Cost monitoring with kubecost and AMP

bin/single-new-eks-awsnative-cost-monitoring.ts

@@ -0,0 +1,6 @@
+import SingleNewEksCostMonitoringPattern from '../lib/single-new-eks-cost-monitoring-pattern';
+import { configureApp } from '../lib/common/construct-utils';
+
+const app = configureApp();
+
+new SingleNewEksCostMonitoringPattern(app, "single-new-eks-awsnative-cost");

bin/single-new-eks-cost-monitoring.ts

@@ -0,0 +1,11 @@
+import { configureApp, errorHandler } from '../lib/common/construct-utils';
+import SingleNewEksCostMonitoringPattern from '../lib/single-new-eks-cost-monitoring-pattern';
+
+const app = configureApp();
+
+new SingleNewEksCostMonitoringPattern()
+    .buildAsync(app, 'single-new-eks-cost-monitoring')
+    .catch((e) => {
+        errorHandler(app, "Secure Ingress Auth pattern is not setup due to missing secrets for ArgoCD admin pwd. \
+            See Secure Ingress Auth in the readme for instructions", e);
+    });

lib/common/resources/otel-collector-config.yml

@@ -44,6 +44,17 @@ spec:
             external_labels:
               cluster: "{{clusterName}}"
           scrape_configs:
+            - job_name: kubecost
+                honor_labels: true
+                scrape_interval: 1m
+                scrape_timeout: 10s
+                metrics_path: /metrics
+                scheme: http
+                dns_sd_configs:
+                - names:
+                  - dashboard.kubecost.avt.eks.aws.dev
+                  type: 'A'
+                  port: 9003
             {{ start enableAdotMetricsCollectionJob}}
             - job_name: otel-collector-metrics
               scrape_interval: 10s

lib/single-new-eks-cost-monitoring-pattern/cognito-idp-stack.ts

@@ -0,0 +1,129 @@
+import * as cdk from 'aws-cdk-lib';
+import * as blueprints from '@aws-quickstart/eks-blueprints';
+import { Construct } from 'constructs';
+import * as cognito from 'aws-cdk-lib/aws-cognito';
+import * as lambda from 'aws-cdk-lib/aws-lambda';
+import * as iam from 'aws-cdk-lib/aws-iam';
+
+export default class CognitoIdpStack extends cdk.Stack {
+
+    public readonly userPoolOut: cognito.UserPool;
+    public readonly userPoolClientOut: cognito.UserPoolClient;
+    public readonly userPoolDomainOut: cognito.UserPoolDomain;
+
+    constructor(scope: Construct, id: string, subDomain: string, props?: cdk.StackProps) {
+        super(scope, id, props);
+
+        const lambdaExecutionRole = new iam.Role(this, 'Lambda Execution Role', {
+            assumedBy: new iam.ServicePrincipal('lambda.amazonaws.com'),
+        });
+
+        lambdaExecutionRole.addManagedPolicy(iam.ManagedPolicy.fromAwsManagedPolicyName("service-role/AWSLambdaBasicExecutionRole"));
+        lambdaExecutionRole.addManagedPolicy(iam.ManagedPolicy.fromAwsManagedPolicyName("AmazonSSMReadOnlyAccess"));     
+
+        const authChallengeFn = new lambda.Function(this, 'authChallengeFn', {
+            runtime: lambda.Runtime.PYTHON_3_12,
+            code: lambda.Code.fromAsset('./lib/single-new-eks-cost-monitoring-pattern/lambda'),
+            handler: 'lambda_function.lambda_handler',
+            role: lambdaExecutionRole,
+            environment: {
+                "ALLOWED_DOMAINS_LIST": blueprints.utils.valueFromContext(scope, "allowed.domains.list", "example.com")
+            }
+        });
+
+
+        // Cognito User Pool
+        const userPool = new cognito.UserPool(this, 'CognitoIDPUserPool', {
+            userPoolName: 'CognitoIDPUserPool',
+            selfSignUpEnabled: true,
+            signInAliases: {
+                email: true,
+                username: true
+            },
+            standardAttributes: {
+                email: {
+                    mutable: true,
+                    required: true
+                },
+                givenName: {
+                    mutable: true,
+                    required: true
+                },
+                familyName: {
+                    mutable: true,
+                    required: true
+                }
+            },
+            lambdaTriggers: {
+                preSignUp: authChallengeFn,
+                preAuthentication: authChallengeFn,
+            },            
+        });
+
+
+        // Output the User Pool ID
+
+        this.userPoolOut = userPool;
+
+        new cdk.CfnOutput(this, 'CognitoIDPUserPoolOut', {
+            value: userPool.userPoolId,
+            exportName: 'CognitoIDPUserPoolId'
+        });
+
+        new cdk.CfnOutput(this, 'CognitoIDPUserPoolArnOut', {
+            value: userPool.userPoolArn,
+            exportName: 'CognitoIDPUserPoolArn'
+        });
+
+
+        // We will ask the IDP to redirect back to our domain's index page
+        const redirectUri = `https://${subDomain}/oauth2/idpresponse`;
+
+        // Configure the user pool client application 
+        const userPoolClient = new cognito.UserPoolClient(this, 'CognitoAppClient', {
+            userPool,
+            authFlows: {
+                userPassword: true
+            },
+            oAuth: {
+                flows: {
+                    authorizationCodeGrant: true
+                },
+                scopes: [
+                    cognito.OAuthScope.OPENID
+                ],
+                callbackUrls: [redirectUri]
+                // TODO - What about logoutUrls?
+            },
+            generateSecret: true,
+            userPoolClientName: 'Web',
+            supportedIdentityProviders: [cognito.UserPoolClientIdentityProvider.COGNITO]
+        });
+
+        // Output the User Pool App Client ID
+        this.userPoolClientOut = userPoolClient;
+
+        new cdk.CfnOutput(this, 'CognitoIDPUserPoolClientOut', {
+            value: userPoolClient.userPoolClientId,
+            exportName: 'CognitoIDPUserPoolClientId'
+        });
+
+        // Add the domain to the user pool
+        const randomText = (Math.random() + 1).toString(36).substring(7);
+        const userPoolDomain = userPool.addDomain('CognitoDomain', {
+            cognitoDomain: {
+                domainPrefix: `my-cdk-blueprint-${randomText}`,
+            },
+        });
+
+        // Output the User Pool App Client ID
+
+        this.userPoolDomainOut = userPoolDomain;
+
+        new cdk.CfnOutput(this, 'CognitoIDPUserPoolDomainOut', {
+            value: userPoolDomain.domainName,
+            exportName: 'CognitoIDPUserPoolDomain'
+        });
+
+    }
+}

