
Commit b92230b

authored
Merge branch 'awslabs:main' into main
2 parents ffd73b5 + 5ebc310 commit b92230b


3 files changed

+65
-22
lines changed


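--- a/infra/base/terraform/amp.tf
+++ b/infra/base/terraform/amp.tf
@@ -138,3 +138,25 @@ module "amp_ingest_pod_identity" {
 }
 tags = local.tags
 }
+
+module "grafana_pod_identity" {
+count = var.enable_amazon_prometheus ? 1 : 0
+
+source = "terraform-aws-modules/eks-pod-identity/aws"
+version = "~> 2.2"
+
+name = "grafana"
+
+additional_policy_arns = {
+amp_policy = aws_iam_policy.grafana[0].arn
+}
+
+associations = {
+grafana = {
+cluster_name = module.eks.cluster_name
+namespace = local.amp_namespace
+service_account = "grafana-sa"
+}
+}
+tags = local.tags
+}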
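Review bot: The binding to `service_account = "grafana-sa"` duplicates the literal that helm-values/kube-prometheus-amp-enable.yaml sets as `serviceAccount.name`, and a mismatch between the two fails silently — Grafana simply runs without AWS credentials and the datasource returns auth errors — so a shared local such as `grafana_service_account = "grafana-sa"` referenced from both places would keep them aligned. The permissions this role carries come entirely from `aws_iam_policy.grafana[0]`, which is outside this hunk; because any pod admitted in `local.amp_namespace` under that service account inherits the role, that policy should stay limited to the query actions (`aps:QueryMetrics`, `aps:GetSeries`, `aps:GetLabels`, `aps:GetMetricMetadata`) on the one workspace ARN rather than a wildcard. A one-line comment on `additional_policy_arns`, e.g. `# read-only AMP query access; keep the policy scoped to the single workspace`, records that intent for the next reader.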

infra/base/terraform/helm-values/kube-prometheus-amp-enable.yaml

Lines changed: 27 additions & 14 deletions
@@ -2,9 +2,8 @@ prometheus:
22
serviceAccount:
33
create: true
44
name: ${amp_sa}
5-
annotations:
6-
eks.amazonaws.com/role-arn: ${amp_irsa}
75
prometheusSpec:
6+
serviceAccountName: ${amp_sa}
87
remoteWrite:
98
- url: ${amp_remotewrite_url}
109
sigv4:
@@ -22,7 +21,7 @@ prometheus:
2221
metadata:
2322
name: data
2423
spec:
25-
storageClassName: gp2
24+
storageClassName: gp3
2625
accessModes:
2726
- ReadWriteOnce
2827
resources:
@@ -47,19 +46,33 @@ alertmanager:
4746
grafana:
4847
enabled: true
4948
defaultDashboardsEnabled: true
50-
# Adding AMP datasource to Grafana config
49+
adminPassword: null
50+
admin:
51+
existingSecret: "grafana-admin-secret"
52+
userKey: admin-user
53+
passwordKey: admin-password
54+
service:
55+
port: ${grafana_service_port}
5156
serviceAccount:
52-
create: false
53-
name: ${amp_sa}
57+
create: true
58+
name: grafana-sa
5459
grafana.ini:
55-
auth:
56-
sigv4_auth_enabled: true
60+
aws:
61+
allowed_auth_providers: ec2_iam_role
62+
assume_role_enabled: true
63+
sidecar:
64+
datasources:
65+
defaultDatasourceEnabled: false
66+
plugins:
67+
- grafana-amazonprometheus-datasource
5768
additionalDataSources:
58-
- name: AMP
59-
editable: true
69+
- name: Amazon-Managed-Prometheus
70+
type: grafana-amazonprometheus-datasource
71+
access: proxy
72+
url: ${amp_url}
73+
isDefault: true
6074
jsonData:
61-
sigV4Auth: true
75+
authType: ec2_iam_role
76+
defaultRegion: ${region}
6277
sigV4Region: ${region}
63-
type: prometheus
64-
isDefault: false
65-
url: ${amp_url}
78+
editable: true
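Review bot: The provisioned datasource ends with `editable: true` while `grafana.ini` sets `assume_role_enabled: true`, so a Grafana admin can re-point the datasource to another URL or attach an assume-role ARN that Grafana will then exercise with the pod's identity; since Terraform owns this datasource and no assume-role ARN is configured, `editable: false` and `assume_role_enabled: false` are the tighter settings, to be relaxed only if a cross-account workspace is added later. `sigV4Region: ${region}` survives under `jsonData` next to the new `authType`/`defaultRegion` keys; it belongs to the core Prometheus datasource's SigV4 options, so confirm that the grafana-amazonprometheus-datasource plugin reads it and drop it if not, leaving a single region setting. `existingSecret: "grafana-admin-secret"` is consumed here but not created in this change; a comment naming the resource that creates it (presumably in kube-prometheus-stack.tf, given that file's TODO about namespace-before-secret ordering) would save the next reader a search, and the failure mode when it is missing is the safe one — the pod does not come up without the secret.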

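--- a/infra/base/terraform/kube-prometheus-stack.tf
+++ b/infra/base/terraform/kube-prometheus-stack.tf
@@ -1,14 +1,21 @@
-# TODO: Currently we don't do anything with AMP
 locals {
-kube_prometheus_values = templatefile("${path.module}/helm-values/kube-prometheus.yaml", {
-# Add template variables if needed for AMP integration
-region = local.region
-amp_sa = local.amp_ingest_service_account
-amp_remotewrite_url = var.enable_amazon_prometheus ? "https://aps-workspaces.${local.region}.amazonaws.com/workspaces/${aws_prometheus_workspace.amp[0].id}/api/v1/remote_write" : ""
-amp_url = var.enable_amazon_prometheus ? "https://aps-workspaces.${local.region}.amazonaws.com/workspaces/${aws_prometheus_workspace.amp[0].id}" : ""
+# Base kube-prometheus values (no AMP)
+kube_prometheus_base_values = templatefile("${path.module}/helm-values/kube-prometheus.yaml", {
 storage_class_name = "gp3"
 grafana_service_port = var.grafana_service_port
 })
+
+# AMP overlay values (only when AMP is enabled)
+kube_prometheus_amp_values = var.enable_amazon_prometheus ? templatefile("${path.module}/helm-values/kube-prometheus-amp-enable.yaml", {
+region = local.region
+amp_sa = local.amp_ingest_service_account
+amp_remotewrite_url = "https://aps-workspaces.${local.region}.amazonaws.com/workspaces/${aws_prometheus_workspace.amp[0].id}/api/v1/remote_write"
+amp_url = "https://aps-workspaces.${local.region}.amazonaws.com/workspaces/${aws_prometheus_workspace.amp[0].id}"
+grafana_service_port = var.grafana_service_port
+}) : ""
+
+# Merge base and AMP values
+kube_prometheus_values = var.enable_amazon_prometheus ? "${local.kube_prometheus_base_values}\n${local.kube_prometheus_amp_values}" : local.kube_prometheus_base_values
 }
 
 #TODO: Remove if not needed, need to validate namespace is created before secret
@@ -89,7 +96,8 @@ resource "kubectl_manifest" "kube_prometheus_stack" {
 wait = true
 depends_on = [
 helm_release.argocd,
-module.amp_ingest_pod_identity
+module.amp_ingest_pod_identity,
+module.grafana_pod_identity
 ]
 }
 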
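Review bot: `kube_prometheus_values` joins the base and AMP documents with a newline, which is concatenation rather than a merge — the comment above it says "Merge" but both files presumably define top-level `prometheus:` and `grafana:` mappings, and a single YAML document with repeated keys either fails to parse or keeps one copy per key depending on the parser, so base settings under `grafana:` can be replaced wholesale by the overlay (or vice versa), including whichever file carries the admin-secret and service-account hardening. Terraform's `merge()` over `yamldecode()` output is also top-level only, so the reliable fix is to hand the consumer two separate value sources (Helm and Argo CD deep-merge a list of values) and keep the plain string only for the non-AMP case, or to make the overlay file self-contained for every top-level key it touches. How `local.kube_prometheus_values` is fed into `kubectl_manifest.kube_prometheus_stack` lies outside this hunk, so confirm the consumer's merge semantics before choosing; the `depends_on` addition in the second hunk is fine as it stands.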