Refactor fargate profile to only create securitygrouppolicy optionall…

…y, and create it part of fargate EKS cluster deployment (#72)

* Refactor fargate profile to only create securitygrouppolicy optionally, and create it part of fargate EKS cluster deployment

* Add correct var type

* add toset

* Set variable type to list of strings

* Add fix for fargate logger error

* Add default name for fargate logging policly

---------

Co-authored-by: Poh Peng <thepoppingone@users.noreply.github.com>

README.md

@@ -224,18 +224,21 @@ module "karpenter" {
 
 | Name | Type |
 |------|------|
+| [aws_iam_policy.fargate_logging](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_role.cluster](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
 | [aws_iam_role.workers](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
 | [aws_iam_role_policy.ebs_csi_kms](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
 | [aws_iam_role_policy_attachment.cluster](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [aws_iam_role_policy_attachment.workers](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [aws_iam_service_linked_role.autoscaling](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_service_linked_role) | resource |
 | [kubernetes_config_map_v1.amazon_vpc_cni](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/config_map_v1) | resource |
+| [kubernetes_manifest.fargate_node_security_group_policy](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/manifest) | resource |
 | [aws_ami.eks_default_bottlerocket](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ami) | data source |
 | [aws_arn.cluster](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/arn) | data source |
 | [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
 | [aws_iam_policy_document.ec2_assume_role_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.eks_assume_role_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.fargate_logging](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.kms_csi_ebs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.kms_ebs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_partition.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/partition) | data source |
@@ -309,7 +312,9 @@ module "karpenter" {
 | <a name="output_cluster_iam_role_name"></a> [cluster\_iam\_role\_name](#output\_cluster\_iam\_role\_name) | IAM Role Name used by Cluster |
 | <a name="output_cluster_name"></a> [cluster\_name](#output\_cluster\_name) | EKS Cluster name created |
 | <a name="output_cluster_oidc_issuer_url"></a> [cluster\_oidc\_issuer\_url](#output\_cluster\_oidc\_issuer\_url) | The URL on the EKS cluster for the OpenID Connect identity provider |
+| <a name="output_cluster_platform_version"></a> [cluster\_platform\_version](#output\_cluster\_platform\_version) | Platform version of the EKS Cluster |
 | <a name="output_cluster_security_group_id"></a> [cluster\_security\_group\_id](#output\_cluster\_security\_group\_id) | Security Group ID of the master nodes |
+| <a name="output_cluster_version"></a> [cluster\_version](#output\_cluster\_version) | Version of the EKS Cluster |
 | <a name="output_ebs_kms_key_arn"></a> [ebs\_kms\_key\_arn](#output\_ebs\_kms\_key\_arn) | KMS Key ARN used for EBS encryption |
 | <a name="output_ebs_kms_key_id"></a> [ebs\_kms\_key\_id](#output\_ebs\_kms\_key\_id) | KMS Key ID used for EBS encryption |
 | <a name="output_fargate_namespaces_for_security_group"></a> [fargate\_namespaces\_for\_security\_group](#output\_fargate\_namespaces\_for\_security\_group) | value for fargate\_namespaces\_for\_security\_group |

fargate_profile.tf

@@ -8,6 +8,10 @@ locals {
   default_fargate_profiles = merge(
     {
       essentials = {
+        iam_role_name = "fargate_profile_essentials"
+        iam_role_additional_policies = {
+          additional = aws_iam_policy.fargate_logging.arn
+        }
         subnet_ids = var.subnet_ids
         selectors = [
           for ns_value in local.essentials_namespaces : {
@@ -18,6 +22,10 @@ locals {
     },
     { for subnet in var.subnet_ids :
       "kube-system-${substr(data.aws_subnet.subnets[subnet].availability_zone, -2, -1)}" => {
+        iam_role_name = "fargate_profile_${substr(data.aws_subnet.subnets[subnet].availability_zone, -2, -1)}"
+        iam_role_additional_policies = {
+          additional = aws_iam_policy.fargate_logging.arn
+        }
         selectors = [
           { namespace = "kube-system" }
         ]
@@ -44,8 +52,53 @@ module "fargate_profiles" {
   create_aws_observability_ns     = var.create_aws_observability_ns
   create_fargate_logger_configmap = var.create_fargate_logger_configmap
 
