EKS pod logs to cloudwatch (#361)

* EKS pod logs to cloudwatch

* Code review

cloudwatch_eks_pod_logs.tf

@@ -0,0 +1,47 @@
+resource "kubernetes_namespace" "amazon_cloudwatch" {
+  count = var.enable_pods_logs_to_cloudwatch ? 1 : 0
+
+  metadata {
+    name = "amazon-cloudwatch"
+  }
+}
+
+resource "kubernetes_config_map" "fluent_bit_cluster_info" {
+  count = var.enable_pods_logs_to_cloudwatch ? 1 : 0
+
+  metadata {
+    name      = "fluent-bit-cluster-info"
+    namespace = "amazon-cloudwatch"
+  }
+
+  data = {
+    "cluster.name" = "cluster-name"
+    "http.server"  = On
+    "http.port"    = 2020
+    "read.head"    = Off
+    "read.tail"    = On
+    "logs.region"  = "cluster-region"
+  }
+}
+
+data "http" "fluent_bit_yaml" {
+  url = "https://raw.githubusercontent.com/aws-samples/amazon-cloudwatch-container-insights/k8s/${local.eks_pod_logs_cloudwatch_fluent_bit_version}/k8s-deployment-manifest-templates/deployment-mode/daemonset/container-insights-monitoring/fluent-bit/fluent-bit.yaml"
+}
+
+
+resource "null_resource" "eks_pod_cloudwatch" {
+  count = var.enable_pods_logs_to_cloudwatch ? 1 : 0
+
+  triggers = {
+    manifest_sha1 = sha1(data.http.fluent_bit_yaml.body)
+  }
+
+  provisioner "local-exec" {
+    command = "kubectl replace -f https://raw.githubusercontent.com/aws-samples/amazon-cloudwatch-container-insights/k8s/${local.eks_pod_logs_cloudwatch_fluent_bit_version}/k8s-deployment-manifest-templates/deployment-mode/daemonset/container-insights-monitoring/fluent-bit/fluent-bit.yaml"
+  }
+
+  depends_on = [
+    kubernetes_namespace.amazon_cloudwatch,
+    kubernetes_config_map.fluent_bit_cluster_info
+  ]
+}

locals.tf

@@ -2,6 +2,8 @@ locals {
   alb_name   = "aws-load-balancer-controller"
   partition  = data.aws_partition.current.partition
   account_id = data.aws_caller_identity.current.account_id
+  # https://github.com/aws-samples/amazon-cloudwatch-container-insights/releases
+  eks_pod_logs_cloudwatch_fluent_bit_version = "1.3.19"
 
   tags = merge(var.tags, {
     "KubespotEnvironment" = var.environment_name

node_role.tf

@@ -36,6 +36,39 @@ resource "aws_iam_role_policy_attachment" "node_role_policies" {
   role       = aws_iam_role.node.name
 }
 
+
+resource "aws_iam_policy" "eks_pod_logs_to_cloudwatch" {
+  count       = var.eks_pod_logs_cloudwatch ? 1 : 0
+  name        = "nodeEksPodLogsToCloudwatch"
+  description = "Used by fluentbit agent to send eks pods logs to cloudwatch"
+
+  policy = <<EOF
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Action": [
+          "logs:CreateLogStream",
+          "logs:DescribeLogGroups",
+          "logs:DescribeLogStreams",
+          "logs:CreateLogGroup",
+          "logs:PutLogEvents"
+      ],
+      "Resource": [*]
+    }
+  ]
+}
+EOF
+}
+
+
+resource "aws_iam_role_policy_attachment" "node_eks_pod_logs_to_cloudwatch" {
+  count      = var.eks_pod_logs_cloudwatch ? 1 : 0
+  policy_arn = aws_iam_policy.eks_pod_logs_to_cloudwatch.arn
+  role       = aws_iam_role.node.name
+}
+
 resource "aws_iam_instance_profile" "node" {
   name = "${var.environment_name}-node"
   role = aws_iam_role.node.name

variables.tf

@@ -402,3 +402,10 @@ variable "calico_version" {
   default     = "v3.26.1"
   description = "The version of the calico helm chart"
 }
+
+variable "enable_pods_logs_to_cloudwatch" {
+  default     = false
+  type        = bool
+  description = "Stream EKS pod logs to cloudwatch"
+}
+