feat: Add CloudWatch Exporter IRSA role support

Add optional IRSA role for prometheus-cloudwatch-exporter to enable
scraping ElastiCache, RDS, and other AWS managed service metrics via
CloudWatch. Gated by `enable_cloudwatch_exporter` variable (default: false).

Needed to support ElastiCache/RDS alerting on single-tenant clusters (DND-442).

Author: jms200

main.tf

@@ -256,6 +256,9 @@ module "comet_eks" {
   enable_loki        = var.enable_loki_bucket
   loki_s3_bucket_arn = var.enable_s3 && var.enable_loki_bucket ? module.comet_s3[0].comet_loki_bucket_arn : null
 
+  # CloudWatch Exporter IRSA for scraping AWS managed service metrics
+  enable_cloudwatch_exporter = var.enable_cloudwatch_exporter
+
   # Monitoring namespace and Grafana credentials
   enable_monitoring_setup = var.enable_monitoring_setup
   monitoring_namespace    = var.monitoring_namespace

modules/comet_eks/main.tf

@@ -718,6 +718,70 @@ module "loki_irsa_role" {
   )
 }
 
+##################################################
+#### CloudWatch Exporter IRSA Role and Policy ####
+##################################################
+data "aws_iam_policy_document" "cloudwatch_exporter" {
+  count = var.enable_cloudwatch_exporter ? 1 : 0
+
+  statement {
+    actions = [
+      "cloudwatch:Describe*",
+      "cloudwatch:Get*",
+      "cloudwatch:List*",
+    ]
+    resources = ["*"]
+  }
+}
+
+resource "aws_iam_policy" "cloudwatch_exporter" {
+  count = var.enable_cloudwatch_exporter ? 1 : 0
+
+  name_prefix = "${var.environment}-cloudwatch-exporter-"
+  description = "Provides CloudWatch read access for prometheus-cloudwatch-exporter on ${var.environment} cluster"
+  policy      = data.aws_iam_policy_document.cloudwatch_exporter[0].json
+
+  tags = merge(
+    var.common_tags,
+    {
+      Name = "${var.environment}-cloudwatch-exporter"
+    }
+  )
+}
+
+module "cloudwatch_exporter_irsa_role" {
+  source  = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks"
+  version = "~> 5.39"
+
+  count = var.enable_cloudwatch_exporter ? 1 : 0
+
+  role_name = "${var.environment}-cloudwatch-exporter"
+
+  role_policy_arns = {
+    cloudwatch_exporter = aws_iam_policy.cloudwatch_exporter[0].arn
+  }
+
+  oidc_providers = {
+    ex = {
+      provider_arn               = module.eks.oidc_provider_arn
+      namespace_service_accounts = ["monitoring:monitoring-prometheus-cloudwatch-exporter"]
+    }
+  }
+
+  depends_on = [
+    module.eks,
+    aws_iam_policy.cloudwatch_exporter
+  ]
+
+  tags = merge(
+    var.common_tags,
+    {
+      Name        = "${var.environment}-cloudwatch-exporter"
+      Description = "IRSA role for prometheus-cloudwatch-exporter to scrape CloudWatch metrics"
+    }
+  )
+}
+
 #########################################
 #### Monitoring Namespace and Secrets ####
 #########################################

modules/comet_eks/outputs.tf

@@ -43,6 +43,16 @@ output "loki_irsa_role_name" {
   value       = var.enable_loki ? module.loki_irsa_role[0].iam_role_name : null
 }
 
+output "cloudwatch_exporter_irsa_role_arn" {
+  description = "ARN of the CloudWatch Exporter IRSA role"
+  value       = var.enable_cloudwatch_exporter ? module.cloudwatch_exporter_irsa_role[0].iam_role_arn : null
+}
+
+output "cloudwatch_exporter_irsa_role_name" {
+  description = "Name of the CloudWatch Exporter IRSA role"
+  value       = var.enable_cloudwatch_exporter ? module.cloudwatch_exporter_irsa_role[0].iam_role_name : null
+}
+
 output "karpenter_irsa_role_arn" {
   description = "ARN of the Karpenter controller IRSA role"
   value       = var.enable_karpenter ? module.karpenter_irsa[0].iam_role_arn : null

modules/comet_eks/variables.tf

@@ -257,6 +257,12 @@ variable "enable_loki" {
   default     = false
 }
 
+variable "enable_cloudwatch_exporter" {
+  description = "Enable CloudWatch Exporter IRSA role for scraping ElastiCache, RDS, and other AWS managed service metrics"
+  type        = bool
+  default     = false
+}
+
 variable "loki_s3_bucket_arn" {
   description = "ARN of the S3 bucket for Loki log storage"
   type        = string

outputs.tf

@@ -153,6 +153,16 @@ output "loki_irsa_role_name" {
   value       = var.enable_eks && var.enable_loki_bucket ? module.comet_eks[0].loki_irsa_role_name : null
 }
 
+output "cloudwatch_exporter_irsa_role_arn" {
+  description = "ARN of the CloudWatch Exporter IRSA role"
+  value       = var.enable_eks && var.enable_cloudwatch_exporter ? module.comet_eks[0].cloudwatch_exporter_irsa_role_arn : null
+}
+
+output "cloudwatch_exporter_irsa_role_name" {
+  description = "Name of the CloudWatch Exporter IRSA role"
+  value       = var.enable_eks && var.enable_cloudwatch_exporter ? module.comet_eks[0].cloudwatch_exporter_irsa_role_name : null
+}
+
 output "karpenter_irsa_role_arn" {
   description = "ARN of the Karpenter controller IRSA role — annotate the karpenter ServiceAccount with this"
   value       = var.enable_eks && var.eks_enable_karpenter ? module.comet_eks[0].karpenter_irsa_role_arn : null

variables.tf

@@ -55,6 +55,12 @@ variable "eks_enable_karpenter" {
   default     = false
 }
 
+variable "enable_cloudwatch_exporter" {
+  description = "Enable CloudWatch Exporter IRSA role for scraping ElastiCache, RDS, and other AWS managed service metrics (used by comet_eks module)"
+  type        = bool
+  default     = false
+}
+
 variable "enable_monitoring_setup" {
   description = "Enable monitoring namespace and Grafana credentials secret in EKS (used by comet_eks module)"
   type        = bool