Ready logstash with template

kvvit · kvvit · commit 4550672249e7 · 2025-03-20T16:37:35.000+03:00
diff --git a/terraform/modules/k8s-addons/eks-filebeat.tf b/terraform/modules/k8s-addons/eks-filebeat.tf
@@ -32,119 +32,3 @@ resource "helm_release" "filebeat" {
   ]
 }
 
-resource "kubectl_manifest" "elk_external_secrets" {
-  count = local.elk.enabled ? 1 : 0
-  yaml_body = <<-EOF
-    apiVersion: external-secrets.io/v1beta1
-    kind: ExternalSecret
-    metadata:
-      name: elastic-credentials
-      namespace: elk
-    spec:
-      refreshInterval: 1m
-      secretStoreRef:
-        name: elastic-credentials
-        kind: SecretStore
-      target:
-        name: elastic-credentials
-        creationPolicy: Owner
-      dataFrom:
-        - extract:
-            key: "/${var.name}/infra/elk"
-    EOF
-  depends_on = [
-    helm_release.external_secrets
-  ]
-}
-
-resource "kubectl_manifest" "elk_secretstore" {
-  count = local.elk.enabled ? 1 : 0
-  yaml_body = <<-EOF
-    apiVersion: external-secrets.io/v1beta1
-    kind: SecretStore
-    metadata:
-      name: elastic-credentials
-      namespace: elk
-    spec:
-      provider:
-        aws:
-          service: SecretsManager
-          region: us-east-1
-          auth:
-            jwt:
-              serviceAccountRef:
-                name: sa-filebeat
-    EOF
-  depends_on = [
-    helm_release.external_secrets
-  ]
-}
-
-resource "kubectl_manifest" "kibana_service_account" {
-  count = local.elk.enabled ? 1 : 0
-  yaml_body = <<-EOF
-    apiVersion: v1
-    kind: ServiceAccount
-    metadata:
-      annotations:
-        eks.amazonaws.com/role-arn: ${aws_iam_role.elk_service_account_role[count.index].arn}
-      name: sa-filebeat
-      namespace: elk
-    EOF
-  depends_on = [
-    aws_iam_role.elk_service_account_role
-  ]
-}
-
-resource "aws_iam_role" "elk_service_account_role" {
-  count              = local.elk.enabled ? 1 : 0
-  name               = "elk-service-account-role"
-  assume_role_policy = <<EOF
-{
-  "Version": "2012-10-17",
-  "Statement": [
-    {
-      "Effect": "Allow",
-      "Principal": {
-        "Federated": "${var.eks_oidc_provider_arn}"
-      },
-      "Action": "sts:AssumeRoleWithWebIdentity",
-      "Condition": {
-        "StringEquals": {
-          "oidc.eks.${var.region}.amazonaws.com/id/${regex("[A-Z0-9]{32}", var.eks_oidc_provider_arn)}:aud": "sts.amazonaws.com"
-        }
-      }
-    }
-  ]
-}
-EOF
-}
-
-resource "aws_iam_policy" "elk_secret_manager_policy" {
-  count = local.elk.enabled ? 1 : 0
-  name  = "elk-secret-manager-policy"
-
-  policy = jsonencode({
-    Version = "2012-10-17",
-    Statement = [
-      {
-        Action : [
-          "secretsmanager:GetSecretValue",
-          "secretsmanager:DescribeSecret",
-          "secretsmanager:ListSecretVersionIds",
-          "secretsmanager:UpdateSecret",
-          "secretsmanager:PutSecretValue"
-        ],
-        Effect   = "Allow",
-        Resource = "arn:aws:secretsmanager:${var.region}:${data.aws_caller_identity.current.account_id}:secret:/${var.name}/infra/elk*"
-      }
-    ]
-  })
-}
-
-resource "aws_iam_policy_attachment" "elk_secret_manager_policy_attachment" {
-  count      = local.elk.enabled ? 1 : 0
-  name       = "elk-secret-manager-policy-attachment"
-  roles      = [aws_iam_role.elk_service_account_role[count.index].name]
-  policy_arn = aws_iam_policy.elk_secret_manager_policy[count.index].arn
-}
diff --git a/terraform/modules/k8s-addons/eks-logstash.tf b/terraform/modules/k8s-addons/eks-logstash.tf
@@ -29,3 +29,119 @@ resource "helm_release" "logstash" {
   ])
 }
 
