locals {
  # Identifier of the Aurora cluster. Suffixed with the EKS cluster name so
  # that several environments can share one AWS account without colliding.
  grafana_db_name = "grafana-${module.eks.cluster_name}"

  # Kubernetes ServiceAccount the Grafana pods run as. The IRSA trust policy
  # in this file is pinned to exactly this subject.
  grafana_service_account = "kube-prometheus-stack-grafana"
}
# IRSA role for Grafana. Trust is limited to the cluster's own OIDC provider
# and to one fully qualified ServiceAccount subject, so pods outside the
# monitoring namespace (or under another ServiceAccount) are not meant to be
# able to assume it.
module "grafana_iam_role" {
  source  = "terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc"
  version = "~> 5.0"

  create_role      = true
  role_name        = "${local.grafana_service_account}-${module.eks.cluster_name}"
  role_description = "Role for Grafana to access AWS data sources. Corresponds to ${local.grafana_service_account} k8s ServiceAccount."

  # Trust policy: EKS OIDC issuer, condition on
  # "system:serviceaccount:<namespace>:<serviceaccount>".
  provider_url                  = module.eks.oidc_provider
  oidc_fully_qualified_subjects = ["system:serviceaccount:${local.monitoring_namespace}:${local.grafana_service_account}"]

  # Permissions: the read-only data-source policy declared in this file.
  role_policy_arns = [aws_iam_policy.grafana.arn]
}
# Read-only permissions Grafana needs for its CloudWatch data source.
# Statement order is kept as-is: reordering would change the rendered JSON
# and force an in-place update of the managed policy.
data "aws_iam_policy_document" "grafana" {
  # Metrics, alarms and Contributor Insights reports.
  statement {
    sid    = "AllowReadingMetricsFromCloudWatch"
    effect = "Allow"
    actions = [
      "cloudwatch:DescribeAlarmsForMetric",
      "cloudwatch:DescribeAlarmHistory",
      "cloudwatch:DescribeAlarms",
      "cloudwatch:ListMetrics",
      "cloudwatch:GetMetricData",
      "cloudwatch:GetInsightRuleReport"
    ]
    # "*" is used throughout: several of these List/Describe/Get actions do
    # not accept a narrower resource. All actions here are read-only, so the
    # exposure is disclosure of metric and log data, not modification.
    resources = ["*"]
  }

  # CloudWatch Logs Insights queries and raw log events.
  statement {
    sid    = "AllowReadingLogsFromCloudWatch"
    effect = "Allow"
    actions = [
      "logs:DescribeLogGroups",
      "logs:GetLogGroupFields",
      "logs:StartQuery",
      "logs:StopQuery",
      "logs:GetQueryResults",
      "logs:GetLogEvents"
    ]
    # NOTE(review): StartQuery/GetLogEvents could be scoped to log-group ARNs
    # if only specific groups should be visible in Grafana.
    resources = ["*"]
  }

  # EC2 metadata used by the data source for template variables.
  statement {
    sid    = "AllowReadingTagsInstancesRegionsFromEC2"
    effect = "Allow"
    actions = [
      "ec2:DescribeTags",
      "ec2:DescribeInstances",
      "ec2:DescribeRegions"
    ]
    resources = ["*"]
  }

  # Resource Groups Tagging API, used to resolve resources by tag.
  statement {
    sid    = "AllowReadingResourcesForTags"
    effect = "Allow"
    actions = [
      "tag:GetResources"
    ]
    resources = ["*"]
  }
}
# Managed policy attached to the Grafana IRSA role.
resource "aws_iam_policy" "grafana" {
  name        = "grafana-${module.eks.cluster_name}"
  description = "Allows Grafana to access AWS data sources."

  # Action list taken from
  # https://grafana.com/docs/grafana/latest/datasources/aws-cloudwatch/ (v8.4).
  policy = data.aws_iam_policy_document.grafana.json
}
# Resolves the latest Aurora PostgreSQL 13 release that supports the
# "serverless" engine mode, so the cluster below tracks it instead of a
# hard-coded minor version.
# NOTE(review): this is the Serverless v1 engine mode; confirm it is still
# supported for new clusters before relying on it for fresh environments.
data "aws_rds_engine_version" "postgresql" {
  engine  = "aurora-postgresql"
  version = "13"

  filter {
    name   = "engine-mode"
    values = ["serverless"]
  }
}
resource "random_password" "grafana_db" { length = 20 }
# Aurora PostgreSQL Serverless cluster backing Grafana's internal database.
# Attributes are grouped by concern; HCL attribute order is not significant.
module "grafana_db" {
  source  = "terraform-aws-modules/rds-aurora/aws"
  version = "~> 9.0"

  # --- engine ---------------------------------------------------------------
  name                        = local.grafana_db_name
  database_name               = "grafana"
  engine                      = "aurora-postgresql"
  engine_mode                 = "serverless"
  engine_version              = data.aws_rds_engine_version.postgresql.version
  allow_major_version_upgrade = true
  # Encryption at rest with the default RDS KMS key.
  storage_encrypted = true

  # --- network --------------------------------------------------------------
  vpc_id                 = data.terraform_remote_state.infra_networking.outputs.vpc_id
  subnets                = data.terraform_remote_state.infra_networking.outputs.private_subnet_rds_ids
  create_db_subnet_group = true
  create_security_group  = true
  # Only the EKS cluster primary security group may reach the database.
  security_group_rules = {
    from_cluster = { source_security_group_id = module.eks.cluster_primary_security_group_id }
  }

  # --- credentials ----------------------------------------------------------
  # The password is generated by Terraform rather than by RDS, so it lives in
  # state and in the Secrets Manager secret declared in this file.
  manage_master_user_password = false
  master_password             = random_password.grafana_db.result

  # --- serverless scaling ---------------------------------------------------
  scaling_configuration = {
    auto_pause               = var.grafana_db_auto_pause
    min_capacity             = var.grafana_db_min_capacity
    max_capacity             = var.grafana_db_max_capacity
    seconds_until_auto_pause = var.grafana_db_seconds_until_auto_pause
    timeout_action           = "ForceApplyCapacityChange"
  }

  # --- operations -----------------------------------------------------------
  apply_immediately            = var.rds_apply_immediately
  backup_retention_period      = var.rds_backup_retention_period
  skip_final_snapshot          = var.rds_skip_final_snapshot
  preferred_maintenance_window = "sun:02:00-sun:03:00"
}
# Stable internal DNS alias for the cluster writer endpoint, so the secret
# below can carry a name that survives endpoint changes.
resource "aws_route53_record" "grafana_db" {
  zone_id = data.terraform_remote_state.infra_root_dns_zones.outputs.internal_root_zone_id
  # TODO: consider removing EKS suffix once the old EC2 environments are gone.
  name    = "${local.grafana_db_name}-db.eks"
  type    = "CNAME"
  ttl     = 300
  records = [module.grafana_db.cluster_endpoint]
}
# Secrets Manager container for the Grafana database credentials.
# No kms_key_id is set, so the account default aws/secretsmanager key applies.
resource "aws_secretsmanager_secret" "grafana_db" {
  name                    = "${module.eks.cluster_name}/grafana/database"
  recovery_window_in_days = var.secrets_recovery_window_in_days
}
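# Connection details for Grafana, in the key layout Secrets Manager uses for
# RDS credentials.
#
# Fix: "dbname" previously carried local.grafana_db_name, which is the Aurora
# *cluster identifier* ("grafana-<cluster>"), not the database created inside
# it ("grafana", see database_name on the cluster module). A client using
# this secret verbatim would attempt to connect to a non-existent database.
# The value now comes from the module output so it cannot drift from the
# cluster definition.
#
# The secret string contains the master password and is therefore also
# present in Terraform state.
resource "aws_secretsmanager_secret_version" "grafana_db" {
  secret_id = aws_secretsmanager_secret.grafana_db.id
  secret_string = jsonencode({
    # NOTE(review): AWS-managed rotation functions for Aurora PostgreSQL
    # expect "postgres" in this field; confirm before enabling rotation.
    "engine"   = "aurora"
    "host"     = aws_route53_record.grafana_db.fqdn
    "username" = module.grafana_db.cluster_master_username
    "password" = module.grafana_db.cluster_master_password
    "dbname"   = module.grafana_db.cluster_database_name
    "port"     = module.grafana_db.cluster_port
  })
}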