed_identity_oidc_issuer_url == null) != (var.logs_storage.storage_account_key == null)
-    error_message = "You can either set the variables for the managed identity or use storage account key, not both at the same time."
+    error_message = "You can either set the variables for the managed identity or use a storage account key, not both at the same time."
   }
 
   validation {

diff --git a/eks/extra-variables.tf b/eks/extra-variables.tf
@@ -1,8 +1,18 @@
 variable "logs_storage" {
-  description = "AWS S3 bucket configuration values for the bucket where the logs will be stored."
+  description = <<-EOT
+    AWS S3 bucket configuration values for the bucket where the logs will be stored.
+
+    An IAM role is required to give the Loki components read and write access to the S3 bucket. You can create this role yourself or let the module create it for you. If you want the module to create the role, you need to provide the OIDC issuer's URL for the EKS cluster. If you create the role yourself, you need to provide the ARN of the IAM role you created.
+  EOT
   type = object({
-    bucket_id    = string
-    region       = string
-    iam_role_arn = string
+    bucket_id               = string
+    create_role             = bool
+    iam_role_arn            = optional(string, null)
+    cluster_oidc_issuer_url = optional(string, null)
   })
+
+  validation {
+    condition     = var.logs_storage.create_role ? var.logs_storage.cluster_oidc_issuer_url != null : var.logs_storage.iam_role_arn != null
+    error_message = "If you want to create a role, you need to provide the OIDC issuer's URL for the EKS cluster. Otherwise, you need to provide the ARN of the IAM role you created."
+  }
 }
diff --git a/eks/locals.tf b/eks/locals.tf
@@ -1,4 +1,6 @@
 locals {
+  iam_role_arn = var.logs_storage.create_role ? module.iam_assumable_role_loki.iam_role_arn : var.logs_storage.iam_role_arn
+
   helm_values = [{
     loki-distributed = {
       loki = {
@@ -16,7 +18,7 @@ locals {
         }
         storageConfig = {
           aws = {
-            s3 = "s3://${var.logs_storage.region}/${var.logs_storage.bucket_id}"
+            s3 = "s3://${data.aws_s3_bucket.loki.region}/${data.aws_s3_bucket.loki.id}"
           }
           boltdb_shipper = {
             shared_store = "s3"
@@ -32,7 +34,7 @@ locals {
       serviceAccount = {
         create = true
         annotations = {
-          "eks.amazonaws.com/role-arn" = var.logs_storage.iam_role_arn
+          "eks.amazonaws.com/role-arn" = local.iam_role_arn
         }
       }
     }

diff --git a/eks/main.tf b/eks/main.tf
@@ -1,3 +1,51 @@
+data "aws_s3_bucket" "loki" {
+  bucket = var.logs_storage.bucket_id
+}
+
+# As per https://grafana.com/docs/loki/latest/operations/storage/#s3
+data "aws_iam_policy_document" "loki" {
+  count = var.logs_storage.create_role ? 1 : 0
+
+  statement {
+    actions = [
+      "s3:ListBucket",
+      "s3:PutObject",
+      "s3:GetObject",
+      "s3:DeleteObject",
+    ]
+
+    resources = [
+      data.aws_s3_bucket.loki.arn,
+      format("%s/*", data.aws_s3_bucket.loki.arn),
+    ]
+
+    effect = "Allow"
+  }
+}
+
+resource "aws_iam_policy" "loki" {
+  count = var.logs_storage.create_role ? 1 : 0
+
+  name_prefix = "loki-s3-"
+  description = "Loki IAM policy for accessing the S3 bucket named ${data.aws_s3_bucket.loki.id}"
+  policy      = data.aws_iam_policy_document.loki[0].json
+}
+
+module "iam_assumable_role_loki" {
+  source                     = "terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc"
+  version                    = "~> 5.0"
+  create_role                = var.logs_storage.create_role
+  number_of_role_policy_arns = 1
+  role_name_prefix           = "loki-s3-"
+  provider_url               = var.logs_storage.create_role ? trimprefix(var.logs_storage.cluster_oidc_issuer_url, "https://") : ""
+  role_policy_arns           = [var.logs_storage.create_role ? resource.aws_iam_policy.loki[0].arn : null]
+
+  # List of ServiceAccounts that have permission to attach to this IAM role
+  oidc_fully_qualified_subjects = [
+    "system:serviceaccount:loki-stack:loki",
+  ]
+}
+
 module "loki-stack" {
   source = "../"