+resource "kubectl_manifest" "elk_external_secrets" {
+  count = local.logstash.enabled ? 1 : 0
+  yaml_body = <<-EOF
+    apiVersion: external-secrets.io/v1beta1
+    kind: ExternalSecret
+    metadata:
+      name: elastic-credentials
+      namespace: elk
+    spec:
+      refreshInterval: 1m
+      secretStoreRef:
+        name: elastic-credentials
+        kind: SecretStore
+      target:
+        name: elastic-credentials
+        creationPolicy: Owner
+      dataFrom:
+        - extract:
+            key: "/${var.name}/infra/elk"
+    EOF
+  depends_on = [
+    helm_release.external_secrets
+  ]
+}
+
+resource "kubectl_manifest" "elk_secretstore" {
+  count = local.logstash.enabled ? 1 : 0
+  yaml_body = <<-EOF
+    apiVersion: external-secrets.io/v1beta1
+    kind: SecretStore
+    metadata:
+      name: elastic-credentials
+      namespace: elk
+    spec:
+      provider:
+        aws:
+          service: SecretsManager
+          region: us-east-1
+          auth:
+            jwt:
+              serviceAccountRef:
+                name: sa-filebeat
+    EOF
+  depends_on = [
+    helm_release.external_secrets
+  ]
+}
+
+resource "kubectl_manifest" "kibana_service_account" {
+  count = local.logstash.enabled ? 1 : 0
+  yaml_body = <<-EOF
+    apiVersion: v1
+    kind: ServiceAccount
+    metadata:
+      annotations:
+        eks.amazonaws.com/role-arn: ${aws_iam_role.elk_service_account_role[count.index].arn}
+      name: sa-filebeat
+      namespace: elk
+    EOF
+  depends_on = [
+    aws_iam_role.elk_service_account_role
+  ]
+}
+
+resource "aws_iam_role" "elk_service_account_role" {
+  count              = local.logstash.enabled ? 1 : 0
+  name               = "elk-service-account-role"
+  assume_role_policy = <<EOF
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Principal": {
+        "Federated": "${var.eks_oidc_provider_arn}"
+      },
+      "Action": "sts:AssumeRoleWithWebIdentity",
+      "Condition": {
+        "StringEquals": {
+          "oidc.eks.${var.region}.amazonaws.com/id/${regex("[A-Z0-9]{32}", var.eks_oidc_provider_arn)}:aud": "sts.amazonaws.com"
+        }
+      }
+    }
+  ]
+}
+EOF
+}
+
+resource "aws_iam_policy" "elk_secret_manager_policy" {
+  count = local.logstash.enabled ? 1 : 0
+  name  = "elk-secret-manager-policy"
+
+  policy = jsonencode({
+    Version = "2012-10-17",
+    Statement = [
+      {
+        Action : [
+          "secretsmanager:GetSecretValue",
+          "secretsmanager:DescribeSecret",
+          "secretsmanager:ListSecretVersionIds",
+          "secretsmanager:UpdateSecret",
+          "secretsmanager:PutSecretValue"
+        ],
+        Effect   = "Allow",
+        Resource = "arn:aws:secretsmanager:${var.region}:${data.aws_caller_identity.current.account_id}:secret:/${var.name}/infra/elk*"
+      }
+    ]
+  })
+}
+
+resource "aws_iam_policy_attachment" "elk_secret_manager_policy_attachment" {
+  count      = local.logstash.enabled ? 1 : 0
+  name       = "elk-secret-manager-policy-attachment"
+  roles      = [aws_iam_role.elk_service_account_role[count.index].name]
+  policy_arn = aws_iam_policy.elk_secret_manager_policy[count.index].arn
+}
diff --git a/terraform/modules/k8s-addons/elk-templates/filebeat-values.yaml b/terraform/modules/k8s-addons/elk-templates/filebeat-values.yaml
@@ -24,8 +24,6 @@ filebeatConfig:
       - drop_event.when.and:
           - equals.k8s-app: "coredns"
           - regexp.message: ".*NOERROR.*"
-    setup.template.name: "filebeat"
-    setup.template.pattern: "filebeat-*"
     setup.ilm.enabled: false
     output.logstash:
       hosts: ["logstash-logstash.elk.svc:5044"]
diff --git a/terraform/modules/k8s-addons/elk-templates/logstash-values.yaml b/terraform/modules/k8s-addons/elk-templates/logstash-values.yaml
@@ -8,9 +8,6 @@ resources:
     memory: 2Gi
 
 
-# persistence:
-  # enabled: true
-
 logstashConfig:
   logstash.yml: |
     http.host: 0.0.0.0
@@ -33,38 +30,43 @@ logstashPipeline:
         hosts => ["$${ELASTICSEARCH_HOST}:9200"]
         user => '$${ELASTICSEARCH_USERNAME}'
         password => '$${ELASTICSEARCH_PASSWORD}'
-        index => "filebeat-%%{+yyyy.MM.dd}-000001"
-        manage_template => false
+        index => "filebeat-${env}-%%{+yyyy.MM.dd}-000001"
+        manage_template => true
+        template => '/etc/elk/logstash-index-template.json'
+        template_name => 'filebeat-${env}'
+        template_overwrite => true
+        action => "create"
         ssl => true
         ssl_certificate_verification => false
         cacert => '/etc/logstash/certificates/ca.crt'
       }
       stdout { codec => rubydebug }
     }
 
-# https://www.elastic.co/guide/en/logstash/current/plugins-outputs-elasticsearch.html
+secrets:
+  - name: "index-template"
+    value:
+      logstash-index-template.json: |
+        {
+          "index_patterns": ["filebeat-${env}-*"],
+          "template": {
+            "aliases": {
+              "filebeat-${env}": {}
+            },
+            "settings": {
+              "index.mapping.total_fields.limit": 5000,
+              "index.lifecycle.name": "delete_old_${env}_indicies",
+              "index.lifecycle.rollover_alias": "filebeat-${env}",
+              "number_of_shards": 1,
+              "number_of_replicas": 1
+            }
+          }
+        }
 
-    #secrets:
-    #  - name: "index-template"
-    #    value:
-    #      logstash-index-template.json: |
-    #        {
-    #          "index_patterns": ["filebeat-*"],
-    #          "template": {
-    #            "settings": {
-    #              "index.refresh_interval": "5s",
-    #              "index.mapping.total_fields.limit": 5000,
-    #              "index.lifecycle.name": "filebeat-policy",
-    #              "number_of_shards": 1,
-    #              "number_of_replicas": 1
-    #            }
-    #          }
-    #        }
-    #
-    #secretMounts:
-    #  - name: logstash-index-template
-    #    secretName: logstash-logstash-index-template
-    #    path: /etc/elk
+secretMounts:
+  - name: logstash-index-template
+    secretName: logstash-logstash-index-template
+    path: /etc/elk
 
 extraPorts:
   - name: beats
