From 2933a7bdaa4d6a404cc4e597a376e1c430d0d7b5 Mon Sep 17 00:00:00 2001 
From: Zachary Winnerman <98712682+zwinnerman-fleetdm@users.noreply.github.com> Date: Fri, 3 Mar 2023 13:50:48 -0500 Subject: [PATCH] Add ability to use sidecars (#10287) # Checklist for submitter If some of the following don't apply, delete the relevant line. - [ ] Changes file added for user-visible changes in `changes/` or `orbit/changes/`. See [Changes files](https://fleetdm.com/docs/contributing/committing-changes#changes-files) for more information. - [ ] Documented any API changes (docs/Using-Fleet/REST-API.md or docs/Contributing/API-for-contributors.md) - [ ] Documented any permissions changes - [ ] Input data is properly validated, `SELECT *` is avoided, SQL injection is prevented (using placeholders for values in statements) - [ ] Added support on fleet's osquery simulator `cmd/osquery-perf` for new osquery data ingestion features. - [ ] Added/updated tests - [ ] Manual QA for all new/changed functionality - For Orbit and Fleet Desktop changes: - [ ] Manual QA must be performed in the three main OSs, macOS, Windows and Linux. - [ ] Auto-update manual QA, from released version of component to new version (see [tools/tuf/test](../tools/tuf/test/README.md)). 
---
 terraform/.gitignore | 1 +
 terraform/addons/xrays-sidecar/.header.md | 2 +
 .../addons/xrays-sidecar/.terraform-docs.yml | 1 +
 terraform/addons/xrays-sidecar/README.md | 36 ++++++++++++++++++
 terraform/addons/xrays-sidecar/main.tf | 35 +++++++++++++++++
 terraform/addons/xrays-sidecar/outputs.tf | 38 +++++++++++++++++++
 terraform/addons/xrays-sidecar/variables.tf | 1 +
 terraform/byo-vpc/byo-db/byo-ecs/main.tf | 4 +-
 terraform/byo-vpc/byo-db/byo-ecs/variables.tf | 2 +
 terraform/byo-vpc/byo-db/variables.tf | 2 +
 terraform/byo-vpc/variables.tf | 2 +
 terraform/variables.tf | 2 +
 12 files changed, 124 insertions(+), 2 deletions(-)
 create mode 100644 terraform/.gitignore
 create mode 100644 terraform/addons/xrays-sidecar/.header.md
 create mode 100644 terraform/addons/xrays-sidecar/.terraform-docs.yml
 create mode 100644 terraform/addons/xrays-sidecar/README.md
 create mode 100644 terraform/addons/xrays-sidecar/main.tf
 create mode 100644 terraform/addons/xrays-sidecar/outputs.tf
 create mode 100644 terraform/addons/xrays-sidecar/variables.tf
diff --git a/terraform/.gitignore b/terraform/.gitignore
new file mode 100644
index 0000000000..8e782a8e2d
--- /dev/null
+++ b/terraform/.gitignore
@@ -0,0 +1 @@
+.external_modules
diff --git a/terraform/addons/xrays-sidecar/.header.md b/terraform/addons/xrays-sidecar/.header.md
new file mode 100644
index 0000000000..de177fcad4
--- /dev/null
+++ b/terraform/addons/xrays-sidecar/.header.md
@@ -0,0 +1,2 @@
+# AWS Xrays ECS Sidecar
+This addon provides a sidecar for AWS Xrays Opentelemetry to allow Fleet to send traces to AWS Xrays.
diff --git a/terraform/addons/xrays-sidecar/.terraform-docs.yml b/terraform/addons/xrays-sidecar/.terraform-docs.yml
new file mode 100644
index 0000000000..1d139ddb40
--- /dev/null
+++ b/terraform/addons/xrays-sidecar/.terraform-docs.yml
@@ -0,0 +1 @@
+header-from: .header.md
diff --git a/terraform/addons/xrays-sidecar/README.md b/terraform/addons/xrays-sidecar/README.md
new file mode 100644
index 0000000000..8f81f3c197
--- /dev/null
+++ b/terraform/addons/xrays-sidecar/README.md
@@ -0,0 +1,36 @@
+# AWS Xrays ECS Sidecar
+This addon provides a sidecar for AWS Xrays Opentelemetry to allow Fleet to send traces to AWS Xrays.
+
+## Requirements
+
+No requirements.
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| [aws](#provider\_aws) | n/a |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_iam_policy.main](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
+| [aws_iam_policy_document.main](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
+
+## Inputs
+
+No inputs.
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| [fleet\_extra\_environment\_variables](#output\_fleet\_extra\_environment\_variables) | n/a |
+| [fleet\_extra\_iam\_policies](#output\_fleet\_extra\_iam\_policies) | n/a |
+| [fleet\_sidecars](#output\_fleet\_sidecars) | n/a |
diff --git a/terraform/addons/xrays-sidecar/main.tf b/terraform/addons/xrays-sidecar/main.tf
new file mode 100644
index 0000000000..001700b0a3
--- /dev/null
+++ b/terraform/addons/xrays-sidecar/main.tf
@@ -0,0 +1,35 @@
+data "aws_region" "current" {}
+
+data "aws_iam_policy_document" "main" {
+ statement {
+ actions = [
+ "xray:PutTraceSegments",
+ "xray:PutTelemetryRecords",
+ "xray:GetSamplingRules",
+ "xray:GetSamplingTargets",
+ "xray:GetSamplingStatisticSummaries",
+ "logs:PutLogEvents",
+ "logs:CreateLogStream",
+ ]
+ resources = ["*"]
+ }
+}
+
+resource "aws_iam_policy" "main" {
+ policy = data.aws_iam_policy_document.main.json
+}
+
+data "aws_iam_policy_document" "execution" {
+ statement {
+ actions = [
+ "logs:CreateLogStream",
+ "logs:PutLogEvents",
+ "logs:CreateLogGroup",
+ ]
+ resources = ["*"]
+ }
+}
+
+resource "aws_iam_policy" "execution" {
+ policy = data.aws_iam_policy_document.execution.json
+}
diff --git a/terraform/addons/xrays-sidecar/outputs.tf b/terraform/addons/xrays-sidecar/outputs.tf
new file mode 100644
index 0000000000..46339d3a27
--- /dev/null
+++ b/terraform/addons/xrays-sidecar/outputs.tf
@@ -0,0 +1,38 @@
+output "fleet_extra_iam_policies" {
+ value = [aws_iam_policy.main.arn]
+}
+
+output "fleet_extra_execution_iam_policies" {
+ value = [aws_iam_policy.execution.arn]
+}
+
+output "fleet_sidecars" {
+ value = [
+ {
+ "name" : "aws-otel-collector",
+ "image" : "public.ecr.aws/aws-observability/aws-otel-collector:v0.26.1",
+ "essential" : true,
+ "command" : [
+ "--config=/etc/ecs/ecs-default-config.yaml"
+ ],
+ "logConfiguration" : {
+ "logDriver" : "awslogs",
+ "options" : {
+ "awslogs-create-group" : "True",
+ "awslogs-group" : "/ecs/ecs-aws-otel-sidecar-collector",
+ "awslogs-region" : data.aws_region.current.name,
+ "awslogs-stream-prefix" : "ecs"
+ }
+ }
+ }
+ ]
+}
+
+output "fleet_extra_environment_variables" {
+ value = {
+ FLEET_LOGGING_TRACING_ENABLED = "true"
+ FLEET_LOGGING_TRACING_TYPE = "opentelemetry"
+ OTEL_SERVICE_NAME = "fleet"
+ OTEL_EXPORTER_OTLP_ENDPOINT = "http://localhost:4317"
+ }
+}
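Review bot: Both policy documents grant the `logs:` actions on `resources = ["*"]`, which lets the Fleet task role and the execution role create streams and write events in every CloudWatch log group in the account; the `xray:` actions genuinely require `*`, but the log actions can be scoped to the groups this addon writes to. For the `execution` document the target is known — outputs.tf configures the sidecar with `"awslogs-group" : "/ecs/ecs-aws-otel-sidecar-collector"` — so its statement can be split into an unavoidable wildcard part and a group-scoped part built from `data.aws_region.current.name` plus a new `data "aws_caller_identity" "current" {}`. For the `main` document the log group the collector writes with the task role is not visible here (it comes from the collector's default config), so at minimum add `# logs:* on "*" is for the collector's own CloudWatch exporters, not Fleet; scope to its log groups once they are known` above that statement. A `description` on each `aws_iam_policy` would also help, since both are otherwise anonymous auto-named policies when they show up attached to the roles.
```terraform
data "aws_caller_identity" "current" {}

data "aws_iam_policy_document" "execution" {
  # Scoped to the sidecar's own log group (created via awslogs-create-group in outputs.tf).
  statement {
    actions = [
      "logs:CreateLogGroup",
      "logs:CreateLogStream",
      "logs:PutLogEvents",
    ]
    resources = [
      "arn:aws:logs:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:log-group:/ecs/ecs-aws-otel-sidecar-collector",
      "arn:aws:logs:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:log-group:/ecs/ecs-aws-otel-sidecar-collector:*",
    ]
  }
}

# … unchanged: data "aws_iam_policy_document" "main" and both aws_iam_policy resources …
```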
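Review bot: The collector image at `"image" : "public.ecr.aws/aws-observability/aws-otel-collector:v0.26.1"` is pinned by a mutable tag only; a sidecar that runs with the Fleet task role's credentials should be pinned by digest (`...:v0.26.1@sha256:<digest of the verified image>`) or at least carry a comment that the tag must be verified against the upstream release before it is bumped. `"essential" : true` also means a collector crash or image-pull failure stops the whole Fleet task, a deliberate availability trade-off worth recording next to it: `# essential: a collector failure takes the Fleet task down with it; set false if losing traces is preferable to an outage`. The `http://localhost:4317` endpoint is plaintext, which is acceptable only because both containers share the task's network namespace — presumably awsvpc mode, which the task-definition header in byo-ecs/main.tf (outside this hunk) would confirm. Finally, the generated README in this patch lists three resources and three outputs, but this file also emits `fleet_extra_execution_iam_policies` and main.tf adds an `execution` policy; re-run terraform-docs so the tables match.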
diff --git a/terraform/addons/xrays-sidecar/variables.tf b/terraform/addons/xrays-sidecar/variables.tf
new file mode 100644
index 0000000000..8b13789179
--- /dev/null
+++ b/terraform/addons/xrays-sidecar/variables.tf
@@ -0,0 +1 @@
+
diff --git a/terraform/byo-vpc/byo-db/byo-ecs/main.tf b/terraform/byo-vpc/byo-db/byo-ecs/main.tf
index 588819e3b8..546757222d 100644
--- a/terraform/byo-vpc/byo-db/byo-ecs/main.tf
+++ b/terraform/byo-vpc/byo-db/byo-ecs/main.tf
@@ -46,7 +46,7 @@ resource "aws_ecs_task_definition" "backend" {
 cpu = var.fleet_config.cpu
 memory = var.fleet_config.mem
 container_definitions = jsonencode(
- [
+ concat([
 {
 name = "fleet"
 image = var.fleet_config.image
@@ -127,7 +127,7 @@ resource "aws_ecs_task_definition" "backend" {
 },
 ], local.environment)
 }
- ])
+ ], var.fleet_config.sidecars))
 }
 
 resource "aws_appautoscaling_target" "ecs_target" {
diff --git a/terraform/byo-vpc/byo-db/byo-ecs/variables.tf b/terraform/byo-vpc/byo-db/byo-ecs/variables.tf
index eb586d9164..eaddb9b6b5 100644
--- a/terraform/byo-vpc/byo-db/byo-ecs/variables.tf
+++ b/terraform/byo-vpc/byo-db/byo-ecs/variables.tf
@@ -15,6 +15,7 @@ variable "fleet_config" {
 cpu = optional(number, 512)
 image = optional(string, "fleetdm/fleet:v4.22.1")
 family = optional(string, "fleet")
+ sidecars = optional(list(any), [])
 extra_environment_variables = optional(map(string), {})
 extra_iam_policies = optional(list(string), [])
 extra_execution_iam_policies = optional(list(string), [])
@@ -92,6 +93,7 @@ variable "fleet_config" {
 cpu = 256
 image = "fleetdm/fleet:v4.22.1"
 family = "fleet"
+ sidecars = []
 extra_environment_variables = {}
 extra_iam_policies = []
 extra_execution_iam_policies = []
diff --git a/terraform/byo-vpc/byo-db/variables.tf b/terraform/byo-vpc/byo-db/variables.tf
index 9f42603cb3..c8aaa0059e 100644
--- a/terraform/byo-vpc/byo-db/variables.tf
+++ b/terraform/byo-vpc/byo-db/variables.tf
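Review bot: `], var.fleet_config.sidecars))` splices caller-supplied container definitions into the same task definition as Fleet, so every sidecar runs with Fleet's task role (obtainable by any container in the task through the ECS credentials endpoint), its execution role and its network namespace, and nothing at the `concat` site says that this is a trust boundary. A comment there is the minimum: `# Sidecars share the task role, execution role and network namespace with the fleet container; only trusted, digest-pinned images belong here.` Nothing rejects a sidecar that reuses the container name `"fleet"` or an element that is not a map; both surface only as a `jsonencode` or ECS error at apply time, so a reference to the constraint in the variable's description would save a failed apply. The `aws_ecs_task_definition.backend` resource begins before this hunk.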
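Review bot: `sidecars = optional(list(any), [])` accepts any value with no constraint and no statement of where it ends up (it is merged verbatim into the Fleet task's `container_definitions`). Since `variable "fleet_config"` (opened above this hunk) already relies on `optional()` from Terraform 1.3, a `validation` block is available and can at least reject the one collision the concat in main.tf cannot express: `condition = !contains([for s in var.fleet_config.sidecars : try(s.name, "")], "fleet")` with `error_message = "fleet_config.sidecars must not contain a container named \"fleet\"."`. The same attribute is added to three other copies of `fleet_config` in this patch; whatever description and validation is settled on here should be mirrored in each of them.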
@@ -54,6 +54,7 @@ variable "fleet_config" {
 cpu = optional(number, 512)
 image = optional(string, "fleetdm/fleet:v4.22.1")
 family = optional(string, "fleet")
+ sidecars = optional(list(any), [])
 extra_environment_variables = optional(map(string), {})
 extra_iam_policies = optional(list(string), [])
 extra_execution_iam_policies = optional(list(string), [])
@@ -131,6 +132,7 @@ variable "fleet_config" {
 cpu = 256
 image = "fleetdm/fleet:v4.22.1"
 family = "fleet"
+ sidecars = []
 extra_environment_variables = {}
 extra_iam_policies = []
 extra_execution_iam_policies = []
diff --git a/terraform/byo-vpc/variables.tf b/terraform/byo-vpc/variables.tf
index 2974bafe4f..96cf0a6112 100644
--- a/terraform/byo-vpc/variables.tf
+++ b/terraform/byo-vpc/variables.tf
@@ -134,6 +134,7 @@ variable "fleet_config" {
 cpu = optional(number, 512)
 image = optional(string, "fleetdm/fleet:v4.22.1")
 family = optional(string, "fleet")
+ sidecars = optional(list(any), [])
 extra_environment_variables = optional(map(string), {})
 extra_iam_policies = optional(list(string), [])
 extra_execution_iam_policies = optional(list(string), [])
@@ -211,6 +212,7 @@ variable "fleet_config" {
 cpu = 256
 image = "fleetdm/fleet:v4.22.1"
 family = "fleet"
+ sidecars = []
 extra_environment_variables = {}
 extra_iam_policies = []
 extra_execution_iam_policies = []
diff --git a/terraform/variables.tf b/terraform/variables.tf
index bc1d6e9e77..1120d65dfa 100644
--- a/terraform/variables.tf
+++ b/terraform/variables.tf
@@ -189,6 +189,7 @@ variable "fleet_config" {
 cpu = optional(number, 512)
 image = optional(string, "fleetdm/fleet:v4.22.1")
 family = optional(string, "fleet")
+ sidecars = optional(list(any), [])
 extra_environment_variables = optional(map(string), {})
 extra_iam_policies = optional(list(string), [])
 extra_execution_iam_policies = optional(list(string), [])
@@ -280,6 +281,7 @@ variable "fleet_config" {
 cpu = 256
 image = "fleetdm/fleet:v4.22.1"
 family = "fleet"
+ sidecars = []
 extra_environment_variables = {}
 extra_iam_policies = []
 extra_execution_iam_policies = []