IRSA for AWS for Fluent Bit Add-on (#186)

* IRSA for AWS for Fluent Bit module * terraform-docs: automated action Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>

IRSA for AWS for Fluent Bit Add-on (#186)
* IRSA for AWS for Fluent Bit module * terraform-docs: automated action Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
df29288b · Vara Bonthu · GitHub · 14c92737 · df29288b · df29288b
Unverified Commit df29288b authored 3 years ago by Vara Bonthu Committed by GitHub 3 years ago
--- a/README.md
+++ b/README.md
@@ -141,9 +141,9 @@ SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | 3.71.0 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 3.66.0 |
 | <a name="provider_http"></a> [http](#provider\_http) | 2.4.1 |
-| <a name="provider_kubernetes"></a> [kubernetes](#provider\_kubernetes) | 2.7.1 |
+| <a name="provider_kubernetes"></a> [kubernetes](#provider\_kubernetes) | >= 2.7.1 |
 ## Modules

--- a/docs/add-ons/aws-for-fluent-bit.md
+++ b/docs/add-ons/aws-for-fluent-bit.md
@@ -10,6 +10,9 @@ AWS provides a Fluent Bit image with plugins for both CloudWatch Logs and Kinesi
 [aws-for-fluent-bit](../../modules/kubernetes-addons/aws-for-fluent-bit/README.md) can be deployed by enabling the add-on via the following.
+This add-on is configured to stream the worker node logs to CloudWatch Logs by default. It can further be configured to stream the logs to additional destinations like Kinesis Data Firehose, Kinesis Data Streams and Amazon OpenSearch Service by passing the custom `values.yaml`.
+See this [Helm Chart](https://github.com/aws/eks-charts/tree/master/stable/aws-for-fluent-bit) for more details.
 ```hcl
 enable_aws_for_fluentbit = true
 ```
@@ -18,6 +21,7 @@ You can optionally customize the Helm chart that deploys `aws_for_fluentbit` via
 ```hcl
  enable_aws_for_fluentbit = true
+  aws_for_fluentbit_irsa_policies = ["IAM Policies"] # Add list of additional policies to IRSA to enable access to Kinesis, OpenSearch etc.
  aws_for_fluentbit_helm_config = {
    name                                      = "aws-for-fluent-bit"
    chart                                     = "aws-for-fluent-bit"

--- a/examples/1-eks-cluster-with-new-vpc/README.md
+++ b/examples/1-eks-cluster-with-new-vpc/README.md
@@ -88,7 +88,7 @@ terraform destroy
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | 3.71.0 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 3.66.0 |
 ## Modules

--- a/main.tf
+++ b/main.tf
@@ -67,8 +67,7 @@ module "aws_eks" {
  cluster_log_retention_in_days        = var.cluster_log_retention_in_days
  # IRSA
-  enable_irsa            = var.enable_irsa
+  enable_irsa = var.enable_irsa
-  kubeconfig_output_path = "./kubeconfig/"
  # TAGS
  tags = module.eks_tags.tags

--- a/modules/aws-eks-managed-node-groups/README.md
+++ b/modules/aws-eks-managed-node-groups/README.md
@@ -172,9 +172,7 @@ No modules.
 |------|------|
 | [aws_eks_node_group.managed_ng](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eks_node_group) | resource |
 | [aws_iam_instance_profile.managed_ng](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_instance_profile) | resource |
-| [aws_iam_policy.cwlogs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_role.managed_ng](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
-| [aws_iam_role_policy_attachment.cwlogs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [aws_iam_role_policy_attachment.managed_ng_AmazonEC2ContainerRegistryReadOnly](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [aws_iam_role_policy_attachment.managed_ng_AmazonEKSWorkerNodePolicy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [aws_iam_role_policy_attachment.managed_ng_AmazonEKS_CNI_Policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
@@ -190,7 +188,6 @@ No modules.
