terraform-aws-modules / terraform-aws-iam

Terraform module to create AWS IAM resources 🇺🇦
https://registry.terraform.io/modules/terraform-aws-modules/iam/aws
Apache License 2.0
779 stars, 985 forks

VPC CNI CloudWatch Policy For Logs #503

Closed shaunofneuron closed 1 month ago

shaunofneuron commented 1 month ago

Is your request related to a new offering from AWS?

Is this functionality available in the AWS provider for Terraform? See CHANGELOG.md, too.

Is your request related to a problem? Please describe.

The VPC CNI Policy in policies.tf is missing permissions when AWS VPC CNI Network Policy logs are enabled. When enabled, a second container is added to the aws-node pod for a node agent, which requires CloudWatch logs permissions. Without these permissions, aws-node enters a CrashLoopBackOff state.

Describe the solution you'd like.

Add the following CloudWatch Logs permissions to the policy file:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "logs:DescribeLogGroups",
                "logs:CreateLogGroup",
                "logs:CreateLogStream",
                "logs:PutLogEvents"
            ],
            "Resource": "*"
        }
    ]
}

Describe alternatives you've considered.

There are no viable alternatives that allow the aws-node pod to function correctly without the required permissions for CloudWatch Logs.

Additional context

I am creating the EKS cluster using the AWS EKS Terraform module 20.8.5. Here’s an example configuration:

module "eks" {
  source  = "terraform-aws-modules/eks/aws"
  version = "20.8.5"

  cluster_addons = {
    coredns = {
      addon_version = var.cluster_addons_versions.coredns
    }
    kube-proxy = {
      addon_version = var.cluster_addons_versions.kube_proxy
    }
    vpc-cni = {
      before_compute           = true
      addon_version            = var.cluster_addons_versions.vpc_cni
      service_account_role_arn = module.vpc_cni_irsa.iam_role_arn

      configuration_values = jsonencode({
        "enableNetworkPolicy" : "true",
        "nodeAgent" : {
          "enablePolicyEventLogs" : "true",
          "enableCloudWatchLogs" : "true"
        }
      })
    }
  }
}

module "vpc_cni_irsa" {
  source  = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks"
  version = "5.39.0"

  role_name             = "${local.resource_prefix}-vpc-cni-irsa-role"
  attach_vpc_cni_policy = true
  vpc_cni_enable_ipv4   = true

  oidc_providers = {
    main = {
      provider_arn               = module.eks.oidc_provider_arn
      namespace_service_accounts = var.irsa_service_accounts.namespace_service_account_vpc_cni
    }
  }
}

This other related but closed issue contained most of what I included in this one; perhaps it can get some traction this time, since I am unable to re-open closed issues.
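The policy proposed above grants logs:CreateLogGroup, logs:CreateLogStream and logs:PutLogEvents on Resource "*", which lets the aws-node pod write into any log group in the account. The configuration below is an added example, not code from this issue or from the terraform-aws-iam module: it attaches the node-agent permissions as a separate, scoped policy to the same IRSA role via the submodule's role_policy_arns input, so it works without waiting for a module release and keeps the write permissions limited to log groups under the cluster's prefix. The /aws/eks/<cluster>/ prefix, local.cluster_name, and the data sources are assumptions; adjust the prefix to the log group your node agent actually creates. logs:DescribeLogGroups is kept on "*" because that action does not support resource-level scoping.

```hcl
# Added example (not the module's own code): least-privilege CloudWatch Logs
# access for the VPC CNI network-policy node agent, attached to the IRSA role.

data "aws_partition" "current" {}
data "aws_region" "current" {}
data "aws_caller_identity" "current" {}

locals {
  # Assumption: the EKS cluster name; the log-group prefix below is derived from it.
  cluster_name = module.eks.cluster_name

  # Assumption: the node agent writes under this prefix. Verify against the
  # log group the agent creates in your account and tighten if possible.
  node_agent_log_group_arn = "arn:${data.aws_partition.current.partition}:logs:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:log-group:/aws/eks/${local.cluster_name}/*"
}

data "aws_iam_policy_document" "vpc_cni_node_agent_logs" {
  statement {
    sid     = "NodeAgentLogGroupDiscovery"
    effect  = "Allow"
    actions = ["logs:DescribeLogGroups"]
    # DescribeLogGroups is a list action with no resource-level scoping.
    resources = ["*"]
  }

  statement {
    sid    = "NodeAgentLogWrite"
    effect = "Allow"
    actions = [
      "logs:CreateLogGroup",
      "logs:CreateLogStream",
      "logs:PutLogEvents",
    ]
    # The trailing wildcard also matches the :log-stream:* suffix that
    # CreateLogStream and PutLogEvents are evaluated against.
    resources = [local.node_agent_log_group_arn]
  }
}

resource "aws_iam_policy" "vpc_cni_node_agent_logs" {
  name_prefix = "${local.resource_prefix}-vpc-cni-node-agent-logs-"
  description = "CloudWatch Logs access for the VPC CNI network-policy node agent"
  policy      = data.aws_iam_policy_document.vpc_cni_node_agent_logs.json
}

module "vpc_cni_irsa" {
  source  = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks"
  version = "5.39.0"

  role_name             = "${local.resource_prefix}-vpc-cni-irsa-role"
  attach_vpc_cni_policy = true
  vpc_cni_enable_ipv4   = true

  # Supplementary policy attached alongside the module's built-in VPC CNI policy.
  role_policy_arns = {
    node_agent_logs = aws_iam_policy.vpc_cni_node_agent_logs.arn
  }

  oidc_providers = {
    main = {
      provider_arn               = module.eks.oidc_provider_arn
      namespace_service_accounts = ["kube-system:aws-node"]
    }
  }
}
```

After applying, confirm the permission set is sufficient by checking that the aws-node pod leaves CrashLoopBackOff and that the node agent's log group appears under the expected prefix; if the agent names its group differently, the write statement's resource is the only thing that needs to change.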

shaunofneuron commented 1 month ago

cc: @jmgalvez, thanks for the original issue

antonbabenko commented 1 month ago

This issue has been resolved in version 5.42.0 :tada:

github-actions[bot] commented 1 week ago

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.