-  eks_worker_security_group_id          = module.eks.node_security_group_id
-  fargate_namespaces_for_security_group = local.fargate_namespaces
-
   tags = var.tags
 }
+
+resource "kubernetes_manifest" "fargate_node_security_group_policy" {
+
+  count = var.fargate_cluster && var.create_node_security_group ? 1 : 0
+
+  manifest = {
+    apiVersion = "vpcresources.k8s.aws/v1beta1"
+    kind       = "SecurityGroupPolicy"
+    metadata = {
+      name      = "fargate-node-default-namespace-sg"
+      namespace = "kube-system"
+    }
+    spec = {
+      podSelector = {
+        matchLabels = {}
+      }
+      securityGroups = {
+        groupIds = [module.eks.node_security_group_id]
+      }
+    }
+  }
+}
+
+resource "aws_iam_policy" "fargate_logging" {
+  name        = "fargate_logging_cloudwatch_default"
+  path        = "/"
+  description = "AWS recommended cloudwatch perms policy"
+
+  policy = data.aws_iam_policy_document.fargate_logging.json
+}
+
+#tfsec:ignore:aws-iam-no-policy-wildcards
+data "aws_iam_policy_document" "fargate_logging" {
+  #checkov:skip=CKV_AWS_111:Restricted to Cloudwatch Actions only
+  #checkov:skip=CKV_AWS_356: Only logs actions
+  statement {
+    sid       = ""
+    effect    = "Allow"
+    resources = ["*"]
+
+    actions = [
+      "logs:CreateLogStream",
+      "logs:CreateLogGroup",
+      "logs:DescribeLogStreams",
+      "logs:PutLogEvents",
+    ]
+  }
+}

modules/fargate_profile/README.md

@@ -92,7 +92,7 @@ module "fargate_profile" {
 | <a name="input_cluster_name"></a> [cluster\_name](#input\_cluster\_name) | EKS Cluster name | `string` | n/a | yes |
 | <a name="input_create_aws_observability_ns"></a> [create\_aws\_observability\_ns](#input\_create\_aws\_observability\_ns) | value to determine if aws-observability namespace is created | `bool` | `true` | no |
 | <a name="input_create_fargate_logger_configmap"></a> [create\_fargate\_logger\_configmap](#input\_create\_fargate\_logger\_configmap) | value to determine if create\_fargate\_logger\_configmap is created | `bool` | `true` | no |
-| <a name="input_eks_worker_security_group_id"></a> [eks\_worker\_security\_group\_id](#input\_eks\_worker\_security\_group\_id) | Security Group ID of the worker nodes | `string` | n/a | yes |
+| <a name="input_eks_worker_security_group_id"></a> [eks\_worker\_security\_group\_id](#input\_eks\_worker\_security\_group\_id) | Security Group ID of the worker nodes | `string` | `""` | no |
 | <a name="input_fargate_namespaces_for_security_group"></a> [fargate\_namespaces\_for\_security\_group](#input\_fargate\_namespaces\_for\_security\_group) | List of fargate namespaces to craete SecurityGroupPolicy for talking to managed nodes | `list(string)` | `[]` | no |
 | <a name="input_fargate_profile_defaults"></a> [fargate\_profile\_defaults](#input\_fargate\_profile\_defaults) | Map of Fargate Profile default configurations | `any` | `{}` | no |
 | <a name="input_fargate_profiles"></a> [fargate\_profiles](#input\_fargate\_profiles) | Map of maps of `fargate_profiles` to create | `any` | `{}` | no |

modules/fargate_profile/main.tf

@@ -23,8 +23,7 @@ module "fargate_profile" {
   tags                          = merge(var.tags, lookup(each.value, "tags", {}))
 }
 
-
-
+## Only used when needed for testing pods running in a namespace which requires access to the managed nodes
 resource "kubernetes_manifest" "sg" {
 
   for_each = toset(var.fargate_namespaces_for_security_group)

modules/fargate_profile/variables.tf

@@ -55,12 +55,13 @@ variable "create_fargate_logger_configmap" {
 ### Fargate Selector Namespaces ##
 ##################################
 variable "fargate_namespaces_for_security_group" {
-  description = "List of fargate namespaces to craete SecurityGroupPolicy for talking to managed nodes"
+  description = "List of fargate namespaces to craete SecurityGroupPolicy for talking to managed nodes" # remember to `toset` the list before parsing into this variable
   type        = list(string)
   default     = []
 }
 
 variable "eks_worker_security_group_id" {
   description = "Security Group ID of the worker nodes"
   type        = string
+  default     = ""
 }