 | [aws_security_group_rule.workers_ingress_cluster_primary_sgr](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |
 | [aws_security_group_rule.workers_ingress_control_plane_sgr](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |
 | [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
-| [aws_iam_policy_document.cwlogs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.managed_ng_assume_role_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_partition.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/partition) | data source |

--- a/modules/aws-eks-managed-node-groups/data.tf
+++ b/modules/aws-eks-managed-node-groups/data.tf
@@ -16,18 +16,3 @@ data "aws_iam_policy_document" "managed_ng_assume_role_policy" {
    }
  }
 }
-data "aws_iam_policy_document" "cwlogs" {
-  statement {
-    sid       = ""
-    effect    = "Allow"
-    resources = ["*"]
-    actions = [
-      "logs:CreateLogStream",
-      "logs:CreateLogGroup",
-      "logs:DescribeLogStreams",
-      "logs:PutLogEvents",
-    ]
-  }
-}
--- a/modules/aws-eks-managed-node-groups/iam.tf
+++ b/modules/aws-eks-managed-node-groups/iam.tf
@@ -37,16 +37,3 @@ resource "aws_iam_role_policy_attachment" "managed_ng_AmazonSSMManagedInstanceCo
  policy_arn = "${local.policy_arn_prefix}/AmazonSSMManagedInstanceCore"
  role       = aws_iam_role.managed_ng.name
 }
-# CloudWatch Log access
-resource "aws_iam_policy" "cwlogs" {
-  name        = "${var.eks_cluster_id}-${local.managed_node_group["node_group_name"]}-cwlogs"
-  description = "IAM policy for CloudWatch Logs access"
-  path        = var.path
-  policy      = data.aws_iam_policy_document.cwlogs.json
-}
-resource "aws_iam_role_policy_attachment" "cwlogs" {
-  policy_arn = aws_iam_policy.cwlogs.arn
-  role       = aws_iam_role.managed_ng.name
-}
--- a/modules/aws-eks-self-managed-node-groups/README.md
+++ b/modules/aws-eks-self-managed-node-groups/README.md
@@ -195,10 +195,8 @@ No modules.
 |------|------|
 | [aws_autoscaling_group.self_managed_ng](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/autoscaling_group) | resource |
 | [aws_iam_instance_profile.self_managed_ng](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_instance_profile) | resource |
-| [aws_iam_policy.cwlogs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_policy.eks_windows_cni](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_role.self_managed_ng](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
-| [aws_iam_role_policy_attachment.cwlogs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [aws_iam_role_policy_attachment.eks_windows_cni](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [aws_iam_role_policy_attachment.self_managed_AmazonEC2ContainerRegistryReadOnly](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [aws_iam_role_policy_attachment.self_managed_AmazonEKSWorkerNodePolicy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
@@ -216,7 +214,6 @@ No modules.
 | [aws_security_group_rule.workers_ingress_control_plane_sgr](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |
 | [aws_ami.predefined](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ami) | data source |
 | [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
-| [aws_iam_policy_document.cwlogs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.eks_windows_cni](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.self_managed_ng_assume_role_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_partition.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/partition) | data source |

--- a/modules/aws-eks-self-managed-node-groups/data.tf
+++ b/modules/aws-eks-self-managed-node-groups/data.tf
@@ -28,21 +28,6 @@ data "aws_ami" "predefined" {
  }
 }
-data "aws_iam_policy_document" "cwlogs" {
-  statement {
-    sid       = ""
-    effect    = "Allow"
-    resources = ["*"]
-    actions = [
-      "logs:CreateLogStream",
-      "logs:CreateLogGroup",
-      "logs:DescribeLogStreams",
-      "logs:PutLogEvents",
-    ]
-  }
-}
 data "aws_iam_policy_document" "eks_windows_cni" {
  statement {
    sid       = ""

--- a/modules/aws-eks-self-managed-node-groups/iam.tf
+++ b/modules/aws-eks-self-managed-node-groups/iam.tf
@@ -38,19 +38,6 @@ resource "aws_iam_role_policy_attachment" "self_managed_AmazonSSMManagedInstance
  role       = aws_iam_role.self_managed_ng.name
 }
-# CloudWatch Log access
-resource "aws_iam_policy" "cwlogs" {
-  name        = "${var.eks_cluster_id}-${local.self_managed_node_group["node_group_name"]}-cwlogs"
-  description = "IAM policy for CloudWatch Logs access"
-  path        = var.path
-  policy      = data.aws_iam_policy_document.cwlogs.json
-}
-resource "aws_iam_role_policy_attachment" "cwlogs" {
-  policy_arn = aws_iam_policy.cwlogs.arn
-  role       = aws_iam_role.self_managed_ng.name
-}
 # Windows nodes only need read-only access to EC2
 resource "aws_iam_policy" "eks_windows_cni" {
  count       = local.enable_windows_support ? 1 : 0

--- a/modules/aws-kms/README.md
+++ b/modules/aws-kms/README.md
@@ -34,6 +34,21 @@ module "kms" {
 ```
 <!--- BEGIN_TF_DOCS --->
+Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+SPDX-License-Identifier: MIT-0
+Permission is hereby granted, free of charge, to any person obtaining a copy of this
+software and associated documentation files (the "Software"), to deal in the Software
+without restriction, including without limitation the rights to use, copy, modify,
+merge, publish, distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so.
