
Commit af11383

Merge branch 'main' into Karpenter-auto
2 parents 8d946c6 + 602ebf6 commit af11383


7 files changed

+23
-3
lines changed


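--- a/README.md
+++ b/README.md
@@ -216,6 +216,7 @@ the PSP to the [equivalent new standard](https://kubernetes.io/docs/tasks/config
 | <a name="input_cidr_block"></a> [cidr\_block](#input\_cidr\_block) | The CIDR block used by the VPC | `string` | `"10.2.0.0/16"` | no |
 | <a name="input_cidr_block_private_subnet"></a> [cidr\_block\_private\_subnet](#input\_cidr\_block\_private\_subnet) | The CIDR block used by the private subnet | `list` | <pre>[<br/> "10.2.2.0/24",<br/> "10.2.3.0/24"<br/>]</pre> | no |
 | <a name="input_cidr_block_public_subnet"></a> [cidr\_block\_public\_subnet](#input\_cidr\_block\_public\_subnet) | The CIDR block used by the private subnet | `list` | <pre>[<br/> "10.2.0.0/24",<br/> "10.2.1.0/24"<br/>]</pre> | no |
+| <a name="input_cloudwatch_observability_enabled"></a> [cloudwatch\_observability\_enabled](#input\_cloudwatch\_observability\_enabled) | Enable or disable the CloudWatch Observability Add-on for EKS | `bool` | `false` | no |
 | <a name="input_cloudwatch_pod_logs_enabled"></a> [cloudwatch\_pod\_logs\_enabled](#input\_cloudwatch\_pod\_logs\_enabled) | Stream EKS pod logs to cloudwatch | `bool` | `false` | no |
 | <a name="input_cloudwatch_retention_in_days"></a> [cloudwatch\_retention\_in\_days](#input\_cloudwatch\_retention\_in\_days) | How long to keep CloudWatch logs in days | `number` | `30` | no |
 | <a name="input_cluster_authentication_mode"></a> [cluster\_authentication\_mode](#input\_cluster\_authentication\_mode) | Desired Kubernetes authentication. API or API\_AND\_CONFIG\_MAP | `string` | `"API"` | no |
@@ -325,6 +326,7 @@ the PSP to the [equivalent new standard](https://kubernetes.io/docs/tasks/config
 | [aws_iam_role.vpc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
 | [aws_iam_role_policy.vpc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
 | [aws_iam_role_policy_attachment.alb](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
+| [aws_iam_role_policy_attachment.cloudwatch_observability](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [aws_iam_role_policy_attachment.cluster-AmazonEKSClusterPolicy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [aws_iam_role_policy_attachment.cluster-AmazonEKSServicePolicy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [aws_iam_role_policy_attachment.csi](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |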

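--- a/alb.tf
+++ b/alb.tf
@@ -1,6 +1,6 @@
 module "iam_assumable_role_alb" {
 source = "terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc"
-version = "5.48.0"
+version = "5.52.2"
 create_role = true
 role_name = "${var.environment_name}-${local.alb_name}"
 provider_url = replace(aws_iam_openid_connect_provider.cluster.url, "https://", "")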

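--- a/cluster.tf
+++ b/cluster.tf
@@ -88,6 +88,7 @@ resource "aws_eks_addon" "core" {
 "aws-ebs-csi-driver",
 var.s3_csi_driver_enabled ? ["aws-mountpoint-s3-csi-driver"] : [],
 var.efs_enabled ? ["aws-efs-csi-driver"] : [],
+var.cloudwatch_observability_enabled ? ["amazon-cloudwatch-observability"] : [],
 ]))
 
 cluster_name = aws_eks_cluster.cluster.name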

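--- a/efs.tf
+++ b/efs.tf
@@ -2,7 +2,7 @@
 module "iam_assumable_role_efs_csi" {
 count = var.efs_enabled ? 1 : 0
 source = "terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc"
-version = "5.48.0"
+version = "5.52.2"
 create_role = true
 role_name = "${var.environment_name}-AmazonEFSCSIDriverPolicy"
 provider_url = replace(aws_iam_openid_connect_provider.cluster.url, "https://", "")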

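--- a/iam.tf
+++ b/iam.tf
@@ -425,3 +425,14 @@ resource "aws_iam_role_policy_attachment" "csi" {
 policy_arn = join("", aws_iam_policy.s3_policy.*.arn)
 role = aws_iam_role.node.name
 }
+
+# Attach the AWS-managed CloudWatchAgentServerPolicy to the node IAM role.
+# We may want to harden this down a bit later, but it's essentially scoped
+# to a few read-only calls and the ability to write logs, metrics, and traces
+# to CloudWatch (metrics), CloudWatch Logs (logs), and X-Ray (traces).
+resource "aws_iam_role_policy_attachment" "cloudwatch_observability" {
+count = var.cloudwatch_observability_enabled ? 1 : 0
+
+policy_arn = "arn:aws:iam::aws:policy/CloudWatchAgentServerPolicy"
+role = aws_iam_role.node.name
+}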
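Review bot: Attaching CloudWatchAgentServerPolicy to `aws_iam_role.node` grants those permissions to every pod scheduled on the nodes, not only the observability agent, since any workload that can reach the instance credentials inherits the node role; alb.tf and efs.tf in this same commit already use the `iam-assumable-role-with-oidc` module for a per-service-account role, and the add-on's service account could get the policy the same way (or via EKS Pod Identity), which would also let the "harden this down a bit later" comment be retired. The "a few read-only calls" wording in the comment undersells the managed policy a little: as far as I recall it also allows reading SSM parameters under the AmazonCloudWatch-* prefix, so it is worth naming that explicitly rather than leaving it implied. Separately, the partition is hard-coded in `policy_arn = "arn:aws:iam::aws:policy/CloudWatchAgentServerPolicy"`, which breaks in the GovCloud and China partitions; if the file already declares an `aws_partition` data source, `policy_arn = "arn:${data.aws_partition.<NAME>.partition}:iam::aws:policy/CloudWatchAgentServerPolicy"` (NAME being a placeholder for that data source's label) avoids it. The matching add-on entry gated on the same variable is in cluster.tf.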

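--- a/karpenter.tf
+++ b/karpenter.tf
@@ -6,7 +6,7 @@ module "karpenter" {
 count = var.karpenter_enabled ? 1 : 0
 
 source = "terraform-aws-modules/eks/aws//modules/karpenter"
-version = "20.31.0"
+version = "20.33.0"
 
 cluster_name = var.environment_name
 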
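--- a/variables.tf
+++ b/variables.tf
@@ -466,3 +466,9 @@ variable "eks_auto_mode_enabled" {
 type = bool
 default = true
 }
+
+variable "cloudwatch_observability_enabled" {
+description = "Enable or disable the CloudWatch Observability Add-on for EKS"
+type = bool
+default = false
+}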
