From 87db6a837503ea449ca7f0c76583712c94ed5a92 Mon Sep 17 00:00:00 2001
From: surendra-yelavarthi
Date: Tue, 21 May 2024 15:34:31 -0500
Subject: [PATCH 1/2] Added IAM role for amazon-cloudwatch-observability add-on of eks cluster
---
 terraform-modules/aws/eks/main.tf | 28 +++++++++++++++++++++++++++-
 1 file changed, 27 insertions(+), 1 deletion(-)
diff --git a/terraform-modules/aws/eks/main.tf b/terraform-modules/aws/eks/main.tf
index e1b8621c8..27faadbe7 100644
--- a/terraform-modules/aws/eks/main.tf
+++ b/terraform-modules/aws/eks/main.tf
@@ -20,7 +20,7 @@ locals {
 resolve_conflicts_on_update = v.resolve_conflicts_on_update
 preserve = v.preserve
 timeouts = v.timeouts
- service_account_role_arn = (k == "aws-ebs-csi-driver" ? data.aws_iam_role.eks_csi_driver.arn : k == "vpc-cni" ? data.aws_iam_role.eks_cni_driver.arn : null)
+ service_account_role_arn = (k == "aws-ebs-csi-driver" ? data.aws_iam_role.eks_csi_driver.arn : k == "vpc-cni" ? data.aws_iam_role.eks_cni_driver.arn : k == "amazon-cloudwatch-observability" ? data.aws_iam_role.eks_cloudwatch_observability.arn : null)
 }
 }
 }
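Review bot: The `service_account_role_arn` expression on the `+` line is now a three-deep nested conditional keyed on the add-on name, and every further add-on that needs an IRSA role will lengthen it again. A map looked up with `lookup(local.addon_service_account_role_arns, k, null)` keeps the same `null` default for add-ons without a role, makes the add-on/role pairing greppable, and leaves the for-expression unchanged otherwise. The enclosing `locals` block and its for-expression start before this hunk, so the lookup line below is the only line inside it that changes.

```hcl
locals {
  # Single place that pairs an EKS add-on name with the IRSA role it runs under.
  addon_service_account_role_arns = {
    "aws-ebs-csi-driver"              = data.aws_iam_role.eks_csi_driver.arn
    "vpc-cni"                         = data.aws_iam_role.eks_cni_driver.arn
    "amazon-cloudwatch-observability" = data.aws_iam_role.eks_cloudwatch_observability.arn
  }
}

# … unchanged: existing locals block and its for-expression over the add-ons …
      service_account_role_arn = lookup(local.addon_service_account_role_arns, k, null)
```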
@@ -127,8 +127,34 @@ resource "aws_iam_role_policy_attachment" "amazon_cni_driver" {
 policy_arn = "arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy"
 }
+# IAM CloudWatch Observability Role
+data "aws_iam_policy_document" "cw" {
+ statement {
+ actions = ["sts:AssumeRoleWithWebIdentity"]
+ effect = "Allow"
+
+ condition {
+ test = "StringEquals"
+ variable = "${replace(module.eks.oidc_provider, "https://", "")}:aud"
+ values = ["sts.amazonaws.com"]
+ }
+
+ principals {
+ identifiers = [module.eks.oidc_provider_arn]
+ type = "Federated"
+ }
+ }
+}
+resource "aws_iam_role" "eks_cloudwatch_observability" {
+ assume_role_policy = data.aws_iam_policy_document.cw.json
+ name = "eks-cloudwatch-observability"
+}
+resource "aws_iam_role_policy_attachment" "amazon_cloudwatch_observability" {
+ role = aws_iam_role.eks_cloudwatch_observability.name
+ policy_arn = "arn:aws:iam::aws:policy/CloudWatchAgentServerPolicy"
+}
 module "eks" {
 source = "terraform-aws-modules/eks/aws"
From 0c3bed8a63131abe2222cf251c7a83b511cb5bd2 Mon Sep 17 00:00:00 2001
From: surendra-yelavarthi
Date: Tue, 21 May 2024 16:15:27 -0500
Subject: [PATCH 2/2] Added IAM role for amazon-cloudwatch-observability add-on of eks cluster -- added datasource
---
 terraform-modules/aws/eks/main.tf | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/terraform-modules/aws/eks/main.tf b/terraform-modules/aws/eks/main.tf
index 27faadbe7..a8d4a0327 100644
--- a/terraform-modules/aws/eks/main.tf
+++ b/terraform-modules/aws/eks/main.tf
@@ -42,6 +42,10 @@ data "aws_iam_role" "eks_cni_driver" {
 name = aws_iam_role.eks_cni_driver.name
 }
+data "aws_iam_role" "eks_cloudwatch_observability" {
+ name = aws_iam_role.eks_cloudwatch_observability.name
+}
+
 provider "kubernetes" {
 host = data.aws_eks_cluster.cluster.endpoint
 cluster_ca_certificate = base64decode(data.aws_eks_cluster.cluster.certificate_authority.0.data)
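Review bot: The trust policy in `data "aws_iam_policy_document" "cw"` conditions only on `<oidc>:aud` being `sts.amazonaws.com`, so any pod in any namespace of this cluster that can mount a projected service-account token can call `sts:AssumeRoleWithWebIdentity` and pick up the `CloudWatchAgentServerPolicy` permissions, which (per that managed policy's documented contents) include account-wide CloudWatch metric and Logs writes. Add a second `StringEquals` condition on `<oidc>:sub` that names the add-on's service account; by the add-on's defaults that is `system:serviceaccount:amazon-cloudwatch:cloudwatch-agent`, but confirm the namespace and SA name against the installed add-on before hard-coding them. Separately, the fixed `name = "eks-cloudwatch-observability"` will collide if this module is instantiated twice in one account; if the csi/cni roles above (outside the hunk) already embed the cluster name or use `name_prefix`, this one should match.

```hcl
  statement {
    # … unchanged: actions, effect, aud condition …

    # Bind the role to the add-on's own service account; without this
    # any service account in the cluster can assume it.
    condition {
      test     = "StringEquals"
      variable = "${replace(module.eks.oidc_provider, "https://", "")}:sub"
      values   = ["system:serviceaccount:amazon-cloudwatch:cloudwatch-agent"]
    }

    # … unchanged: principals …
  }
```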
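Review bot: `data "aws_iam_role" "eks_cloudwatch_observability"` re-reads a role that this same configuration manages, adding an extra IAM read on every plan for a value that is already exposed as `aws_iam_role.eks_cloudwatch_observability.arn`. It does follow the `eks_cni_driver` data-source pattern visible in the context, so keep it if that consistency is deliberate; otherwise drop the block and point the `locals` entry at the resource attribute directly, `service_account_role_arn` … `aws_iam_role.eks_cloudwatch_observability.arn`. Either way a one-line comment such as `# Mirrors the csi/cni lookups so locals can reference all add-on role ARNs the same way.` would tell the next reader why the indirection exists.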