cds-snc / notification-terraform

Terraform for notification.canada.ca
MIT License

Xray EKS Terraform IAM #1471

Closed P0NDER0SA closed 1 month ago

P0NDER0SA commented 1 month ago

Summary | Résumé

Adding the IAM work for K8s/EKS to allow XRay to connect and monitor our clusters. This won't work yet without a Daemon pod deployed.

Related Issues | Cartes liées

Tracing / correlate requests through the Notify components (AWS X-Ray)

Test instructions | Instructions pour tester la modification

Watch the Terraform Plans and Applies. We can't know if this actually works until we have a daemon.

Release Instructions | Instructions pour le déploiement

None.

Reviewer checklist | Liste de vérification du réviseur

⚠ If boxes cannot be checked off before merging the PR, they should be moved to the "Release Instructions" section with appropriate steps required to verify before release. For example, changes to celery code may require tests on staging to verify that performance has not been affected.

github-actions[bot] commented 1 month ago

Staging: eks

✅ Terraform Init: success
✅ Terraform Validate: success
✅ Terraform Format: success
✅ Terraform Plan: success
✅ Conftest: success

Plan: 4 to add, 0 to change, 0 to destroy
Summary

| CHANGE | NAME |
|--------|------|
| add | `aws_iam_instance_profile.nodes_k8s_instance_profile` |
| | `aws_iam_policy.xray_policy` |
| | `aws_iam_role.nodes_k8s_role` |
| | `aws_iam_role_policy_attachment.attach_xray_policy` |
Plan

```terraform
Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # aws_iam_instance_profile.nodes_k8s_instance_profile will be created
  + resource "aws_iam_instance_profile" "nodes_k8s_instance_profile" {
      + arn         = (known after apply)
      + create_date = (known after apply)
      + id          = (known after apply)
      + name        = "nodes.k8s.cluster.staging"
      + name_prefix = (known after apply)
      + path        = "/"
      + role        = "nodes.k8s.cluster.staging"
      + tags_all    = (known after apply)
      + unique_id   = (known after apply)
    }

  # aws_iam_policy.xray_policy will be created
  + resource "aws_iam_policy" "xray_policy" {
      + arn         = (known after apply)
      + description = "Policy to allow XRay tracing"
      + id          = (known after apply)
      + name        = "XRayPolicy"
      + name_prefix = (known after apply)
      + path        = "/"
      + policy      = jsonencode(
            {
              + Statement = [
                  + {
                      + Action   = [
                          + "xray:PutTraceSegments",
                          + "xray:PutTelemetryRecords",
                        ]
                      + Effect   = "Allow"
                      + Resource = [
                          + "arn:aws:iam::239043911459:instance-profile/nodes.k8s.cluster.staging",
                        ]
                    },
                ]
              + Version   = "2012-10-17"
            }
        )
      + policy_id   = (known after apply)
      + tags_all    = (known after apply)
    }

  # aws_iam_role.nodes_k8s_role will be created
  + resource "aws_iam_role" "nodes_k8s_role" {
      + arn                   = (known after apply)
      + assume_role_policy    = jsonencode(
            {
              + Statement = [
                  + {
                      + Action    = "sts:AssumeRole"
                      + Effect    = "Allow"
                      + Principal = {
                          + Service = "ec2.amazonaws.com"
                        }
                    },
                ]
              + Version   = "2012-10-17"
            }
        )
      + create_date           = (known after apply)
      + force_detach_policies = false
      + id                    = (known after apply)
      + managed_policy_arns   = (known after apply)
      + max_session_duration  = 3600
      + name                  = "nodes.k8s.cluster.staging"
      + name_prefix           = (known after apply)
      + path                  = "/"
      + tags_all              = (known after apply)
      + unique_id             = (known after apply)
    }

  # aws_iam_role_policy_attachment.attach_xray_policy will be created
  + resource "aws_iam_role_policy_attachment" "attach_xray_policy" {
      + id         = (known after apply)
      + policy_arn = (known after apply)
      + role       = "eks-worker-role"
    }

Plan: 4 to add, 0 to change, 0 to destroy.

─────────────────────────────────────────────────────────────────────────────

Saved the plan to: plan.tfplan

To perform exactly these actions, run the following command to apply:
    terraform apply "plan.tfplan"
```
Conftest results

```sh
WARN - plan.json - main - Missing Common Tags: ["aws_acm_certificate.client_vpn"]
WARN - plan.json - main - Missing Common Tags: ["aws_acm_certificate.notification-canada-ca"]
WARN - plan.json - main - Missing Common Tags: ["aws_acm_certificate.notification-canada-ca-alt[0]"]
WARN - plan.json - main - Missing Common Tags: ["aws_alb.notification-canada-ca"]
WARN - plan.json - main - Missing Common Tags: ["aws_alb_listener.internal_alb_tls"]
WARN - plan.json - main - Missing Common Tags: ["aws_alb_listener.notification-canada-ca"]
WARN - plan.json - main - Missing Common Tags: ["aws_alb_target_group.internal_nginx_http"]
WARN - plan.json - main - Missing Common Tags: ["aws_alb_target_group.notification-canada-ca-admin"]
WARN - plan.json - main - Missing Common Tags: ["aws_alb_target_group.notification-canada-ca-api"]
WARN - plan.json - main - Missing Common Tags: ["aws_alb_target_group.notification-canada-ca-document"]
WARN - plan.json - main - Missing Common Tags: ["aws_alb_target_group.notification-canada-ca-document-api"]
WARN - plan.json - main - Missing Common Tags: ["aws_alb_target_group.notification-canada-ca-documentation"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_log_group.notification-canada-ca-eks-application-logs[0]"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_log_group.notification-canada-ca-eks-cluster-logs[0]"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_log_group.notification-canada-ca-eks-prometheus-logs[0]"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_metric_alarm.admin-evicted-pods[0]"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_metric_alarm.admin-pods-high-cpu-warning[0]"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_metric_alarm.admin-pods-high-memory-warning[0]"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_metric_alarm.admin-replicas-unavailable[0]"]
WARN - plan.json - main - Missing Common Tags:...
```
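As an added example, not the project's own code, here are the same four resources written with two corrections a reviewer would check against the plan above: the attachment references the role Terraform creates instead of the literal name "eks-worker-role", and the X-Ray statement uses Resource "*" because xray:PutTraceSegments and xray:PutTelemetryRecords have no resource type, so a statement scoped to the instance-profile ARN never matches the daemon's requests. The `var.env` variable and the data-source names are assumptions.

```terraform
# Added example, not the project's code. Resource names and var.env are assumptions.
variable "env" {
  type    = string
  default = "staging"
}

# Trust policy: only EC2 instances (the EKS worker nodes) may assume this role.
data "aws_iam_policy_document" "nodes_assume" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["ec2.amazonaws.com"]
    }
  }
}

resource "aws_iam_role" "nodes_k8s_role" {
  name               = "nodes.k8s.cluster.${var.env}"
  assume_role_policy = data.aws_iam_policy_document.nodes_assume.json
}

# The two write actions the X-Ray daemon needs. Neither has a resource type,
# so the statement must use "*"; an ARN here would never match a request.
data "aws_iam_policy_document" "xray_write" {
  statement {
    actions   = ["xray:PutTraceSegments", "xray:PutTelemetryRecords"]
    resources = ["*"]
  }
}

resource "aws_iam_policy" "xray_policy" {
  name        = "XRayPolicy"
  description = "Policy to allow X-Ray tracing"
  policy      = data.aws_iam_policy_document.xray_write.json
}

# Attach by reference so the policy lands on the role defined above and
# Terraform orders the creation correctly.
resource "aws_iam_role_policy_attachment" "attach_xray_policy" {
  role       = aws_iam_role.nodes_k8s_role.name
  policy_arn = aws_iam_policy.xray_policy.arn
}

resource "aws_iam_instance_profile" "nodes_k8s_instance_profile" {
  name = aws_iam_role.nodes_k8s_role.name
  role = aws_iam_role.nodes_k8s_role.name
}
```

AWS also publishes the managed policy `AWSXRayDaemonWriteAccess` for exactly this daemon use case; attaching it by ARN is an alternative to maintaining the custom policy.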