Add helm chart to install AWS Cloudwatch adapter module

aws/platform/main.tf

@@ -24,6 +24,11 @@ module "common_platform" {
     var.cert_manager_values
   )
 
+  cloudwatch_adapter_values = concat(
+    local.cloudwatch_adapter_values,
+    var.cloudwatch_adapter_values
+  )
+
   cluster_autoscaler_values = concat(
     local.cluster_autoscaler_values,
     var.cluster_autoscaler_values
@@ -128,6 +133,15 @@ module "cloudwatch_logs" {
   skip_destroy      = var.logs_skip_destroy
 }
 
+module "cloudwatch_adapter_service_account_role" {
+  source = "./modules/cloudwatch-adapter-service-account-role"
+
+  aws_namespace = [module.cluster_name.full]
+  aws_tags      = var.aws_tags
+  k8s_namespace = var.k8s_namespace
+  oidc_issuer   = data.aws_ssm_parameter.oidc_issuer.value
+}
+
 module "cluster_autoscaler_service_account_role" {
   source = "./modules/cluster-autoscaler-service-account-role"
 
@@ -251,6 +265,16 @@ locals {
     })
   ]
 
+  cloudwatch_adapter_values = [
+    yamlencode({
+      serviceAccount = {
+        annotations = {
+          "eks.amazonaws.com/role-arn" = module.cloudwatch_adapter_service_account_role.arn
+        }
+      }
+    })
+  ]
+
   cluster_autoscaler_values = [
     yamlencode({
       autoDiscovery = {

aws/platform/modules/cloudwatch-adapter-service-account-role/README.md

@@ -0,0 +1,44 @@
+<!-- BEGIN_TF_DOCS -->
+## Requirements
+
+| Name | Version |
+|------|---------|
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.14.8 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | ~> 4.0 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_aws"></a> [aws](#provider\_aws) | ~> 4.0 |
+
+## Modules
+
+| Name | Source | Version |
+|------|--------|---------|
+| <a name="module_cluster_autoscaler_service_account_role"></a> [cluster\_autoscaler\_service\_account\_role](#module\_cluster\_autoscaler\_service\_account\_role) | ../../../service-account-role | n/a |
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_iam_policy.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
+| [aws_iam_role_policy_attachment.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
+| [aws_iam_policy_document.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_aws_namespace"></a> [aws\_namespace](#input\_aws\_namespace) | Prefix to be applied to created AWS resources | `list(string)` | `[]` | no |
+| <a name="input_aws_tags"></a> [aws\_tags](#input\_aws\_tags) | Tags to be applied to created AWS resources | `map(string)` | `{}` | no |
+| <a name="input_k8s_namespace"></a> [k8s\_namespace](#input\_k8s\_namespace) | Kubernetes namespace in which resources should be created | `string` | n/a | yes |
+| <a name="input_oidc_issuer"></a> [oidc\_issuer](#input\_oidc\_issuer) | OIDC issuer of the Kubernetes cluster | `string` | n/a | yes |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| <a name="output_arn"></a> [arn](#output\_arn) | The ARN of the created role |
+| <a name="output_service_account_role_arn"></a> [service\_account\_role\_arn](#output\_service\_account\_role\_arn) | ARN of the AWS IAM role created for service accounts |
+<!-- END_TF_DOCS -->

aws/platform/modules/cloudwatch-adapter-service-account-role/main.tf

@@ -0,0 +1,28 @@
+module "cloudwatch_adapter_service_account_role" {
+  source = "../../../service-account-role"
+
+  name             = "cloudwatch-adapter"
+  namespace        = var.aws_namespace
+  oidc_issuers     = [var.oidc_issuer]
+  service_accounts = ["${var.k8s_namespace}:cloudwatch-adapter"]
+  tags             = var.aws_tags
+}
+
+resource "aws_iam_policy" "this" {
+  name   = module.cloudwatch_adapter_service_account_role.name
+  policy = data.aws_iam_policy_document.this.json
+}
+
+resource "aws_iam_role_policy_attachment" "this" {
+  role       = module.cloudwatch_adapter_service_account_role.name
+  policy_arn = aws_iam_policy.this.arn
+}
+
+data "aws_iam_policy_document" "this" {
+  statement {
+    actions = [
+      "cloudwatch:GetMetricData"
+    ]
+    resources = ["*"]
+  }
+}

