From 989db6bd253ac0aa28c9f07e3c49a504bbfa1b71 Mon Sep 17 00:00:00 2001
From: Zachary Winnerman <98712682+zwinnerman-fleetdm@users.noreply.github.com>
Date: Wed, 21 Sep 2022 13:44:49 -0400
Subject: [PATCH] Add fluentbit logging to sandbox EKS (#7880)

---
 .../sandbox/SharedInfrastructure/eks.tf | 21 +++++++++++++++++--
 1 file changed, 19 insertions(+), 2 deletions(-)

diff --git a/infrastructure/sandbox/SharedInfrastructure/eks.tf b/infrastructure/sandbox/SharedInfrastructure/eks.tf
index defd927829..04db20a465 100644
--- a/infrastructure/sandbox/SharedInfrastructure/eks.tf
+++ b/infrastructure/sandbox/SharedInfrastructure/eks.tf
@@ -69,6 +69,23 @@ data "aws_iam_role" "admin" {
 name = "admin"
 }
 
+resource "aws_iam_policy" "fluentbit_logs" {
+ name = "${var.prefix}-fluentbit"
+ policy = data.aws_iam_policy_document.fluentbit_logs.json
+}
+
+data "aws_iam_policy_document" "fluentbit_logs" {
+ statement {
+ actions = [
+ "logs:CreateLogStream",
+ "logs:CreateLogGroup",
+ "logs:DescribeLogStreams",
+ "logs:PutLogEvents",
+ ]
+ resources = ["*"]
+ }
+}
+
 module "aws-eks-accelerator-for-terraform" {
 source = "github.com/aws-samples/aws-eks-accelerator-for-terraform.git"
 cluster_name = var.prefix
@@ -97,7 +114,7 @@ module "aws-eks-accelerator-for-terraform" {
 
 fargate_profiles = {
 default = {
- additional_iam_policies = [aws_iam_policy.ecr.arn]
+ additional_iam_policies = [aws_iam_policy.ecr.arn, aws_iam_policy.fluentbit_logs.arn]
 fargate_profile_name = "default"
 fargate_profile_namespaces = [
 {
@@ -149,7 +166,7 @@ module "kubernetes-addons" {
 enable_ingress_nginx = false
 enable_aws_for_fluentbit = false
 enable_argocd = false
- enable_fargate_fluentbit = false
+ enable_fargate_fluentbit = true
 enable_argo_rollouts = false
 enable_kubernetes_dashboard = false
 enable_yunikorn = false
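Review bot: `resources = ["*"]` in the `fluentbit_logs` policy document lets the role create and write to any CloudWatch log group in the account, not only the one Fluent Bit ships sandbox logs to. The second hunk attaches this policy to the default Fargate profile, so the grant is wider than log shipping needs and would permit events to be written into unrelated log groups that audits or detections may depend on. Consider scoping it, for example `resources = ["arn:aws:logs:<REGION>:<ACCOUNT_ID>:log-group:<FLUENTBIT_LOG_GROUP>:*"]` (placeholders; the log group name is not visible in this patch). A one-line comment above the statement naming the add-on that consumes the policy would also help the next reader.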
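Review bot: Setting `enable_fargate_fluentbit = true` with no add-on configuration visible in this hunk presumably leaves the log group to be created at runtime through the `logs:CreateLogGroup` permission granted in the first hunk, so its retention and encryption settings would sit outside Terraform. If that is the case, declaring the group as an `aws_cloudwatch_log_group` with an explicit `retention_in_days` (and a KMS key if sandbox logs can carry sensitive data), then dropping `logs:CreateLogGroup` from the policy, keeps the log destination reviewable. The `kubernetes-addons` module block starts and ends outside the hunk, so this may already be configured elsewhere.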