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED,
+INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A
+PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT
+HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
+SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
 ## Requirements

--- a/modules/kubernetes-addons/README.md
+++ b/modules/kubernetes-addons/README.md
@@ -82,6 +82,7 @@ No resources.
 | <a name="input_argocd_manage_add_ons"></a> [argocd\_manage\_add\_ons](#input\_argocd\_manage\_add\_ons) | Enable managing add-on configuration via ArgoCD | `bool` | `false` | no |
 | <a name="input_auto_scaling_group_names"></a> [auto\_scaling\_group\_names](#input\_auto\_scaling\_group\_names) | List of self-managed node groups autoscaling group names | `list` | `[]` | no |
 | <a name="input_aws_for_fluentbit_helm_config"></a> [aws\_for\_fluentbit\_helm\_config](#input\_aws\_for\_fluentbit\_helm\_config) | AWS for FluentBit Helm Chart config | `any` | `{}` | no |
+| <a name="input_aws_for_fluentbit_irsa_policies"></a> [aws\_for\_fluentbit\_irsa\_policies](#input\_aws\_for\_fluentbit\_irsa\_policies) | Additional IAM policies for a IAM role for service accounts | `list(string)` | `[]` | no |
 | <a name="input_aws_load_balancer_controller_helm_config"></a> [aws\_load\_balancer\_controller\_helm\_config](#input\_aws\_load\_balancer\_controller\_helm\_config) | AWS Load Balancer Controller Helm Chart config | `any` | `{}` | no |
 | <a name="input_aws_node_termination_handler_helm_config"></a> [aws\_node\_termination\_handler\_helm\_config](#input\_aws\_node\_termination\_handler\_helm\_config) | AWS Node Termination Handler Helm Chart config | `any` | `{}` | no |
 | <a name="input_aws_open_telemetry_addon_config"></a> [aws\_open\_telemetry\_addon\_config](#input\_aws\_open\_telemetry\_addon\_config) | AWS Open Telemetry Distro add-on config | `any` | `{}` | no |

--- a/modules/kubernetes-addons/aws-for-fluentbit/README.md
+++ b/modules/kubernetes-addons/aws-for-fluentbit/README.md
-# aws-for-fluent-bit Helm Chart
+# AWS for Fluent Bit
+Fluent Bit is an open source Log Processor and Forwarder which allows you to collect any data like metrics and logs from different sources, enrich them with filters and send them to multiple destinations.
+AWS provides a Fluent Bit image with plugins for CloudWatch Logs, Kinesis Data Firehose, Kinesis Data Stream and Amazon OpenSearch Service.
+This add-on is configured to stream the worker node logs to CloudWatch Logs by default. It can be configured to stream the logs to additional destinations like Kinesis Data Firehose, Kinesis Data Streams and Amazon OpenSearch Service by passing the custom `values.yaml`.
+See this [Helm Chart](https://github.com/aws/eks-charts/tree/master/stable/aws-for-fluent-bit) for more details.
-<!--- BEGIN_TF_DOCS --->
-Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
-SPDX-License-Identifier: MIT-0
-Permission is hereby granted, free of charge, to any person obtaining a copy of this
-software and associated documentation files (the "Software"), to deal in the Software
-without restriction, including without limitation the rights to use, copy, modify,
-merge, publish, distribute, sublicense, and/or sell copies of the Software, and to
-permit persons to whom the Software is furnished to do so.
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED,
-INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A
-PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT
-HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
-OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
-SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+<!--- BEGIN_TF_DOCS --->
 ## Requirements
 No requirements.
@@ -30,14 +20,19 @@ No requirements.
 ## Modules
-No modules.
