[PFMENG-3035] enable s3 as an output in fluentbit config (#167)

* [PFMENG-3035] enable s3 as an output in fluentbit config

* [PFMENG-3035] enable s3 as an output in fluentbit config

* [PFMENG-3035] enable s3 as an output in fluentbit config

* [PFMENG-3035] enable s3 as an output in fluentbit config

* [PFMENG-3035] enable s3 as an output in fluentbit config

* [PFMENG-3035] enable s3 as an output in fluentbit config

* [PFMENG-3035] enable s3 as an output in fluentbit config

* [PFMENG-3035] enable s3 as an output in fluentbit config

* [PFMENG-3035] enable s3 as an output in fluentbit config

* [PFMENG-3035] enable s3 as an output in fluentbit config

Author: zodilib

modules/essentials/data.tf

@@ -38,3 +38,35 @@ data "aws_iam_policy_document" "fluent_bit" {
     ]
   }
 }
+
+data "aws_iam_policy_document" "fluent_bit_cw_and_s3" {
+
+  for_each = var.fluent_bit_s3_bucket_enable ? { "enabled" = 1 } : {}
+
+  statement {
+    sid       = "PutLogEvents"
+    effect    = "Allow"
+    resources = ["arn:aws:logs:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:log-group:*:log-stream:*"]
+    actions   = ["logs:PutLogEvents"]
+  }
+
+  statement {
+    sid       = "CreateCWLogs"
+    effect    = "Allow"
+    resources = ["arn:aws:logs:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:log-group:*"]
+
+    actions = [
+      "logs:CreateLogGroup",
+      "logs:CreateLogStream",
+      "logs:DescribeLogGroups",
+      "logs:DescribeLogStreams",
+      "logs:PutRetentionPolicy",
+    ]
+  }
+  statement {
+    sid       = "S3"
+    effect    = "Allow"
+    resources = ["${module.fluentbit_s3_bucket[0].s3_bucket_arn}/*"]
+    actions   = ["s3:PutObject"]
+  }
+}

modules/essentials/fluent_bit.tf

@@ -37,7 +37,8 @@ locals {
     resources            = jsonencode(var.fluent_bit_resources),
     tolerations          = jsonencode(var.fluent_bit_tolerations),
     affinity             = jsonencode(local.affinity),
-    excluded_namespaces  = var.fluent_bit_excluded_namespaces
+    excluded_namespaces  = var.fluent_bit_excluded_namespaces,
+    s3_bucket_name       = var.fluent_bit_s3_bucket_enable ? module.fluentbit_s3_bucket[0].s3_bucket_id : null,
   })
 
   fluent_bit_helm_config = merge(
@@ -92,7 +93,7 @@ resource "aws_iam_policy" "fluent_bit_irsa" {
 
   name        = "${var.cluster_name}-fluentbit"
   description = "IAM Policy for AWS for FluentBit IRSA"
-  policy      = data.aws_iam_policy_document.fluent_bit.json
+  policy      = var.fluent_bit_s3_bucket_enable ? data.aws_iam_policy_document.fluent_bit_cw_and_s3["enabled"].json : data.aws_iam_policy_document.fluent_bit.json
 }
 
 moved {

modules/essentials/fluent_bit_s3.tf

@@ -0,0 +1,41 @@
+module "fluentbit_s3_bucket" {
+  count = var.fluent_bit_s3_bucket_enable ? 1 : 0
+
+  source  = "terraform-aws-modules/s3-bucket/aws"
+  version = "~> 4.6.1"
+
+  bucket = "fluentbit-log-bucket-${random_string.s3_suffix.result}"
+
+  versioning = {
+    enabled = false
+  }
+
+  lifecycle_rule = [
+    {
+      id                                     = "log-expiration"
+      enabled                                = true
+      abort_incomplete_multipart_upload_days = 7
+
+      expiration = {
+        days = 90
+      }
+
+      transitions = [
+        {
+          days          = 30
+          storage_class = "STANDARD_IA"
+        },
+        {
+          days          = 60
+          storage_class = "ONEZONE_IA"
+        }
+      ]
+    }
+  ]
+}
+
+resource "random_string" "s3_suffix" {
+  length  = 8
+  special = false
+  upper   = false
+}

modules/essentials/templates/fluent_bit.yaml

@@ -75,6 +75,18 @@ config:
         Mem_Buf_Limit 5MB
         Skip_Long_Lines On
 
+%{if s3_bucket_name != null}
+    [INPUT]
+        Name tail
+        Tag kube_s3.*
+        Path /var/log/containers/*.log
+        DB /var/log/flb_kube_s3.db
+        multiline.parser docker, cri
+        Docker_Mode On
+        Mem_Buf_Limit 5MB
+        Skip_Long_Lines On
+%{ endif }
+
   ## https://docs.fluentbit.io/manual/pipeline/filters
   filters: |
     [FILTER]
@@ -103,6 +115,24 @@ config:
 %{ endfor ~}
 %{ endif }
 
+%{if s3_bucket_name != null}
+    [FILTER]
+        Name kubernetes
+        Match kube_s3.*
+        Kube_URL https://kubernetes.default.svc.cluster.local:443
+        Merge_Log On
+        Keep_Log Off
+        K8S-Logging.Parser On
+        Buffer_Size 31k
+
+    [FILTER]
+        Name parser
+        Match kube_s3.*
+        Key_Name log
+        Parser custom_apache
+        Reserve_Data true
+%{ endif }
+
   ## https://docs.fluentbit.io/manual/pipeline/outputs
   outputs: |
     [OUTPUT]
@@ -114,6 +144,17 @@ config:
         log_stream_prefix fluentbit-
         auto_create_group false
 
+%{if s3_bucket_name != null}
+    [OUTPUT]
+        Name s3
+        Match kube_s3.*
+        region ap-southeast-1
+        bucket ${s3_bucket_name}
+        compression gzip
+        storage_class REDUCED_REDUNDANCY
+        retry_limit 2
+%{ endif }
+
 #  extraFiles: {}
 #     upstream.conf: |
 #       [UPSTREAM]

modules/essentials/variables.tf

@@ -1564,3 +1564,9 @@ variable "fluent_bit_excluded_namespaces" {
   type        = list(string)
   default     = []
 }
+
+variable "fluent_bit_s3_bucket_enable" {
+  description = "S3 bucket name to store fluentbit logs"
+  type        = bool
+  default     = false
+}

modules/essentials/versions.tf

@@ -14,5 +14,9 @@ terraform {
       source  = "hashicorp/kubernetes"
       version = ">= 2.33"
     }
+    random = {
+      source  = "hashicorp/random"
+      version = ">= 3.5"
+    }
   }
 }