Use these templates to create resources for a Foxglove Primary Site.
Once the resources are created, you'll be able to deploy the Helm charts into the created EKS cluster, and use the included S3 buckets for inbox and lake.
The Helm chart's service accounts need to be configured to use the IAM roles created by this template, allowing the services to connect to the inbox and lake buckets.
Terraform can derive credentials from several sources. Choose the method that's in line with your organization's policies, and ensure Terraform has sufficient access to modify your infrastructure.
You must configure the provider with the proper credentials before you can use it. For a quick start with these examples, you can create a new IAM user with programmatic access on the AWS Console, and then use the `aws configure` command in `aws-cli` to get started:
- On the AWS Console navigate to IAM
- Select `Access key - Programmatic access`
- Attach the `AdministratorAccess` policy directly
- Record the credentials (or download them in a CSV) to be used in `aws-cli`
It's also best practice for the AWS provider to store the Terraform state on S3. This will be used to store the `tfstate` in the cloud, rather than keeping it locally. Create an S3 bucket, and make sure to block all public access (the tfstate will contain secrets).
Before running Terraform for the first time, configure your local variables. Note that some of them you'll find on the Foxglove Settings page, under the Sites tab.
- Copy `terraform.tfvars-example` to `terraform.tfvars`
- Use the `inbox_notification_endpoint` variable from the Foxglove site settings
- Change the other variables as needed
- Copy `backend.tfvars-example` to `backend.tfvars`
- Set the bucket name and region to what was created in the "Getting started" step; key can be any object key
- Run `terraform init --backend-config backend.tfvars`
You should now be able to run `terraform plan` and `terraform apply`.
- `iam`: creates the IAM roles to be used by the service accounts. Make sure to configure the namespace correctly for the EKS OIDC provider, otherwise the workloads won't be able to use the roles to connect to the `lake` and `inbox` S3 buckets.
- `s3`: creates an S3 bucket with private access. This module is used to create the `inbox` and `lake` buckets.
- `sns`: creates an SNS topic with an HTTPS subscription, and attaches it to an S3 bucket's `s3:ObjectCreated:*` events. Whenever a new object appears in the bucket, the webhook `inbox_notification_endpoint` will be notified.
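To make the namespace requirement of the `iam` module concrete, here is an added example (not the repository's own module code) of an IRSA role whose trust policy only admits one Kubernetes service account in one namespace, with permissions scoped to the two buckets. The variable names, the `foxglove-app` service account name and the role name are assumptions.

```hcl
# Added example, not the repository's iam module. Assumed names: the "foxglove"
# namespace, the "foxglove-app" service account, the role name and the variables.
variable "eks_oidc_provider_arn" { type = string }
variable "eks_oidc_issuer_url" { type = string } # https://oidc.eks.<region>.amazonaws.com/id/<id>
variable "inbox_bucket" { type = string }
variable "lake_bucket" { type = string }
locals {
  # The condition keys use the issuer URL without its scheme.
  oidc_host  = replace(var.eks_oidc_issuer_url, "https://", "")
  sa_subject = "system:serviceaccount:foxglove:foxglove-app"
}
# Trust policy: only that service account, in that namespace, may assume the role.
data "aws_iam_policy_document" "trust" {
  statement {
    actions = ["sts:AssumeRoleWithWebIdentity"]
    principals {
      type        = "Federated"
      identifiers = [var.eks_oidc_provider_arn]
    }
    condition {
      test     = "StringEquals"
      variable = "${local.oidc_host}:sub"
      values   = [local.sa_subject]
    }
    condition {
      test     = "StringEquals"
      variable = "${local.oidc_host}:aud"
      values   = ["sts.amazonaws.com"]
    }
  }
}
resource "aws_iam_role" "foxglove" {
  name               = "foxglove-primary-site"
  assume_role_policy = data.aws_iam_policy_document.trust.json
}
# Permissions: limited to the inbox and lake buckets, no wildcard resources.
data "aws_iam_policy_document" "buckets" {
  statement {
    actions   = ["s3:ListBucket"]
    resources = ["arn:aws:s3:::${var.inbox_bucket}", "arn:aws:s3:::${var.lake_bucket}"]
  }
  statement {
    actions   = ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"]
    resources = ["arn:aws:s3:::${var.inbox_bucket}/*", "arn:aws:s3:::${var.lake_bucket}/*"]
  }
}
resource "aws_iam_role_policy" "buckets" {
  role   = aws_iam_role.foxglove.id
  policy = data.aws_iam_policy_document.buckets.json
}
```

If the pods are deployed in a different namespace, or the service account is annotated with this role but named differently, `sts:AssumeRoleWithWebIdentity` is denied and the workloads cannot reach the buckets.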
This Terraform example creates all resources that are needed for a working Foxglove Primary Site deployment: the VPC, EKS cluster, IAM roles, S3 buckets and the SNS topic. For production use, consider the following:
By default, only the Terraform user who created the cluster will be able to connect to this EKS cluster. Read the AWS docs about adding other IAM users and roles, or set `manage_aws_auth_configmap = true` in the eks module (this will require setting up the "kubernetes" provider).
To provision an AWS Application Load Balancer (ALB) when a Kubernetes Ingress is created, the AWS Load Balancer Controller needs to be installed in the cluster. Follow the AWS user guide to set up this add-on.
In the example, the EKS module is set up with both a managed node group and Fargate profiles. The Fargate profile assumes that the Foxglove resources will be deployed in the `foxglove` namespace, and therefore run on Fargate.
One corner case around nodes in EKS is that if the managed node group is removed from the template, the default CoreDNS service will need to be patched; see this guide for details.
Sending logs to CloudWatch from Fargate workloads requires setting up Fluent Bit as per this guide.