fix(DMVP-5330): have option named 'cloudwatch_outputs_enabled' in fluent_bit_config variable to control whether default cloudwatch log outputs/exports are enabled, it is enabled by default

README.md

@@ -268,7 +268,7 @@ worker_groups = {
 | <a name="input_enable_sso_rbac"></a> [enable\_sso\_rbac](#input\_enable\_sso\_rbac) | Enable SSO RBAC integration or not | `bool` | `false` | no |
 | <a name="input_enable_waf_for_alb"></a> [enable\_waf\_for\_alb](#input\_enable\_waf\_for\_alb) | Enables WAF and WAF V2 addons for ALB | `bool` | `false` | no |
 | <a name="input_external_secrets_namespace"></a> [external\_secrets\_namespace](#input\_external\_secrets\_namespace) | The namespace of external-secret operator | `string` | `"kube-system"` | no |
-| <a name="input_fluent_bit_configs"></a> [fluent\_bit\_configs](#input\_fluent\_bit\_configs) | Fluent Bit configs | <pre>object({<br>    fluent_bit_name       = optional(string, "")<br>    log_group_name        = optional(string, "")<br>    system_log_group_name = optional(string, "")<br>    log_retention_days    = optional(number, 90)<br>    values_yaml           = optional(string, "")<br>    configs = optional(object({<br>      inputs  = optional(string, "")<br>      filters = optional(string, "")<br>      outputs = optional(string, "")<br>    }), {})<br>    drop_namespaces        = optional(list(string), [])<br>    log_filters            = optional(list(string), [])<br>    additional_log_filters = optional(list(string), [])<br>    kube_namespaces        = optional(list(string), [])<br>  })</pre> | <pre>{<br>  "additional_log_filters": [<br>    "ELB-HealthChecker",<br>    "Amazon-Route53-Health-Check-Service"<br>  ],<br>  "configs": {<br>    "filters": "",<br>    "inputs": "",<br>    "outputs": ""<br>  },<br>  "drop_namespaces": [<br>    "kube-system",<br>    "opentelemetry-operator-system",<br>    "adot",<br>    "cert-manager",<br>    "opentelemetry.*",<br>    "meta.*"<br>  ],<br>  "fluent_bit_name": "",<br>  "kube_namespaces": [<br>    "kube.*",<br>    "meta.*",<br>    "adot.*",<br>    "devops.*",<br>    "cert-manager.*",<br>    "git.*",<br>    "opentelemetry.*",<br>    "stakater.*",<br>    "renovate.*"<br>  ],<br>  "log_filters": [<br>    "kube-probe",<br>    "health",<br>    "prometheus",<br>    "liveness"<br>  ],<br>  "log_group_name": "",<br>  "log_retention_days": 90,<br>  "system_log_group_name": "",<br>  "values_yaml": ""<br>}</pre> | no |
+| <a name="input_fluent_bit_configs"></a> [fluent\_bit\_configs](#input\_fluent\_bit\_configs) | Fluent Bit configs | <pre>object({<br>    fluent_bit_name       = optional(string, "")<br>    log_group_name        = optional(string, "")<br>    system_log_group_name = optional(string, "")<br>    log_retention_days    = optional(number, 90)<br>    values_yaml           = optional(string, "")<br>    configs = optional(object({<br>      inputs                     = optional(string, "")<br>      filters                    = optional(string, "")<br>      outputs                    = optional(string, "")<br>      cloudwatch_outputs_enabled = optional(bool, true)<br>    }), {})<br>    drop_namespaces        = optional(list(string), [])<br>    log_filters            = optional(list(string), [])<br>    additional_log_filters = optional(list(string), [])<br>    kube_namespaces        = optional(list(string), [])<br>    image_pull_secrets     = optional(list(string), [])<br>  })</pre> | <pre>{<br>  "additional_log_filters": [<br>    "ELB-HealthChecker",<br>    "Amazon-Route53-Health-Check-Service"<br>  ],<br>  "configs": {<br>    "cloudwatch_outputs_enabled": true,<br>    "filters": "",<br>    "inputs": "",<br>    "outputs": ""<br>  },<br>  "drop_namespaces": [<br>    "kube-system",<br>    "opentelemetry-operator-system",<br>    "adot",<br>    "cert-manager",<br>    "opentelemetry.*",<br>    "meta.*"<br>  ],<br>  "fluent_bit_name": "",<br>  "image_pull_secrets": [],<br>  "kube_namespaces": [<br>    "kube.*",<br>    "meta.*",<br>    "adot.*",<br>    "devops.*",<br>    "cert-manager.*",<br>    "git.*",<br>    "opentelemetry.*",<br>    "stakater.*",<br>    "renovate.*"<br>  ],<br>  "log_filters": [<br>    "kube-probe",<br>    "health",<br>    "prometheus",<br>    "liveness"<br>  ],<br>  "log_group_name": "",<br>  "log_retention_days": 90,<br>  "system_log_group_name": "",<br>  "values_yaml": ""<br>}</pre> | no |
 | <a name="input_manage_aws_auth"></a> [manage\_aws\_auth](#input\_manage\_aws\_auth) | n/a | `bool` | `true` | no |
 | <a name="input_map_roles"></a> [map\_roles](#input\_map\_roles) | Additional IAM roles to add to the aws-auth configmap. | <pre>list(object({<br>    rolearn  = string<br>    username = string<br>    groups   = list(string)<br>  }))</pre> | `[]` | no |
 | <a name="input_metrics_exporter"></a> [metrics\_exporter](#input\_metrics\_exporter) | Metrics Exporter, can use cloudwatch or adot | `string` | `"adot"` | no |

