From 90b1ac5c03b1fba521b37cddb0adf9caf8411822 Mon Sep 17 00:00:00 2001
From: michaeljguarino
Date: Thu, 26 Sep 2024 15:10:40 -0400
Subject: [PATCH] add eks upgrade insights iam defaults

---
 terraform/clouds/aws/iam.tf | 71 +++++++++++++++++++++++++++
 terraform/modules/clusters/aws/iam.tf | 25 ++++++++++
 2 files changed, 96 insertions(+)
 create mode 100644 terraform/modules/clusters/aws/iam.tf

diff --git a/terraform/clouds/aws/iam.tf b/terraform/clouds/aws/iam.tf
index c4e0f88..3116c7d 100644
--- a/terraform/clouds/aws/iam.tf
+++ b/terraform/clouds/aws/iam.tf
@@ -25,4 +25,75 @@ resource "aws_iam_policy" "stacks" {
 ]
 }
 POLICY
+}
+
+resource "aws_iam_role_policy_attachment" "eks_upgrade_insights" {
+ for_each = module.eks.eks_managed_node_groups
+ role = each.value.iam_role_name
+ policy_arn = aws_iam_policy.eks_upgrade_insights.arn
+}
+
+resource "aws_iam_policy" "eks_upgrade_insights" {
+ name_prefix = "eks-upgrade-insights"
+ description = "eks upgrade insights permissions for ${var.cluster_name}"
+ policy = <<-POLICY
+ {
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Action": [
+ "eks:ListInsights",
+ "eks:DescribeInsight"
+ ],
+ "Effect": "Allow",
+ "Resource": "*"
+ }
+ ]
+ }
+ POLICY
+}
+
+module "assumable_role_cloudwatch_exporter" {
+ source = "terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc"
+ version = "5.39.1"
+ create_role = true
+ role_name = "${var.cluster_name}-cloudwatch-exporter"
+ provider_url = replace(module.eks.cluster_oidc_issuer_url, "https://", "")
+ role_policy_arns = [aws_iam_policy.cloudwatch.arn]
+ oidc_fully_qualified_subjects = [
+ "system:serviceaccount:monitoring:cloudwatch-exporter",
+ ]
+}
+
+resource "aws_iam_policy" "cloudwatch" {
+ name_prefix = "cloudwatch-exporter"
+ description = "cloudwatch exporter permissions for ${var.cluster_name}"
+ policy = <<-POLICY
+ {
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Action": [
+ "tag:GetResources",
+ "cloudwatch:GetMetricData",
+ "cloudwatch:GetMetricStatistics",
+ "cloudwatch:ListMetrics",
+ "apigateway:GET",
+ "aps:ListWorkspaces",
+ "autoscaling:DescribeAutoScalingGroups",
+ "dms:DescribeReplicationInstances",
+ "dms:DescribeReplicationTasks",
+ "ec2:DescribeTransitGatewayAttachments",
+ "ec2:DescribeSpotFleetRequests",
+ "shield:ListProtections",
+ "storagegateway:ListGateways",
+ "storagegateway:ListTagsForResource",
+ "iam:ListAccountAliases"
+ ],
+ "Effect": "Allow",
+ "Resource": "*"
+ }
+ ]
+ }
+ POLICY
 }
\ No newline at end of file
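Review bot: `aws_iam_role_policy_attachment.eks_upgrade_insights` attaches the new policy to every managed node group role (`for_each = module.eks.eks_managed_node_groups`), so `eks:ListInsights`/`eks:DescribeInsight` become available to any workload on those nodes that can reach the instance credentials, while the same hunk gives the cloudwatch exporter its permissions through an IRSA role bound to a single service account (`module.assumable_role_cloudwatch_exporter`). Whichever component reads the insights should get the same treatment: an `iam-assumable-role-with-oidc` module carrying `role_policy_arns = [aws_iam_policy.eks_upgrade_insights.arn]` in place of the node-role attachment, as sketched below. Separately, `"Resource": "*"` can be narrowed: the Service Authorization Reference lists the cluster as the resource type for both insights actions, so `"Resource": "${module.eks.cluster_arn}"` inside the heredoc should work (confirm the module output name against your pinned eks module version). The same block is added verbatim in terraform/modules/clusters/aws/iam.tf in the next hunk and has the same two issues. The enclosing `aws_iam_policy.stacks` resource starts before this hunk.
```hcl
module "assumable_role_eks_upgrade_insights" {
  source           = "terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc"
  version          = "5.39.1"
  create_role      = true
  role_name        = "${var.cluster_name}-eks-upgrade-insights"
  provider_url     = replace(module.eks.cluster_oidc_issuer_url, "https://", "")
  role_policy_arns = [aws_iam_policy.eks_upgrade_insights.arn]
  oidc_fully_qualified_subjects = [
    # placeholder: the namespace/service account of the workload that reads insights
    "system:serviceaccount:<NAMESPACE>:<SERVICE_ACCOUNT>",
  ]
}

# … unchanged: aws_iam_policy.eks_upgrade_insights (with Resource scoped to the cluster ARN), module.assumable_role_cloudwatch_exporter, aws_iam_policy.cloudwatch …
```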
diff --git a/terraform/modules/clusters/aws/iam.tf b/terraform/modules/clusters/aws/iam.tf
new file mode 100644
index 0000000..e5e211a
--- /dev/null
+++ b/terraform/modules/clusters/aws/iam.tf
@@ -0,0 +1,25 @@
+resource "aws_iam_role_policy_attachment" "eks_upgrade_insights" {
+ for_each = module.eks.eks_managed_node_groups
+ role = each.value.iam_role_name
+ policy_arn = aws_iam_policy.eks_upgrade_insights.arn
+}
+
+resource "aws_iam_policy" "eks_upgrade_insights" {
+ name_prefix = "eks-upgrade-insights"
+ description = "eks upgrade insights permissions for ${var.cluster}"
+ policy = <<-POLICY
+ {
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Action": [
+ "eks:ListInsights",
+ "eks:DescribeInsight"
+ ],
+ "Effect": "Allow",
+ "Resource": "*"
+ }
+ ]
+ }
+ POLICY
+}
\ No newline at end of file
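Review bot: Nothing in this new file says which workload on the nodes needs `eks:ListInsights`/`eks:DescribeInsight`, and without that a later reader cannot tell whether the node-role attachment can be narrowed or moved to a service-account role. A header comment above `aws_iam_role_policy_attachment.eks_upgrade_insights` along the lines of `# Read-only EKS upgrade-insights access for <consumer — TODO name the workload>; granted to every managed node group role` would record the intent. The file is also a copy of the block added to terraform/clouds/aws/iam.tf in the previous hunk, differing only in `var.cluster` versus `var.cluster_name`; a second line in that comment pointing at the sibling file, or extracting the policy into a shared module, would keep the two from drifting.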