feat: Add permissions for S3 write on FluentBit addons; add dependency on EKS addon for generic helm_releases (#203)

Author: bryantbiggs

.pre-commit-config.yaml

@@ -10,7 +10,7 @@ repos:
       - id: detect-aws-credentials
         args: ['--allow-missing-credentials']
   - repo: https://github.com/antonbabenko/pre-commit-terraform
-    rev: v1.80.0
+    rev: v1.81.0
     hooks:
       - id: terraform_fmt
       - id: terraform_docs

helm.tf

@@ -68,4 +68,9 @@ resource "helm_release" "this" {
       type  = try(set_sensitive.value.type, null)
     }
   }
+
+  depends_on = [
+    # Wait for EBS CSI, etc. to be installed first
+    aws_eks_addon.this,
+  ]
 }

main.tf

@@ -512,34 +512,60 @@ resource "aws_cloudwatch_log_group" "aws_for_fluentbit" {
 }
 
 data "aws_iam_policy_document" "aws_for_fluentbit" {
-  count = try(var.aws_for_fluentbit_cw_log_group.create, true) && var.enable_aws_for_fluentbit ? 1 : 0
+  count = (try(var.aws_for_fluentbit_cw_log_group.create, true) || length(lookup(var.aws_for_fluentbit, "s3_bucket_arns", [])) > 0) && var.enable_aws_for_fluentbit ? 1 : 0
 
-  statement {
-    sid    = "PutLogEvents"
-    effect = "Allow"
-    resources = [
-      "arn:${local.partition}:logs:${local.region}:${local.account_id}:log-group:${try(var.aws_for_fluentbit_cw_log_group.name, "*")}:log-stream:*",
-    ]
+  dynamic "statement" {
+    for_each = try(var.aws_for_fluentbit_cw_log_group.create, true) ? [1] : []
 
-    actions = [
-      "logs:PutLogEvents"
-    ]
+    content {
+      sid    = "PutLogEvents"
+      effect = "Allow"
+      resources = [
+        "arn:${local.partition}:logs:${local.region}:${local.account_id}:log-group:${try(var.aws_for_fluentbit_cw_log_group.name, "*")}:log-stream:*",
+      ]
+
+      actions = [
+        "logs:PutLogEvents"
+      ]
+    }
   }
 
-  statement {
-    sid    = "CreateCWLogs"
-    effect = "Allow"
-    resources = [
-      "arn:${local.partition}:logs:${local.region}:${local.account_id}:log-group:${try(var.aws_for_fluentbit_cw_log_group.name, "*")}",
-    ]
+  dynamic "statement" {
+    for_each = try(var.aws_for_fluentbit_cw_log_group.create, true) ? [1] : []
 
-    actions = [
-      "logs:CreateLogGroup",
-      "logs:CreateLogStream",
-      "logs:DescribeLogGroups",
-      "logs:DescribeLogStreams",
-      "logs:PutRetentionPolicy",
-    ]
+    content {
+      sid    = "CreateCWLogs"
+      effect = "Allow"
+      resources = [
+        "arn:${local.partition}:logs:${local.region}:${local.account_id}:log-group:${try(var.aws_for_fluentbit_cw_log_group.name, "*")}",
+      ]
+
+      actions = [
+        "logs:CreateLogGroup",
+        "logs:CreateLogStream",
+        "logs:DescribeLogGroups",
+        "logs:DescribeLogStreams",
+        "logs:PutRetentionPolicy",
+      ]
+    }
+  }
+
+  dynamic "statement" {
+    for_each = length(lookup(var.aws_for_fluentbit, "s3_bucket_arns", [])) > 0 ? [1] : []
+
+    content {
+      sid = "S3Write"
+      actions = [
+        "s3:ListBucket",
+        "s3:PutObject",
+        "s3:PutObjectAcl",
+        "s3:GetObject",
+        "s3:GetObjectAcl",
+        "s3:DeleteObject",
+        "s3:DeleteObjectVersion",
+      ]
+      resources = var.aws_for_fluentbit.s3_bucket_arns
+    }
   }
 }
 
@@ -2113,21 +2139,42 @@ resource "aws_iam_policy" "fargate_fluentbit" {
 }
 
 data "aws_iam_policy_document" "fargate_fluentbit" {
-  count = try(var.fargate_fluentbit_cw_log_group.create, true) && var.enable_fargate_fluentbit ? 1 : 0
+  count = (try(var.fargate_fluentbit_cw_log_group.create, true) || length(lookup(var.fargate_fluentbit, "s3_bucket_arns", [])) > 0) && var.enable_fargate_fluentbit ? 1 : 0
 
