fix: Update CloudWatch Observability permissions and add to example/R…

…EADME
terraform-aws-modules · Mar 18, 2024 · b75e8de · b75e8de
1 parent ffc8ede
commit b75e8de
Show file tree

Hide file tree

Showing 4 changed files with 33 additions and 2 deletions.
diff --git a/README.md b/README.md
@@ -83,6 +83,23 @@ module "cert_manager_pod_identity" {
 }
 ```
 
+### [AWS CloudWatch Observability](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/install-CloudWatch-Observability-EKS-addon.html)
+
+```hcl
+module "aws_cloudwatch_observability_pod_identity" {
+  source = "terraform-aws-modules/eks-pod-identity/aws"
+
+  name = "aws-cloudwatch-observability"
+
+  attach_aws_cloudwatch_observability_policy = true
+
+  tags = {
+    Environment = "dev"
+  }
+}
+```
+
+
 ### [Cluster Autoscaler](https://github.com/kubernetes/autoscaler)
 
 ```hcl

diff --git a/aws_cloudwatch_observability.tf b/aws_cloudwatch_observability.tf
@@ -3,8 +3,11 @@
 ################################################################################
 
 resource "aws_iam_role_policy_attachment" "aws_cloudwatch_observability" {
-  count = var.create && var.attach_aws_cloudwatch_observability_policy ? 1 : 0
+  for_each = { for k, v in {
+    CloudWatchAgentServerPolicy = "arn:${local.partition}:iam::aws:policy/CloudWatchAgentServerPolicy"
+    AWSXrayWriteOnlyAccess      = "arn:${local.partition}:iam::aws:policy/AWSXrayWriteOnlyAccess"
+  } : k => v if var.create && var.attach_aws_cloudwatch_observability_policy }
 
   role       = aws_iam_role.this[0].name
-  policy_arn = "arn:${local.partition}:iam::aws:policy/CloudWatchAgentServerPolicy"
+  policy_arn = each.value
 }
diff --git a/examples/complete/README.md b/examples/complete/README.md
@@ -35,6 +35,7 @@ Note that this example may create resources which will incur monetary charges on
 | <a name="module_amazon_managed_service_prometheus_pod_identity"></a> [amazon\_managed\_service\_prometheus\_pod\_identity](#module\_amazon\_managed\_service\_prometheus\_pod\_identity) | ../../ | n/a |
 | <a name="module_aws_appmesh_controller_pod_identity"></a> [aws\_appmesh\_controller\_pod\_identity](#module\_aws\_appmesh\_controller\_pod\_identity) | ../../ | n/a |
 | <a name="module_aws_appmesh_envoy_proxy_pod_identity"></a> [aws\_appmesh\_envoy\_proxy\_pod\_identity](#module\_aws\_appmesh\_envoy\_proxy\_pod\_identity) | ../../ | n/a |
+| <a name="module_aws_cloudwatch_observability_pod_identity"></a> [aws\_cloudwatch\_observability\_pod\_identity](#module\_aws\_cloudwatch\_observability\_pod\_identity) | ../../ | n/a |
 | <a name="module_aws_ebs_csi_pod_identity"></a> [aws\_ebs\_csi\_pod\_identity](#module\_aws\_ebs\_csi\_pod\_identity) | ../../ | n/a |
 | <a name="module_aws_efs_csi_pod_identity"></a> [aws\_efs\_csi\_pod\_identity](#module\_aws\_efs\_csi\_pod\_identity) | ../../ | n/a |
 | <a name="module_aws_fsx_lustre_csi_pod_identity"></a> [aws\_fsx\_lustre\_csi\_pod\_identity](#module\_aws\_fsx\_lustre\_csi\_pod\_identity) | ../../ | n/a |

diff --git a/examples/complete/main.tf b/examples/complete/main.tf
@@ -55,6 +55,16 @@ module "cert_manager_pod_identity" {
   tags = local.tags
 }
 
+module "aws_cloudwatch_observability_pod_identity" {
+  source = "../../"
+
+  name = "aws-cloudwatch-observability"
+
+  attach_aws_cloudwatch_observability_policy = true
+
+  tags = local.tags
+}
+
 module "cluster_autoscaler_pod_identity" {
   source = "../../"