fluent-bit.tf

@@ -14,6 +14,7 @@ module "fluent-bit" {
   log_group_name        = try(var.fluent_bit_configs.log_group_name, "") != "" ? var.fluent_bit_configs.log_group_name : "fluent-bit-cloudwatch-${module.eks-cluster[0].cluster_id}"
   system_log_group_name = try(var.fluent_bit_configs.system_log_group_name, "")
   log_retention_days    = try(var.fluent_bit_configs.log_retention_days, 90)
+  image_pull_secrets    = try(var.fluent_bit_configs.image_pull_secrets, [])
 
   values_yaml = try(var.fluent_bit_configs.values_yaml, "")
 
@@ -51,9 +52,10 @@ module "fluent-bit" {
   ])
 
   fluent_bit_config = try(var.fluent_bit_configs.configs, {
-    inputs  = ""
-    outputs = ""
-    filters = ""
+    inputs                     = ""
+    outputs                    = ""
+    filters                    = ""
+    cloudwatch_outputs_enabled = true
   })
 
   depends_on = [

modules/fluent-bit/README.md

@@ -53,8 +53,9 @@ No modules.
 | <a name="input_create_namespace"></a> [create\_namespace](#input\_create\_namespace) | Wether or no to create namespace. | `bool` | `false` | no |
 | <a name="input_drop_namespaces"></a> [drop\_namespaces](#input\_drop\_namespaces) | Flunt bit doesn't send logs for this namespaces | `list(string)` | <pre>[<br>  "kube-system",<br>  "opentelemetry-operator-system",<br>  "adot",<br>  "cert-manager",<br>  "opentelemetry.*",<br>  "meta.*"<br>]</pre> | no |
 | <a name="input_eks_oidc_root_ca_thumbprint"></a> [eks\_oidc\_root\_ca\_thumbprint](#input\_eks\_oidc\_root\_ca\_thumbprint) | n/a | `string` | n/a | yes |
-| <a name="input_fluent_bit_config"></a> [fluent\_bit\_config](#input\_fluent\_bit\_config) | You can add other inputs,outputs and filters which module doesn't have by default | `any` | <pre>{<br>  "filters": "",<br>  "inputs": "",<br>  "outputs": ""<br>}</pre> | no |
+| <a name="input_fluent_bit_config"></a> [fluent\_bit\_config](#input\_fluent\_bit\_config) | You can add other inputs,outputs and filters which module doesn't have by default | `any` | <pre>{<br>  "cloudwatch_outputs_enabled": true,<br>  "filters": "",<br>  "inputs": "",<br>  "outputs": ""<br>}</pre> | no |
 | <a name="input_fluent_bit_name"></a> [fluent\_bit\_name](#input\_fluent\_bit\_name) | Container resource name. | `string` | `"fluent-bit"` | no |
+| <a name="input_image_pull_secrets"></a> [image\_pull\_secrets](#input\_image\_pull\_secrets) | Secret name which can we use for download image | `list(string)` | `[]` | no |
 | <a name="input_kube_namespaces"></a> [kube\_namespaces](#input\_kube\_namespaces) | Kubernates namespaces | `list(string)` | <pre>[<br>  "kube.*",<br>  "meta.*",<br>  "adot.*",<br>  "devops.*",<br>  "cert-manager.*",<br>  "git.*",<br>  "opentelemetry.*",<br>  "stakater.*",<br>  "renovate.*"<br>]</pre> | no |
 | <a name="input_log_filters"></a> [log\_filters](#input\_log\_filters) | Fluent bit doesn't send logs if message consists of this values | `list(string)` | <pre>[<br>  "kube-probe",<br>  "health",<br>  "prometheus",<br>  "liveness"<br>]</pre> | no |
 | <a name="input_log_group_name"></a> [log\_group\_name](#input\_log\_group\_name) | Log group name fluent-bit will be streaming logs into. | `string` | `"fluentbit-default-log-group"` | no |

