From f99a062bedcf3bd8d666a82e8542afc908efaa14 Mon Sep 17 00:00:00 2001 From: Tigran Muradyan Date: Wed, 18 Sep 2024 12:17:08 +0400 Subject: [PATCH 1/3] fix(DMVP-5330): have option nameed 'cloudwatch_outputs_enabled' in fluent_bit_config variable to controll whether default cloudwatch log outputs/exports are enabled, it is enabled by default --- README.md | 2 +- fluent-bit.tf | 7 ++-- modules/fluent-bit/README.md | 2 +- modules/fluent-bit/locals.tf | 25 +++++++------- modules/fluent-bit/tests/advanced/0-setup.tf | 4 --- modules/fluent-bit/tests/advanced/2-assert.tf | 9 ----- modules/fluent-bit/tests/advanced/README.md | 8 ++--- modules/fluent-bit/tests/basic/0-setup.tf | 4 --- modules/fluent-bit/tests/basic/2-assert.tf | 9 ----- modules/fluent-bit/tests/basic/README.md | 8 ++--- .../cloudwatch-export-disable/0-setup.tf | 17 ++++++++++ .../cloudwatch-export-disable/1-example.tf | 20 +++++++++++ .../tests/cloudwatch-export-disable/README.md | 33 +++++++++++++++++++ .../templates/outputs.yaml.tpl | 7 ++++ .../tests/own-values-yaml/0-setup.tf | 4 --- .../tests/own-values-yaml/2-assert.tf | 9 ----- .../tests/own-values-yaml/README.md | 8 ++--- modules/fluent-bit/values.yaml.tpl | 5 +++ modules/fluent-bit/variables.tf | 7 ++-- tests/basic/README.md | 2 +- variables.tf | 14 ++++---- 21 files changed, 120 insertions(+), 84 deletions(-) delete mode 100644 modules/fluent-bit/tests/advanced/2-assert.tf delete mode 100644 modules/fluent-bit/tests/basic/2-assert.tf create mode 100644 modules/fluent-bit/tests/cloudwatch-export-disable/0-setup.tf create mode 100644 modules/fluent-bit/tests/cloudwatch-export-disable/1-example.tf create mode 100644 modules/fluent-bit/tests/cloudwatch-export-disable/README.md create mode 100644 modules/fluent-bit/tests/cloudwatch-export-disable/templates/outputs.yaml.tpl delete mode 100644 modules/fluent-bit/tests/own-values-yaml/2-assert.tf diff --git a/README.md b/README.md index 1458834..4590c00 100644 --- a/README.md +++ b/README.md 
@@ -268,7 +268,7 @@ worker_groups = { | [enable\_sso\_rbac](#input\_enable\_sso\_rbac) | Enable SSO RBAC integration or not | `bool` | `false` | no | | [enable\_waf\_for\_alb](#input\_enable\_waf\_for\_alb) | Enables WAF and WAF V2 addons for ALB | `bool` | `false` | no | | [external\_secrets\_namespace](#input\_external\_secrets\_namespace) | The namespace of external-secret operator | `string` | `"kube-system"` | no | -| [fluent\_bit\_configs](#input\_fluent\_bit\_configs) | Fluent Bit configs |
object({
fluent_bit_name = optional(string, "")
log_group_name = optional(string, "")
system_log_group_name = optional(string, "")
log_retention_days = optional(number, 90)
values_yaml = optional(string, "")
configs = optional(object({
inputs = optional(string, "")
filters = optional(string, "")
outputs = optional(string, "")
}), {})
drop_namespaces = optional(list(string), [])
log_filters = optional(list(string), [])
additional_log_filters = optional(list(string), [])
kube_namespaces = optional(list(string), [])
})
|
{
"additional_log_filters": [
"ELB-HealthChecker",
"Amazon-Route53-Health-Check-Service"
],
"configs": {
"filters": "",
"inputs": "",
"outputs": ""
},
"drop_namespaces": [
"kube-system",
"opentelemetry-operator-system",
"adot",
"cert-manager",
"opentelemetry.*",
"meta.*"
],
"fluent_bit_name": "",
"kube_namespaces": [
"kube.*",
"meta.*",
"adot.*",
"devops.*",
"cert-manager.*",
"git.*",
"opentelemetry.*",
"stakater.*",
"renovate.*"
],
"log_filters": [
"kube-probe",
"health",
"prometheus",
"liveness"
],
"log_group_name": "",
"log_retention_days": 90,
"system_log_group_name": "",
"values_yaml": ""
}
| no | +| [fluent\_bit\_configs](#input\_fluent\_bit\_configs) | Fluent Bit configs |
object({
fluent_bit_name = optional(string, "")
log_group_name = optional(string, "")
system_log_group_name = optional(string, "")
log_retention_days = optional(number, 90)
values_yaml = optional(string, "")
configs = optional(object({
inputs = optional(string, "")
filters = optional(string, "")
outputs = optional(string, "")
cloudwatch_outputs_enabled = optional(bool, true)
}), {})
drop_namespaces = optional(list(string), [])
log_filters = optional(list(string), [])
additional_log_filters = optional(list(string), [])
kube_namespaces = optional(list(string), [])
})
|
{
"additional_log_filters": [
"ELB-HealthChecker",
"Amazon-Route53-Health-Check-Service"
],
"configs": {
"cloudwatch_outputs_enabled": true,
"filters": "",
"inputs": "",
"outputs": ""
},
"drop_namespaces": [
"kube-system",
"opentelemetry-operator-system",
"adot",
"cert-manager",
"opentelemetry.*",
"meta.*"
],
"fluent_bit_name": "",
"kube_namespaces": [
"kube.*",
"meta.*",
"adot.*",
"devops.*",
"cert-manager.*",
"git.*",
"opentelemetry.*",
"stakater.*",
"renovate.*"
],
"log_filters": [
"kube-probe",
"health",
"prometheus",
"liveness"
],
"log_group_name": "",
"log_retention_days": 90,
"system_log_group_name": "",
"values_yaml": ""
}
| no | | [manage\_aws\_auth](#input\_manage\_aws\_auth) | n/a | `bool` | `true` | no | | [map\_roles](#input\_map\_roles) | Additional IAM roles to add to the aws-auth configmap. |
list(object({
rolearn = string
username = string
groups = list(string)
}))
| `[]` | no | | [metrics\_exporter](#input\_metrics\_exporter) | Metrics Exporter, can use cloudwatch or adot | `string` | `"adot"` | no | diff --git a/fluent-bit.tf b/fluent-bit.tf index 6645218..c6fb423 100644 --- a/fluent-bit.tf +++ b/fluent-bit.tf @@ -51,9 +51,10 @@ module "fluent-bit" { ]) fluent_bit_config = try(var.fluent_bit_configs.configs, { - inputs = "" - outputs = "" - filters = "" + inputs = "" + outputs = "" + filters = "" + cloudwatch_outputs_enabled = true }) depends_on = [ diff --git a/modules/fluent-bit/README.md b/modules/fluent-bit/README.md index e5ebbb5..10d2fbf 100644 --- a/modules/fluent-bit/README.md +++ b/modules/fluent-bit/README.md @@ -53,7 +53,7 @@ No modules. | [create\_namespace](#input\_create\_namespace) | Wether or no to create namespace. | `bool` | `false` | no | | [drop\_namespaces](#input\_drop\_namespaces) | Flunt bit doesn't send logs for this namespaces | `list(string)` |
[
"kube-system",
"opentelemetry-operator-system",
"adot",
"cert-manager",
"opentelemetry.*",
"meta.*"
]
| no | | [eks\_oidc\_root\_ca\_thumbprint](#input\_eks\_oidc\_root\_ca\_thumbprint) | n/a | `string` | n/a | yes | -| [fluent\_bit\_config](#input\_fluent\_bit\_config) | You can add other inputs,outputs and filters which module doesn't have by default | `any` |
{
"filters": "",
"inputs": "",
"outputs": ""
}
| no | +| [fluent\_bit\_config](#input\_fluent\_bit\_config) | You can add other inputs,outputs and filters which module doesn't have by default | `any` |
{
"cloudwatch_outputs_enabled": true,
"filters": "",
"inputs": "",
"outputs": ""
}
| no | | [fluent\_bit\_name](#input\_fluent\_bit\_name) | Container resource name. | `string` | `"fluent-bit"` | no | | [kube\_namespaces](#input\_kube\_namespaces) | Kubernates namespaces | `list(string)` |
[
"kube.*",
"meta.*",
"adot.*",
"devops.*",
"cert-manager.*",
"git.*",
"opentelemetry.*",
"stakater.*",
"renovate.*"
]
| no | | [log\_filters](#input\_log\_filters) | Fluent bit doesn't send logs if message consists of this values | `list(string)` |
[
"kube-probe",
"health",
"prometheus",
"liveness"
]
| no | diff --git a/modules/fluent-bit/locals.tf b/modules/fluent-bit/locals.tf index 0dae146..876ec2e 100644 --- a/modules/fluent-bit/locals.tf +++ b/modules/fluent-bit/locals.tf @@ -3,18 +3,19 @@ locals { log_group_name = var.log_group_name != "" ? var.log_group_name : "fluent-bit-cloudwatch" region = var.region config_settings = { - log_group_name = local.log_group_name - system_log_group_name = var.system_log_group_name == "" ? "${local.log_group_name}-kube" : "${var.system_log_group_name}" - region = local.region - log_retention_days = var.log_retention_days - auto_create_group = var.create_log_group ? "On" : "Off" - drop_namespaces = "(${join("|", var.drop_namespaces)})" - log_filters = "(${join("|", var.log_filters)})" - additional_log_filters = "(${join("|", var.additional_log_filters)})" - inputs = try(var.fluent_bit_config.inputs, "") - outputs = try(var.fluent_bit_config.outputs, "") - filters = try(var.fluent_bit_config.filters, "") - kube_namespaces = var.kube_namespaces + log_group_name = local.log_group_name + system_log_group_name = var.system_log_group_name == "" ? "${local.log_group_name}-kube" : "${var.system_log_group_name}" + region = local.region + log_retention_days = var.log_retention_days + auto_create_group = var.create_log_group ? "On" : "Off" + drop_namespaces = "(${join("|", var.drop_namespaces)})" + log_filters = "(${join("|", var.log_filters)})" + additional_log_filters = "(${join("|", var.additional_log_filters)})" + inputs = try(var.fluent_bit_config.inputs, "") + outputs = try(var.fluent_bit_config.outputs, "") + filters = try(var.fluent_bit_config.filters, "") + cloudwatch_outputs_enabled = try(var.fluent_bit_config.cloudwatch_outputs_enabled, true) + kube_namespaces = var.kube_namespaces } values = var.values_yaml == "" ? templatefile("${path.module}/values.yaml.tpl", local.config_settings) : var.values_yaml 
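Review bot: The new `cloudwatch_outputs_enabled` entry in `config_settings` only takes effect on the `templatefile` branch of `values`; the context line at the end of this hunk shows that a non-empty `values_yaml` bypasses the rendered template, so the flag is ignored without any signal. A caller who sets it to `false` to keep logs out of CloudWatch and also supplies their own values file gets whatever outputs that file defines. I would document this next to the entry, e.g. `# ignored when var.values_yaml is set; the supplied values file then controls all outputs`. The `locals` block continues outside the hunk.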
diff --git a/modules/fluent-bit/tests/advanced/0-setup.tf b/modules/fluent-bit/tests/advanced/0-setup.tf index 72a3014..4857ca2 100644 --- a/modules/fluent-bit/tests/advanced/0-setup.tf +++ b/modules/fluent-bit/tests/advanced/0-setup.tf @@ -1,9 +1,5 @@ terraform { required_providers { - test = { - source = "terraform.io/builtin/test" - } - aws = { source = "hashicorp/aws" version = "~> 4.37" diff --git a/modules/fluent-bit/tests/advanced/2-assert.tf b/modules/fluent-bit/tests/advanced/2-assert.tf deleted file mode 100644 index 414ed51..0000000 --- a/modules/fluent-bit/tests/advanced/2-assert.tf +++ /dev/null @@ -1,9 +0,0 @@ -resource "test_assertions" "api_url" { - component = "Basic-Setup" - - equal "scheme" { - description = "As module does not have any output and data just make sure the case runs. Probably can be thrown away." - got = "all good" - want = "all good" - } -} diff --git a/modules/fluent-bit/tests/advanced/README.md b/modules/fluent-bit/tests/advanced/README.md index b9d2940..8de83f1 100644 --- a/modules/fluent-bit/tests/advanced/README.md +++ b/modules/fluent-bit/tests/advanced/README.md @@ -11,9 +11,7 @@ ## Providers -| Name | Version | -|------|---------| -| [test](#provider\_test) | n/a | +No providers. ## Modules @@ -23,9 +21,7 @@ ## Resources -| Name | Type | -|------|------| -| test_assertions.api_url | resource | +No resources. ## Inputs diff --git a/modules/fluent-bit/tests/basic/0-setup.tf b/modules/fluent-bit/tests/basic/0-setup.tf index 72a3014..4857ca2 100644 --- a/modules/fluent-bit/tests/basic/0-setup.tf +++ b/modules/fluent-bit/tests/basic/0-setup.tf @@ -1,9 +1,5 @@ terraform { required_providers { - test = { - source = "terraform.io/builtin/test" - } - aws = { source = "hashicorp/aws" version = "~> 4.37" diff --git a/modules/fluent-bit/tests/basic/2-assert.tf b/modules/fluent-bit/tests/basic/2-assert.tf deleted file mode 100644 index 414ed51..0000000 --- a/modules/fluent-bit/tests/basic/2-assert.tf +++ /dev/null 
@@ -1,9 +0,0 @@ -resource "test_assertions" "api_url" { - component = "Basic-Setup" - - equal "scheme" { - description = "As module does not have any output and data just make sure the case runs. Probably can be thrown away." - got = "all good" - want = "all good" - } -} diff --git a/modules/fluent-bit/tests/basic/README.md b/modules/fluent-bit/tests/basic/README.md index ba15240..f21aca4 100644 --- a/modules/fluent-bit/tests/basic/README.md +++ b/modules/fluent-bit/tests/basic/README.md @@ -11,9 +11,7 @@ ## Providers -| Name | Version | -|------|---------| -| [test](#provider\_test) | n/a | +No providers. ## Modules @@ -23,9 +21,7 @@ ## Resources -| Name | Type | -|------|------| -| test_assertions.api_url | resource | +No resources. ## Inputs diff --git a/modules/fluent-bit/tests/cloudwatch-export-disable/0-setup.tf b/modules/fluent-bit/tests/cloudwatch-export-disable/0-setup.tf new file mode 100644 index 0000000..4857ca2 --- /dev/null +++ b/modules/fluent-bit/tests/cloudwatch-export-disable/0-setup.tf @@ -0,0 +1,17 @@ +terraform { + required_providers { + aws = { + source = "hashicorp/aws" + version = "~> 4.37" + } + kubernetes = { + source = "hashicorp/kubernetes" + version = "~>2.23" + } + helm = ">= 2.0" + } +} + +provider "aws" {} +provider "helm" {} +provider "kubernetes" {} diff --git a/modules/fluent-bit/tests/cloudwatch-export-disable/1-example.tf b/modules/fluent-bit/tests/cloudwatch-export-disable/1-example.tf new file mode 100644 index 0000000..ee5e71a --- /dev/null +++ b/modules/fluent-bit/tests/cloudwatch-export-disable/1-example.tf 
@@ -0,0 +1,20 @@ +locals { + oidc_provider_arn = "arn:aws:iam::000000000000:oidc-provider/oidc.eks.eu-central-1.amazonaws.com/id/6F40EA94327Dh8956DDB9S0AE7907CFD" +} + +module "fluent-bit" { + source = "../../" + + cluster_name = "Test" + oidc_provider_arn = local.oidc_provider_arn + eks_oidc_root_ca_thumbprint = replace(local.oidc_provider_arn, "/.*id//", "") + region = "eu-central-1" + account_id = 000000000000 + log_retention_days = 7 + + fluent_bit_config = { + outputs = templatefile("${path.module}/templates/outputs.yaml.tpl", {}) # some custom output/exporter for logs + cloudwatch_outputs_enabled = false # whether to disable default cloudwatch exporter/output + } + +} diff --git a/modules/fluent-bit/tests/cloudwatch-export-disable/README.md b/modules/fluent-bit/tests/cloudwatch-export-disable/README.md new file mode 100644 index 0000000..f21aca4 --- /dev/null +++ b/modules/fluent-bit/tests/cloudwatch-export-disable/README.md @@ -0,0 +1,33 @@ +# basic + + +## Requirements + +| Name | Version | +|------|---------| +| [aws](#requirement\_aws) | ~> 4.37 | +| [helm](#requirement\_helm) | >= 2.0 | +| [kubernetes](#requirement\_kubernetes) | ~>2.23 | + +## Providers + +No providers. + +## Modules + +| Name | Source | Version | +|------|--------|---------| +| [fluent-bit](#module\_fluent-bit) | ../../ | n/a | + +## Resources + +No resources. + +## Inputs + +No inputs. + +## Outputs + +No outputs. + diff --git a/modules/fluent-bit/tests/cloudwatch-export-disable/templates/outputs.yaml.tpl b/modules/fluent-bit/tests/cloudwatch-export-disable/templates/outputs.yaml.tpl new file mode 100644 index 0000000..4c1378a --- /dev/null +++ b/modules/fluent-bit/tests/cloudwatch-export-disable/templates/outputs.yaml.tpl @@ -0,0 +1,7 @@ +[OUTPUT] + Name s3 + Match test.* + bucket s3-bucket + region eu-central-1 + total_file_size 250M + s3_key_format /%Y/%m/%d/%H_%M_%S.gz 
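Review bot: In `1-example.tf` the default CloudWatch outputs are switched off while the only replacement, `templates/outputs.yaml.tpl`, is an `s3` output with `Match test.*`, and the example passes no custom `inputs`. The module's built-in outputs match `kube.*` (see the `values.yaml.tpl` hunk in this patch), so if the default inputs use that tag, presumably nothing collected by this example reaches any destination. Because test directories double as usage examples, I would make the sample output match what the module collects, e.g. `Match kube.*` in the template, and say in the example's comment that disabling the default export without a matching replacement leaves container logs unshipped. Separately, `account_id = 000000000000` is an unquoted number literal and will not keep its leading zeros; `account_id = "000000000000"` is safer if the variable is a string.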
diff --git a/modules/fluent-bit/tests/own-values-yaml/0-setup.tf b/modules/fluent-bit/tests/own-values-yaml/0-setup.tf index 72a3014..4857ca2 100644 --- a/modules/fluent-bit/tests/own-values-yaml/0-setup.tf +++ b/modules/fluent-bit/tests/own-values-yaml/0-setup.tf @@ -1,9 +1,5 @@ terraform { required_providers { - test = { - source = "terraform.io/builtin/test" - } - aws = { source = "hashicorp/aws" version = "~> 4.37" diff --git a/modules/fluent-bit/tests/own-values-yaml/2-assert.tf b/modules/fluent-bit/tests/own-values-yaml/2-assert.tf deleted file mode 100644 index 33c30a7..0000000 --- a/modules/fluent-bit/tests/own-values-yaml/2-assert.tf +++ /dev/null @@ -1,9 +0,0 @@ -resource "test_assertions" "api_url" { - component = "supply_own_yaml_file" - - equal "scheme" { - description = "As module does not have any output and data just make sure the case runs. Probably can be thrown away." - got = "all good" - want = "all good" - } -} diff --git a/modules/fluent-bit/tests/own-values-yaml/README.md b/modules/fluent-bit/tests/own-values-yaml/README.md index a8dfff9..5577108 100644 --- a/modules/fluent-bit/tests/own-values-yaml/README.md +++ b/modules/fluent-bit/tests/own-values-yaml/README.md @@ -11,9 +11,7 @@ ## Providers -| Name | Version | -|------|---------| -| [test](#provider\_test) | n/a | +No providers. ## Modules @@ -23,9 +21,7 @@ ## Resources -| Name | Type | -|------|------| -| test_assertions.api_url | resource | +No resources. ## Inputs diff --git a/modules/fluent-bit/values.yaml.tpl b/modules/fluent-bit/values.yaml.tpl index 9661fd6..6fc956c 100644 --- a/modules/fluent-bit/values.yaml.tpl +++ b/modules/fluent-bit/values.yaml.tpl @@ -53,6 +53,9 @@ config: ${indent(4, filters)} outputs: | + + %{ if cloudwatch_outputs_enabled } + [OUTPUT] Name cloudwatch_logs Match kube.* @@ -80,4 +83,6 @@ config: auto_create_group ${auto_create_group} log_retention_days ${log_retention_days} + %{ endif ~} + ${indent(4, outputs)} 
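Review bot: With `cloudwatch_outputs_enabled = false` and `outputs` left at its default empty string, the `outputs: |` block in `values.yaml.tpl` renders with no `[OUTPUT]` section at all, and nothing in the visible hunks rejects that combination. For a logging module that means a collector can be deployed that ships logs nowhere, which is a silent loss of the records that detection and incident response depend on. A `validation` block on the module's `fluent_bit_config` variable would catch it at plan time: `condition = try(var.fluent_bit_config.cloudwatch_outputs_enabled, true) || trimspace(try(var.fluent_bit_config.outputs, "")) != ""`, with an `error_message` saying that a custom output is required when the default CloudWatch export is disabled. The same check applies to the root `fluent_bit_configs.configs` object in `variables.tf`.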
diff --git a/modules/fluent-bit/variables.tf b/modules/fluent-bit/variables.tf index 21cb6f5..964e029 100644 --- a/modules/fluent-bit/variables.tf +++ b/modules/fluent-bit/variables.tf @@ -76,9 +76,10 @@ variable "values_yaml" { variable "fluent_bit_config" { description = "You can add other inputs,outputs and filters which module doesn't have by default" default = { - inputs = "" - outputs = "" - filters = "" + inputs = "" + outputs = "" + filters = "" + cloudwatch_outputs_enabled = true # whether to disable default cloudwatch exporter/output } type = any } diff --git a/tests/basic/README.md b/tests/basic/README.md index 3f65220..bcd75fe 100644 --- a/tests/basic/README.md +++ b/tests/basic/README.md @@ -9,7 +9,7 @@ No requirements. | Name | Version | |------|---------| -| [aws](#provider\_aws) | n/a | +| [aws](#provider\_aws) | 4.67.0 | ## Modules diff --git a/variables.tf b/variables.tf index 139dc99..d377ed5 100644 --- a/variables.tf +++ b/variables.tf @@ -112,9 +112,10 @@ variable "fluent_bit_configs" { log_retention_days = optional(number, 90) values_yaml = optional(string, "") configs = optional(object({ - inputs = optional(string, "") - filters = optional(string, "") - outputs = optional(string, "") + inputs = optional(string, "") + filters = optional(string, "") + outputs = optional(string, "") + cloudwatch_outputs_enabled = optional(bool, true) }), {}) drop_namespaces = optional(list(string), []) log_filters = optional(list(string), []) @@ -128,9 +129,10 @@ variable "fluent_bit_configs" { log_retention_days = 90 values_yaml = "" configs = { - inputs = "" - outputs = "" - filters = "" + inputs = "" + outputs = "" + filters = "" + cloudwatch_outputs_enabled = true # whether to disable default cloudwatch exporter/output } drop_namespaces = [ "kube-system", From 793bdf51e0c397eeebbee646d867e753adebe375 Mon Sep 17 00:00:00 2001 
From: Tigran Muradyan Date: Wed, 18 Sep 2024 17:45:15 +0400 Subject: [PATCH 2/3] fix(DMVP-5330): fix in main test for fluent-bit and have option to set image pull secrets for fluent-bit pods --- README.md | 2 +- fluent-bit.tf | 1 + modules/fluent-bit/README.md | 1 + modules/fluent-bit/locals.tf | 1 + modules/fluent-bit/values.yaml.tpl | 1 + modules/fluent-bit/variables.tf | 6 ++++++ tests/eks-fluent-bit/0-setup.tf | 6 +----- tests/eks-fluent-bit/1-example.tf | 18 +++++++----------- tests/eks-fluent-bit/2-assert.tf | 9 --------- tests/eks-fluent-bit/README.md | 6 ++---- .../eks-fluent-bit/templates/outputs.yaml.tpl | 2 +- variables.tf | 2 ++ 12 files changed, 24 insertions(+), 31 deletions(-) delete mode 100644 tests/eks-fluent-bit/2-assert.tf diff --git a/README.md b/README.md index 4590c00..ae3a3a2 100644 --- a/README.md +++ b/README.md @@ -268,7 +268,7 @@ worker_groups = { | [enable\_sso\_rbac](#input\_enable\_sso\_rbac) | Enable SSO RBAC integration or not | `bool` | `false` | no | | [enable\_waf\_for\_alb](#input\_enable\_waf\_for\_alb) | Enables WAF and WAF V2 addons for ALB | `bool` | `false` | no | | [external\_secrets\_namespace](#input\_external\_secrets\_namespace) | The namespace of external-secret operator | `string` | `"kube-system"` | no | -| [fluent\_bit\_configs](#input\_fluent\_bit\_configs) | Fluent Bit configs |
object({
fluent_bit_name = optional(string, "")
log_group_name = optional(string, "")
system_log_group_name = optional(string, "")
log_retention_days = optional(number, 90)
values_yaml = optional(string, "")
configs = optional(object({
inputs = optional(string, "")
filters = optional(string, "")
outputs = optional(string, "")
cloudwatch_outputs_enabled = optional(bool, true)
}), {})
drop_namespaces = optional(list(string), [])
log_filters = optional(list(string), [])
additional_log_filters = optional(list(string), [])
kube_namespaces = optional(list(string), [])
})
|
{
"additional_log_filters": [
"ELB-HealthChecker",
"Amazon-Route53-Health-Check-Service"
],
"configs": {
"cloudwatch_outputs_enabled": true,
"filters": "",
"inputs": "",
"outputs": ""
},
"drop_namespaces": [
"kube-system",
"opentelemetry-operator-system",
"adot",
"cert-manager",
"opentelemetry.*",
"meta.*"
],
"fluent_bit_name": "",
"kube_namespaces": [
"kube.*",
"meta.*",
"adot.*",
"devops.*",
"cert-manager.*",
"git.*",
"opentelemetry.*",
"stakater.*",
"renovate.*"
],
"log_filters": [
"kube-probe",
"health",
"prometheus",
"liveness"
],
"log_group_name": "",
"log_retention_days": 90,
"system_log_group_name": "",
"values_yaml": ""
}
| no | +| [fluent\_bit\_configs](#input\_fluent\_bit\_configs) | Fluent Bit configs |
object({
fluent_bit_name = optional(string, "")
log_group_name = optional(string, "")
system_log_group_name = optional(string, "")
log_retention_days = optional(number, 90)
values_yaml = optional(string, "")
configs = optional(object({
inputs = optional(string, "")
filters = optional(string, "")
outputs = optional(string, "")
cloudwatch_outputs_enabled = optional(bool, true)
}), {})
drop_namespaces = optional(list(string), [])
log_filters = optional(list(string), [])
additional_log_filters = optional(list(string), [])
kube_namespaces = optional(list(string), [])
image_pull_secrets = optional(list(string), [])
})
|
{
"additional_log_filters": [
"ELB-HealthChecker",
"Amazon-Route53-Health-Check-Service"
],
"configs": {
"cloudwatch_outputs_enabled": true,
"filters": "",
"inputs": "",
"outputs": ""
},
"drop_namespaces": [
"kube-system",
"opentelemetry-operator-system",
"adot",
"cert-manager",
"opentelemetry.*",
"meta.*"
],
"fluent_bit_name": "",
"image_pull_secrets": [],
"kube_namespaces": [
"kube.*",
"meta.*",
"adot.*",
"devops.*",
"cert-manager.*",
"git.*",
"opentelemetry.*",
"stakater.*",
"renovate.*"
],
"log_filters": [
"kube-probe",
"health",
"prometheus",
"liveness"
],
"log_group_name": "",
"log_retention_days": 90,
"system_log_group_name": "",
"values_yaml": ""
}
| no | | [manage\_aws\_auth](#input\_manage\_aws\_auth) | n/a | `bool` | `true` | no | | [map\_roles](#input\_map\_roles) | Additional IAM roles to add to the aws-auth configmap. |
list(object({
rolearn = string
username = string
groups = list(string)
}))
| `[]` | no | | [metrics\_exporter](#input\_metrics\_exporter) | Metrics Exporter, can use cloudwatch or adot | `string` | `"adot"` | no | diff --git a/fluent-bit.tf b/fluent-bit.tf index c6fb423..74aa094 100644 --- a/fluent-bit.tf +++ b/fluent-bit.tf @@ -14,6 +14,7 @@ module "fluent-bit" { log_group_name = try(var.fluent_bit_configs.log_group_name, "") != "" ? var.fluent_bit_configs.log_group_name : "fluent-bit-cloudwatch-${module.eks-cluster[0].cluster_id}" system_log_group_name = try(var.fluent_bit_configs.system_log_group_name, "") log_retention_days = try(var.fluent_bit_configs.log_retention_days, 90) + image_pull_secrets = try(var.fluent_bit_configs.image_pull_secrets, []) values_yaml = try(var.fluent_bit_configs.values_yaml, "") diff --git a/modules/fluent-bit/README.md b/modules/fluent-bit/README.md index 10d2fbf..bcce4c6 100644 --- a/modules/fluent-bit/README.md +++ b/modules/fluent-bit/README.md @@ -55,6 +55,7 @@ No modules. | [eks\_oidc\_root\_ca\_thumbprint](#input\_eks\_oidc\_root\_ca\_thumbprint) | n/a | `string` | n/a | yes | | [fluent\_bit\_config](#input\_fluent\_bit\_config) | You can add other inputs,outputs and filters which module doesn't have by default | `any` |
{
"cloudwatch_outputs_enabled": true,
"filters": "",
"inputs": "",
"outputs": ""
}
| no | | [fluent\_bit\_name](#input\_fluent\_bit\_name) | Container resource name. | `string` | `"fluent-bit"` | no | +| [image\_pull\_secrets](#input\_image\_pull\_secrets) | Secret name which can we use for download image | `list(string)` | `[]` | no | | [kube\_namespaces](#input\_kube\_namespaces) | Kubernates namespaces | `list(string)` |
[
"kube.*",
"meta.*",
"adot.*",
"devops.*",
"cert-manager.*",
"git.*",
"opentelemetry.*",
"stakater.*",
"renovate.*"
]
| no | | [log\_filters](#input\_log\_filters) | Fluent bit doesn't send logs if message consists of this values | `list(string)` |
[
"kube-probe",
"health",
"prometheus",
"liveness"
]
| no | | [log\_group\_name](#input\_log\_group\_name) | Log group name fluent-bit will be streaming logs into. | `string` | `"fluentbit-default-log-group"` | no | diff --git a/modules/fluent-bit/locals.tf b/modules/fluent-bit/locals.tf index 876ec2e..c1f9201 100644 --- a/modules/fluent-bit/locals.tf +++ b/modules/fluent-bit/locals.tf @@ -16,6 +16,7 @@ locals { filters = try(var.fluent_bit_config.filters, "") cloudwatch_outputs_enabled = try(var.fluent_bit_config.cloudwatch_outputs_enabled, true) kube_namespaces = var.kube_namespaces + imagePullSecrets = [for item in var.image_pull_secrets : { name : item }] } values = var.values_yaml == "" ? templatefile("${path.module}/values.yaml.tpl", local.config_settings) : var.values_yaml diff --git a/modules/fluent-bit/values.yaml.tpl b/modules/fluent-bit/values.yaml.tpl index 6fc956c..1947f4e 100644 --- a/modules/fluent-bit/values.yaml.tpl +++ b/modules/fluent-bit/values.yaml.tpl @@ -1,3 +1,4 @@ +imagePullSecrets: ${jsonencode(imagePullSecrets)} config: ## https://docs.fluentbit.io/manual/pipeline/inputs inputs: | diff --git a/modules/fluent-bit/variables.tf b/modules/fluent-bit/variables.tf index 964e029..70ffae5 100644 --- a/modules/fluent-bit/variables.tf +++ b/modules/fluent-bit/variables.tf @@ -138,3 +138,9 @@ variable "additional_log_filters" { ] description = "Fluent bit doesn't send logs if message consists of this values" } + +variable "image_pull_secrets" { + type = list(string) + default = [] + description = "Secret name which can we use for download image" +} diff --git a/tests/eks-fluent-bit/0-setup.tf b/tests/eks-fluent-bit/0-setup.tf index ca00286..1b4b9d4 100644 --- a/tests/eks-fluent-bit/0-setup.tf +++ b/tests/eks-fluent-bit/0-setup.tf @@ -1,16 +1,12 @@ terraform { required_providers { - test = { - source = "terraform.io/builtin/test" - } - aws = { source = "hashicorp/aws" version = ">= 3.41" } } - required_version = ">= 1.3.0, < 1.6.0" + required_version = ">= 1.3.0, < 2.0.0" } /** 
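Review bot: The description of the new `image_pull_secrets` variable in `modules/fluent-bit/variables.tf` does not say that the list holds names of Kubernetes secrets that must already exist, rather than registry credentials themselves. `locals.tf` turns each item into `{ name : item }` and the template emits the result as `imagePullSecrets`, so a name that does not exist in the pod's namespace would presumably leave the image pull failing. I would reword it to `description = "Names of existing image pull secrets, in the namespace fluent-bit is deployed to, used to pull the fluent-bit image from a private registry"`. Like the other template inputs, the value has no effect when `values_yaml` is supplied.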
diff --git a/tests/eks-fluent-bit/1-example.tf b/tests/eks-fluent-bit/1-example.tf index b570ee1..13afa6f 100644 --- a/tests/eks-fluent-bit/1-example.tf +++ b/tests/eks-fluent-bit/1-example.tf @@ -12,22 +12,21 @@ data "aws_subnet_ids" "subnets" { module "this" { source = "../.." - account_id = "0000000000" adot_config = { "accept_namespace_regex" : "(default|kube-system)", "additional_metrics" : [], "log_group_name" : "adot-logs" } cluster_enabled_log_types = ["audit"] - cluster_name = "eks-dev" + cluster_name = "test-eks-fluent-bit" cluster_version = "1.27" metrics_exporter = "adot" node_groups = { "dev_nodes" : { - "desired_size" : 2, - "max_capacity" : 5, - "max_size" : 5, - "min_size" : 2 + "desired_size" : 1, + "max_capacity" : 1, + "max_size" : 1, + "min_size" : 1 } } node_groups_default = { @@ -35,10 +34,6 @@ module "this" { "instance_types" : ["t3.medium"] } send_alb_logs_to_cloudwatch = false - users = [ - { "username" : "dasmeta" }, - ] - vpc = { link = { id = data.aws_vpcs.ids.ids[0] @@ -47,10 +42,11 @@ module "this" { } fluent_bit_configs = { - config = { + configs = { inputs = templatefile("${path.module}/templates/inputs.yaml.tpl", {}) outputs = templatefile("${path.module}/templates/outputs.yaml.tpl", {}) filters = templatefile("${path.module}/templates/filters.yaml.tpl", {}) + # cloudwatch_outputs_enabled = false # uncomment in case you want also to disable default cloudwatch log exporters/outputs } drop_namespaces = [ "kube-system", diff --git a/tests/eks-fluent-bit/2-assert.tf b/tests/eks-fluent-bit/2-assert.tf deleted file mode 100644 index 99458ca..0000000 --- a/tests/eks-fluent-bit/2-assert.tf +++ /dev/null @@ -1,9 +0,0 @@ -resource "test_assertions" "dummy" { - component = "this" - - equal "scheme" { - description = "As module does not have any output and data just make sure the case runs. Probably can be thrown away." - got = "all good" - want = "all good" - } -} 
diff --git a/tests/eks-fluent-bit/README.md b/tests/eks-fluent-bit/README.md index e8ab3f4..ee3b419 100644 --- a/tests/eks-fluent-bit/README.md +++ b/tests/eks-fluent-bit/README.md @@ -5,15 +5,14 @@ | Name | Version | |------|---------| -| [terraform](#requirement\_terraform) | >= 1.3.0, < 1.6.0 | +| [terraform](#requirement\_terraform) | >= 1.3.0, < 2.0.0 | | [aws](#requirement\_aws) | >= 3.41 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | >= 3.41 | -| [test](#provider\_test) | n/a | +| [aws](#provider\_aws) | 4.67.0 | ## Modules @@ -25,7 +24,6 @@ | Name | Type | |------|------| -| test_assertions.dummy | resource | | [aws_availability_zones.available](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/availability_zones) | data source | | [aws_subnet_ids.subnets](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/subnet_ids) | data source | | [aws_vpcs.ids](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpcs) | data source | diff --git a/tests/eks-fluent-bit/templates/outputs.yaml.tpl b/tests/eks-fluent-bit/templates/outputs.yaml.tpl index 4c1378a..ab5a602 100644 --- a/tests/eks-fluent-bit/templates/outputs.yaml.tpl +++ b/tests/eks-fluent-bit/templates/outputs.yaml.tpl @@ -1,7 +1,7 @@ [OUTPUT] Name s3 Match test.* - bucket s3-bucket + bucket test-eks-fluent-bit-dasmeta region eu-central-1 total_file_size 250M s3_key_format /%Y/%m/%d/%H_%M_%S.gz diff --git a/variables.tf b/variables.tf index d377ed5..a1008a7 100644 --- a/variables.tf +++ b/variables.tf @@ -121,6 +121,7 @@ variable "fluent_bit_configs" { log_filters = optional(list(string), []) additional_log_filters = optional(list(string), []) kube_namespaces = optional(list(string), []) + image_pull_secrets = optional(list(string), []) }) default = { fluent_bit_name = "" 
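Review bot: The sample S3 output in `tests/eks-fluent-bit/templates/outputs.yaml.tpl` now hard-codes the bucket `test-eks-fluent-bit-dasmeta`, and no visible hunk creates that bucket or ties it to the account running the test. S3 bucket names are global, so anyone who runs or copies this example from another account points their cluster's log stream at a bucket they may not own. The template is already rendered with `templatefile(..., {})`, so the name can be passed in: `bucket ${bucket_name}` here, and `templatefile("${path.module}/templates/outputs.yaml.tpl", { bucket_name = <bucket created by the test> })` in `1-example.tf`.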
@@ -128,6 +129,7 @@ variable "fluent_bit_configs" { system_log_group_name = "" log_retention_days = 90 values_yaml = "" + image_pull_secrets = [] configs = { inputs = "" outputs = "" From 785820fdea4f073bd7a5f4a9bd58eddd933368de Mon Sep 17 00:00:00 2001 From: Tigran Muradyan Date: Thu, 19 Sep 2024 12:05:09 +0400 Subject: [PATCH 3/3] fix(DMVP-5330): have all eks native logs disabled including audit ones in eks-fluent-bit test --- tests/eks-fluent-bit/1-example.tf | 15 +++++++-------- 1 file changed, 7 insertions(+), 8 deletions(-) diff --git a/tests/eks-fluent-bit/1-example.tf b/tests/eks-fluent-bit/1-example.tf index 13afa6f..c02921a 100644 --- a/tests/eks-fluent-bit/1-example.tf +++ b/tests/eks-fluent-bit/1-example.tf @@ -17,10 +17,9 @@ module "this" { "additional_metrics" : [], "log_group_name" : "adot-logs" } - cluster_enabled_log_types = ["audit"] - cluster_name = "test-eks-fluent-bit" - cluster_version = "1.27" - metrics_exporter = "adot" + cluster_name = "test-eks-fluent-bit" + cluster_version = "1.27" + metrics_exporter = "adot" node_groups = { "dev_nodes" : { "desired_size" : 1, @@ -43,10 +42,10 @@ module "this" { fluent_bit_configs = { configs = { - inputs = templatefile("${path.module}/templates/inputs.yaml.tpl", {}) - outputs = templatefile("${path.module}/templates/outputs.yaml.tpl", {}) - filters = templatefile("${path.module}/templates/filters.yaml.tpl", {}) - # cloudwatch_outputs_enabled = false # uncomment in case you want also to disable default cloudwatch log exporters/outputs + inputs = templatefile("${path.module}/templates/inputs.yaml.tpl", {}) + outputs = templatefile("${path.module}/templates/outputs.yaml.tpl", {}) + filters = templatefile("${path.module}/templates/filters.yaml.tpl", {}) + cloudwatch_outputs_enabled = false # have false in case you want also disable default cloudwatch log exporters/outputs } drop_namespaces = [ "kube-system",
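Review bot: Dropping `cluster_enabled_log_types = ["audit"]` in the first hunk of PATCH 3/3 leaves the control-plane log setting to the root module's default, which is not visible here, so the test may not end up with all EKS native logs disabled as the subject states. If the intent is to switch them off, state it explicitly with `cluster_enabled_log_types = []` and a comment that this is a cost choice for a throwaway test cluster. Fluent Bit runs on the worker nodes and collects container logs, so it does not replace the API server audit log; the comment should say so, since this directory also serves as the usage example for the fluent-bit setup. The `module "this"` block starts and ends outside the hunk.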