diff --git a/config/clusters/openscapes/support.values.yaml b/config/clusters/openscapes/support.values.yaml
index 5390d780bc..758eb64705 100644
--- a/config/clusters/openscapes/support.values.yaml
+++ b/config/clusters/openscapes/support.values.yaml
@@ -31,9 +31,6 @@ grafana:
 - secretName: grafana-tls
 hosts:
 - grafana.openscapes.2i2c.cloud
- serviceAccount:
- annotations:
- eks.amazonaws.com/role-arn: arn:aws:iam::783616723547:role/openscapeshub-grafana-athena-iam-role
 grafana.ini:
 server:
 root_url: https://grafana.openscapes.2i2c.cloud/
diff --git a/terraform/aws/grafana-athena-iam.tf b/terraform/aws/grafana-athena-iam.tf
deleted file mode 100644
index d008c0ca5d..0000000000
--- a/terraform/aws/grafana-athena-iam.tf
+++ /dev/null
@@ -1,93 +0,0 @@
-# ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role
-resource "aws_iam_role" "grafana_athena_role" {
- count = var.enable_grafana_athena_iam ? 1 : 0
-
- name = "${var.cluster_name}-grafana-athena-iam-role"
-
- assume_role_policy = jsonencode({
- Version = "2012-10-17"
- Statement = [{
-
- Effect = "Allow"
- Principal = {
- Federated = "arn:${data.aws_partition.current.partition}:iam::${data.aws_caller_identity.current.account_id}:oidc-provider/${replace(data.aws_eks_cluster.cluster.identity[0].oidc[0].issuer, "https://", "")}"
- },
- Action = "sts:AssumeRoleWithWebIdentity",
- Condition = {
- StringEquals = {
- "${replace(data.aws_eks_cluster.cluster.identity[0].oidc[0].issuer, "https://", "")}:sub" = "system:serviceaccount:support:support-grafana"
- }
- }
- }]
- })
-
- inline_policy {
- name = "${var.cluster_name}-grafana-athena-iam-policy"
-
- # Terraform's "jsonencode" function converts a
- # Terraform expression result to valid JSON syntax.
- policy = jsonencode({
- Version = "2012-10-17"
- Statement = [{
- Sid = "AthenaQueryAccess"
- Effect = "Allow"
- Action = [
- "athena:ListDatabases",
- "athena:ListDataCatalogs",
- "athena:ListWorkGroups",
- "athena:GetDatabase",
- "athena:GetDataCatalog",
- "athena:GetQueryExecution",
- "athena:GetQueryResults",
- "athena:GetTableMetadata",
- "athena:GetWorkGroup",
- "athena:ListTableMetadata",
- "athena:StartQueryExecution",
- "athena:StopQueryExecution"
- ]
- Resource = ["*"]
- },
- {
- Sid = "GlueReadAccess"
- Effect = "Allow"
- Action = [
- "glue:GetDatabase",
- "glue:GetDatabases",
- "glue:GetTable",
- "glue:GetTables",
- "glue:GetPartition",
- "glue:GetPartitions",
- "glue:BatchGetPartition"
- ]
- Resource = ["*"]
- },
- {
- Sid = "AthenaS3WriteAccess"
- Effect = "Allow"
- Action = [
- "s3:GetBucketLocation",
- "s3:GetObject",
- "s3:ListBucket",
- "s3:ListBucketMultipartUploads",
- "s3:ListMultipartUploadParts",
- "s3:AbortMultipartUpload",
- "s3:PutObject"
- ]
- Resource = ["arn:aws:s3:::${var.athena_write_storage_bucket}*"]
- },
- {
- Sid = "AthenaS3ReadAccess"
- Effect = "Allow"
- Action = [
- "s3:GetObject",
- "s3:ListBucket"
- ]
- Resource = ["arn:aws:s3:::${var.athena_read_storage_bucket}*"]
- }]
- })
- }
-}
-
-output "grafana_athena_iam_annotation" {
- value = var.enable_grafana_athena_iam ? "eks.amazonaws.com/role-arn: ${aws_iam_role.grafana_athena_role[0].arn}" : null
-}
diff --git a/terraform/aws/projects/openscapes.tfvars b/terraform/aws/projects/openscapes.tfvars
index 0d93aeb087..7b176a8f82 100644
--- a/terraform/aws/projects/openscapes.tfvars
+++ b/terraform/aws/projects/openscapes.tfvars
@@ -6,10 +6,7 @@ default_budget_alert = {
 "enabled" : false,
 }
-enable_grafana_athena_iam = true
 enable_aws_ce_grafana_backend_iam = true
-athena_write_storage_bucket = "openscapes-cost-usage-report"
-athena_read_storage_bucket = "openscapes-2i2c-cur"
 # The initial EFS is now used by the prod hub only
 # So we tag it appropriately for costs purposes
diff --git a/terraform/aws/variables.tf b/terraform/aws/variables.tf
index 89af456c5c..6508d5a06d 100644
--- a/terraform/aws/variables.tf
+++ b/terraform/aws/variables.tf
@@ -46,18 +46,6 @@ variable "user_buckets" {
 }
-variable "athena_write_storage_bucket" {
- type = string
- description = "The name of the S3 bucket where Grafana query results from Athena will be stored"
- default = ""
-}
-
-variable "athena_read_storage_bucket" {
- type = string
- description = "The name of the S3 bucket where Athena tables and data is stored"
- default = ""
-}
-
 variable "hub_cloud_permissions" {
 type = map(
 map(
@@ -297,15 +285,6 @@ variable "active_cost_allocation_tags" {
 EOT
 }
-variable "enable_grafana_athena_iam" {
- type = bool
- default = false
- description = <<-EOT
- Create an IAM role with attached policy to permit a connection between a
- Grafana instance and AWS Athena service.
- EOT
-}
-
 variable "enable_aws_ce_grafana_backend_iam" {
 type = bool
 default = false