modules/fluent-bit/locals.tf

@@ -3,18 +3,20 @@ locals {
   log_group_name = var.log_group_name != "" ? var.log_group_name : "fluent-bit-cloudwatch"
   region         = var.region
   config_settings = {
-    log_group_name         = local.log_group_name
-    system_log_group_name  = var.system_log_group_name == "" ? "${local.log_group_name}-kube" : "${var.system_log_group_name}"
-    region                 = local.region
-    log_retention_days     = var.log_retention_days
-    auto_create_group      = var.create_log_group ? "On" : "Off"
-    drop_namespaces        = "(${join("|", var.drop_namespaces)})"
-    log_filters            = "(${join("|", var.log_filters)})"
-    additional_log_filters = "(${join("|", var.additional_log_filters)})"
-    inputs                 = try(var.fluent_bit_config.inputs, "")
-    outputs                = try(var.fluent_bit_config.outputs, "")
-    filters                = try(var.fluent_bit_config.filters, "")
-    kube_namespaces        = var.kube_namespaces
+    log_group_name             = local.log_group_name
+    system_log_group_name      = var.system_log_group_name == "" ? "${local.log_group_name}-kube" : "${var.system_log_group_name}"
+    region                     = local.region
+    log_retention_days         = var.log_retention_days
+    auto_create_group          = var.create_log_group ? "On" : "Off"
+    drop_namespaces            = "(${join("|", var.drop_namespaces)})"
+    log_filters                = "(${join("|", var.log_filters)})"
+    additional_log_filters     = "(${join("|", var.additional_log_filters)})"
+    inputs                     = try(var.fluent_bit_config.inputs, "")
+    outputs                    = try(var.fluent_bit_config.outputs, "")
+    filters                    = try(var.fluent_bit_config.filters, "")
+    cloudwatch_outputs_enabled = try(var.fluent_bit_config.cloudwatch_outputs_enabled, true)
+    kube_namespaces            = var.kube_namespaces
+    imagePullSecrets           = [for item in var.image_pull_secrets : { name : item }]
   }
 
   values = var.values_yaml == "" ? templatefile("${path.module}/values.yaml.tpl", local.config_settings) : var.values_yaml

modules/fluent-bit/tests/advanced/0-setup.tf

@@ -1,9 +1,5 @@
 terraform {
   required_providers {
-    test = {
-      source = "terraform.io/builtin/test"
-    }
-
     aws = {
       source  = "hashicorp/aws"
       version = "~> 4.37"

modules/fluent-bit/tests/advanced/README.md

@@ -11,9 +11,7 @@
 
 ## Providers
 
-| Name | Version |
-|------|---------|
-| <a name="provider_test"></a> [test](#provider\_test) | n/a |
+No providers.
 
 ## Modules
 
@@ -23,9 +21,7 @@
 
 ## Resources
 
-| Name | Type |
-|------|------|
-| test_assertions.api_url | resource |
+No resources.
 
 ## Inputs
 

modules/fluent-bit/tests/basic/0-setup.tf

@@ -1,9 +1,5 @@
 terraform {
   required_providers {
-    test = {
-      source = "terraform.io/builtin/test"
-    }
-
     aws = {
       source  = "hashicorp/aws"
       version = "~> 4.37"

modules/fluent-bit/tests/basic/README.md

@@ -11,9 +11,7 @@
 
 ## Providers
 
-| Name | Version |
-|------|---------|
-| <a name="provider_test"></a> [test](#provider\_test) | n/a |
+No providers.
 
 ## Modules
 
@@ -23,9 +21,7 @@
 
 ## Resources
 
-| Name | Type |
-|------|------|
-| test_assertions.api_url | resource |
+No resources.
 
 ## Inputs
 

modules/fluent-bit/tests/cloudwatch-export-disable/0-setup.tf

@@ -0,0 +1,17 @@
+terraform {
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 4.37"
+    }
+    kubernetes = {
+      source  = "hashicorp/kubernetes"
+      version = "~>2.23"
+    }
+    helm = ">= 2.0"
+  }
+}
+
+provider "aws" {}
+provider "helm" {}
+provider "kubernetes" {}

