Merge branch 'awslabs:main' into main

Author: devfloor9

infra/base/terraform/amp.tf

@@ -138,3 +138,25 @@ module "amp_ingest_pod_identity" {
   }
   tags = local.tags
 }
+
+module "grafana_pod_identity" {
+  count = var.enable_amazon_prometheus ? 1 : 0
+
+  source  = "terraform-aws-modules/eks-pod-identity/aws"
+  version = "~> 2.2"
+
+  name = "grafana"
+
+  additional_policy_arns = {
+    amp_policy = aws_iam_policy.grafana[0].arn
+  }
+
+  associations = {
+    grafana = {
+      cluster_name    = module.eks.cluster_name
+      namespace       = local.amp_namespace
+      service_account = "grafana-sa"
+    }
+  }
+  tags = local.tags
+}

infra/base/terraform/helm-values/kube-prometheus-amp-enable.yaml

@@ -2,9 +2,8 @@ prometheus:
   serviceAccount:
     create: true
     name: ${amp_sa}
-    annotations:
-      eks.amazonaws.com/role-arn: ${amp_irsa}
   prometheusSpec:
+    serviceAccountName: ${amp_sa}
     remoteWrite:
       - url: ${amp_remotewrite_url}
         sigv4:
@@ -22,7 +21,7 @@ prometheus:
         metadata:
           name: data
         spec:
-          storageClassName: gp2
+          storageClassName: gp3
           accessModes:
             - ReadWriteOnce
           resources:
@@ -47,19 +46,33 @@ alertmanager:
 grafana:
   enabled: true
   defaultDashboardsEnabled: true
-# Adding AMP datasource to Grafana config
+  adminPassword: null
+  admin:
+    existingSecret: "grafana-admin-secret"
+    userKey: admin-user
+    passwordKey: admin-password
+  service:
+    port: ${grafana_service_port}
   serviceAccount:
-    create: false
-    name: ${amp_sa}
+    create: true
+    name: grafana-sa
   grafana.ini:
-    auth:
-      sigv4_auth_enabled: true
+    aws:
+      allowed_auth_providers: ec2_iam_role
+      assume_role_enabled: true
+  sidecar:
+    datasources:
+      defaultDatasourceEnabled: false
+  plugins:
+    - grafana-amazonprometheus-datasource
   additionalDataSources:
-    - name: AMP
-      editable: true
+    - name: Amazon-Managed-Prometheus
+      type: grafana-amazonprometheus-datasource
+      access: proxy
+      url: ${amp_url}
+      isDefault: true
       jsonData:
-        sigV4Auth: true
+        authType: ec2_iam_role
+        defaultRegion: ${region}
         sigV4Region: ${region}
-      type: prometheus
-      isDefault: false
-      url: ${amp_url}
+      editable: true

infra/base/terraform/kube-prometheus-stack.tf

@@ -1,14 +1,21 @@
-# TODO: Currently we don't do anything with AMP
 locals {
-  kube_prometheus_values = templatefile("${path.module}/helm-values/kube-prometheus.yaml", {
-    # Add template variables if needed for AMP integration
-    region               = local.region
-    amp_sa               = local.amp_ingest_service_account
-    amp_remotewrite_url  = var.enable_amazon_prometheus ? "https://aps-workspaces.${local.region}.amazonaws.com/workspaces/${aws_prometheus_workspace.amp[0].id}/api/v1/remote_write" : ""
-    amp_url              = var.enable_amazon_prometheus ? "https://aps-workspaces.${local.region}.amazonaws.com/workspaces/${aws_prometheus_workspace.amp[0].id}" : ""
+  # Base kube-prometheus values (no AMP)
+  kube_prometheus_base_values = templatefile("${path.module}/helm-values/kube-prometheus.yaml", {
     storage_class_name   = "gp3"
     grafana_service_port = var.grafana_service_port
   })
+
+  # AMP overlay values (only when AMP is enabled)
+  kube_prometheus_amp_values = var.enable_amazon_prometheus ? templatefile("${path.module}/helm-values/kube-prometheus-amp-enable.yaml", {
+    region               = local.region
+    amp_sa               = local.amp_ingest_service_account
+    amp_remotewrite_url  = "https://aps-workspaces.${local.region}.amazonaws.com/workspaces/${aws_prometheus_workspace.amp[0].id}/api/v1/remote_write"
+    amp_url              = "https://aps-workspaces.${local.region}.amazonaws.com/workspaces/${aws_prometheus_workspace.amp[0].id}"
+    grafana_service_port = var.grafana_service_port
+  }) : ""
+
+  # Merge base and AMP values
+  kube_prometheus_values = var.enable_amazon_prometheus ? "${local.kube_prometheus_base_values}\n${local.kube_prometheus_amp_values}" : local.kube_prometheus_base_values
 }
 
 #TODO: Remove if not needed, need to validate namespace is created before secret
@@ -89,7 +96,8 @@ resource "kubectl_manifest" "kube_prometheus_stack" {
   wait = true
   depends_on = [
     helm_release.argocd,
-    module.amp_ingest_pod_identity
+    module.amp_ingest_pod_identity,
+    module.grafana_pod_identity
   ]
 }