+| Name | Source | Version |
+|------|--------|---------|
+| <a name="module_irsa_addon"></a> [irsa\_addon](#module\_irsa\_addon) | ../../../modules/irsa | n/a |
 ## Resources
 | Name | Type |
 |------|------|
-| [aws_cloudwatch_log_group.eks_worker_logs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | resource |
+| [aws_cloudwatch_log_group.aws_for_fluent_bit](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | resource |
+| [aws_iam_policy.aws_for_fluent_bit](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [helm_release.aws_for_fluent_bit](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
+| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
+| [aws_iam_policy_document.aws_for_fluent_bit](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
 ## Inputs
@@ -46,7 +41,9 @@ No modules.
 |------|-------------|------|---------|:--------:|
 | <a name="input_eks_cluster_id"></a> [eks\_cluster\_id](#input\_eks\_cluster\_id) | EKS cluster Id | `string` | n/a | yes |
 | <a name="input_helm_config"></a> [helm\_config](#input\_helm\_config) | Helm provider config aws\_for\_fluent\_bit. | `any` | `{}` | no |
+| <a name="input_irsa_policies"></a> [irsa\_policies](#input\_irsa\_policies) | Additional IAM policies for a IAM role for service accounts | `list(string)` | `[]` | no |
 | <a name="input_manage_via_gitops"></a> [manage\_via\_gitops](#input\_manage\_via\_gitops) | Determines if the add-on should be managed via GitOps. | `bool` | `false` | no |
+| <a name="input_tags"></a> [tags](#input\_tags) | Common Tags for AWS resources | `map(string)` | n/a | yes |
 ## Outputs

--- a/modules/kubernetes-addons/aws-for-fluentbit/data.tf
+++ b/modules/kubernetes-addons/aws-for-fluentbit/data.tf
 data "aws_region" "current" {}
+data "aws_caller_identity" "current" {}
+data "aws_iam_policy_document" "aws_for_fluent_bit" {
+  statement {
+    sid       = "PutLogEvents"
+    effect    = "Allow"
+    resources = ["arn:aws:logs:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:log-group:*:log-stream:*"]
+    actions   = ["logs:PutLogEvents"]
+  }
+  statement {
+    sid       = "CreateCWLogs"
+    effect    = "Allow"
+    resources = ["arn:aws:logs:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:log-group:*"]
+    actions = [
+      "logs:CreateLogStream",
+      "logs:DescribeLogGroups",
+      "logs:DescribeLogStreams",
+      "logs:CreateLogGroup",
+    ]
+  }
+}
--- a/modules/kubernetes-addons/aws-for-fluentbit/locals.tf
+++ b/modules/kubernetes-addons/aws-for-fluentbit/locals.tf
 locals {
-  log_group_name      = "/${var.eks_cluster_id}/worker-fluentbit-logs"
+  log_group_name       = "/${var.eks_cluster_id}/worker-fluentbit-logs"
-  log_group_retention = 90
+  log_group_retention  = 90
+  namespace            = "fluent-bit"
+  service_account_name = "fluent-bit-sa"
-  default_helm_values = [templatefile("${path.module}/values.yaml", {
+  override_set_values = [{
-    aws_region     = data.aws_region.current.name,
+    name  = "serviceAccount.name"
-    log_group_name = local.log_group_name
+    value = local.service_account_name
-  })]
+    },
+    {
+      name  = "serviceAccount.create"
+      value = false
+  }]
  default_helm_config = {
    name                       = "aws-for-fluent-bit"
    chart                      = "aws-for-fluent-bit"
    repository                 = "https://aws.github.io/eks-charts"
    version                    = "0.1.11"
-    namespace                  = "kube-system"
+    namespace                  = local.namespace
-    timeout                    = "1200"
+    timeout                    = "300"
-    create_namespace           = true
+    create_namespace           = false
    values                     = local.default_helm_values
    set                        = []
    set_sensitive              = null
@@ -50,8 +56,15 @@ locals {
    var.helm_config
  )
+  default_helm_values = [templatefile("${path.module}/values.yaml", {
+    aws_region           = data.aws_region.current.name,
+    log_group_name       = local.log_group_name,
+    service_account_name = local.service_account_name
+  })]
  argocd_gitops_config = {
-    enable       = true
+    enable             = true
-    logGroupName = aws_cloudwatch_log_group.eks_worker_logs.name
+    logGroupName       = aws_cloudwatch_log_group.aws_for_fluent_bit.name
+    serviceAccountName = local.service_account_name
  }
 }
