
I'm trying to set up FluentBit for my EKS cluster in Terraform, via this module, and I have a couple of questions:

cluster_identity_oidc_issuer - what is this? Frankly, I was just told to set this up, so I have very little knowledge about FluentBit, but I assume this "issuer" provides an identity with the needed permissions. For example, Okta? We use Okta, so what would I use as a value here?

cluster_identity_oidc_issuer_arn - no idea what this value is supposed to be.

worker_iam_role_name - as in the role with autoscaling capabilities (oidc)?

This is what eks.tf looks like:

module "eks" {
  source = "terraform-aws-modules/eks/aws"

  cluster_name                    = "DevOpsLabs"
  cluster_version                 = "1.19"
  cluster_endpoint_private_access = true
  cluster_endpoint_public_access  = true

  cluster_addons = {
    coredns = {
      resolve_conflicts = "OVERWRITE"
    }
    kube-proxy = {}
    vpc-cni = {
      resolve_conflicts = "OVERWRITE"
    }
  }

  vpc_id     = "xxx"
  subnet_ids = ["xxx", "xxx", "xxx", "xxx"]

  self_managed_node_groups = {
    bottlerocket = {
      name = "bottlerocket-self-mng"

      platform      = "bottlerocket"
      ami_id        = "xxx"
      instance_type = "t2.small"
      desired_size  = 2

      iam_role_additional_policies = ["arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"]

      pre_bootstrap_user_data = <<-EOT
      echo "foo"
      export FOO=bar
      EOT

      bootstrap_extra_args = "--kubelet-extra-args '--node-labels=node.kubernetes.io/lifecycle=spot'"

      post_bootstrap_user_data = <<-EOT
      cd /tmp
      sudo yum install -y https://s3.amazonaws.com/ec2-downloads-windows/SSMAgent/latest/linux_amd64/amazon-ssm-agent.rpm
      sudo systemctl enable amazon-ssm-agent
      sudo systemctl start amazon-ssm-agent
      EOT
    }
  }
}

And for the role.tf:

data "aws_iam_policy_document" "cluster_autoscaler" {
  statement {
    effect = "Allow"

    actions = [
      "autoscaling:DescribeAutoScalingGroups",
      "autoscaling:DescribeAutoScalingInstances",
      "autoscaling:DescribeLaunchConfigurations",
      "autoscaling:DescribeTags",
      "autoscaling:SetDesiredCapacity",
      "autoscaling:TerminateInstanceInAutoScalingGroup",
      "ec2:DescribeLaunchTemplateVersions",
    ]

    resources = ["*"]
  }
}

module "config" {
  source  = "github.com/ahmad-hamade/terraform-eks-config/modules/eks-iam-role-with-oidc"
  cluster_name     = module.eks.cluster_id
  role_name        = "cluster-autoscaler"
  service_accounts = ["kube-system/cluster-autoscaler"]
  policies         = [data.aws_iam_policy_document.cluster_autoscaler.json]

  tags = {
    Terraform = "true"
    Environment = "dev-test"
  }
}

1 Answer

Since you are using a Terraform EKS module, you can access attributes of the created resources by looking at the Outputs tab [1]. There you can find the following outputs:

  • cluster_id
  • cluster_oidc_issuer_url
  • oidc_provider_arn

They are accessible by using the following syntax:

module.<module_name>.<output_id>

In your case, you would get the values you need using the following syntax:

  • cluster_id -> module.eks.cluster_id
  • cluster_oidc_issuer_url -> module.eks.cluster_oidc_issuer_url
  • oidc_provider_arn -> module.eks.oidc_provider_arn

and assign them to the inputs from the FluentBit module:

  cluster_name                     = module.eks.cluster_id
  cluster_identity_oidc_issuer     = module.eks.cluster_oidc_issuer_url
  cluster_identity_oidc_issuer_arn = module.eks.oidc_provider_arn

For the worker role I didn't see an output from the eks module, so I think that could be an output of the config module [2]:

worker_iam_role_name = module.config.iam_role_name

The OIDC parts of the configuration come from the EKS cluster [3]. Another blog post going into the details can be found here [4].

[1] https://registry.terraform.io/modules/terraform-aws-modules/eks/aws/latest?tab=outputs

[2] https://github.com/ahmad-hamade/terraform-eks-config/blob/master/modules/eks-iam-role-with-oidc/outputs.tf

[3] https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html

[4] https://aws.amazon.com/blogs/containers/introducing-oidc-identity-provider-authentication-amazon-eks/

Marko E
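To show what those two EKS outputs are actually used for, here is the IAM-roles-for-service-accounts (IRSA) trust policy that a module such as the FluentBit one builds from cluster_oidc_issuer_url and oidc_provider_arn. This is an added example, not code from the question, the answer or either module; it assumes module.eks from the question, and the namespace "logging", service account "fluent-bit", role name and log group path are made up for illustration.

```hcl
locals {
  # The OIDC condition keys use the bare issuer host/path, without the scheme.
  oidc_issuer_host = replace(module.eks.cluster_oidc_issuer_url, "https://", "")
}

# Trust policy: only the fluent-bit service account (assumed: namespace "logging")
# may exchange its projected token for this role.
data "aws_iam_policy_document" "fluentbit_assume" {
  statement {
    effect  = "Allow"
    actions = ["sts:AssumeRoleWithWebIdentity"]

    principals {
      type        = "Federated"
      identifiers = [module.eks.oidc_provider_arn] # the *_oidc_issuer_arn input
    }

    # Without the "sub" condition every service account behind this provider
    # could assume the role; "aud" pins the token to STS.
    condition {
      test     = "StringEquals"
      variable = "${local.oidc_issuer_host}:sub"
      values   = ["system:serviceaccount:logging:fluent-bit"]
    }
    condition {
      test     = "StringEquals"
      variable = "${local.oidc_issuer_host}:aud"
      values   = ["sts.amazonaws.com"]
    }
  }
}

resource "aws_iam_role" "fluentbit" {
  name               = "fluent-bit-irsa" # assumed name
  assume_role_policy = data.aws_iam_policy_document.fluentbit_assume.json
}

# Permissions policy scoped to the log group Fluent Bit writes to (assumed path).
data "aws_iam_policy_document" "fluentbit_logs" {
  statement {
    effect    = "Allow"
    actions   = ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:DescribeLogStreams", "logs:PutLogEvents"]
    resources = ["arn:aws:logs:*:*:log-group:/aws/eks/DevOpsLabs/*"]
  }
}

resource "aws_iam_role_policy" "fluentbit_logs" {
  role   = aws_iam_role.fluentbit.id
  policy = data.aws_iam_policy_document.fluentbit_logs.json
}
```

The FluentBit module does this wiring for you and annotates the service account with eks.amazonaws.com/role-arn; the point is that the issuer URL and provider ARN identify the cluster's own token issuer, not an external IdP like Okta.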