Skip to content

Commit

Permalink
feat: Add cloudwatch logs policy to vpc-cni for networkpolicy logging (
Browse files Browse the repository at this point in the history 
…#504)

Co-authored-by: Shaun Becker <shaun.becker@greenhouse.io>
Co-authored-by: Bryant Biggs <bryantbiggs@gmail.com>
  • Loading branch information
@shaunofneuron @bryantbiggs
3 people authored Jul 29, 2024
1 parent 88435a9 commit 88ee443
Show file tree
Hide file tree
Showing 21 changed files with 153 additions and 21 deletions.
5 changes: 2 additions & 3 deletions .pre-commit-config.yaml
View file
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
repos:
- repo: https://github.com/antonbabenko/pre-commit-terraform
rev: v1.88.0
rev: v1.92.0
hooks:
- id: terraform_fmt
- id: terraform_wrapper_module_for_each
Expand All @@ -22,10 +22,9 @@ repos:
- '--args=--only=terraform_required_providers'
- '--args=--only=terraform_standard_module_structure'
- '--args=--only=terraform_workspace_remote'
- '--args=--only=terraform_unused_required_providers'
- id: terraform_validate
- repo: https://github.com/pre-commit/pre-commit-hooks
rev: v4.5.0
rev: v4.6.0
hooks:
- id: check-merge-conflict
- id: end-of-file-fixer
Expand Down
7 changes: 4 additions & 3 deletions examples/iam-role-for-service-accounts-eks/main.tf
View file
Original file line number Diff line number Diff line change
Expand Up @@ -340,9 +340,10 @@ module "velero_irsa_role" {
module "vpc_cni_ipv4_irsa_role" {
source = "../../modules/iam-role-for-service-accounts-eks"

role_name = "vpc-cni-ipv4"
attach_vpc_cni_policy = true
vpc_cni_enable_ipv4 = true
role_name = "vpc-cni-ipv4"
attach_vpc_cni_policy = true
vpc_cni_enable_ipv4 = true
vpc_cni_enable_cloudwatch_logs = true

oidc_providers = {
ex = {
Expand Down
1 change: 1 addition & 0 deletions modules/iam-role-for-service-accounts-eks/README.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -246,6 +246,7 @@ No modules.
| <a name="input_role_policy_arns"></a> [role\_policy\_arns](#input\_role\_policy\_arns) | ARNs of any policies to attach to the IAM role | `map(string)` | `{}` | no |
| <a name="input_tags"></a> [tags](#input\_tags) | A map of tags to add the the IAM role | `map(any)` | `{}` | no |
| <a name="input_velero_s3_bucket_arns"></a> [velero\_s3\_bucket\_arns](#input\_velero\_s3\_bucket\_arns) | List of S3 Bucket ARNs that Velero needs access to in order to backup and restore cluster resources | `list(string)` | <pre>[<br> "*"<br>]</pre> | no |
| <a name="input_vpc_cni_enable_cloudwatch_logs"></a> [vpc\_cni\_enable\_cloudwatch\_logs](#input\_vpc\_cni\_enable\_cloudwatch\_logs) | Determines whether to enable VPC CNI permission to create CloudWatch Log groups and publish network policy events | `bool` | `false` | no |
| <a name="input_vpc_cni_enable_ipv4"></a> [vpc\_cni\_enable\_ipv4](#input\_vpc\_cni\_enable\_ipv4) | Determines whether to enable IPv4 permissions for VPC CNI policy | `bool` | `false` | no |
| <a name="input_vpc_cni_enable_ipv6"></a> [vpc\_cni\_enable\_ipv6](#input\_vpc\_cni\_enable\_ipv6) | Determines whether to enable IPv6 permissions for VPC CNI policy | `bool` | `false` | no |

Expand Down
15 changes: 15 additions & 0 deletions modules/iam-role-for-service-accounts-eks/policies.tf
View file
Original file line number Diff line number Diff line change
Expand Up @@ -1480,6 +1480,21 @@ data "aws_iam_policy_document" "vpc_cni" {
}
}