--- a/modules/kubernetes-addons/aws-for-fluentbit/main.tf
+++ b/modules/kubernetes-addons/aws-for-fluentbit/main.tf
-/*
+resource "aws_cloudwatch_log_group" "aws_for_fluent_bit" {
- * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
- * SPDX-License-Identifier: MIT-0
- *
- * Permission is hereby granted, free of charge, to any person obtaining a copy of this
- * software and associated documentation files (the "Software"), to deal in the Software
- * without restriction, including without limitation the rights to use, copy, modify,
- * merge, publish, distribute, sublicense, and/or sell copies of the Software, and to
- * permit persons to whom the Software is furnished to do so.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED,
- * INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A
- * PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT
- * HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
- * OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
- * SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
- */
-resource "aws_cloudwatch_log_group" "eks_worker_logs" {
  name              = local.log_group_name
  retention_in_days = local.log_group_retention
 }
@@ -62,7 +44,7 @@ resource "helm_release" "aws_for_fluent_bit" {
  dynamic "set" {
    iterator = each_item
-    for_each = local.helm_config["set"] == null ? [] : local.helm_config["set"]
+    for_each = local.helm_config["set"] != null ? distinct(concat(local.override_set_values, local.helm_config["set"])) : local.helm_config["set"]
    content {
      name  = each_item.value.name
@@ -80,5 +62,20 @@ resource "helm_release" "aws_for_fluent_bit" {
    }
  }
-  depends_on = [aws_cloudwatch_log_group.eks_worker_logs]
+  depends_on = [aws_cloudwatch_log_group.aws_for_fluent_bit, module.irsa_addon]
+}
+resource "aws_iam_policy" "aws_for_fluent_bit" {
+  name        = "${var.eks_cluster_id}-fluentbit"
+  description = "IAM Policy for AWS for FluentBit"
+  policy      = data.aws_iam_policy_document.aws_for_fluent_bit.json
+}
+module "irsa_addon" {
+  source                     = "../../../modules/irsa"
+  eks_cluster_id             = var.eks_cluster_id
+  kubernetes_namespace       = local.helm_config["namespace"]
+  kubernetes_service_account = local.service_account_name
+  irsa_iam_policies          = concat([aws_iam_policy.aws_for_fluent_bit.arn], var.irsa_policies)
+  tags                       = var.tags
 }
--- a/modules/kubernetes-addons/aws-for-fluentbit/outputs.tf
+++ b/modules/kubernetes-addons/aws-for-fluentbit/outputs.tf
@@ -18,12 +18,12 @@
 output "cw_log_group_name" {
  description = "AWS Fluent Bit CloudWatch Log Group Name"
-  value       = aws_cloudwatch_log_group.eks_worker_logs.name
+  value       = aws_cloudwatch_log_group.aws_for_fluent_bit.name
 }
 output "cw_log_group_arn" {
  description = "AWS Fluent Bit CloudWatch Log Group ARN"
-  value       = aws_cloudwatch_log_group.eks_worker_logs.arn
+  value       = aws_cloudwatch_log_group.aws_for_fluent_bit.arn
 }
 output "argocd_gitops_config" {

--- a/modules/kubernetes-addons/aws-for-fluentbit/values.yaml
+++ b/modules/kubernetes-addons/aws-for-fluentbit/values.yaml
+serviceAccount:
+  create: false
+  name: ${service_account_name}
 cloudWatch:
+  enabled: true
  region: ${aws_region}
  logGroupName: ${log_group_name}
 firehose:
-  region: ${aws_region}
+  enabled: false
 kinesis:
-  region: ${aws_region}
+  enabled: false
+elasticsearch:
+  enabled: false
--- a/modules/kubernetes-addons/aws-for-fluentbit/variables.tf
+++ b/modules/kubernetes-addons/aws-for-fluentbit/variables.tf
@@ -32,3 +32,14 @@ variable "manage_via_gitops" {
  default     = false
  description = "Determines if the add-on should be managed via GitOps."
 }
+variable "tags" {
+  type        = map(string)
+  description = "Common Tags for AWS resources"
+}
+variable "irsa_policies" {
+  type        = list(string)
+  description = "Additional IAM policies for a IAM role for service accounts"
+  default     = []
+}
--- a/modules/kubernetes-addons/main.tf
+++ b/modules/kubernetes-addons/main.tf
@@ -73,6 +73,8 @@ module "aws_for_fluent_bit" {
  source            = "./aws-for-fluentbit"
  helm_config       = var.aws_for_fluentbit_helm_config
  eks_cluster_id    = var.eks_cluster_id
+  irsa_policies     = var.aws_for_fluentbit_irsa_policies
+  tags              = var.tags
  manage_via_gitops = var.argocd_manage_add_ons
 }