Initial commit

Author: goruha

.github/settings.yml

@@ -1,11 +1,7 @@
 # Upstream changes from _extends are only recognized when modifications are made to this file in the default branch.
 _extends: .github
 repository:
-  name: template
-  description: Template for Terraform Components
+  name: aws-eks-datadog-agent
+  description: This component installs the `datadog-agent` for EKS clusters
   homepage: https://cloudposse.com/accelerate
   topics: terraform, terraform-component
-
-
-
-

CHANGELOG.md

@@ -0,0 +1,66 @@
+## PR [#814](https://github.com/cloudposse/terraform-aws-components/pull/814)
+
+### Possible Breaking Change
+
+Removed inputs `iam_role_enabled` and `iam_policy_statements` because the Datadog agent does not need an IAM (IRSA) role
+or any special AWS permissions because it works solely within the Kubernetes environment. (Datadog has AWS integrations
+to handle monitoring that requires AWS permissions.)
+
+This only a breaking change if you were setting these inputs. If you were, simply remove them from your configuration.
+
+### Possible Breaking Change
+
+Previously this component directly created the Kubernetes namespace for the agent when `create_namespace` was set to
+`true`. Now this component delegates that responsibility to the `helm-release` module, which better coordinates the
+destruction of resources at destruction time (for example, ensuring that the Helm release is completely destroyed and
+finalizers run before deleting the namespace).
+
+Generally the simplest upgrade path is to destroy the Helm release, then destroy the namespace, then apply the new
+configuration. Alternatively, you can use `terraform state mv` to move the existing namespace to the new Terraform
+"address", which will preserve the existing deployment and reduce the possibility of the destroy failing and leaving the
+Kubernetes cluster in a bad state.
+
+### Cluster Agent Redundancy
+
+In this PR we have defaulted the number of Cluster Agents to 2. This is because when there are no Cluster Agents, all
+cluster metrics are lost. Having 2 agents makes it possible to keep 1 agent running at all times, even when the other is
+on a node being drained.
+
+### DNS Resolution Enhancement
+
+If Datadog processes are looking for where to send data and are configured to look up
+`datadog.monitoring.svc.cluster.local`, by default the cluster will make a DNS query for each of the following:
+
+1. `datadog.monitoring.svc.cluster.local.monitoring.svc.cluster.local`
+2. `datadog.monitoring.svc.cluster.local.svc.cluster.local`
+3. `datadog.monitoring.svc.cluster.local.cluster.local`
+4. `datadog.monitoring.svc.cluster.local.ec2.internal`
+5. `datadog.monitoring.svc.cluster.local`
+
+due to the DNS resolver's
+[search path](https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#namespaces-of-services). Because
+this lookup happens so frequently (several times a second in a production environment), it can cause a lot of
+unnecessary work, even if the DNS query is cached.
+
+In this PR we have set `ndots: 2` in the agent and cluster agent configuration so that only the 5th query is made. (In
+Kubernetes, the default value for `ndots` is 5. DNS queries having fewer than `ndots` dots in them will be attempted
+using each component of the search path in turn until a match is found, while those with more dots, or with a final dot,
+are looked up as is.)
+
+Alternately, where you are setting the host name to be resolved, you can add a final dot at the end so that the search
+path is not used, e.g. `datadog.monitoring.svc.cluster.local.`
+
+### Note for Bottlerocket users
+
+If you are using Bottlerocket, you will want to uncomment the following from `values.yaml` or add it to your `values`
+input:
+
+```yaml
+criSocketPath: /run/dockershim.sock # Bottlerocket Only
+env: # Bottlerocket Only
+  - name: DD_AUTOCONFIG_INCLUDE_FEATURES # Bottlerocket Only
+    value: "containerd" # Bottlerocket Only
+```
+
+See the [Datadog documentation](https://docs.datadoghq.com/containers/kubernetes/distributions/?tab=helm#EKS) for
+details.

README.yaml

@@ -0,0 +1,6 @@
+http_check.yaml:
+  cluster_check: true
+  init_config:
+  instances:
+    - name: "[${stage}] Echo Server"
+      url: "https://echo.${stage}.acme.com"

src/catalog/cluster-checks/defaults/http_checks.yaml

@@ -0,0 +1,4 @@
+http_check.yaml:
+  instances:
+    - name: "[${stage}] Custom Dev App"
+      url: "https://my-custom-dev-app.acme.com"

src/catalog/cluster-checks/dev/http_checks.yaml

@@ -0,0 +1,63 @@
+variable "description" {
+  type        = string
+  description = "Release description attribute (visible in the history)"
+  default     = null
+}
+
+variable "chart" {
+  type        = string
+  description = "Chart name to be installed. The chart name can be local path, a URL to a chart, or the name of the chart if `repository` is specified. It is also possible to use the `<repository>/<chart>` format here if you are running Terraform on a system that the repository has been added to with `helm repo add` but this is not recommended"
+}
+
+variable "repository" {
+  type        = string
+  description = "Repository URL where to locate the requested chart"
+  default     = null
+}
+
+variable "chart_version" {
+  type        = string
+  description = "Specify the exact chart version to install. If this is not specified, the latest version is installed"
+  default     = null
+}
+
+variable "kubernetes_namespace" {
+  type        = string
+  description = "Kubernetes namespace to install the release into"
+}
+
+variable "timeout" {
+  type        = number
+  description = "Time in seconds to wait for any individual kubernetes operation (like Jobs for hooks). Defaults to `300` seconds"
+  default     = null
+}
+
+variable "cleanup_on_fail" {
+  type        = bool
+  description = "Allow deletion of new resources created in this upgrade when upgrade fails"
+  default     = true
+}
+
+variable "atomic" {
+  type        = bool
+  description = "If set, installation process purges chart on fail. The wait flag will be set automatically if atomic is used"
+  default     = true
+}
+
+variable "wait" {
+  type        = bool
+  description = "Will wait until all resources are in a ready state before marking the release as successful. It will wait for as long as `timeout`. Defaults to `true`"
+  default     = null
+}
+
+variable "create_namespace" {
+  type        = bool
+  description = "Create the Kubernetes namespace if it does not yet exist"
+  default     = true
+}
+
+variable "verify" {
+  type        = bool
+  description = "Verify the package before installing it. Helm uses a provenance file to verify the integrity of the chart; this must be hosted alongside the chart"
+  default     = false
+}

