From cad3794e2ca0245fea29e3a7eabb4262e4d290f8 Mon Sep 17 00:00:00 2001
From: Ed
Date: Tue, 24 Sep 2024 10:47:15 -0500
Subject: [PATCH] feat(gen3-module-updates): Added grafana role and updated values template
---
 .secrets.baseline | 4 +-
 tf_files/gen3/root.tf | 3 ++
 tf_files/gen3/s3.tf | 6 +++
 tf_files/gen3/service-accounts.tf | 67 +++++++++++++++++++++++++++++++
 tf_files/gen3/values.tftpl | 9 +++++
 tf_files/gen3/variables.tf | 7 ++++
 6 files changed, 94 insertions(+), 2 deletions(-)
diff --git a/.secrets.baseline b/.secrets.baseline
index e941562..07aaefc 100644
--- a/.secrets.baseline
+++ b/.secrets.baseline
@@ -3,7 +3,7 @@
 "files": "^.secrets.baseline$",
 "lines": null
 },
- "generated_at": "2024-06-17T13:53:26Z",
+ "generated_at": "2024-09-24T15:47:09Z",
 "plugins_used": [
 {
 "name": "AWSKeyDetector"
@@ -299,7 +299,7 @@
 "hashed_secret": "9b5925ea817163740dfb287a9894e8ab3aba2c18",
 "is_secret": false,
 "is_verified": false,
- "line_number": 129,
+ "line_number": 135,
 "type": "Secret Keyword"
 }
 ],
diff --git a/tf_files/gen3/root.tf b/tf_files/gen3/root.tf
index 62ec1a4..97d9f84 100644
--- a/tf_files/gen3/root.tf
+++ b/tf_files/gen3/root.tf
@@ -13,6 +13,9 @@ locals {
 aws-es-proxy_enabled = var.aws-es-proxy_enabled
 dbgap_enabled = var.dbgap_enabled
 dd_enabled = var.dd_enabled
+ deploy_external_secrets = var.deploy_external_secrets
+ deploy_grafana = var.deploy_grafana
+ deploy_s3_mountpoint = var.deploy_s3_mountpoint
 dicom-server_enabled = var.dicom-server_enabled
 dicom-viewer_enabled = var.dicom-viewer_enabled
 dictionary_url = var.dictionary_url
diff --git a/tf_files/gen3/s3.tf b/tf_files/gen3/s3.tf
index 64d7f27..4cc1b45 100644
--- a/tf_files/gen3/s3.tf
+++ b/tf_files/gen3/s3.tf
@@ -2,3 +2,9 @@ module "manifest-s3-bucket" {
 source = "../aws/modules/generic-bucket"
 bucket_name = "manifestservice-${var.vpc_name}-${var.namespace}"
 }
+
+module "grafana-s3-bucket" {
+ count = var.namespace == "default" && var.deploy_grafana ? 1 : 0
+ source = "../aws/modules/generic-bucket"
+ bucket_name = "${var.vpc_name}-observability-bucket"
+}
\ No newline at end of file
diff --git a/tf_files/gen3/service-accounts.tf b/tf_files/gen3/service-accounts.tf
index b3834b9..3115c6d 100644
--- a/tf_files/gen3/service-accounts.tf
+++ b/tf_files/gen3/service-accounts.tf
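Review bot: The guard `count = var.namespace == "default" && var.deploy_grafana ? 1 : 0` on `module "grafana-s3-bucket"` is repeated verbatim on the grafana role and policy in service-accounts.tf, so the three resources can drift apart if one is edited alone; a single local in root.tf such as `grafana_count = var.namespace == "default" && var.deploy_grafana ? 1 : 0`, referenced as `count = local.grafana_count`, keeps them in step. The bucket name `"${var.vpc_name}-observability-bucket"` is likewise hand-built a second time inside the grafana IAM policy ARNs; exposing it once (a local, or the generic-bucket module's output if it has one) avoids the two strings diverging. The file also now ends without a trailing newline (`\ No newline at end of file`), which `terraform fmt` would add.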
@@ -696,5 +696,72 @@ resource "aws_iam_role_policy" "s3-mountpoint-role-policy" {
 })
 }
+resource "aws_iam_role" "grafana-role" {
+ count = var.namespace == "default" && var.deploy_grafana ? 1 : 0
+ name = "${var.vpc_name}-observability-role"
+ description = "Role for grafana service account for ${var.vpc_name}"
+ assume_role_policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Effect = "Allow"
+ Principal = {
+ Service = "ec2.amazonaws.com"
+ }
+ Action = "sts:AssumeRole"
+ },
+ {
+ Sid = ""
+ Effect = "Allow"
+ Principal = {
+ Federated = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:oidc-provider/${var.oidc_provider_arn}"
+ }
+ Action = "sts:AssumeRoleWithWebIdentity"
+ Condition = {
+ StringEquals = {
+ "${var.oidc_provider_arn}:sub" = [
+ "system:serviceaccount:monitoring:observability"
+ ]
+ "${var.oidc_provider_arn}:aud" = "sts.amazonaws.com"
+ }
+ }
+ }
+ ]
+ })
+
+ path = "/gen3-service/"
+}
+
+resource "aws_iam_role_policy" "grafana-role-policy" {
+ count = var.namespace == "default" && var.deploy_grafana ? 1 : 0
+ name = "grafana-role-policy"
+ role = aws_iam_role.grafana-role[0].id
+
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Action = [
+ "s3:AbortMultipartUpload",
+ "s3:DeleteObject",
+ "s3:GetObject",
+ "s3:ListBucket",
+ "s3:PutObject",
+ "s3:DeleteObjectVersion",
+ "s3:GetObjectVersion",
+ "s3:PutObjectAcl",
+ "s3:GetObjectAcl",
+ "s3:ListBucketMultipartUploads",
+ "s3:ListBucketVersions"
+ ]
+ Effect = "Allow"
+ Resource = [
+ "arn:aws:s3:::${var.vpc_name}-observability-bucket",
+ "arn:aws:s3:::${var.vpc_name}-observability-bucket/*"
+ ]
+ },
+ ]
+ })
+}
 # TODO Add ssjdispatcher
diff --git a/tf_files/gen3/values.tftpl b/tf_files/gen3/values.tftpl
index 19846ed..1a78822 100644
--- a/tf_files/gen3/values.tftpl
+++ b/tf_files/gen3/values.tftpl
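Review bot: The first trust statement in `aws_iam_role.grafana-role`, `Principal = { Service = "ec2.amazonaws.com" }` with `Action = "sts:AssumeRole"`, is broader than the role needs: it lets any EC2 instance launched with an instance profile containing this role obtain the role's credentials, a second path unrelated to the `system:serviceaccount:monitoring:observability` OIDC binding that the second statement scopes carefully. Unless an instance profile is actually planned for Grafana, drop that first statement so only the federated path remains; if it was copied from the s3-mountpoint role above, the same question applies there (that role is outside the hunk). The attached policy hard-codes `arn:aws:s3:::${var.vpc_name}-observability-bucket` instead of deriving it from `module.grafana-s3-bucket`, and it grants `s3:PutObjectAcl`, `s3:GetObjectAcl` and `s3:DeleteObjectVersion`, which a backend writing to its own bucket rarely needs — each is worth confirming against what the chart actually does before it ships. `var.oidc_provider_arn` is used both as the suffix of an ARN and as a bare issuer host in the condition keys, so its description in variables.tf should make clear it holds the provider URL without scheme, assuming that is how the existing roles use it.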
@@ -56,6 +56,9 @@ dicom-viewer:
 externalSecrets:
 dbcreds: "${vpc_name}_${namespace}-dicom-viewer-creds"
+external-secrets:
+ enabled: ${deploy_external_secrets}
+
 fence:
 enabled: ${fence_enabled}
 serviceAccount:
@@ -89,6 +92,9 @@ frontend-framework:
 repository: ${gen3ff_repo}
 tag: ${gen3ff_tag}
+grafana:
+ enabled: ${deploy_grafana}
+
 guppy:
 enabled: ${guppy_enabled}
@@ -183,6 +189,9 @@ requestor:
 revproxy:
 enabled: ${revproxy_enabled}
+s3-mountpoint:
+ enabled: ${deploy_s3_mountpoint}
+
 sheepdog:
 enabled: ${sheepdog_enabled}
 externalSecrets:
diff --git a/tf_files/gen3/variables.tf b/tf_files/gen3/variables.tf
index 7d74351..d362e80 100644
--- a/tf_files/gen3/variables.tf
+++ b/tf_files/gen3/variables.tf
@@ -61,6 +61,13 @@ variable "deploy_external_secrets" {
 default = false
 }
+variable "deploy_grafana" {
+ description = "Deploy grafana"
+ type = bool
+ default = false
+
+}
+
 variable "deploy_s3_mountpoint" {
 description = "Deploy s3 mountpoints"
 type = bool
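Review bot: `grafana:` / `enabled: ${deploy_grafana}` in the second values.tftpl hunk switches the chart component on from the flag alone, while the bucket and IAM role it is meant to use (s3.tf, service-accounts.tf) are created only when `var.namespace == "default"` as well, so a deployment with `deploy_grafana = true` in any other namespace gets Grafana enabled with no role or bucket behind it. Gate the rendered value on the same condition, either by setting the root.tf local to `deploy_grafana = var.deploy_grafana && var.namespace == "default"` or, since the template already receives `namespace`, by writing `enabled: ${deploy_grafana && namespace == "default"}` here; otherwise document that the flag is only honoured in the default namespace. The `external-secrets` and `s3-mountpoint` hunks wire flags that already exist in variables.tf and raise no such mismatch.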
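Review bot: The new `variable "deploy_grafana"` block carries a stray blank line between `default = false` and its closing `}`, unlike the neighbouring `deploy_external_secrets` and `deploy_s3_mountpoint` blocks; `terraform fmt` will not remove it, so drop it by hand. The description `"Deploy grafana"` could also say what the flag provisions and when, e.g. `description = "Deploy the grafana chart component plus its observability S3 bucket and IAM role (default namespace only)"`, since the resources in s3.tf and service-accounts.tf are gated on this flag together with the namespace.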