aws/platform/modules/cloudwatch-adapter-service-account-role/makefile

@@ -0,0 +1,67 @@
+MODULEFILES := $(wildcard *.tf)
+TFLINTRC    ?= ../../.tflint.hcl
+TFDOCSRC    ?= ../../.terraform-docs.yml
+
+.PHONY: default
+default: checkfmt validate docs lint
+
+.PHONY: checkfmt
+checkfmt: .fmt
+
+.PHONY: fmt
+fmt: $(MODULEFILES)
+	terraform fmt
+	@touch .fmt
+
+.PHONY: validate
+validate: .validate
+
+.PHONY: docs
+docs: README.md
+
+.PHONY: lint
+lint: .lint
+
+.lint: $(MODULEFILES) .lintinit
+	tflint --config=$(TFLINTRC)
+	@touch .lint
+
+.lintinit: $(TFLINTRC)
+	tflint --init --config=$(TFLINTRC) --module
+	@touch .lintinit
+
+README.md: $(MODULEFILES)
+	terraform-docs --config "$(TFDOCSRC)" markdown table . --output-file README.md
+
+.fmt: $(MODULEFILES)
+	terraform fmt -check
+	@touch .fmt
+
+.PHONY: init
+init: .init
+
+.init: versions.tf .dependencies
+	terraform init -backend=false
+	@touch .init
+
+.validate: .init $(MODULEFILES) $(wildcard *.tf.example)
+	echo | cat - $(wildcard *.tf.example) > test.tf
+	if AWS_DEFAULT_REGION=us-east-1 terraform validate; then \
+		rm test.tf; \
+		touch .validate; \
+	else \
+		rm test.tf; \
+		false; \
+	fi
+
+.dependencies: *.tf
+	@grep -ohE \
+		"\b(backend|provider|resource|module) ['\"][[:alpha:]][[:alnum:]]*|\bsource  *=.*" *.tf | \
+		sed "s/['\"]//" | sort | uniq | \
+		tee /tmp/initdeps | \
+		diff -q .dependencies - >/dev/null 2>&1 || \
+		mv /tmp/initdeps .dependencies
+
+.PHONY: clean
+clean:
+	rm -rf .dependencies .fmt .init .lint .lintinit .terraform* .validate

aws/platform/modules/cloudwatch-adapter-service-account-role/outputs.tf

@@ -0,0 +1,9 @@
+output "arn" {
+  description = "The ARN of the created role"
+  value       = module.cloudwatch_adapter_service_account_role.instance.arn
+}
+
+output "service_account_role_arn" {
+  description = "ARN of the AWS IAM role created for service accounts"
+  value       = module.cloudwatch_adapter_service_account_role.instance.arn
+}

aws/platform/modules/cloudwatch-adapter-service-account-role/variables.tf

@@ -0,0 +1,21 @@
+variable "aws_namespace" {
+  type        = list(string)
+  default     = []
+  description = "Prefix to be applied to created AWS resources"
+}
+
+variable "aws_tags" {
+  type        = map(string)
+  description = "Tags to be applied to created AWS resources"
+  default     = {}
+}
+
+variable "k8s_namespace" {
+  type        = string
+  description = "Kubernetes namespace in which resources should be created"
+}
+
+variable "oidc_issuer" {
+  type        = string
+  description = "OIDC issuer of the Kubernetes cluster"
+}

aws/platform/modules/cloudwatch-adapter-service-account-role/versions.tf

@@ -0,0 +1,9 @@
+terraform {
+  required_version = ">= 0.14.8"
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 4.0"
+    }
+  }
+}

aws/platform/variables.tf

@@ -51,6 +51,12 @@ variable "certificate_issuer" {
   default     = null
 }
 
+variable "cloudwatch_adapter_values" {
+  description = "Overrides to pass to the Helm chart"
+  type        = list(string)
+  default     = []
+}
+
 variable "cluster_autoscaler_values" {
   description = "Overrides to pass to the Helm chart"
   type        = list(string)

platform/main.tf

@@ -60,6 +60,13 @@ module "cert_manager" {
   k8s_namespace = local.flightdeck_namespace
 }
 
+module "cloudwatch_adapter" {
+  source = "./modules/cloudwatch-adapter"
+
+  chart_values  = var.cloudwatch_adapter_values
+  k8s_namespace = local.flightdeck_namespace
+}
+
 module "cluster_autoscaler" {
   source = "./modules/cluster-autoscaler"
 

platform/modules/cloudwatch-adapter/README.md

@@ -0,0 +1,29 @@
+<!-- BEGIN_TF_DOCS -->
+## Requirements
+
+| Name | Version |
+|------|---------|
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.14.8 |
+| <a name="requirement_helm"></a> [helm](#requirement\_helm) | ~> 2.4 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_helm"></a> [helm](#provider\_helm) | ~> 2.4 |
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [helm_release.ingress_config](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_domain_names"></a> [domain\_names](#input\_domain\_names) | Domains which are allowed in this cluster | `list(string)` | `[]` | no |
+| <a name="input_issuer"></a> [issuer](#input\_issuer) | YAML spec for the cert-manager issuer | `string` | `null` | no |
+| <a name="input_k8s_namespace"></a> [k8s\_namespace](#input\_k8s\_namespace) | Kubernetes namespace in which secrets should be created | `string` | n/a | yes |
+| <a name="input_name"></a> [name](#input\_name) | Name for the Helm release | `string` | `"ingress-config"` | no |
+<!-- END_TF_DOCS -->

platform/modules/cloudwatch-adapter/chart/Chart.yaml

@@ -0,0 +1,9 @@
+apiVersion: v2
+name: cloudwatch-adapter
+description: Configuration for cloudwatch adapter to fetch AWS Cloudwatch metrics in kubernetes
+
+type: application
+
+version: 0.1.0
+
+appVersion: 1.0.0