feat: adds yet-another-cloudwatch-exporter helm chart #1766

Merged
merged 3 commits into from
Feb 3, 2023
3 changes: 3 additions & 0 deletions helm-dependencies.yaml
@@ -137,3 +137,6 @@ dependencies:
- name: victoria-metrics-k8s-stack
version: 0.14.7
repository: https://victoriametrics.github.io/helm-charts/
- name: yet-another-cloudwatch-exporter
version: 0.12.0
repository: https://nerdswords.github.io/yet-another-cloudwatch-exporter
8 changes: 8 additions & 0 deletions modules/aws/README.md
@@ -65,6 +65,7 @@ This module can uses [IRSA](https://aws.amazon.com/blogs/opensource/introducing-
| <a name="module_iam_assumable_role_thanos-storegateway"></a> [iam\_assumable\_role\_thanos-storegateway](#module\_iam\_assumable\_role\_thanos-storegateway) | terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc | ~> 5.0 |
| <a name="module_iam_assumable_role_vault"></a> [iam\_assumable\_role\_vault](#module\_iam\_assumable\_role\_vault) | terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc | ~> 5.0 |
| <a name="module_iam_assumable_role_velero"></a> [iam\_assumable\_role\_velero](#module\_iam\_assumable\_role\_velero) | terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc | ~> 5.0 |
| <a name="module_iam_assumable_role_yet-another-cloudwatch-exporter"></a> [iam\_assumable\_role\_yet-another-cloudwatch-exporter](#module\_iam\_assumable\_role\_yet-another-cloudwatch-exporter) | terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc | ~> 5.0 |
| <a name="module_kube-prometheus-stack_thanos_bucket"></a> [kube-prometheus-stack\_thanos\_bucket](#module\_kube-prometheus-stack\_thanos\_bucket) | terraform-aws-modules/s3-bucket/aws | ~> 3.0 |
| <a name="module_loki_bucket"></a> [loki\_bucket](#module\_loki\_bucket) | terraform-aws-modules/s3-bucket/aws | ~> 3.0 |
| <a name="module_security-group-efs-csi-driver"></a> [security-group-efs-csi-driver](#module\_security-group-efs-csi-driver) | terraform-aws-modules/security-group/aws//modules/nfs | ~> 4.0 |
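Review bot: the unchanged context line "This module can uses [IRSA]" carries a pre-existing typo ("can use"); since this table looks terraform-docs generated, fix the wording in the README source header rather than in the generated section, otherwise the next regeneration reintroduces it.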
@@ -94,6 +95,7 @@ This module can uses [IRSA](https://aws.amazon.com/blogs/opensource/introducing-
| [aws_iam_policy.thanos-storegateway](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
| [aws_iam_policy.vault](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
| [aws_iam_policy.velero](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
| [aws_iam_policy.yet-another-cloudwatch-exporter](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
| [aws_kms_alias.aws-ebs-csi-driver](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_alias) | resource |
| [aws_kms_alias.vault](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_alias) | resource |
| [aws_kms_key.aws-ebs-csi-driver](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key) | resource |
@@ -149,6 +151,7 @@ This module can uses [IRSA](https://aws.amazon.com/blogs/opensource/introducing-
| [helm_release.vault](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
| [helm_release.velero](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
| [helm_release.victoria-metrics-k8s-stack](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
| [helm_release.yet-another-cloudwatch-exporter](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
| [kubectl_manifest.apply](https://registry.terraform.io/providers/gavinbunney/kubectl/latest/docs/resources/manifest) | resource |
| [kubectl_manifest.aws-ebs-csi-driver_vsc](https://registry.terraform.io/providers/gavinbunney/kubectl/latest/docs/resources/manifest) | resource |
| [kubectl_manifest.cert-manager_cluster_issuers](https://registry.terraform.io/providers/gavinbunney/kubectl/latest/docs/resources/manifest) | resource |
@@ -201,6 +204,7 @@ This module can uses [IRSA](https://aws.amazon.com/blogs/opensource/introducing-
| [kubernetes_namespace.vault](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
| [kubernetes_namespace.velero](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
| [kubernetes_namespace.victoria-metrics-k8s-stack](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
| [kubernetes_namespace.yet-another-cloudwatch-exporter](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
| [kubernetes_network_policy.admiralty_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.admiralty_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.aws-ebs-csi-driver_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
@@ -304,6 +308,8 @@ This module can uses [IRSA](https://aws.amazon.com/blogs/opensource/introducing-
| [kubernetes_network_policy.victoria-metrics-k8s-stack_allow_ingress](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.victoria-metrics-k8s-stack_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.victoria-metrics-k8s-stack_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.yet-another-cloudwatch-exporter_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_network_policy.yet-another-cloudwatch-exporter_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
| [kubernetes_priority_class.kubernetes_addons](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/priority_class) | resource |
| [kubernetes_priority_class.kubernetes_addons_ds](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/priority_class) | resource |
| [kubernetes_role.flux](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/role) | resource |
@@ -361,6 +367,7 @@ This module can uses [IRSA](https://aws.amazon.com/blogs/opensource/introducing-
| [aws_iam_policy_document.velero](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_iam_policy_document.velero_default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_iam_policy_document.velero_kms](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_iam_policy_document.yet-another-cloudwatch-exporter](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_partition.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/partition) | data source |
| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
| [flux_install.main](https://registry.terraform.io/providers/fluxcd/flux/latest/docs/data-sources/install) | data source |
@@ -439,6 +446,7 @@ This module can uses [IRSA](https://aws.amazon.com/blogs/opensource/introducing-
| <a name="input_vault"></a> [vault](#input\_vault) | Customize Hashicorp Vault chart, see `vault.tf` for supported values | `any` | `{}` | no |
| <a name="input_velero"></a> [velero](#input\_velero) | Customize velero chart, see `velero.tf` for supported values | `any` | `{}` | no |
| <a name="input_victoria-metrics-k8s-stack"></a> [victoria-metrics-k8s-stack](#input\_victoria-metrics-k8s-stack) | Customize Victoria Metrics chart, see `victoria-metrics-k8s-stack.tf` for supported values | `any` | `{}` | no |
| <a name="input_yet-another-cloudwatch-exporter"></a> [yet-another-cloudwatch-exporter](#input\_yet-another-cloudwatch-exporter) | Customize yet-another-cloudwatch-exporter chart, see `yet-another-cloudwatch-exporter.tf` for supported values | `any` | `{}` | no |

## Outputs

6 changes: 6 additions & 0 deletions modules/aws/variables-aws.tf
@@ -81,3 +81,9 @@ variable "velero" {
type = any
default = {}
}

variable "yet-another-cloudwatch-exporter" {
description = "Customize yet-another-cloudwatch-exporter chart, see `yet-another-cloudwatch-exporter.tf` for supported values"
type = any
default = {}
}
156 changes: 156 additions & 0 deletions modules/aws/yet-another-cloudwatch-exporter.tf
@@ -0,0 +1,156 @@
locals {
yet-another-cloudwatch-exporter = merge(
local.helm_defaults,
{
name = local.helm_dependencies[index(local.helm_dependencies.*.name, "yet-another-cloudwatch-exporter")].name
chart = local.helm_dependencies[index(local.helm_dependencies.*.name, "yet-another-cloudwatch-exporter")].name
repository = local.helm_dependencies[index(local.helm_dependencies.*.name, "yet-another-cloudwatch-exporter")].repository
chart_version = local.helm_dependencies[index(local.helm_dependencies.*.name, "yet-another-cloudwatch-exporter")].version
namespace = "monitoring"
create_ns = false
enabled = false
default_network_policy = true
service_account_name = "yace"
create_iam_resources_irsa = true
iam_policy_override = null
name_prefix = "${var.cluster-name}-yace"
},
var.yet-another-cloudwatch-exporter
)

values_yet-another-cloudwatch-exporter = <<-VALUES
serviceMonitor:
enabled: ${local.kube-prometheus-stack["enabled"] || local.victoria-metrics-k8s-stack["enabled"]}
serviceAccount:
name: ${local.yet-another-cloudwatch-exporter["service_account_name"]}
annotations:
eks.amazonaws.com/role-arn: "${local.yet-another-cloudwatch-exporter["enabled"] && local.yet-another-cloudwatch-exporter["create_iam_resources_irsa"] ? module.iam_assumable_role_yet-another-cloudwatch-exporter.iam_role_arn : ""}"
VALUES
}

module "iam_assumable_role_yet-another-cloudwatch-exporter" {
source = "terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc"
version = "~> 5.0"
create_role = local.yet-another-cloudwatch-exporter["enabled"] && local.yet-another-cloudwatch-exporter["create_iam_resources_irsa"]
role_name = local.yet-another-cloudwatch-exporter["name_prefix"]
provider_url = replace(var.eks["cluster_oidc_issuer_url"], "https://", "")
role_policy_arns = local.yet-another-cloudwatch-exporter["enabled"] && local.yet-another-cloudwatch-exporter["create_iam_resources_irsa"] ? [aws_iam_policy.yet-another-cloudwatch-exporter[0].arn] : []
number_of_role_policy_arns = 1
oidc_fully_qualified_subjects = ["system:serviceaccount:${local.yet-another-cloudwatch-exporter["namespace"]}:${local.yet-another-cloudwatch-exporter["service_account_name"]}"]
tags = local.tags
}

resource "aws_iam_policy" "yet-another-cloudwatch-exporter" {
count = local.yet-another-cloudwatch-exporter["enabled"] && local.yet-another-cloudwatch-exporter["create_iam_resources_irsa"] ? 1 : 0
name = local.yet-another-cloudwatch-exporter["name_prefix"]
policy = local.yet-another-cloudwatch-exporter["iam_policy_override"] == null ? data.aws_iam_policy_document.yet-another-cloudwatch-exporter.json : local.yet-another-cloudwatch-exporter["iam_policy_override"]
tags = local.tags
}

data "aws_iam_policy_document" "yet-another-cloudwatch-exporter" {
statement {
effect = "Allow"

actions = [
"tag:GetResources",
"cloudwatch:GetMetricData",
"cloudwatch:GetMetricStatistics",
"cloudwatch:ListMetrics",
"ec2:DescribeTags",
"ec2:DescribeInstances",
"ec2:DescribeRegions",
"ec2:DescribeTransitGateway*",
"apigateway:GET",
"dms:DescribeReplicationInstances",
"dms:DescribeReplicationTasks"
]

resources = ["*"]
}
}

resource "kubernetes_namespace" "yet-another-cloudwatch-exporter" {
count = local.yet-another-cloudwatch-exporter["enabled"] && local.yet-another-cloudwatch-exporter["create_ns"] ? 1 : 0

metadata {
labels = {
name = local.yet-another-cloudwatch-exporter["namespace"]
"${local.labels_prefix}/component" = "monitoring"
}

name = local.yet-another-cloudwatch-exporter["namespace"]
}
}

resource "helm_release" "yet-another-cloudwatch-exporter" {
count = local.yet-another-cloudwatch-exporter["enabled"] ? 1 : 0
repository = local.yet-another-cloudwatch-exporter["repository"]
name = local.yet-another-cloudwatch-exporter["name"]
chart = local.yet-another-cloudwatch-exporter["chart"]
version = local.yet-another-cloudwatch-exporter["chart_version"]
timeout = local.yet-another-cloudwatch-exporter["timeout"]
force_update = local.yet-another-cloudwatch-exporter["force_update"]
recreate_pods = local.yet-another-cloudwatch-exporter["recreate_pods"]
wait = local.yet-another-cloudwatch-exporter["wait"]
atomic = local.yet-another-cloudwatch-exporter["atomic"]
cleanup_on_fail = local.yet-another-cloudwatch-exporter["cleanup_on_fail"]
dependency_update = local.yet-another-cloudwatch-exporter["dependency_update"]
disable_crd_hooks = local.yet-another-cloudwatch-exporter["disable_crd_hooks"]
disable_webhooks = local.yet-another-cloudwatch-exporter["disable_webhooks"]
render_subchart_notes = local.yet-another-cloudwatch-exporter["render_subchart_notes"]
replace = local.yet-another-cloudwatch-exporter["replace"]
reset_values = local.yet-another-cloudwatch-exporter["reset_values"]
reuse_values = local.yet-another-cloudwatch-exporter["reuse_values"]
skip_crds = local.yet-another-cloudwatch-exporter["skip_crds"]
verify = local.yet-another-cloudwatch-exporter["verify"]
values = [
local.values_yet-another-cloudwatch-exporter,
local.yet-another-cloudwatch-exporter["extra_values"]
]
namespace = local.yet-another-cloudwatch-exporter["create_ns"] ? kubernetes_namespace.yet-another-cloudwatch-exporter.*.metadata.0.name[count.index] : local.yet-another-cloudwatch-exporter["namespace"]

depends_on = [
kubectl_manifest.prometheus-operator_crds
]
}

resource "kubernetes_network_policy" "yet-another-cloudwatch-exporter_default_deny" {
count = local.yet-another-cloudwatch-exporter["create_ns"] && local.yet-another-cloudwatch-exporter["enabled"] && local.yet-another-cloudwatch-exporter["default_network_policy"] ? 1 : 0

metadata {
name = "${kubernetes_namespace.yet-another-cloudwatch-exporter.*.metadata.0.name[count.index]}-default-deny"
namespace = kubernetes_namespace.yet-another-cloudwatch-exporter.*.metadata.0.name[count.index]
}

spec {
pod_selector {
}
policy_types = ["Ingress"]
}
}

resource "kubernetes_network_policy" "yet-another-cloudwatch-exporter_allow_namespace" {
count = local.yet-another-cloudwatch-exporter["create_ns"] && local.yet-another-cloudwatch-exporter["enabled"] && local.yet-another-cloudwatch-exporter["default_network_policy"] ? 1 : 0

metadata {
name = "${kubernetes_namespace.yet-another-cloudwatch-exporter.*.metadata.0.name[count.index]}-allow-namespace"
namespace = kubernetes_namespace.yet-another-cloudwatch-exporter.*.metadata.0.name[count.index]
}

spec {
pod_selector {
}

ingress {
from {
namespace_selector {
match_labels = {
name = kubernetes_namespace.yet-another-cloudwatch-exporter.*.metadata.0.name[count.index]
}
}
}
}

policy_types = ["Ingress"]
}
}
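Review bot: in the `aws_iam_policy_document` statement, `apigateway:GET` combined with `resources = ["*"]` is broader than the exporter's discovery needs, because that action on all resources also permits reading API keys and other API configuration rather than only enumerating APIs. Consider moving it to a separate statement scoped to the API resource ARNs (for example `arn:${data.aws_partition.current.partition}:apigateway:*::/restapis*` and the matching `/apis*` path), and leave the CloudWatch, `tag:GetResources`, EC2 and DMS describe actions on `*` since those do not support resource-level scoping. Separately, `yet-another-cloudwatch-exporter_default_deny` blocks all ingress and `yet-another-cloudwatch-exporter_allow_namespace` only readmits traffic from the exporter's own namespace, while `values_yet-another-cloudwatch-exporter` enables a ServiceMonitor; with `create_ns = true` and a namespace different from the one running kube-prometheus-stack or victoria-metrics-k8s-stack, the scraper cannot reach the exporter. Either add an allow rule for the scraper's namespace or document in the variable description that `default_network_policy` only takes effect with `create_ns = true` and assumes a co-located scraper.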