Terraform module for configuring Amazon EKS to integrate with Expel Workbench.
Configures a CloudWatch subscription filter to send data to a Kinesis data stream that Expel Workbench consumes.
❗ Terraform state may contain sensitive information. Please follow best security practices when securing your state.
module "expel_aws_eks" {
source = "expel-io/k8s-control-plane/aws"
version = "1.1.0"
expel_customer_organization_guid = "Replace with your organization GUID from Expel Workbench"
region = "AWS region in which Kinesis data stream will be created"
eks_log_group_name = "The log group name for EKS logs to integration with Expel Workbench"
}Once you have configured your AWS environment, go to https://workbench.expel.io/settings/security-devices?setupIntegration=kubernetes_eks and create an AWS EKS security device to enable Expel to begin monitoring your AWS environment.
The permissions allocated by this module allow Expel Workbench to perform investigations and get a broad understanding of your AWS footprint.
- Only supports onboarding a single AWS account, not an entire AWS Organization.
- Will always create a new CloudWatch subscription filter (AWS has a limit of 2 subscription filters per CloudWatch log group)
- Will always create a new Kinesis data stream.
- Does not modify cluster configuration to grant Expel's IAM role read-only access (must be done separately)
See Expel's Getting Started Guide for Amazon EKS for options if you have an AWS Organization or already have a Kinesis data stream you want to re-use.
| Name | Version |
|---|---|
| terraform | >= 1.1.0 |
| aws | >= 4.0.0 |
| Name | Version |
|---|---|
| aws | 4.9.0 |
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| eks_log_group_name | The EKS log group name to integrate with Expel Workbench. | string |
n/a | yes |
| expel_customer_organization_guid | Expel customer's organization GUID assigned to you by Expel. You can find it in your browser URL after navigating to Settings > My Organization in Workbench. | string |
n/a | yes |
| enable_stream_encryption | Optionally encrypt data in the Kinesis stream with a Kinesis-owned KMS key. | bool |
true |
no |
| expel_assume_role_session_name | The session name Expel will use when authenticating. | string |
"ExpelEKSServiceSession" |
no |
| expel_aws_account_arn | Expel's AWS Account ARN to allow assuming role to gain EKS access. | string |
"arn:aws:iam::012205512454:user/ExpelCloudService" |
no |
| prefix | A prefix to group all Expel integration resources. | string |
"expel-aws-eks" |
no |
| stream_capacity_mode | The data stream capacity mode: ON_DEMAND (recommended) or PROVISIONED. See: https://docs.aws.amazon.com/streams/latest/dev/how-do-i-size-a-stream.html | string |
"ON_DEMAND" |
no |
| stream_retention_hours | The number of hours data will be retained in the stream. See: https://docs.aws.amazon.com/streams/latest/dev/kinesis-extended-retention.html | number |
24 |
no |
| stream_shard_count | The number of shards for the Kinesis stream. Only required if stream_capacity_mode is PROVISIONED. See: https://docs.aws.amazon.com/streams/latest/dev/how-do-i-size-a-stream.html |
number |
null |
no |
| tags | A set of tags to group resources. | map |
{} |
no |
| Name | Description |
|---|---|
| aws_region | The AWS Region where the Kinesis resources exist |
| kinesis_stream_name | Name of the Kinesis data stream Expel will consume from |
| role_arn | IAM Role ARN of the role for Expel to assume to access Kinesis data |
| role_session_name | The session name Expel will use when authenticating |
| Name | Type |
|---|---|
| aws_cloudwatch_log_subscription_filter.eks_subscription_filter | resource |
| aws_iam_policy.eks_consumer_policy | resource |
| aws_iam_policy.eks_producer_policy | resource |
| aws_iam_role.cloudwatch_assume_role | resource |
| aws_iam_role.expel_assume_role | resource |
| aws_iam_role_policy_attachment.eks_consumer_policy_attachment | resource |
| aws_iam_role_policy_attachment.eks_producer_policy_attachment | resource |
| aws_kinesis_stream.kinesis_data_stream | resource |
| aws_caller_identity.current | data source |
| aws_iam_policy_document.assume_role_iam_document | data source |
| aws_iam_policy_document.cloudwatch_assume_role_iam_document | data source |
| aws_iam_policy_document.eks_consumer_iam_document | data source |
| aws_iam_policy_document.eks_producer_iam_document | data source |
| aws_region.current | data source |