# https://docs.aws.amazon.com/eks/latest/userguide/cni-network-policy.html#cni-network-policy-setup
dynamic "statement" {
for_each = var.vpc_cni_enable_cloudwatch_logs ? [1] : []
content {
sid = "CloudWatchLogs"
actions = [
"logs:DescribeLogGroups",
"logs:CreateLogGroup",
"logs:CreateLogStream",
"logs:PutLogEvents",
]
resources = ["*"]
}
}

statement {
sid = "CreateTags"
actions = ["ec2:CreateTags"]
Expand Down
6 changes: 6 additions & 0 deletions modules/iam-role-for-service-accounts-eks/variables.tf
View file
Original file line number Diff line number Diff line change
Expand Up @@ -351,6 +351,12 @@ variable "attach_vpc_cni_policy" {
default = false
}

variable "vpc_cni_enable_cloudwatch_logs" {
description = "Determines whether to enable VPC CNI permission to create CloudWatch Log groups and publish network policy events"
type = bool
default = false
}

variable "vpc_cni_enable_ipv4" {
description = "Determines whether to enable IPv4 permissions for VPC CNI policy"
type = bool
Expand Down
9 changes: 8 additions & 1 deletion wrappers/iam-account/versions.tf
View file
Original file line number Diff line number Diff line change
@@ -1,3 +1,10 @@
terraform {
required_version = ">= 0.13.1"
required_version = ">= 1.0"

required_providers {
aws = {
source = "hashicorp/aws"
version = ">= 4.0"
}
}
}
9 changes: 8 additions & 1 deletion wrappers/iam-assumable-role-with-oidc/versions.tf
View file
Original file line number Diff line number Diff line change
@@ -1,3 +1,10 @@
terraform {
required_version = ">= 0.13.1"
required_version = ">= 1.0"

required_providers {
aws = {
source = "hashicorp/aws"
version = ">= 4.0"
}
}
}
9 changes: 8 additions & 1 deletion wrappers/iam-assumable-role-with-saml/versions.tf
View file
Original file line number Diff line number Diff line change
@@ -1,3 +1,10 @@
terraform {
required_version = ">= 0.13.1"
required_version = ">= 1.0"

required_providers {
aws = {
source = "hashicorp/aws"
version = ">= 4.0"
}
}
}
9 changes: 8 additions & 1 deletion wrappers/iam-assumable-role/versions.tf
View file
Original file line number Diff line number Diff line change
@@ -1,3 +1,10 @@
terraform {
required_version = ">= 0.13.1"
required_version = ">= 1.0"

required_providers {
aws = {
source = "hashicorp/aws"
version = ">= 4.0"
}
}
}
9 changes: 8 additions & 1 deletion wrappers/iam-assumable-roles-with-saml/versions.tf
View file
Original file line number Diff line number Diff line change
@@ -1,3 +1,10 @@
terraform {
required_version = ">= 0.13.1"
required_version = ">= 1.0"

required_providers {
aws = {
source = "hashicorp/aws"
version = ">= 4.0"
}
}
}
9 changes: 8 additions & 1 deletion wrappers/iam-assumable-roles/versions.tf
View file
Original file line number Diff line number Diff line change
@@ -1,3 +1,10 @@
terraform {
required_version = ">= 0.13.1"
required_version = ">= 1.0"

required_providers {
aws = {
source = "hashicorp/aws"
version = ">= 4.0"
}
}
}
9 changes: 8 additions & 1 deletion wrappers/iam-eks-role/versions.tf
View file
Original file line number Diff line number Diff line change
@@ -1,3 +1,10 @@
terraform {
required_version = ">= 0.13.1"
required_version = ">= 1.0"

required_providers {
aws = {
source = "hashicorp/aws"
version = ">= 4.0"
}
}
}
13 changes: 12 additions & 1 deletion wrappers/iam-github-oidc-provider/versions.tf
View file
Original file line number Diff line number Diff line change
@@ -1,3 +1,14 @@
terraform {
required_version = ">= 0.13.1"
required_version = ">= 1.0"

