chore(crossplane): add kinesis provider

Smana · Nov 4, 2023 · 7129c44 · 7129c44
1 parent 0b904ec
commit 7129c44
Show file tree

Hide file tree

Showing 9 changed files with 72 additions and 29 deletions.
diff --git a/infrastructure/base/crossplane/providers/kustomization.yaml b/infrastructure/base/crossplane/providers/kustomization.yaml
@@ -6,4 +6,5 @@ resources:
   - provider-cloudwatchlogs.yaml
   - provider-firehose.yaml
   - provider-iam.yaml
+  - provider-kinesis.yaml
   - provider-s3.yaml
diff --git a/infrastructure/base/crossplane/providers/provider-kinesis.yaml b/infrastructure/base/crossplane/providers/provider-kinesis.yaml
@@ -0,0 +1,8 @@
+apiVersion: pkg.crossplane.io/v1
+kind: Provider
+metadata:
+  name: provider-aws-kinesis
+spec:
+  package: xpkg.upbound.io/upbound/provider-aws-kinesis:v0.43.1
+  controllerConfigRef:
+    name: aws-config
diff --git a/observability/base/vector-cloudwatch/cloudwatch-destination.yaml b/observability/base/vector-cloudwatch/cloudwatch-destination.yaml
@@ -9,7 +9,7 @@ spec:
     region: ${region}
     roleArnSelector:
       matchLabels:
-        ogenki.io/id: "vector-stream"
+        ogenki.io/id: "vector-stream-firehose"
     targetArnSelector:
       matchLabels:
         ogenki.io/id: "vector-stream"
diff --git a/observability/base/vector-cloudwatch/firehose-iam-role.yaml b/observability/base/vector-cloudwatch/firehose-iam-role.yaml
@@ -25,30 +25,31 @@ spec:
       - name: xplane-firehose-vector-s3
         policy: |
           {
-            "Statement": [
-              {
-                "Effect": "Allow",
-                "Action": [
-                  "s3:AbortMultipartUpload",
-                  "s3:GetBucketLocation",
-                  "s3:GetObject",
-                  "s3:ListBucket",
-                  "s3:ListBucketMultipartUploads",
-                  "s3:PutObject"
-                ],
-                "Resource": [
-                  "arn:aws:s3:::${region}-ogenki-vector-stream",
-                  "arn:aws:s3:::${region}-ogenki-vector-stream/*"
-                ]
-              },
-              {
-                "Effect": "Allow",
-                "Action": [
-                  "logs:PutLogEvents"
-                ],
-                "Resource": [
-                  "arn:aws:logs:${region}:${aws_account_id}:log-group:vector:*"
-                ]
-              }
-            ]
+              "Version": "2012-10-17",
+              "Statement": [
+                  {
+                      "Effect": "Allow",
+                      "Action": [
+                          "s3:AbortMultipartUpload",
+                          "s3:GetBucketLocation",
+                          "s3:GetObject",
+                          "s3:ListBucket",
+                          "s3:ListBucketMultipartUploads",
+                          "s3:PutObject"
+                      ],
+                      "Resource": [
+                          "arn:aws:s3:::eu-west-3-ogenki-vector-stream",
+                          "arn:aws:s3:::eu-west-3-ogenki-vector-stream/*"
+                      ]
+                  },
+                  {
+                      "Effect": "Allow",
+                      "Action": [
+                          "logs:PutLogEvents"
+                      ],
+                      "Resource": [
+                          "arn:aws:logs:eu-west-3:396740644681:log-group:vector:*"
+                      ]
+                  }
+              ]
           }
diff --git a/terraform/eks/data.tf b/terraform/eks/data.tf
@@ -1,5 +1,8 @@
 data "aws_caller_identity" "this" {}
 
+# tflint-ignore: terraform_unused_declarations
+data "aws_ecr_authorization_token" "token" {}
+
 data "aws_vpc" "selected" {
   filter {
     name   = "tag:project"

diff --git a/terraform/eks/iam.tf b/terraform/eks/iam.tf
@@ -29,6 +29,7 @@ module "irsa_crossplane" {
 
   role_policy_arns = {
     cloudwatch = aws_iam_policy.crossplane_cloudwatch.arn,
+    kinesis    = aws_iam_policy.crossplane_kinesis.arn,
     firehose   = aws_iam_policy.crossplane_firehose.arn,
     irsa       = aws_iam_policy.crossplane_irsa.arn,
     s3         = aws_iam_policy.crossplane_s3.arn
@@ -59,6 +60,7 @@ resource "aws_iam_policy" "crossplane_irsa" {
                 "iam:TagRole",
                 "iam:CreateRole",
                 "iam:CreatePolicy",
+                "iam:PutRolePolicy",
                 "iam:DeletePolicy",
                 "iam:DeleteRole",
                 "iam:DetachRolePolicy",
@@ -196,3 +198,28 @@ resource "aws_iam_policy" "crossplane_firehose" {
 }
 EOF
 }
+
+
+#tfsec:ignore:aws-iam-no-policy-wildcards
+resource "aws_iam_policy" "crossplane_kinesis" {
+  name        = "crossplane_kinesis_${var.cluster_name}"
+  path        = "/"
+  description = "Policy for managing Kinesis on EKS"
+
+  policy = <<EOF
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Effect": "Allow",
+            "Action": [
+                "kinesis:Describe*",
+                "kinesis:List*",
+                "kinesis:Get*"
+            ],
+            "Resource": "*"
+        }
+    ]
+}
+EOF
+}
diff --git a/terraform/eks/kubernetes.tf b/terraform/eks/kubernetes.tf
@@ -73,6 +73,9 @@ resource "kubernetes_job" "delete_aws_cni_ds" {
           effect = "NoExecute"
           value  = true
         }
+        toleration {
+          operator = "Exists"
+        }
       }
     }
     backoff_limit = 4

diff --git a/terraform/eks/main.tf b/terraform/eks/main.tf
@@ -3,7 +3,7 @@
 #tfsec:ignore:aws-eks-no-public-cluster-access-to-cidr
 module "eks" {
   source  = "terraform-aws-modules/eks/aws"
-  version = "~> 19.15"
+  version = "~> 19"
 
   cluster_name                   = var.cluster_name
   cluster_version                = var.cluster_version

diff --git a/terraform/eks/variables.tf b/terraform/eks/variables.tf
@@ -29,7 +29,7 @@ variable "cilium_version" {
 
 variable "karpenter_version" {
   description = "Karpenter version"
-  default     = "0.32.1"
+  default     = "v0.32.1"
   type        = string
 }