-  statement {
-    sid    = "PutLogEvents"
-    effect = "Allow"
-    actions = [
-      "logs:CreateLogStream",
-      "logs:CreateLogGroup",
-      "logs:DescribeLogStreams",
-      "logs:PutLogEvents"
-    ]
-    resources = [
-      try("${var.fargate_fluentbit.cwlog_arn}:*", "${aws_cloudwatch_log_group.fargate_fluentbit[0].arn}:*"),
-      try("${var.fargate_fluentbit.cwlog_arn}:logstream:*", "${aws_cloudwatch_log_group.fargate_fluentbit[0].arn}:logstream:*")
-    ]
+  dynamic "statement" {
+    for_each = try(var.fargate_fluentbit_cw_log_group.create, true) ? [1] : []
+
+    content {
+      sid = "PutLogEvents"
+      actions = [
+        "logs:CreateLogStream",
+        "logs:CreateLogGroup",
+        "logs:DescribeLogStreams",
+        "logs:PutLogEvents"
+      ]
+      resources = [
+        try("${var.fargate_fluentbit.cwlog_arn}:*", "${aws_cloudwatch_log_group.fargate_fluentbit[0].arn}:*"),
+        try("${var.fargate_fluentbit.cwlog_arn}:logstream:*", "${aws_cloudwatch_log_group.fargate_fluentbit[0].arn}:logstream:*")
+      ]
+    }
+  }
+
+  dynamic "statement" {
+    for_each = length(lookup(var.fargate_fluentbit, "s3_bucket_arns", [])) > 0 ? [1] : []
+
+    content {
+      sid = "S3Write"
+      actions = [
+        "s3:ListBucket",
+        "s3:PutObject",
+        "s3:PutObjectAcl",
+        "s3:GetObject",
+        "s3:GetObjectAcl",
+        "s3:DeleteObject",
+        "s3:DeleteObjectVersion",
+      ]
+      resources = var.fargate_fluentbit.s3_bucket_arns
+    }
   }
 }
 

tests/complete/README.md

@@ -38,8 +38,8 @@ Note that this example may create resources which will incur monetary charges on
 
 | Name | Source | Version |
 |------|--------|---------|
-| <a name="module_adot_irsa"></a> [adot\_irsa](#module\_adot\_irsa) | terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks | ~> 5.14 |
-| <a name="module_ebs_csi_driver_irsa"></a> [ebs\_csi\_driver\_irsa](#module\_ebs\_csi\_driver\_irsa) | terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks | ~> 5.14 |
+| <a name="module_adot_irsa"></a> [adot\_irsa](#module\_adot\_irsa) | terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks | ~> 5.20 |
+| <a name="module_ebs_csi_driver_irsa"></a> [ebs\_csi\_driver\_irsa](#module\_ebs\_csi\_driver\_irsa) | terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks | ~> 5.20 |
 | <a name="module_eks"></a> [eks](#module\_eks) | terraform-aws-modules/eks/aws | ~> 19.13 |
 | <a name="module_eks_blueprints_addons"></a> [eks\_blueprints\_addons](#module\_eks\_blueprints\_addons) | ../../ | n/a |
 | <a name="module_velero_backup_s3_bucket"></a> [velero\_backup\_s3\_bucket](#module\_velero\_backup\_s3\_bucket) | terraform-aws-modules/s3-bucket/aws | ~> 3.0 |

tests/complete/main.tf

@@ -149,8 +149,14 @@ module "eks_blueprints_addons" {
   enable_aws_load_balancer_controller = true
   enable_metrics_server               = true
   enable_vpa                          = true
-  enable_aws_for_fluentbit            = true
   enable_fargate_fluentbit            = true
+  enable_aws_for_fluentbit            = true
+  aws_for_fluentbit = {
+    s3_bucket_arns = [
+      module.velero_backup_s3_bucket.s3_bucket_arn,
+      "${module.velero_backup_s3_bucket.s3_bucket_arn}/logs/*"
+    ]
+  }
 
   enable_aws_node_termination_handler   = true
   aws_node_termination_handler_asg_arns = [for asg in module.eks.self_managed_node_groups : asg.autoscaling_group_arn]
@@ -285,7 +291,7 @@ module "velero_backup_s3_bucket" {
 
 module "ebs_csi_driver_irsa" {
   source  = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks"
-  version = "~> 5.14"
+  version = "~> 5.20"
 
   role_name_prefix = "${local.name}-ebs-csi-driver-"
 
@@ -303,7 +309,7 @@ module "ebs_csi_driver_irsa" {
 
 module "adot_irsa" {
   source  = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks"
-  version = "~> 5.14"
+  version = "~> 5.20"
 
   role_name_prefix = "${local.name}-adot-"