Merge branch 'main' into Karpenter-auto

abhiyerra · web-flow · commit af113832bb51 · 2025-01-21T21:49:36.000-08:00
diff --git a/README.md b/README.md
@@ -216,6 +216,7 @@ the PSP to the [equivalent new standard](https://kubernetes.io/docs/tasks/config
 | <a name="input_cidr_block"></a> [cidr\_block](#input\_cidr\_block) | The CIDR block used by the VPC | `string` | `"10.2.0.0/16"` | no |
 | <a name="input_cidr_block_private_subnet"></a> [cidr\_block\_private\_subnet](#input\_cidr\_block\_private\_subnet) | The CIDR block used by the private subnet | `list` | <pre>[<br/>  "10.2.2.0/24",<br/>  "10.2.3.0/24"<br/>]</pre> | no |
 | <a name="input_cidr_block_public_subnet"></a> [cidr\_block\_public\_subnet](#input\_cidr\_block\_public\_subnet) | The CIDR block used by the private subnet | `list` | <pre>[<br/>  "10.2.0.0/24",<br/>  "10.2.1.0/24"<br/>]</pre> | no |
+| <a name="input_cloudwatch_observability_enabled"></a> [cloudwatch\_observability\_enabled](#input\_cloudwatch\_observability\_enabled) | Enable or disable the CloudWatch Observability Add-on for EKS | `bool` | `false` | no |
 | <a name="input_cloudwatch_pod_logs_enabled"></a> [cloudwatch\_pod\_logs\_enabled](#input\_cloudwatch\_pod\_logs\_enabled) | Stream EKS pod logs to cloudwatch | `bool` | `false` | no |
 | <a name="input_cloudwatch_retention_in_days"></a> [cloudwatch\_retention\_in\_days](#input\_cloudwatch\_retention\_in\_days) | How long to keep CloudWatch logs in days | `number` | `30` | no |
 | <a name="input_cluster_authentication_mode"></a> [cluster\_authentication\_mode](#input\_cluster\_authentication\_mode) | Desired Kubernetes authentication. API or API\_AND\_CONFIG\_MAP | `string` | `"API"` | no |
@@ -325,6 +326,7 @@ the PSP to the [equivalent new standard](https://kubernetes.io/docs/tasks/config
 | [aws_iam_role.vpc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
 | [aws_iam_role_policy.vpc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
 | [aws_iam_role_policy_attachment.alb](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
+| [aws_iam_role_policy_attachment.cloudwatch_observability](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [aws_iam_role_policy_attachment.cluster-AmazonEKSClusterPolicy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [aws_iam_role_policy_attachment.cluster-AmazonEKSServicePolicy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [aws_iam_role_policy_attachment.csi](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
diff --git a/alb.tf b/alb.tf
@@ -1,6 +1,6 @@
 module "iam_assumable_role_alb" {
   source           = "terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc"
-  version          = "5.48.0"
+  version          = "5.52.2"
   create_role      = true
   role_name        = "${var.environment_name}-${local.alb_name}"
   provider_url     = replace(aws_iam_openid_connect_provider.cluster.url, "https://", "")
diff --git a/cluster.tf b/cluster.tf
@@ -88,6 +88,7 @@ resource "aws_eks_addon" "core" {
     "aws-ebs-csi-driver",
     var.s3_csi_driver_enabled ? ["aws-mountpoint-s3-csi-driver"] : [],
     var.efs_enabled ? ["aws-efs-csi-driver"] : [],
+    var.cloudwatch_observability_enabled ? ["amazon-cloudwatch-observability"] : [],
   ]))
 
   cluster_name                = aws_eks_cluster.cluster.name
diff --git a/efs.tf b/efs.tf
@@ -2,7 +2,7 @@
 module "iam_assumable_role_efs_csi" {
   count            = var.efs_enabled ? 1 : 0
   source           = "terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc"
-  version          = "5.48.0"
+  version          = "5.52.2"
   create_role      = true
   role_name        = "${var.environment_name}-AmazonEFSCSIDriverPolicy"
   provider_url     = replace(aws_iam_openid_connect_provider.cluster.url, "https://", "")
diff --git a/iam.tf b/iam.tf
@@ -425,3 +425,14 @@ resource "aws_iam_role_policy_attachment" "csi" {
   policy_arn = join("", aws_iam_policy.s3_policy.*.arn)
   role       = aws_iam_role.node.name
 }
+
+# Attach the AWS-managed CloudWatchAgentServerPolicy to the node IAM role.
+# We may want to harden this down a bit later, but it's essentially scoped
+# to a few read-only calls and the ability to write logs, metrics, and traces
+# to CloudWatch (metrics), CloudWatch Logs (logs), and X-Ray (traces).
+resource "aws_iam_role_policy_attachment" "cloudwatch_observability" {
+  count = var.cloudwatch_observability_enabled ? 1 : 0
+
+  policy_arn = "arn:aws:iam::aws:policy/CloudWatchAgentServerPolicy"
+  role       = aws_iam_role.node.name
+}
diff --git a/karpenter.tf b/karpenter.tf
@@ -6,7 +6,7 @@ module "karpenter" {
   count = var.karpenter_enabled ? 1 : 0
 
   source  = "terraform-aws-modules/eks/aws//modules/karpenter"
-  version = "20.31.0"
+  version = "20.33.0"
 
   cluster_name = var.environment_name
 
diff --git a/variables.tf b/variables.tf
@@ -466,3 +466,9 @@ variable "eks_auto_mode_enabled" {
   type        = bool
   default     = true
 }
+
+variable "cloudwatch_observability_enabled" {
+  description = "Enable or disable the CloudWatch Observability Add-on for EKS"
+  type        = bool
+  default     = false
+}
