add opentelemetry collector (#13)

* add opentelemetry collector * add otel to controlplane * fix role reference * boost memory and cpu of control plane max CPU is showing 100% when syncing resources in an internal deployment
common-fate · Jan 18, 2024 · 95f059a · 95f059a
1 parent f6a522a
commit 95f059a
Show file tree

Hide file tree

Showing 8 changed files with 378 additions and 246 deletions.
diff --git a/main.tf b/main.tf
@@ -52,6 +52,10 @@ module "ecs" {
   default_capacity_provider_use_fargate = true
 }
 
+module "ecs_base" {
+  source = "./modules/ecs-base"
+}
+
 
 module "cognito" {
   source                = "./modules/cognito"
@@ -104,6 +108,8 @@ module "control_plane" {
   log_level                           = var.control_plane_log_level
   grant_assume_on_role_arns           = var.control_plane_grant_assume_on_role_arns
   oidc_control_plane_issuer           = module.cognito.auth_issuer
+  otel_log_group_name                 = module.ecs_base.otel_log_group_name
+  otel_writer_iam_policy_arn          = module.ecs_base.otel_writer_iam_policy_arn
 }
 
 
@@ -146,6 +152,8 @@ module "access_handler" {
   oidc_access_handler_service_client_id     = module.cognito.access_handler_service_client_id
   oidc_access_handler_service_client_secret = module.cognito.access_handler_service_client_secret
   oidc_access_handler_service_issuer        = module.cognito.auth_issuer
+  otel_log_group_name                       = module.ecs_base.otel_log_group_name
+  otel_writer_iam_policy_arn                = module.ecs_base.otel_writer_iam_policy_arn
 }
 
 module "authz" {

diff --git a/modules/access/main.tf b/modules/access/main.tf
@@ -20,7 +20,6 @@ resource "aws_security_group" "ecs_access_handler_sg" {
 resource "aws_cloudwatch_log_group" "access_handler_log_group" {
   name              = "${var.namespace}-${var.stage}-access-handler"
   retention_in_days = var.log_retention_in_days
-
 }
 
 
@@ -40,8 +39,8 @@ resource "aws_iam_role" "access_handler_ecs_execution_role" {
       }
     ]
   })
-
 }
+
 resource "aws_iam_role_policy_attachment" "access_handler_ecs_execution_role_policy_attach" {
   role       = aws_iam_role.access_handler_ecs_execution_role.name
   policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy"
@@ -82,12 +81,18 @@ resource "aws_iam_policy" "eventbus_put_events" {
       }
     ]
   })
+}
 
+resource "aws_iam_role_policy_attachment" "otel" {
+  role       = aws_iam_role.access_handler_ecs_task_role.name
+  policy_arn = var.otel_writer_iam_policy_arn
 }
+
 resource "aws_iam_role_policy_attachment" "access_handler_eventbus_put_events_attach" {
   role       = aws_iam_role.access_handler_ecs_task_role.name
   policy_arn = aws_iam_policy.eventbus_put_events.arn
 }
+
 resource "aws_ecs_task_definition" "access_handler_task" {
   family                   = "${var.namespace}-${var.stage}-access-handler"
   network_mode             = "awsvpc"
@@ -98,68 +103,91 @@ resource "aws_ecs_task_definition" "access_handler_task" {
   execution_role_arn = aws_iam_role.access_handler_ecs_execution_role.arn
   task_role_arn      = aws_iam_role.access_handler_ecs_task_role.arn
 
