resource "helm_release" "thanos" {
  # Thanos is optional; the feature flag turns the whole release on or off.
  count = var.enable_thanos_helm_chart ? 1 : 0

  # Chart source pinned to an exact version so an upgrade is always an
  # explicit, reviewable change rather than a silent pull of "latest".
  repository = "https://charts.bitnami.com/bitnami"
  chart      = "thanos"
  version    = "15.0.0"

  name      = "thanos"
  namespace = kubernetes_namespace.monitoring.id
  timeout   = 900

  # Values are rendered from the template; the IRSA role name and the
  # Prometheus service-account name are passed through so the chart can bind
  # Thanos to the same identity that holds the S3 permissions.
  # NOTE(review): `verify` is left at its default (false), so the chart's
  # provenance is not checked on install -- confirm the chart publishes a
  # .prov file before turning it on.
  values = [
    templatefile("${path.module}/templates/thanos-values.yaml.tpl", {
      clusterName         = terraform.workspace
      enabled_compact     = var.enable_thanos_compact
      monitoring_aws_role = module.iam_assumable_role_monitoring.this_iam_role_name
      prometheus_sa_name  = local.prometheus_sa_name
    })
  ]

  # The Prometheus Operator release has to exist first (presumably because the
  # values reference its service account).
  depends_on = [
    helm_release.prometheus_operator_eks,
  ]

  # Drift in the keyring path is deliberately ignored so that it does not by
  # itself trigger a release update.
  lifecycle {
    ignore_changes = [keyring]
  }
}
# Kubernetes Secret holding the Thanos object-store configuration file. The same
# file is stored under two keys because it is consumed by both the Thanos chart
# and the Prometheus Operator. Its contents end up in Terraform state in
# plaintext, so it must not carry static credentials (S3 access goes via IRSA below).
resource "kubernetes_secret" "thanos_config" {
  metadata {
    namespace = kubernetes_namespace.monitoring.id
    name      = "thanos-objstore-config"
  }

  type = "Opaque"

  # One object-store config, exposed under both filenames that its consumers
  # expect. The file is read with file(), not templatefile(), so any template
  # placeholders in the .tpl would be stored verbatim -- TODO confirm the file
  # contains no interpolation.
  # NOTE(review): secret values are persisted in Terraform state; keep static
  # keys out of this file and rely on the IRSA role for bucket access.
  data = {
    for key in ["thanos.yaml", "object-store.yaml"] :
    key => file("${path.module}/templates/thanos-objstore-config.yaml.tpl")
  }
}
##############
# IAM / IRSA #
##############
# IAM policy allowing Prometheus (more precisely, the Thanos components running
# under its service account) to list, read, write and delete objects in the
# Thanos S3 bucket through an IRSA role instead of static credentials.
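data "aws_iam_policy_document" "monitoring" {
  # The bucket name is hardcoded because the bucket was not created by the
  # Terraform in this repository. Once the test is accepted:
  #   1. create the S3 bucket from the cp-environments repo (or from here)
  #   2. reference its name/ARN here instead of the literal.

  # Bucket-level action. s3:ListBucket only ever matches the bucket ARN, so it
  # is scoped to that resource alone instead of being mixed with object ARNs.
  statement {
    sid       = "ThanosListBucket"
    actions   = ["s3:ListBucket"]
    resources = ["arn:aws:s3:::cloud-platform-prometheus-thanos"]
  }

  # Object-level actions (e.g. the sidecar uploading blocks, the compactor
  # deleting them) only match object ARNs, so they are scoped to the bucket's
  # keys. The effective grant is the same as the previous single statement;
  # splitting it keeps the policy least-privilege-readable for reviewers.
  statement {
    sid = "ThanosObjectAccess"
    actions = [
      "s3:GetObject",
      "s3:PutObject",
      "s3:DeleteObject",
    ]
    resources = ["arn:aws:s3:::cloud-platform-prometheus-thanos/*"]
  }
}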
# IRSA
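module "iam_assumable_role_monitoring" {
  # Role assumed through the cluster's OIDC provider (IRSA) -- no static AWS
  # credentials are handed to the pods.
  source  = "terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc"
  version = "3.13.0"

  create_role  = true
  role_name    = "monitoring.${var.cluster_domain_name}"
  provider_url = var.eks_cluster_oidc_issuer_url

  # aws_iam_policy.monitoring has no count, so the former
  # `length(...) >= 1 ? ... : ""` guard always took the ARN branch; attach it
  # directly (an empty-string policy ARN would fail at apply time anyway).
  role_policy_arns = [aws_iam_policy.monitoring.arn]

  # Trust is pinned to one fully-qualified subject so that, per the module's
  # trust policy, no other service account in the cluster can assume the role.
  # This must be the SA Thanos actually runs under -- NOTE(review):
  # local.prometheus_sa_name is what the Thanos chart values receive; confirm
  # it resolves to this same name, or derive this string from it so the two
  # cannot drift apart.
  oidc_fully_qualified_subjects = ["system:serviceaccount:monitoring:prometheus-operator-kube-p-prometheus"]
}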
resource "aws_iam_policy" "monitoring" {
  # Customer-managed policy carrying the S3 grants from the policy document;
  # name_prefix lets AWS append a unique suffix so several clusters can share
  # one account without name collisions.
  policy      = data.aws_iam_policy_document.monitoring.json
  description = "EKS monitoring policy for cluster ${var.cluster_domain_name}"
  name_prefix = "monitoring"
}