feat: support loki bucket for aws BYOC poolmebers (#167)

ignacioli · web-flow · commit ee192f30425a · 2025-07-31T14:59:38.000+08:00
*(If this PR fixes a github issue, please add `Fixes #<xyz>`.)* Fixes #<xyz> *(or if this PR is one task of a github issue, please add `Master Issue: #<xyz>` to link to the master issue.)* Master Issue: #<xyz> ### Motivation *Explain here the context, and why you're making that change. What is the problem you're trying to solve.* ### Modifications *Describe the modifications you've done.* ### Verifying this change - [ ] Make sure that the change passes the CI checks. *(Please pick either of the following options)* This change is a trivial rework / code cleanup without any test coverage. *(or)* This change is already covered by existing tests, such as *(please describe tests)*. *(or)* This change added tests and can be verified as follows: *(example:)* - *Added integration tests for end-to-end deployment with large payloads (10MB)* - *Extended integration test for recovery after broker failure* ### Documentation Check the box below. Need to update docs? - [ ] `doc-required` (If you need help on updating docs, create a doc issue) - [ ] `no-need-doc` (Please explain why) - [ ] `doc` (If this PR contains doc changes)
diff --git a/modules/dns-bucket/README.md b/modules/dns-bucket/README.md
@@ -28,9 +28,9 @@ A basic module used to create Route53 Zone and S3 Buckets.
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | 5.76.0 |
-| <a name="provider_aws.source"></a> [aws.source](#provider\_aws.source) | 5.76.0 |
-| <a name="provider_aws.target"></a> [aws.target](#provider\_aws.target) | 5.76.0 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | 5.75.0 |
+| <a name="provider_aws.source"></a> [aws.source](#provider\_aws.source) | 5.75.0 |
+| <a name="provider_aws.target"></a> [aws.target](#provider\_aws.target) | 5.75.0 |
 
 ## Modules
 
@@ -42,6 +42,7 @@ No modules.
 |------|------|
 | [aws_route53_record.delegate](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_record) | resource |
 | [aws_route53_zone.zone](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_zone) | resource |
+| [aws_s3_bucket.loki](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) | resource |
 | [aws_s3_bucket.tiered_storage](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) | resource |
 | [aws_s3_bucket.velero](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) | resource |
 | [aws_s3_bucket_server_side_encryption_configuration.velero](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_server_side_encryption_configuration) | resource |
@@ -52,11 +53,14 @@ No modules.
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
+| <a name="input_bucket_location"></a> [bucket\_location](#input\_bucket\_location) | The location of the bucket | `string` | n/a | yes |
 | <a name="input_custom_dns_zone_id"></a> [custom\_dns\_zone\_id](#input\_custom\_dns\_zone\_id) | if specified, then a streamnative zone will not be created, and this zone will be used instead. Otherwise, we will provision a new zone and delegate access | `string` | `""` | no |
 | <a name="input_custom_dns_zone_name"></a> [custom\_dns\_zone\_name](#input\_custom\_dns\_zone\_name) | must be passed if custom\_dns\_zone\_id is passed, this is the zone name to use | `string` | `""` | no |
+| <a name="input_enable_loki"></a> [enable\_loki](#input\_enable\_loki) | Enable loki storage bucket creation | `bool` | `false` | no |
 | <a name="input_extra_aws_tags"></a> [extra\_aws\_tags](#input\_extra\_aws\_tags) | Additional to apply to the resources. Note that this module sets the tags Name, Type, and Vendor by default. They can be overwritten, but it is not recommended. | `map(string)` | `{}` | no |
 | <a name="input_parent_zone_name"></a> [parent\_zone\_name](#input\_parent\_zone\_name) | The parent zone in which we create the delegation records | `string` | n/a | yes |
 | <a name="input_pm_name"></a> [pm\_name](#input\_pm\_name) | The name of the poolmember, for new clusters, this should be like `pm-<xxxxx>` | `string` | n/a | yes |
+| <a name="input_pm_namespace"></a> [pm\_namespace](#input\_pm\_namespace) | The namespace of the poolmember | `string` | n/a | yes |
 | <a name="input_s3_encryption_kms_key_arn"></a> [s3\_encryption\_kms\_key\_arn](#input\_s3\_encryption\_kms\_key\_arn) | KMS key ARN to use for S3 encryption. If not set, the default AWS S3 key will be used. | `string` | `""` | no |
 
