From 7e93867c4723f1a804e78d742eab6652678a8dcc Mon Sep 17 00:00:00 2001 From: Ted O'Connor Date: Tue, 23 Jul 2024 16:51:44 -0400 Subject: [PATCH 1/3] feat(monitoring): added openobserve support --- terraform/workspaces/infra/s3/s3-logs.tf | 29 +++++++++++++++++-- terraform/workspaces/paragon/helm/helm.tf | 27 ++++++++++++++++- .../workspaces/paragon/helm/openobserve.tf | 7 +++++ terraform/workspaces/paragon/helm/outputs.tf | 11 ++++++- .../workspaces/paragon/helm/variables.tf | 6 ++++ terraform/workspaces/paragon/outputs.tf | 9 ++++++ 6 files changed, 84 insertions(+), 5 deletions(-) create mode 100644 terraform/workspaces/paragon/helm/openobserve.tf diff --git a/terraform/workspaces/infra/s3/s3-logs.tf b/terraform/workspaces/infra/s3/s3-logs.tf index e257221..65c851d 100644 --- a/terraform/workspaces/infra/s3/s3-logs.tf +++ b/terraform/workspaces/infra/s3/s3-logs.tf @@ -28,19 +28,42 @@ data "aws_iam_policy_document" "logs_bucket_policy" { count = var.disable_logs ? 0 : 1 statement { - sid = "AllowPutObjects" + sid = "AllowAccessLogs" actions = ["s3:PutObject"] effect = "Allow" resources = [ "${aws_s3_bucket.logs[count.index].arn}", "${aws_s3_bucket.logs[count.index].arn}/access_logs/AWSLogs/${data.aws_caller_identity.current.account_id}/*", ] - principals { type = "AWS" identifiers = [data.aws_elb_service_account.main.arn] } } + + statement { + sid = "AllowAppLogs" + actions = [ + "s3:DeleteObject", + "s3:GetObject", + "s3:ListBucket", + "s3:PutObject" + ] + effect = "Allow" + resources = [ + "${aws_s3_bucket.logs[count.index].arn}", + "${aws_s3_bucket.logs[count.index].arn}/*", + ] + principals { + type = "AWS" + identifiers = ["*"] + } + condition { + test = "StringEquals" + variable = "aws:PrincipalAccount" + values = [data.aws_caller_identity.current.account_id] + } + } } resource "aws_s3_bucket_policy" "logs_bucket" { 
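Review bot: The new `AllowAppLogs` statement grants `s3:DeleteObject`, `s3:GetObject`, `s3:ListBucket` and `s3:PutObject` on the whole logs bucket to `identifiers = ["*"]`, limited only by the `aws:PrincipalAccount` condition, so every IAM principal in the account whose identity policy allows S3 can read and delete everything in the bucket, including the ALB access logs that the `AllowAccessLogs` statement above it still writes there. Nothing in this series sets S3 credentials for OpenObserve, so it presumably runs under a node or IRSA role; that role's ARN is the principal this statement should name, e.g. `identifiers = [<openobserve-role-arn>]`, after which the `aws:PrincipalAccount` condition can go. `s3:DeleteObject` also deserves a comment saying why the log store needs it, since a log-retention bucket normally only loses objects through its lifecycle rule. The `logs_bucket_policy` document continues past the end of the hunk.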
@@ -69,7 +92,7 @@ resource "aws_s3_bucket_lifecycle_configuration" "logs" { status = "Enabled" transition { - days = 7 + days = 30 storage_class = "GLACIER" } } diff --git a/terraform/workspaces/paragon/helm/helm.tf b/terraform/workspaces/paragon/helm/helm.tf index 07f5285..ab66ee2 100644 --- a/terraform/workspaces/paragon/helm/helm.tf +++ b/terraform/workspaces/paragon/helm/helm.tf @@ -262,7 +262,7 @@ module "helm_hash_logging" { chart_directory = "./charts/paragon-logging" } -# paragon logging stack fluent bit , kibana , elasticsearch +# paragon logging stack fluent bit and openobserve resource "helm_release" "paragon_logging" { name = "paragon-logging" description = "Paragon logging services" @@ -286,6 +286,31 @@ resource "helm_release" "paragon_logging" { })) ] + set { + name = "global.env.ZO_S3_PROVIDER" + value = "s3" + } + + set { + name = "global.env.ZO_S3_BUCKET_NAME" + value = var.logs_bucket + } + + set { + name = "global.env.ZO_S3_REGION_NAME" + value = var.aws_region + } + + set { + name = "global.env.ZO_ROOT_USER_EMAIL" + value = var.openobserve_email + } + + set_sensitive { + name = "global.env.ZO_ROOT_USER_PASSWORD" + value = random_password.openobserve.result + } + depends_on = [ helm_release.ingress, kubernetes_secret.docker_login, diff --git a/terraform/workspaces/paragon/helm/openobserve.tf b/terraform/workspaces/paragon/helm/openobserve.tf new file mode 100644 index 0000000..a478cce --- /dev/null +++ b/terraform/workspaces/paragon/helm/openobserve.tf @@ -0,0 +1,7 @@ +resource "random_password" "openobserve" { + length = 32 + lower = true + numeric = true + special = false + upper = true +} diff --git a/terraform/workspaces/paragon/helm/outputs.tf b/terraform/workspaces/paragon/helm/outputs.tf index 468c3cc..a3ccd61 100644 --- a/terraform/workspaces/paragon/helm/outputs.tf +++ b/terraform/workspaces/paragon/helm/outputs.tf 
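Review bot: The `days = 7` to `days = 30` change on the `GLACIER` transition is unexplained in the hunk and in the commit message; if the intent is that OpenObserve can still query recent objects, that is worth stating, because objects in the `GLACIER` class are not readable until restored, so the transition day count becomes the effective query window for logs kept in this bucket. Suggested comment above the `transition` block: `# keep objects in STANDARD for 30 days; GLACIER objects need a restore before OpenObserve (or anything else) can read them`. The `aws_s3_bucket_lifecycle_configuration.logs` resource starts and ends outside the hunk.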
@@ -4,4 +4,13 @@ output "release_ingress" { output "release_paragon_on_prem" { value = helm_release.paragon_on_prem -} \ No newline at end of file +} + +output "openobserve_email" { + value = var.openobserve_email +} + +output "openobserve_password" { + value = random_password.openobserve.result + sensitive = true +} diff --git a/terraform/workspaces/paragon/helm/variables.tf b/terraform/workspaces/paragon/helm/variables.tf index d563a28..10dd4af 100644 --- a/terraform/workspaces/paragon/helm/variables.tf +++ b/terraform/workspaces/paragon/helm/variables.tf @@ -33,6 +33,12 @@ variable "docker_email" { type = string } +variable "openobserve_email" { + description = "Email for OpenObserve admin account." + type = string + default = "services@useparagon.com" +} + variable "logs_bucket" { description = "Bucket to store system logs." type = string diff --git a/terraform/workspaces/paragon/outputs.tf b/terraform/workspaces/paragon/outputs.tf index fa9949a..34a4b95 100644 --- a/terraform/workspaces/paragon/outputs.tf +++ b/terraform/workspaces/paragon/outputs.tf @@ -47,3 +47,12 @@ output "uptime_microservices" { description = "Uptime enabled microservices" value = module.uptime.microservices } + +output "openobserve_email" { + value = module.helm.openobserve_email +} + +output "openobserve_password" { + value = module.helm.openobserve_password + sensitive = true +} From 1c04bcda87c716857b901af90f48353f23e1664d Mon Sep 17 00:00:00 2001 From: Ted O'Connor Date: Mon, 12 Aug 2024 16:22:55 -0400 Subject: [PATCH 2/3] fix(logging): addressed pr feedback --- terraform/workspaces/paragon/helm/helm.tf | 4 ++-- .../workspaces/paragon/helm/openobserve.tf | 19 ++++++++++++++++++- terraform/workspaces/paragon/helm/outputs.tf | 4 ++-- .../workspaces/paragon/helm/variables.tf | 10 ++++++++-- terraform/workspaces/paragon/modules.tf | 2 ++ terraform/workspaces/paragon/variables.tf | 14 +++++++++++++- 6 files changed, 45 insertions(+), 8 deletions(-) 
diff --git a/terraform/workspaces/paragon/helm/helm.tf b/terraform/workspaces/paragon/helm/helm.tf index ab66ee2..1499918 100644 --- a/terraform/workspaces/paragon/helm/helm.tf +++ b/terraform/workspaces/paragon/helm/helm.tf @@ -303,12 +303,12 @@ resource "helm_release" "paragon_logging" { set { name = "global.env.ZO_ROOT_USER_EMAIL" - value = var.openobserve_email + value = local.openobserve_email } set_sensitive { name = "global.env.ZO_ROOT_USER_PASSWORD" - value = random_password.openobserve.result + value = local.openobserve_password } depends_on = [ diff --git a/terraform/workspaces/paragon/helm/openobserve.tf b/terraform/workspaces/paragon/helm/openobserve.tf index a478cce..825d4f7 100644 --- a/terraform/workspaces/paragon/helm/openobserve.tf +++ b/terraform/workspaces/paragon/helm/openobserve.tf @@ -1,7 +1,24 @@ -resource "random_password" "openobserve" { +resource "random_string" "openobserve_email" { + count = var.openobserve_email == null ? 1 : 0 + + length = 12 + lower = true + numeric = true + special = false + upper = false +} + +resource "random_password" "openobserve_password" { + count = var.openobserve_password == null ? 1 : 0 + length = 32 lower = true numeric = true special = false upper = true } + +locals { + openobserve_email = var.openobserve_email != null ? var.openobserve_email : "${random_string.openobserve_email[0].result}@useparagon.com" + openobserve_password = var.openobserve_password != null ? var.openobserve_password : random_password.openobserve_password[0].result +} diff --git a/terraform/workspaces/paragon/helm/outputs.tf b/terraform/workspaces/paragon/helm/outputs.tf index a3ccd61..4ba361d 100644 --- a/terraform/workspaces/paragon/helm/outputs.tf +++ b/terraform/workspaces/paragon/helm/outputs.tf 
@@ -7,10 +7,10 @@ output "release_paragon_on_prem" { } output "openobserve_email" { - value = var.openobserve_email + value = local.openobserve_email } output "openobserve_password" { - value = random_password.openobserve.result + value = local.openobserve_password sensitive = true } diff --git a/terraform/workspaces/paragon/helm/variables.tf b/terraform/workspaces/paragon/helm/variables.tf index 10dd4af..ea278d3 100644 --- a/terraform/workspaces/paragon/helm/variables.tf +++ b/terraform/workspaces/paragon/helm/variables.tf @@ -34,9 +34,15 @@ variable "docker_email" { } variable "openobserve_email" { - description = "Email for OpenObserve admin account." + description = "OpenObserve admin login email." type = string - default = "services@useparagon.com" + default = null +} + +variable "openobserve_password" { + description = "OpenObserve admin login password." + type = string + default = null } variable "logs_bucket" { diff --git a/terraform/workspaces/paragon/modules.tf b/terraform/workspaces/paragon/modules.tf index ae85f08..5a86196 100644 --- a/terraform/workspaces/paragon/modules.tf +++ b/terraform/workspaces/paragon/modules.tf @@ -32,6 +32,8 @@ module "helm" { monitor_version = local.monitor_version monitors = local.monitors monitors_enabled = var.monitors_enabled + openobserve_email = var.openobserve_email + openobserve_password = var.openobserve_password public_monitors = local.public_monitors acm_certificate_arn = module.alb.acm_certificate_arn diff --git a/terraform/workspaces/paragon/variables.tf b/terraform/workspaces/paragon/variables.tf index 4a10285..07576db 100644 --- a/terraform/workspaces/paragon/variables.tf +++ b/terraform/workspaces/paragon/variables.tf 
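Review bot: `variable "openobserve_password"` in terraform/workspaces/paragon/helm/variables.tf holds a credential but is not marked `sensitive = true`, so a value supplied through tfvars or `-var` is printed in plan and apply output and in the `module.helm` argument diff, even though the `openobserve_password` output that re-exports it is marked sensitive. Add `sensitive = true` to that variable block, and do the same for the root `variable "openobserve_password"` added to terraform/workspaces/paragon/variables.tf in the next hunk of this patch. The `openobserve_email` variables do not need it.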
@@ -152,6 +152,18 @@ variable "uptime_company" { default = null } +variable "openobserve_email" { + description = "OpenObserve admin login email." + type = string + default = null +} + +variable "openobserve_password" { + description = "OpenObserve admin login password." + type = string + default = null +} + locals { raw_helm_env = jsondecode(base64decode(var.helm_env)) raw_helm_values = try(yamldecode( @@ -458,7 +470,7 @@ locals { WORKER_TRIGGERS_PORT = try(local.microservices["worker-triggers"].port, null) WORKER_WORKFLOWS_PORT = try(local.microservices["worker-workflows"].port, null) - ACCOUNT_PRIVATE_URL = try("http://account:${local.microservices.account.port}", null) + ACCOUNT_PRIVATE_URL = try("http://account:${local.microservices.account.port}", null) CERBERUS_PRIVATE_URL = try("http://cerberus:${local.microservices.cerberus.port}", null) CHRONOS_PRIVATE_URL = try("http://chronos:${local.microservices.chronos.port}", null) CONNECT_PRIVATE_URL = try("http://connect:${local.microservices.connect.port}", null) From a6465f37b22b2b57e1a3a06b0131c760ca7c4dcc Mon Sep 17 00:00:00 2001 From: Ted O'Connor Date: Mon, 12 Aug 2024 16:24:52 -0400 Subject: [PATCH 3/3] chore: bumped version --- package.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/package.json b/package.json index 3acc267..e5a5a5d 100644 --- a/package.json +++ b/package.json @@ -1,6 +1,6 @@ { "name": "@useparagon/aws-on-prem", - "version": "2.4.0", + "version": "2.5.0", "description": "Deploy Paragon to your own AWS cloud.", "repository": "git@github.com:useparagon/aws-on-prem.git", "author": "Paragon Engineering",