src/helm-variables.tf

@@ -1,8 +1,147 @@
 locals {
   enabled = module.this.enabled
+
+  tags = module.this.tags
+
+  datadog_api_key = module.datadog_configuration.datadog_api_key
+  datadog_app_key = module.datadog_configuration.datadog_app_key
+  datadog_site    = module.datadog_configuration.datadog_site
+
+  # combine context tags with passed in datadog_tags
+  # skip name since that won't be relevant for each metric
+  datadog_tags = toset(distinct(concat([
+    for k, v in module.this.tags : "${lower(k)}:${v}" if lower(k) != "name"
+  ], tolist(var.datadog_tags))))
+
+  cluster_checks_enabled = local.enabled && var.cluster_checks_enabled
+
+  context_tags = {
+    for k, v in module.this.tags :
+    lower(k) => v
+  }
+
+  deep_map_merge = local.cluster_checks_enabled ? module.datadog_cluster_check_yaml_config[0].map_configs : {}
+  datadog_cluster_checks = {
+    for k, v in local.deep_map_merge :
+    k => merge(v, {
+      instances = [
+        for key, val in v.instances :
+        merge(val, {
+          tags = [
+            for tag, tag_value in local.context_tags :
+            format("%s:%s", tag, tag_value)
+            if contains(var.datadog_cluster_check_auto_added_tags, tag)
+          ]
+        })
+      ]
+    })
+  }
+  set_datadog_cluster_checks = [
+    for cluster_check_key, cluster_check_value in local.datadog_cluster_checks : {
+      # Since we are using json pathing to set deep yaml values, and the key we want to set is `something.yaml`
+      # we need to escape the key of the cluster check.
+      name  = format("clusterAgent.confd.%s", replace(cluster_check_key, ".", "\\."))
+      type  = "auto"
+      value = yamlencode(cluster_check_value)
+    }
+  ]
 }
 
+module "datadog_configuration" {
+  source  = "../../datadog-configuration/modules/datadog_keys"
+  context = module.this.context
+}
 
+module "datadog_cluster_check_yaml_config" {
+  count = local.cluster_checks_enabled ? 1 : 0
 
+  source  = "cloudposse/config/yaml"
+  version = "1.0.2"
 
+  map_config_local_base_path = path.module
+  map_config_paths           = var.datadog_cluster_check_config_paths
 
+  append_list_enabled = true
+
+  parameters = merge(
+    var.datadog_cluster_check_config_parameters,
+    local.context_tags
+  )
+
+  context = module.this.context
+}
+
+module "values_merge" {
+  source  = "cloudposse/config/yaml//modules/deepmerge"
+  version = "1.0.2"
+
+  # Merge in order: datadog values, var.values
+  maps = [
+    yamldecode(
+      file("${path.module}/values.yaml")
+    ),
+    var.values,
+  ]
+}
+
+
+module "datadog_agent" {
+  source  = "cloudposse/helm-release/aws"
+  version = "0.10.0"
+
+  name          = module.this.name
+  chart         = var.chart
+  description   = var.description
+  repository    = var.repository
+  chart_version = var.chart_version
+
+  kubernetes_namespace             = var.kubernetes_namespace
+  create_namespace_with_kubernetes = var.create_namespace
+
+  verify          = var.verify
+  wait            = var.wait
+  atomic          = var.atomic
+  cleanup_on_fail = var.cleanup_on_fail
+  timeout         = var.timeout
+
+  eks_cluster_oidc_issuer_url = module.eks.outputs.eks_cluster_identity_oidc_issuer
+
+  values = [
+    yamlencode(module.values_merge.merged)
+  ]
+
+  set_sensitive = [
+    {
+      name  = "datadog.apiKey"
+      type  = "string"
+      value = local.datadog_api_key
+    },
+    {
+      name  = "datadog.appKey"
+      type  = "string"
+      value = local.datadog_app_key
+    },
+    {
+      name  = "datadog.site"
+      type  = "string"
+      value = local.datadog_site
+    }
+  ]
+
+  set = concat([
+    {
+      name  = "datadog.tags"
+      type  = "auto"
+      value = yamlencode(local.datadog_tags)
+    },
+    {
+      name  = "datadog.clusterName"
+      type  = "string"
+      value = module.eks.outputs.eks_cluster_id
+    },
+  ], local.set_datadog_cluster_checks)
+
+  iam_role_enabled = false
+
+  context = module.this.context
+}

src/main.tf

@@ -1,4 +1,9 @@
-output "mock" {
-  description = "Mock output example for the Cloud Posse Terraform component template"
-  value       = local.enabled ? "hello ${basename(abspath(path.module))}" : ""
+output "metadata" {
+  value       = local.enabled ? module.datadog_agent.metadata : null
+  description = "Block status of the deployed release"
+}
+
+output "cluster_checks" {
+  value       = local.datadog_cluster_checks
+  description = "Cluster Checks for the cluster"
 }