Added cluster role and iamidentitymapping for managed metric scraping

modules/eks-monitoring/main.tf

@@ -262,32 +262,35 @@ module "external_secrets" {
 resource "aws_prometheus_workspace" "this" {
 
   tags = {
-                AMPAgentlessScraper = ""
-        }
+    AMPAgentlessScraper = ""
+  }
 }
 
-
+resource "helm_release" "managed_prometheus__role" {
+  name  = "managed-prometheus-role"
+  chart = "${path.module}/managed-prometheus-scraper-config"
+}
 resource "aws_prometheus_scraper" "basic" {
   alias = "managed-prometheus-scraper"
 
   source {
-    eks{
+    eks {
       cluster_arn = data.aws_eks_cluster.eks_cluster.arn
-      subnet_ids = data.aws_eks_cluster.eks_cluster.vpc_config[0].subnet_ids
+      subnet_ids  = data.aws_eks_cluster.eks_cluster.vpc_config[0].subnet_ids
 
     }
 
   }
 
 
-   scrape_configuration= templatefile("${path.module}/prom_config.yaml",
-                         { global_scrape_interval = var.prometheus_config.global_scrape_interval,
-                           global_scrape_timeout = var.prometheus_config.global_scrape_timeout,
-                           enableAPIserver = var.enable_apiserver_monitoring,
-                           eks_cluster_id = var.eks_cluster_id,
-                           region = var.managed_prometheus_workspace_region,
-                           accountID = local.context.aws_caller_identity_account_id
-                          })
+  scrape_configuration = templatefile("${path.module}/prom_config.yaml",
+    { global_scrape_interval = var.prometheus_config.global_scrape_interval,
+      global_scrape_timeout  = var.prometheus_config.global_scrape_timeout,
+      enableAPIserver        = var.enable_apiserver_monitoring,
+      eks_cluster_id         = var.eks_cluster_id,
+      region                 = var.managed_prometheus_workspace_region,
+      accountID              = local.context.aws_caller_identity_account_id
+  })
 
   destination {
     amp {
@@ -297,9 +300,23 @@ resource "aws_prometheus_scraper" "basic" {
 
   tags = {
     CreatedBy = "Terraform"
-    Owner = "AWS Observability Accelerator"
+    Owner     = "AWS Observability Accelerator"
   }
 
 }
 
 
+
+resource "terraform_data" "managed-amp-scrapper-role" {
+  provisioner "local-exec" {
+    command = <<EOT
+        ROLE=$(echo ${aws_prometheus_scraper.basic.role_arn} | sed -e "s+/aws-service-role/scraper.aps.amazonaws.com/+/+g") &&
+        eksctl create iamidentitymapping  \
+             --cluster ${var.eks_cluster_id} \
+             --region ${var.managed_prometheus_workspace_region} \
+             --arn $ROLE \
+             --username aps-collector-user
+      EOT
+  }
+  depends_on = [resource.aws_prometheus_scraper.basic]
+}

modules/eks-monitoring/managed-prometheus-scraper-config/.helmignore

@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/

modules/eks-monitoring/managed-prometheus-scraper-config/Chart.yaml

@@ -0,0 +1,24 @@
+apiVersion: v2
+name: managed-prometheus-scraper-config
+description: A Helm chart for Kubernetes
+
+# A chart can be either an 'application' or a 'library' chart.
+#
+# Application charts are a collection of templates that can be packaged into versioned archives
+# to be deployed.
+#
+# Library charts provide useful utilities or functions for the chart developer. They're included as
+# a dependency of application charts to inject those utilities and functions into the rendering
+# pipeline. Library charts do not define any templates and therefore cannot be deployed.
+type: application
+
+# This is the chart version. This version number should be incremented each time you make changes
+# to the chart and its templates, including the app version.
+# Versions are expected to follow Semantic Versioning (https://semver.org/)
+version: 0.1.0
+
+# This is the version number of the application being deployed. This version number should be
+# incremented each time you make changes to the application. Versions are not expected to
+# follow Semantic Versioning. They should reflect the version the application is using.
+# It is recommended to use it with quotes.
+appVersion: "1.16.0"

modules/eks-monitoring/managed-prometheus-scraper-config/templates/clusterrolebinding.yaml

@@ -0,0 +1,26 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: aps-collector-role
+rules:
+  - apiGroups: [""]
+    resources: ["nodes", "nodes/proxy", "nodes/metrics", "services", "endpoints", "pods", "ingresses", "configmaps"]
+    verbs: ["describe", "get", "list", "watch"]
+  - apiGroups: ["extensions", "networking.k8s.io"]
+    resources: ["ingresses/status", "ingresses"]
+    verbs: ["describe", "get", "list", "watch"]
+  - nonResourceURLs: ["/metrics"]
+    verbs: ["get"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: aps-collector-user-role-binding
+subjects:
+- kind: User
+  name: aps-collector-user
+  apiGroup: rbac.authorization.k8s.io
+roleRef:
+  kind: ClusterRole
+  name: aps-collector-role
+  apiGroup: rbac.authorization.k8s.io

modules/eks-monitoring/otel-config/templates/opentelemetrycollector.yaml

@@ -274,4 +274,3 @@ spec:
           address: 0.0.0.0:8888
           level: basic
       {{ end }}
-

modules/eks-monitoring/prom_config.yaml

@@ -1283,4 +1283,3 @@ scrape_configs:
       source_labels:
       - __meta_kubernetes_endpoint_node_name
       target_label: nodename
-