modules/fluent-bit/tests/cloudwatch-export-disable/1-example.tf

@@ -0,0 +1,20 @@
+locals {
+  oidc_provider_arn = "arn:aws:iam::000000000000:oidc-provider/oidc.eks.eu-central-1.amazonaws.com/id/6F40EA94327Dh8956DDB9S0AE7907CFD"
+}
+
+module "fluent-bit" {
+  source = "../../"
+
+  cluster_name                = "Test"
+  oidc_provider_arn           = local.oidc_provider_arn
+  eks_oidc_root_ca_thumbprint = replace(local.oidc_provider_arn, "/.*id//", "")
+  region                      = "eu-central-1"
+  account_id                  = 000000000000
+  log_retention_days          = 7
+
+  fluent_bit_config = {
+    outputs                    = templatefile("${path.module}/templates/outputs.yaml.tpl", {}) # some custom output/exporter for logs
+    cloudwatch_outputs_enabled = false                                                         # whether to disable default cloudwatch exporter/output
+  }
+
+}

modules/fluent-bit/tests/cloudwatch-export-disable/README.md

@@ -0,0 +1,33 @@
+# basic
+
+<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+## Requirements
+
+| Name | Version |
+|------|---------|
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | ~> 4.37 |
+| <a name="requirement_helm"></a> [helm](#requirement\_helm) | >= 2.0 |
+| <a name="requirement_kubernetes"></a> [kubernetes](#requirement\_kubernetes) | ~>2.23 |
+
+## Providers
+
+No providers.
+
+## Modules
+
+| Name | Source | Version |
+|------|--------|---------|
+| <a name="module_fluent-bit"></a> [fluent-bit](#module\_fluent-bit) | ../../ | n/a |
+
+## Resources
+
+No resources.
+
+## Inputs
+
+No inputs.
+
+## Outputs
+
+No outputs.
+<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->

modules/fluent-bit/tests/cloudwatch-export-disable/templates/outputs.yaml.tpl

@@ -0,0 +1,7 @@
+[OUTPUT]
+    Name s3
+    Match test.*
+    bucket s3-bucket
+    region eu-central-1
+    total_file_size 250M
+    s3_key_format /%Y/%m/%d/%H_%M_%S.gz

modules/fluent-bit/tests/own-values-yaml/0-setup.tf

@@ -1,9 +1,5 @@
 terraform {
   required_providers {
-    test = {
-      source = "terraform.io/builtin/test"
-    }
-
     aws = {
       source  = "hashicorp/aws"
       version = "~> 4.37"

modules/fluent-bit/tests/own-values-yaml/README.md

@@ -11,9 +11,7 @@
 
 ## Providers
 
-| Name | Version |
-|------|---------|
-| <a name="provider_test"></a> [test](#provider\_test) | n/a |
+No providers.
 
 ## Modules
 
@@ -23,9 +21,7 @@
 
 ## Resources
 
-| Name | Type |
-|------|------|
-| test_assertions.api_url | resource |
+No resources.
 
 ## Inputs
 

modules/fluent-bit/values.yaml.tpl

@@ -1,3 +1,4 @@
+imagePullSecrets: ${jsonencode(imagePullSecrets)}
 config:
   ## https://docs.fluentbit.io/manual/pipeline/inputs
   inputs: |
@@ -53,6 +54,9 @@ config:
 
     ${indent(4, filters)}
   outputs: |
+
+    %{ if cloudwatch_outputs_enabled }
+
     [OUTPUT]
         Name cloudwatch_logs
         Match  kube.*
@@ -80,4 +84,6 @@ config:
         auto_create_group ${auto_create_group}
         log_retention_days ${log_retention_days}
 
+    %{ endif ~}
+
     ${indent(4, outputs)}

modules/fluent-bit/variables.tf

@@ -76,9 +76,10 @@ variable "values_yaml" {
 variable "fluent_bit_config" {
   description = "You can add other inputs,outputs and filters which module doesn't have by default"
   default = {
-    inputs  = ""
-    outputs = ""
-    filters = ""
+    inputs                     = ""
+    outputs                    = ""
+    filters                    = ""
+    cloudwatch_outputs_enabled = true # whether to disable default cloudwatch exporter/output
   }
   type = any
 }
@@ -137,3 +138,9 @@ variable "additional_log_filters" {
   ]
   description = "Fluent bit doesn't send logs if message consists of this values"
 }
+
+variable "image_pull_secrets" {
+  type        = list(string)
+  default     = []
+  description = "Secret name which can we use for download image"
+}

tests/basic/README.md

@@ -9,7 +9,7 @@ No requirements.
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | n/a |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | 4.67.0 |
 
 ## Modules
 

tests/eks-fluent-bit/0-setup.tf

@@ -1,16 +1,12 @@
 terraform {
   required_providers {
-    test = {
-      source = "terraform.io/builtin/test"
-    }
-
     aws = {
       source  = "hashicorp/aws"
       version = ">= 3.41"
     }
   }
 
-  required_version = ">= 1.3.0, < 1.6.0"
+  required_version = ">= 1.3.0, < 2.0.0"
 }
 
 /**