Allow custom IAM role & SA names (#238)

* Add custom IAM role name Pass custom service account name to otel-config chart * Doc update
aws-observability · Nov 13, 2023 · 1905343 · 1905343
1 parent 70405b9
commit 1905343
Show file tree

Hide file tree

Showing 7 changed files with 26 additions and 7 deletions.
diff --git a/modules/eks-monitoring/README.md b/modules/eks-monitoring/README.md
@@ -111,6 +111,7 @@ See examples using this Terraform modules in the **Amazon EKS** section of [this
 | <a name="input_helm_config"></a> [helm\_config](#input\_helm\_config) | Helm Config for Prometheus | `any` | `{}` | no |
 | <a name="input_irsa_iam_additional_policies"></a> [irsa\_iam\_additional\_policies](#input\_irsa\_iam\_additional\_policies) | IAM additional policies for IRSA roles | `list(string)` | `[]` | no |
 | <a name="input_irsa_iam_permissions_boundary"></a> [irsa\_iam\_permissions\_boundary](#input\_irsa\_iam\_permissions\_boundary) | IAM permissions boundary for IRSA roles | `string` | `null` | no |
+| <a name="input_irsa_iam_role_name"></a> [irsa\_iam\_role\_name](#input\_irsa\_iam\_role\_name) | IAM role name for IRSA roles | `string` | `""` | no |
 | <a name="input_irsa_iam_role_path"></a> [irsa\_iam\_role\_path](#input\_irsa\_iam\_role\_path) | IAM role path for IRSA roles | `string` | `"/"` | no |
 | <a name="input_istio_config"></a> [istio\_config](#input\_istio\_config) | Configuration object for ISTIO monitoring | <pre>object({<br>    enable_alerting_rules  = bool<br>    enable_recording_rules = bool<br>    enable_dashboards      = bool<br>    scrape_sample_limit    = number<br><br>    flux_gitrepository_name   = string<br>    flux_gitrepository_url    = string<br>    flux_gitrepository_branch = string<br>    flux_kustomization_name   = string<br>    flux_kustomization_path   = string<br><br>    managed_prometheus_workspace_id = string<br>    prometheus_metrics_endpoint     = string<br><br>    dashboards = object({<br>      cp          = string<br>      mesh        = string<br>      performance = string<br>      service     = string<br>    })<br>  })</pre> | `null` | no |
 | <a name="input_java_config"></a> [java\_config](#input\_java\_config) | Configuration object for Java/JMX monitoring | <pre>object({<br>    enable_alerting_rules  = bool<br>    enable_recording_rules = bool<br>    enable_dashboards      = bool<br>    scrape_sample_limit    = number<br><br><br>    flux_gitrepository_name   = string<br>    flux_gitrepository_url    = string<br>    flux_gitrepository_branch = string<br>    flux_kustomization_name   = string<br>    flux_kustomization_path   = string<br><br>    grafana_dashboard_url = string<br><br>    prometheus_metrics_endpoint = string<br>  })</pre> | `null` | no |

diff --git a/modules/eks-monitoring/locals.tf b/modules/eks-monitoring/locals.tf
@@ -9,8 +9,9 @@ data "aws_eks_cluster" "eks_cluster" {
 }
 
 locals {
-  name      = "adot-collector-kubeprometheus"
-  namespace = try(var.helm_config.namespace, local.name)
+  name                      = "adot-collector-kubeprometheus"
+  kube_service_account_name = try(var.helm_config.service_account, local.name)
+  namespace                 = try(var.helm_config.namespace, local.name)
 
   eks_oidc_issuer_url  = replace(data.aws_eks_cluster.eks_cluster.identity[0].oidc[0].issuer, "https://", "")
   eks_cluster_endpoint = data.aws_eks_cluster.eks_cluster.endpoint

diff --git a/modules/eks-monitoring/main.tf b/modules/eks-monitoring/main.tf
@@ -188,15 +188,23 @@ module "helm_addon" {
     {
       name  = "enableAdotcollectorMetrics"
       value = var.enable_adotcollector_metrics
+    },
+    {
+      name  = "serviceAccount"
+      value = local.kube_service_account_name
+    },
+    {
+      name  = "namespace"
+      value = local.namespace
     }
-
   ]
 
+  irsa_iam_role_name = var.irsa_iam_role_name
   irsa_config = {
     create_kubernetes_namespace       = true
     kubernetes_namespace              = local.namespace
     create_kubernetes_service_account = true
-    kubernetes_service_account        = try(var.helm_config.service_account, local.name)
+    kubernetes_service_account        = local.kube_service_account_name
     irsa_iam_policies = flatten([
       "arn:${data.aws_partition.current.partition}:iam::aws:policy/AmazonPrometheusRemoteWriteAccess",
       "arn:${data.aws_partition.current.partition}:iam::aws:policy/AWSXrayWriteOnlyAccess",

diff --git a/modules/eks-monitoring/otel-config/templates/clusterrolebinding.yaml b/modules/eks-monitoring/otel-config/templates/clusterrolebinding.yaml
@@ -8,5 +8,5 @@ roleRef:
   name: otel-prometheus-role
 subjects:
   - kind: ServiceAccount
-    name: adot-collector-kubeprometheus
-    namespace: adot-collector-kubeprometheus
+    name: {{ default "adot-collector-kubeprometheus" .Values.serviceAccount }}
+    namespace: {{ default "adot-collector-kubeprometheus" .Values.namespace }}
diff --git a/modules/eks-monitoring/otel-config/templates/opentelemetrycollector.yaml b/modules/eks-monitoring/otel-config/templates/opentelemetrycollector.yaml
@@ -4,7 +4,7 @@ metadata:
   name: adot
 spec:
   mode: deployment
-  serviceAccount: adot-collector-kubeprometheus
+  serviceAccount: {{ default "adot-collector-kubeprometheus" .Values.serviceAccount }}
   env:
     - name: "K8S_NODE_NAME"
       valueFrom:

diff --git a/modules/eks-monitoring/otel-config/values.yaml b/modules/eks-monitoring/otel-config/values.yaml
@@ -34,3 +34,6 @@ istioPrometheusMetricsEndpoint: ${istio_prometheus_metrics_endpoint}
 adotLoglevel: ${adot_loglevel}
 
 enableAdotcollectorMetrics: ${enable_adotcollector_metrics}
+
+serviceAccount: ${service_account}
+namespace: ${namespace}
diff --git a/modules/eks-monitoring/variables.tf b/modules/eks-monitoring/variables.tf
@@ -21,6 +21,12 @@ variable "helm_config" {
   default     = {}
 }
 
+variable "irsa_iam_role_name" {
+  description = "IAM role name for IRSA roles"
+  type        = string
+  default     = ""
+}
+
 variable "irsa_iam_role_path" {
   description = "IAM role path for IRSA roles"
   type        = string