kube-prom-stack-grafana-iam-policy (#385)

terraform-modules/aws/helm/kube-prometheus-stack/main.tf

@@ -1,3 +1,8 @@
+locals {
+  base_name                = "kube-prometheus-stack"
+  k8s_service_account_name = "kube-prometheus-stack-grafana"
+}
+
 resource "helm_release" "helm_chart" {
   chart            = "kube-prometheus-stack"
   namespace        = var.namespace
@@ -8,8 +13,40 @@ resource "helm_release" "helm_chart" {
   repository       = "https://prometheus-community.github.io/helm-charts"
 
   values = [
-    file("${path.module}/values.yaml"),
+    # templatefile("${path.module}/values.yaml", {
+    templatefile("./values_local.yaml", {
+      enable_grafana_aws_role = var.enable_iam_assumable_role_grafana
+      aws_account_id          = var.aws_account_id
+      role_name               = local.k8s_service_account_name
+    }),
     var.helm_values,
   ]
+}
+
+############################
+# An AWS assumable role for grafana
+#
+# Use case:
+# * If you want to give Grafana IAM permission to query AWS Cloudwatch logs
+#
+############################
+module "iam_assumable_role_grafana" {
+  count                         = var.enable_iam_assumable_role_grafana ? 1 : 0
+  source                        = "terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc"
+  version                       = "3.6.0"
+  create_role                   = true
+  role_name                     = local.k8s_service_account_name
+  provider_url                  = replace(var.eks_cluster_oidc_issuer_url, "https://", "")
+  role_policy_arns              = [aws_iam_policy.grafana[0].arn]
+  oidc_fully_qualified_subjects = ["system:serviceaccount:${var.namespace}:${local.k8s_service_account_name}"]
+  tags                          = var.tags
+}
 
+# Policy doc: https://github.com/kubernetes-sigs/aws-efs-csi-driver/blob/master/docs/iam-policy-example.json
+resource "aws_iam_policy" "grafana" {
+  count       = var.enable_iam_assumable_role_grafana ? 1 : 0
+  name_prefix = "${local.base_name}-${var.environment_name}"
+  description = "${local.base_name} for ${var.environment_name}"
+  policy      = var.aws_policy_grafana
+  tags        = var.tags
 }

terraform-modules/aws/helm/kube-prometheus-stack/values.yaml → terraform-modules/aws/helm/kube-prometheus-stack/values_local.yaml

@@ -50,7 +50,10 @@ grafana:
   #   operator: "Equal"
   #   value: "my-app"
   #   effect: "NoSchedule"
-
+  %{ if enable_grafana_aws_role }
+  annotations:
+    eks.amazonaws.com/role-arn: arn:aws:iam::${aws_account_id}:role/${role_name}
+  %{ endif }
 
 ## Configuration for alertmanager
 ## ref: https://prometheus.io/docs/alerting/alertmanager/

terraform-modules/aws/helm/kube-prometheus-stack/variables.tf

@@ -27,3 +27,63 @@ variable helm_values {
   default     = ""
   description = "Additional helm values to pass in.  These values would override the default in this module."
 }
+
+variable "tags" {
+  type    = map(any)
+  default = {}
+}
+
+variable "aws_account_id" {
+  type        = string
+  default     = ""
+  description = "AWS account ID.  Used in creating IAM assumable role if enabled"
+}
+
+variable "eks_cluster_oidc_issuer_url" {
+  type        = string
+  default     = ""
+  description = "EKS cluster oidc issuer url"
+}
+
+variable "enable_iam_assumable_role_grafana" {
+  type        = bool
+  default     = false
+  description = "Enable the creation of an AWS IAM assumable role that is attached to the Grafana kubernetes service account.  Use case is to give Grafana access to AWS Cloudwatch log via an assumable role."
+}
+
+variable "environment_name" {
+  type        = string
+  default     = "env"
+  description = "An environment name to attach to some resources.  Optional only needed if you are going to create more than one of these items in an AWS account"
+}
+
+# Sample AWS IAM policy: https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/iam-identity-based-access-control-cwl.html#managed-policies-cwl
+variable "aws_policy_grafana" {
+  type        = string
+  default     = <<EOF
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Action": [
+                "logs:Describe*",
+                "logs:Get*",
+                "logs:List*",
+                "logs:StartQuery",
+                "logs:StopQuery",
+                "logs:TestMetricFilter",
+                "logs:FilterLogEvents",
+                "cloudwatch:ListMetrics",
+                "cloudwatch:GetMetricData",
+                "cloudwatch:GetMetricStatistics",
+                "cloudwatch:DescribeAlarmHistory",
+                "cloudwatch:DescribeAlarms"
+            ],
+            "Effect": "Allow",
+            "Resource": "*"
+        }
+    ]
+}
+EOF
+  description = "The AWS policy for the Grafana AWS role.  The default is a read only role to all Cloudwatch logs."
+}