Feature | Merge EKS clusters into one (#659)

Angelo, the author of this PR, shared the following message with me: "This is now fully tested, it just needs approval to be merged. I won’t be available tomorrow, but feel free to merge it on my behalf if everything looks good." Since it’s ready to go and fully tested, I’ll proceed to merge the PR. * Drop config for argocd exclusive nodes * Drop unused namespaces * Upgrade Argo and add nodeSelector and tolerations * Typos * Configure Slack notifications for ArgoCD * Change switchboard layout * Fix cert manager reference * Add Alertmanager and Grafana implementation to Kube Prom Stack * Make Fluent-Bit use IRSA and OpenSearch * Add IAM roles for grafana and fluent-bit * Add Goldilocks * Add Gatus * Fix ArgoCD definition * Conform keda to switchboard * Bump terraform version CC: @binbashar/leverage-ref-architecture-aws-admin @binbashar/leverage-ref-architecture-aws-dev
binbashar · Jan 21, 2025 · ea9fe27 · ea9fe27
1 parent f8929ce
commit ea9fe27
Show file tree

Hide file tree

Showing 35 changed files with 1,121 additions and 512 deletions.
diff --git a/apps-devstg/us-east-1/k8s-eks-demoapps/README.md b/apps-devstg/us-east-1/k8s-eks-demoapps/README.md
@@ -100,7 +100,7 @@ The EKS CLUSTER layers need to be orchestrated in the following order:
     6. In the output you should see the credentials you need to talk to Kubernetes API via kubectl (or other clients).
 
         ```shell
-        apps-devstg//k8s-eks-v1.17/cluster$ leverage terraform output
+        apps-devstg//k8s-eks-demoapps/cluster$ leverage terraform output
 
         ...
         kubectl_config = apiVersion: v1

diff --git a/apps-devstg/us-east-1/k8s-eks-demoapps/cluster/eks-workers-managed.tf b/apps-devstg/us-east-1/k8s-eks-demoapps/cluster/eks-workers-managed.tf
@@ -148,22 +148,6 @@ module "cluster" {
     #     }
     #   }
     # }
-    # argocd = {
-    #   desired_size   = 1
-    #   max_size       = 2
-    #   min_size       = 1
-    #   capacity_type  = "SPOT"
-    #   instance_types = ["t3.medium"]
-
-    #   labels = merge(local.tags, { "stack" = "argocd" })
-    #   taints = {
-    #     dedicated_argocd = {
-    #       key    = "stack"
-    #       value  = "argocd"
-    #       effect = "NO_SCHEDULE"
-    #     }
-    #   }
-    # }
   }
 
