terraform-aws-modules / terraform-aws-iam

Terraform module to create AWS IAM resources 🇺🇦
https://registry.terraform.io/modules/terraform-aws-modules/iam/aws
Apache License 2.0

feat: Add cloudwatch logs policy to vpc-cni for networkpolicy logging #504

Closed shaunofneuron closed 2 months ago

shaunofneuron commented 2 months ago

Description

Creates additional policy to satisfy the newly available aws-vpc-cni feature to send logs to CloudWatch.

Motivation and Context

Additional details in issue https://github.com/terraform-aws-modules/terraform-aws-iam/issues/503 and https://github.com/terraform-aws-modules/terraform-aws-iam/issues/482.

Breaking Changes

None that I am aware of; the default behavior is disabled (set to false).

How Has This Been Tested?

Local plan shows the new policy when enabled:

  # module.vpc_cni_ipv4_irsa_role.aws_iam_policy.vpc_cni[0] will be created
    + resource "aws_iam_policy" "vpc_cni" {
      + policy           = jsonencode(
            {
              + Statement = [
                  + {
                      + Action   = [
                          + "ec2:UnassignPrivateIpAddresses",
                          + "ec2:ModifyNetworkInterfaceAttribute",
                          + "ec2:DetachNetworkInterface",
                          + "ec2:DescribeTags",
                          + "ec2:DescribeSubnets",
                          + "ec2:DescribeNetworkInterfaces",
                          + "ec2:DescribeInstances",
                          + "ec2:DescribeInstanceTypes",
                          + "ec2:DeleteNetworkInterface",
                          + "ec2:CreateNetworkInterface",
                          + "ec2:AttachNetworkInterface",
                          + "ec2:AssignPrivateIpAddresses",
                        ]
                      + Effect   = "Allow"
                      + Resource = "*"
                      + Sid      = "IPV4"
                    },
                  + {
                      + Action   = [
                          + "logs:PutLogEvents",
                          + "logs:DescribeLogGroups",
                          + "logs:CreateLogStream",
                          + "logs:CreateLogGroup",
                        ]
                      + Effect   = "Allow"
                      + Resource = "*"
                      + Sid      = "CloudWatchLogs"
                    },
                  + {
                      + Action   = "ec2:CreateTags"
                      + Effect   = "Allow"
                      + Resource = "arn:aws:ec2:*:*:network-interface/*"
                      + Sid      = "CreateTags"
                    },
                ]
              + Version   = "2012-10-17"
            }
        )

Note to reviewer: I am open to feedback, especially on the naming of the feature flags.
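An added review-side check, not code from this PR or from the terraform-aws-iam module: it takes the policy document from the plan output above (re-typed here as a Python dict) and lists, per statement, the non-read-only actions granted on Resource "*", which is the first thing a reviewer would want to see for the new CloudWatchLogs statement. Classifying actions as read-only by their Describe/Get/List verb prefix is an assumption of this example.

```python
import json

# Policy document constructed from the terraform plan output in the PR above.
VPC_CNI_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "IPV4", "Effect": "Allow", "Resource": "*",
         "Action": ["ec2:UnassignPrivateIpAddresses", "ec2:ModifyNetworkInterfaceAttribute",
                    "ec2:DetachNetworkInterface", "ec2:DescribeTags", "ec2:DescribeSubnets",
                    "ec2:DescribeNetworkInterfaces", "ec2:DescribeInstances",
                    "ec2:DescribeInstanceTypes", "ec2:DeleteNetworkInterface",
                    "ec2:CreateNetworkInterface", "ec2:AttachNetworkInterface",
                    "ec2:AssignPrivateIpAddresses"]},
        {"Sid": "CloudWatchLogs", "Effect": "Allow", "Resource": "*",
         "Action": ["logs:PutLogEvents", "logs:DescribeLogGroups",
                    "logs:CreateLogStream", "logs:CreateLogGroup"]},
        {"Sid": "CreateTags", "Effect": "Allow",
         "Resource": "arn:aws:ec2:*:*:network-interface/*", "Action": "ec2:CreateTags"},
    ],
}

# Assumption of this example: verbs with these prefixes are treated as read-only.
READ_ONLY_PREFIXES = ("Describe", "Get", "List")

def _as_list(value):
    """IAM allows Action/Resource to be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]

def is_read_only(action):
    """Return True for service:Describe*/Get*/List*; everything else is treated as mutating."""
    _, _, verb = action.partition(":")
    return verb.startswith(READ_ONLY_PREFIXES)

def wildcard_mutating_statements(policy):
    """Return {Sid: sorted mutating actions} for Allow statements whose Resource includes "*"."""
    findings = {}
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        if "*" not in _as_list(stmt.get("Resource", [])):
            continue
        mutating = sorted(a for a in _as_list(stmt.get("Action", [])) if not is_read_only(a))
        if mutating:
            findings[stmt.get("Sid", "<no Sid>")] = mutating
    return findings

if __name__ == "__main__":
    print(json.dumps(wildcard_mutating_statements(VPC_CNI_POLICY), indent=2))
```

The CreateTags statement drops out because it is already scoped to network-interface ARNs; the IPV4 and CloudWatchLogs statements are reported, and for the latter the three logs write actions are the ones a reviewer might ask to be scoped to the CNI log group ARN.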

antonbabenko commented 2 months ago

This PR is included in version 5.42.0 🎉

github-actions[bot] commented 1 month ago

I'm going to lock this pull request because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems related to this change, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.