lib/single-new-eks-cost-monitoring-pattern/grafanaoperatorsecretaddon.ts

@@ -0,0 +1,102 @@
+import 'source-map-support/register';
+import * as blueprints from '@aws-quickstart/eks-blueprints';
+import * as eks from "aws-cdk-lib/aws-eks";
+import { ManagedPolicy } from "aws-cdk-lib/aws-iam";
+import { Construct } from 'constructs';
+import { createNamespace, dependable } from '@aws-quickstart/eks-blueprints/dist/utils';
+
+export class GrafanaOperatorSecretAddon implements blueprints.ClusterAddOn {
+    id?: string | undefined;
+    @dependable(blueprints.addons.ExternalsSecretsAddOn.name, blueprints.addons.GrafanaOperatorAddon.name)
+    deploy(clusterInfo: blueprints.ClusterInfo): void | Promise<Construct> {
+        const cluster = clusterInfo.cluster;
+
+        const policyRead = ManagedPolicy.fromAwsManagedPolicyName("AmazonPrometheusQueryAccess");
+        const policyWrite = ManagedPolicy.fromAwsManagedPolicyName("AmazonPrometheusRemoteWriteAccess");
+
+        const serviceAccount1 = cluster.addServiceAccount("kubecost-cost-analyzer-amp", {
+            name: "kubecost-cost-analyzer-amp",
+            namespace: "kubecost"
+        });
+
+
+        serviceAccount1.role.addManagedPolicy(policyRead);
+        serviceAccount1.role.addManagedPolicy(policyWrite);
+
+        const serviceAccount2 = cluster.addServiceAccount("kubecost-prometheus-server-amp", {
+            name: "kubecost-prometheus-server-amp",
+            namespace: "kubecost"
+        });
+
+        serviceAccount2.role.addManagedPolicy(policyRead);
+        serviceAccount2.role.addManagedPolicy(policyWrite);
+
+        const namespace = createNamespace("kubecost",cluster);
+
+        serviceAccount1.node.addDependency(namespace);
+        serviceAccount2.node.addDependency(namespace);
+
+        const secretStore = new eks.KubernetesManifest(clusterInfo.cluster.stack, "ClusterSecretStore", {
+            cluster: cluster,
+            manifest: [
+                {
+                    apiVersion: "external-secrets.io/v1beta1",
+                    kind: "ClusterSecretStore",
+                    metadata: {
+                        name: "ssm-parameter-store",
+                        namespace: "default"
+                    },
+                    spec: {
+                        provider: {
+                            aws: {
+                                service: "ParameterStore",
+                                region: clusterInfo.cluster.stack.region,
+                                auth: {
+                                    jwt: {
+                                        serviceAccountRef: {
+                                            name: "external-secrets-sa",
+                                            namespace: "external-secrets",
+                                        },
+                                    },
+                                },
+                            },
+                        },
+                    },
+                },
+            ],
+        });
+
+        const externalSecret = new eks.KubernetesManifest(clusterInfo.cluster.stack, "ExternalSecret", {
+            cluster: cluster,
+            manifest: [
+                {
+                    apiVersion: "external-secrets.io/v1beta1",
+                    kind: "ExternalSecret",
+                    metadata: {
+                        name: "external-grafana-admin-credentials",
+                        namespace: "grafana-operator"
+                    },
+                    spec: {
+                        secretStoreRef: {
+                            name: "ssm-parameter-store",
+                            kind: "ClusterSecretStore",
+                        },
+                        target: {
+                            name: "grafana-admin-credentials"
+                        },
+                        data: [
+                            {
+                                secretKey: "GF_SECURITY_ADMIN_APIKEY",
+                                remoteRef: {
+                                    key: "/cdk-accelerator/grafana-api-key"
+                                },
+                            },
+                        ],
+                    },
+                },
+            ],
+        });
+        externalSecret.node.addDependency(secretStore);
+        return Promise.resolve(secretStore);
+    }
+}