   # Configure which roles, users and accounts can access the k8s api

diff --git a/apps-devstg/us-east-1/k8s-eks-demoapps/identities/ids_fluentbit.tf b/apps-devstg/us-east-1/k8s-eks-demoapps/identities/ids_fluentbit.tf
@@ -0,0 +1,44 @@
+#
+# Fluent-bit Roles & Policies
+#
+module "role_fluent_bit" {
+  source = "github.com/binbashar/terraform-aws-iam.git//modules/iam-assumable-role-with-oidc?ref=v5.2.0"
+
+  providers = {
+    aws = aws.shared
+  }
+
+  create_role  = true
+  role_name    = "${local.environment}-fluent-bit"
+  provider_url = replace(data.terraform_remote_state.cluster.outputs.cluster_oidc_issuer_url, "https://", "")
+
+  role_policy_arns = [
+    aws_iam_policy.fluent_bit.arn
+  ]
+  oidc_fully_qualified_subjects = [
+    "system:serviceaccount:monitoring-logging:fluent-bit"
+  ]
+
+  tags = local.tags_fluent_bit
+}
+
+resource "aws_iam_policy" "fluent_bit" {
+  provider    = aws.shared
+  name        = "${local.environment}-fluent-bit"
+  description = "Fluent Bit"
+  tags        = local.tags_fluent_bit
+  policy      = <<-EOF
+  {
+    "Version": "2012-10-17",
+    "Statement": [
+      {
+        "Effect": "Allow",
+        "Action": [
+          "es:ESHttp*"
+        ],
+        "Resource": "arn:aws:es:${var.region}:${var.accounts.shared.id}:domain/example-domain"
+      }
+    ]
+  }
+  EOF
+}
diff --git a/apps-devstg/us-east-1/k8s-eks-demoapps/identities/ids_grafana.tf b/apps-devstg/us-east-1/k8s-eks-demoapps/identities/ids_grafana.tf
@@ -0,0 +1,70 @@
+#
+# Grafana Roles & Policies
+#
+module "role_grafana" {
+  source = "github.com/binbashar/terraform-aws-iam.git//modules/iam-assumable-role-with-oidc?ref=v5.2.0"
+
+  create_role  = true
+  role_name    = "${local.environment}-grafana"
+  provider_url = replace(data.terraform_remote_state.cluster.outputs.cluster_oidc_issuer_url, "https://", "")
+
+  role_policy_arns = [
+    aws_iam_policy.grafana.arn
+  ]
+  oidc_fully_qualified_subjects = [
+    "system:serviceaccount:monitoring-metrics:grafana"
+  ]
+
+  tags = local.tags_grafana
+}
+
+resource "aws_iam_policy" "grafana" {
+  name        = "${local.environment}-grafana"
+  description = "Grafana permissions for fetching data from Cloudwatch"
+  tags        = local.tags_grafana
+  policy      = <<-EOF
+  {
+    "Version": "2012-10-17",
+    "Statement": [
+      {
+        "Sid": "AllowReadingMetricsFromCloudWatch",
+        "Effect": "Allow",
+        "Action": [
+          "cloudwatch:DescribeAlarmsForMetric",
+          "cloudwatch:DescribeAlarmHistory",
+          "cloudwatch:DescribeAlarms",
+          "cloudwatch:ListMetrics",
+          "cloudwatch:GetMetricData",
+          "cloudwatch:GetInsightRuleReport"
+        ],
+        "Resource": "*"
+      },
+      {
+        "Sid": "AllowReadingLogsFromCloudWatch",
+        "Effect": "Allow",
+        "Action": [
+          "logs:DescribeLogGroups",
+          "logs:GetLogGroupFields",
+          "logs:StartQuery",
+          "logs:StopQuery",
+          "logs:GetQueryResults",
+          "logs:GetLogEvents"
+        ],
+        "Resource": "*"
+      },
+      {
+        "Sid": "AllowReadingTagsInstancesRegionsFromEC2",
+        "Effect": "Allow",
+        "Action": ["ec2:DescribeTags", "ec2:DescribeInstances", "ec2:DescribeRegions"],
+        "Resource": "*"
+      },
+      {
+        "Sid": "AllowReadingResourcesForTags",
+        "Effect": "Allow",
+        "Action": "tag:GetResources",
+        "Resource": "*"
+      }
+    ]
+  }
+  EOF
+}
diff --git a/apps-devstg/us-east-1/k8s-eks-demoapps/identities/locals.tf b/apps-devstg/us-east-1/k8s-eks-demoapps/identities/locals.tf
@@ -14,6 +14,8 @@ locals {
   tags_externaldns_public  = merge(local.tags, { Subject = "externaldns-public" })
   tags_aws_lb_controller   = merge(local.tags, { Subject = "aws-lb-controller" })
   tags_external_secrets    = merge(local.tags, { Subject = "external-secrets" })
+  tags_grafana             = merge(local.tags, { Subject = "grafana" })
+  tags_fluent_bit          = merge(local.tags, { Subject = "fluent-bit" })
   tags_argo_image_updater  = merge(local.tags, { Subject = "argo-image-updater" })
   tags_vpc_cni             = merge(local.tags, { Subject = "vpc-cni" })
   tags_ebs_csi             = merge(local.tags, { Subject = "ebs-csi" })

diff --git a/apps-devstg/us-east-1/k8s-eks-demoapps/identities/outputs.tf b/apps-devstg/us-east-1/k8s-eks-demoapps/identities/outputs.tf
@@ -28,6 +28,16 @@ output "external_secrets_role_arn" {
   value       = module.role_external_secrets.iam_role_arn
 }
 
+output "grafana_role_arn" {
+  description = "Grafana Role ARN"
+  value       = module.role_grafana.iam_role_arn
+}
+
+output "fluent_bit_role_arn" {
+  description = "Fluent Bit Role ARN"
+  value       = module.role_fluent_bit.iam_role_arn
+}
+
 output "argo_cd_image_updater_role_arn" {
   description = "Argo CD Image Updater Role ARN"
   value       = module.role_argo_cd_image_updater.iam_role_arn