From 298fba124d6358addbbee6c81055cf4e23230f09 Mon Sep 17 00:00:00 2001
From: Kevin Lefevre
Date: Tue, 9 Nov 2021 14:25:52 +0100
Subject: [PATCH] fix: add missing velero monitoring policy

Signed-off-by: Kevin Lefevre
---
 modules/aws/README.md | 1 +
 modules/aws/velero.tf | 31 +++++++++++++++++++++++++++++++
 2 files changed, 32 insertions(+)

diff --git a/modules/aws/README.md b/modules/aws/README.md
index c46530791..f647b504d 100644
--- a/modules/aws/README.md
+++ b/modules/aws/README.md
@@ -284,6 +284,7 @@ This module can uses [IRSA](https://aws.amazon.com/blogs/opensource/introducing-
 | [kubernetes_network_policy.vault_allow_control_plane](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
 | [kubernetes_network_policy.vault_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
 | [kubernetes_network_policy.vault_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
+| [kubernetes_network_policy.velero_allow_monitoring](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
 | [kubernetes_network_policy.velero_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
 | [kubernetes_network_policy.velero_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
 | [kubernetes_network_policy.victoria-metrics-k8s-stack_allow_control_plane](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
diff --git a/modules/aws/velero.tf b/modules/aws/velero.tf
index 8431f57e3..a5be56c6f 100644
--- a/modules/aws/velero.tf
+++ b/modules/aws/velero.tf
@@ -266,3 +266,34 @@ resource "kubernetes_network_policy" "velero_allow_namespace" {
 policy_types = ["Ingress"]
 }
 }
+
+resource "kubernetes_network_policy" "velero_allow_monitoring" {
+ count = local.velero["enabled"] && local.velero["default_network_policy"] ? 1 : 0
+
+ metadata {
+ name = "${kubernetes_namespace.velero.*.metadata.0.name[count.index]}-allow-monitoring"
+ namespace = kubernetes_namespace.velero.*.metadata.0.name[count.index]
+ }
+
+ spec {
+ pod_selector {
+ }
+
+ ingress {
+ ports {
+ port = "8085"
+ protocol = "TCP"
+ }
+
+ from {
+ namespace_selector {
+ match_labels = {
+ "${local.labels_prefix}/component" = "monitoring"
+ }
+ }
+ }
+ }
+
+ policy_types = ["Ingress"]
+ }
+}
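Review bot: The `from` block of the new `velero_allow_monitoring` rule carries only a `namespace_selector`, so every pod in any namespace labelled `${local.labels_prefix}/component=monitoring` can reach TCP 8085 on every pod in the Velero namespace (the empty top-level `pod_selector {}` selects them all), not just the metrics scraper. If the scraper's pod labels are known in this module, adding `pod_selector { match_labels = { <SCRAPER_LABEL_KEY> = "<SCRAPER_LABEL_VALUE>" } }` inside the same `from` block would narrow the exception, since a pod and namespace selector in one `from` entry are ANDed. The port is a bare literal with no explanation; a one-line comment above `ports`, `# 8085: Velero server metrics endpoint, scraped from the monitoring namespace`, would tell a reader why this hole in `velero_default_deny` exists. Whether the monitoring namespace actually carries that label is not visible in this hunk; if it does not, scraping is presumably dropped by the default-deny policy rather than failing loudly, which is worth checking once against the namespace definition.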