 ## Outputs
@@ -65,6 +69,7 @@ No modules.
 |------|-------------|
 | <a name="output_backup_bucket"></a> [backup\_bucket](#output\_backup\_bucket) | n/a |
 | <a name="output_backup_bucket_kms_key_id"></a> [backup\_bucket\_kms\_key\_id](#output\_backup\_bucket\_kms\_key\_id) | n/a |
+| <a name="output_loki_bucket"></a> [loki\_bucket](#output\_loki\_bucket) | n/a |
 | <a name="output_tiered_storage_bucket"></a> [tiered\_storage\_bucket](#output\_tiered\_storage\_bucket) | n/a |
 | <a name="output_zone_id"></a> [zone\_id](#output\_zone\_id) | n/a |
 | <a name="output_zone_name"></a> [zone\_name](#output\_zone\_name) | n/a |
diff --git a/modules/dns-bucket/bucket.tf b/modules/dns-bucket/bucket.tf
@@ -13,27 +13,25 @@
 # limitations under the License.
 
 resource "aws_s3_bucket" "velero" {
+  provider      = aws.target
   bucket        = format("%s-cluster-backup-snc", var.pm_name)
   tags          = merge({ "Attributes" = "backup", "Name" = "velero-backups" }, local.tags)
   force_destroy = true
-
-  lifecycle {
-    ignore_changes = [
-      bucket,
-    ]
-  }
 }
 
 resource "aws_s3_bucket" "tiered_storage" {
+  provider      = aws.target
   bucket        = format("%s-tiered-storage-snc", var.pm_name)
   tags          = merge({ "Attributes" = "tiered-storage" }, local.tags)
   force_destroy = true
+}
 
-  lifecycle {
-    ignore_changes = [
-      bucket,
-    ]
-  }
+resource "aws_s3_bucket" "loki" {
+  count         = var.enable_loki ? 1 : 0
+  provider      = aws.source
+  bucket        = format("loki-%s-%s", var.pm_namespace, var.pm_name)
+  tags          = merge({ "Attributes" = "loki", "Name" = "logs-byoc" }, local.tags)
+  force_destroy = true
 }
 
 data "aws_kms_key" "s3_default" {
diff --git a/modules/dns-bucket/outputs.tf b/modules/dns-bucket/outputs.tf
@@ -30,4 +30,8 @@ output "backup_bucket_kms_key_id" {
 
 output "tiered_storage_bucket" {
   value = aws_s3_bucket.tiered_storage.bucket
+}
+
+output "loki_bucket" {
+  value = var.enable_loki ? aws_s3_bucket.loki[0].bucket : ""
 }
diff --git a/modules/dns-bucket/variables.tf b/modules/dns-bucket/variables.tf
@@ -12,6 +12,11 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
+variable "pm_namespace" {
+  type        = string
+  description = "The namespace of the poolmember"
+}
+
 variable "pm_name" {
   description = "The name of the poolmember, for new clusters, this should be like `pm-<xxxxx>`"
   type        = string
@@ -51,3 +56,9 @@ locals {
     "Vendor" = "StreamNative"
   }, var.extra_aws_tags)
 }
+
+variable "enable_loki" {
+  type        = bool
+  default     = false
+  description = "Enable loki storage bucket creation"
+}

Original file line number	Diff line number	Diff line change
`@@ -30,4 +30,8 @@ output "backup_bucket_kms_key_id" {`
`30`	`30`
`31`	`31`	`output "tiered_storage_bucket" {`
`32`	`32`	`value = aws_s3_bucket.tiered_storage.bucket`
	`33`	`+}`
	`34`	`+`
	`35`	`+output "loki_bucket" {`
	`36`	`+ value = var.enable_loki ? aws_s3_bucket.loki[0].bucket : ""`
`33`	`37`	`}`