-  container_definitions = jsonencode([{
-    name  = "access-handler-container",
-    image = "commonfate/common-fate-cloud-access-handler:${var.release_tag}",
+  container_definitions = jsonencode([
+    {
+      name  = "access-handler-container",
+      image = "commonfate/common-fate-cloud-access-handler:${var.release_tag}",
+
+      portMappings = [{
+        containerPort = 9090,
+      }],
+      environment = [
+        {
+          name  = "CF_OIDC_AUTHORITY_URL",
+          value = var.auth_authority_url
+        },
+        {
+          name  = "CF_EVENT_BRIDGE_ARN",
+          value = var.eventbus_arn
+        },
+        {
+          name  = "CF_AUTHZ_URL",
+          value = var.app_url
+        },
+        {
+          name  = "CF_OIDC_TRUSTED_ISSUER_COGNITO",
+          value = var.auth_issuer
+        },
+        { name  = "CF_CORS_ALLOWED_ORIGINS"
+          value = join(",", [var.app_url])
+        },
+        {
+          name  = "LOG_LEVEL"
+          value = var.log_level
+        },
+        {
+          name  = "CF_ACCESS_SERVICE_CLIENT_ID",
+          value = var.oidc_access_handler_service_client_id
+        },
+        {
+          name  = "CF_ACCESS_SERVICE_CLIENT_SECRET",
+          value = var.oidc_access_handler_service_client_secret
+        },
+        {
+          name  = "CF_ACCESS_SERVICE_OIDC_ISSUER",
+          value = var.oidc_access_handler_service_issuer
+        }
+      ],
+      secrets = [
 
-    portMappings = [{
-      containerPort = 9090,
-    }],
-    environment = [
-      {
-        name  = "CF_OIDC_AUTHORITY_URL",
-        value = var.auth_authority_url
-      },
-      {
-        name  = "CF_EVENT_BRIDGE_ARN",
-        value = var.eventbus_arn
-      },
-      {
-        name  = "CF_AUTHZ_URL",
-        value = var.app_url
-      },
-      {
-        name  = "CF_OIDC_TRUSTED_ISSUER_COGNITO",
-        value = var.auth_issuer
-      },
-      { name  = "CF_CORS_ALLOWED_ORIGINS"
-        value = join(",", [var.app_url])
-      },
-      {
-        name  = "LOG_LEVEL"
-        value = var.log_level
-      },
-      {
-        name  = "CF_ACCESS_SERVICE_CLIENT_ID",
-        value = var.oidc_access_handler_service_client_id
-      },
-      {
-        name  = "CF_ACCESS_SERVICE_CLIENT_SECRET",
-        value = var.oidc_access_handler_service_client_secret
-      },
-      {
-        name  = "CF_ACCESS_SERVICE_OIDC_ISSUER",
-        value = var.oidc_access_handler_service_issuer
-      }
-    ],
-    secrets = [
+      ]
 
-    ]
+      logConfiguration = {
+        logDriver = "awslogs",
+        options = {
+          "awslogs-group"         = aws_cloudwatch_log_group.access_handler_log_group.name,
+          "awslogs-region"        = var.aws_region,
+          "awslogs-stream-prefix" = "access-handler"
+        }
+      },
 
-    logConfiguration = {
-      logDriver = "awslogs",
-      options = {
-        "awslogs-group"         = aws_cloudwatch_log_group.access_handler_log_group.name,
-        "awslogs-region"        = var.aws_region,
-        "awslogs-stream-prefix" = "access-handler"
+      # Link to the security group
+      linuxParameters = {
+        securityGroupIds = [aws_security_group.ecs_access_handler_sg.id]
       }
     },
-
-    # Link to the security group
-    linuxParameters = {
-      securityGroupIds = [aws_security_group.ecs_access_handler_sg.id]
+    {
+      name      = "aws-otel-collector",
+      image     = "amazon/aws-otel-collector",
+      command   = ["--config=/etc/ecs/ecs-default-config.yaml"],
+      essential = true,
+      logConfiguration = {
+        logDriver = "awslogs",
+        options = {
+          "awslogs-group"         = var.otel_log_group_name,
+          "awslogs-region"        = var.aws_region,
+          "awslogs-stream-prefix" = "access-handler"
+        }
+      },
+      healthCheck = {
+        "command"     = ["/healthcheck"],
+        "interval"    = 5,
+        "timeout"     = 6,
+        "retries"     = 5,
+        "startPeriod" = 1
+      }
     }
-  }])
+  ])
 
 }
 

diff --git a/modules/access/variables.tf b/modules/access/variables.tf
@@ -106,3 +106,13 @@ variable "oidc_access_handler_service_issuer" {
   description = "OIDC issuer for the Access Handler Service"
   type        = string
 }
+
+variable "otel_log_group_name" {
+  description = "Log group for OTel collector"
+  type        = string
+}
+
+variable "otel_writer_iam_policy_arn" {
+  description = "IAM policy for OpenTelemetry"
+  type        = string
+}