required_providers {
aws = {
source = "hashicorp/aws"
version = ">= 4.0"
}
tls = {
source = "hashicorp/tls"
version = ">= 3.0"
}
}
}
9 changes: 8 additions & 1 deletion wrappers/iam-github-oidc-role/versions.tf
View file
Original file line number Diff line number Diff line change
@@ -1,3 +1,10 @@
terraform {
required_version = ">= 0.13.1"
required_version = ">= 1.0"

required_providers {
aws = {
source = "hashicorp/aws"
version = ">= 4.0"
}
}
}
9 changes: 8 additions & 1 deletion wrappers/iam-group-with-assumable-roles-policy/versions.tf
View file
Original file line number Diff line number Diff line change
@@ -1,3 +1,10 @@
terraform {
required_version = ">= 0.13.1"
required_version = ">= 1.0"

required_providers {
aws = {
source = "hashicorp/aws"
version = ">= 4.0"
}
}
}
9 changes: 8 additions & 1 deletion wrappers/iam-group-with-policies/versions.tf
View file
Original file line number Diff line number Diff line change
@@ -1,3 +1,10 @@
terraform {
required_version = ">= 0.13.1"
required_version = ">= 1.0"

required_providers {
aws = {
source = "hashicorp/aws"
version = ">= 4.0"
}
}
}
9 changes: 8 additions & 1 deletion wrappers/iam-policy/versions.tf
View file
Original file line number Diff line number Diff line change
@@ -1,3 +1,10 @@
terraform {
required_version = ">= 0.13.1"
required_version = ">= 1.0"

required_providers {
aws = {
source = "hashicorp/aws"
version = ">= 4.0"
}
}
}
9 changes: 8 additions & 1 deletion wrappers/iam-read-only-policy/versions.tf
View file
Original file line number Diff line number Diff line change
@@ -1,3 +1,10 @@
terraform {
required_version = ">= 0.13.1"
required_version = ">= 1.0"

required_providers {
aws = {
source = "hashicorp/aws"
version = ">= 4.0"
}
}
}
1 change: 1 addition & 0 deletions wrappers/iam-role-for-service-accounts-eks/main.tf
View file
Original file line number Diff line number Diff line change
Expand Up @@ -61,6 +61,7 @@ module "wrapper" {
role_policy_arns = try(each.value.role_policy_arns, var.defaults.role_policy_arns, {})
tags = try(each.value.tags, var.defaults.tags, {})
velero_s3_bucket_arns = try(each.value.velero_s3_bucket_arns, var.defaults.velero_s3_bucket_arns, ["*"])
vpc_cni_enable_cloudwatch_logs = try(each.value.vpc_cni_enable_cloudwatch_logs, var.defaults.vpc_cni_enable_cloudwatch_logs, false)
vpc_cni_enable_ipv4 = try(each.value.vpc_cni_enable_ipv4, var.defaults.vpc_cni_enable_ipv4, false)
vpc_cni_enable_ipv6 = try(each.value.vpc_cni_enable_ipv6, var.defaults.vpc_cni_enable_ipv6, false)
}
9 changes: 8 additions & 1 deletion wrappers/iam-role-for-service-accounts-eks/versions.tf
View file
Original file line number Diff line number Diff line change
@@ -1,3 +1,10 @@
terraform {
required_version = ">= 0.13.1"
required_version = ">= 1.0"

required_providers {
aws = {
source = "hashicorp/aws"
version = ">= 4.0"
}
}
}
9 changes: 8 additions & 1 deletion wrappers/iam-user/versions.tf
View file
Original file line number Diff line number Diff line change
@@ -1,3 +1,10 @@
terraform {
required_version = ">= 0.13.1"
required_version = ">= 1.0"

required_providers {
aws = {
source = "hashicorp/aws"
version = ">= 4.0"
}
}
}

0 comments on commit 88ee443

Please sign in to comment.