Add EKS observability infra and demo Helm chart #7

Closed
TerminalsandCoffee wants to merge 1 commit into main from codex/create-infra-and-charts-for-eks-demo

Conversation

TerminalsandCoffee (Owner) commented Nov 27, 2025

Summary

  • add Terraform configuration for a demo EKS cluster, managed node group, and IRSA role for an observability collector
  • add a Helm chart that deploys frontend and API services with standard labels, resources, and optional mesh annotations

Testing

  • not run (not requested)

Note

Adds Terraform EKS/VPC with IRSA for an OTEL collector and a Helm chart deploying frontend and API services with optional mesh annotations.

  • Infrastructure (Terraform):
    • Provision EKS cluster via terraform-aws-modules/eks, VPC/subnets via terraform-aws-modules/vpc in 02-eks-observability-stack/infra.
    • Managed node group (SPOT), cluster autoscaler tags, public API endpoint, IRSA enabled.
    • Create IAM policy/role and attach for OTEL collector service account; export cluster and IRSA outputs.
  • Helm Chart (charts/observability-app):
    • Chart scaffolding (Chart.yaml, helpers) with standard labels/selectors.
    • Deployments and Services for frontend and api with configurable images, resources, env, and service types.
    • Global imagePullPolicy; optional mesh injector annotations via values.yaml.

Written by Cursor Bugbot for commit d1b96a6.

Comment on lines +32 to +55
module "vpc" {
source = "terraform-aws-modules/vpc/aws"
version = "~> 5.0"

name = "${var.cluster_name}-vpc"
cidr = var.vpc_cidr

azs = local.azs
private_subnets = [for idx, az in local.azs : cidrsubnet(var.vpc_cidr, 4, idx)]
public_subnets = [for idx, az in local.azs : cidrsubnet(var.vpc_cidr, 4, idx + 8)]

enable_nat_gateway = true
single_nat_gateway = true

public_subnet_tags = {
"kubernetes.io/role/elb" = "1"
}

private_subnet_tags = {
"kubernetes.io/role/internal-elb" = "1"
}

tags = local.tags
}
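Review bot: the VPC has no flow logs, which the defsec warning on this block reports; in terraform-aws-modules/vpc v5 that is `enable_flow_log = true` together with `create_flow_log_cloudwatch_log_group = true` and `create_flow_log_cloudwatch_iam_role = true` (the destination defaults to CloudWatch Logs; set `flow_log_traffic_type = "REJECT"` if you only want the rejects the finding asks for). The repeated "ALL ports" and the "from /0" network ACL findings on this same block come from the module's managed default network ACL, whose default ingress rules allow every protocol from 0.0.0.0/0 and ::/0; either set `manage_default_network_acl = false` or supply a restricted `default_network_acl_ingress` list. Separately, `single_nat_gateway = true` routes egress from every private subnet through one gateway in one AZ, which is fine for a demo but deserves a comment saying it is deliberate.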

Check failure

Code scanning / defsec

An ingress Network ACL rule allows ALL ports. Error

Network ACL rule allows access using ALL ports.
Comment on lines +32 to +55 (the same module "vpc" block quoted above)

Check failure

Code scanning / defsec

An ingress Network ACL rule allows specific ports from /0. Error

Network ACL rule allows ingress from public internet.
Comment on lines +89 to +113
resource "aws_iam_policy" "otel_collector" {
name = "${var.cluster_name}-otel"
description = "Minimal permissions for the OpenTelemetry collector to publish metrics and logs"

policy = jsonencode({
Version = "2012-10-17"
Statement = [
{
Effect = "Allow"
Action = ["cloudwatch:PutMetricData"]
Resource = "*"
},
{
Effect = "Allow"
Action = ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"]
Resource = "*"
},
{
Effect = "Allow"
Action = ["xray:PutTraceSegments", "xray:PutTelemetryRecords"]
Resource = "*"
}
]
})
}
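Review bot: all three statements use `Resource = "*"`, and the defsec error on this block points at the logs statement, which is the one that can actually be scoped: `logs:CreateLogGroup`, `logs:CreateLogStream` and `logs:PutLogEvents` accept log-group ARNs, so restrict them to the group(s) the collector writes to, for example `"arn:aws:logs:${var.region}:${data.aws_caller_identity.current.account_id}:log-group:/aws/eks/${var.cluster_name}/*"` (a `region` variable and an `aws_caller_identity` data source are assumed here; adjust the group prefix to whatever the collector config uses). `cloudwatch:PutMetricData` and the two `xray:Put*` actions do not support resource-level permissions, so `"*"` is unavoidable for those two statements; for `PutMetricData`, add a `StringEquals` condition on `cloudwatch:namespace` so the role can only publish into the collector's metric namespace, and say so in the description, which currently reads "Minimal permissions" while granting write access to every log group in the account.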

Check failure

Code scanning / defsec

IAM policy should avoid use of wildcards and instead apply the principle of least privilege Error

IAM policy document uses sensitive action 'logs:CreateLogGroup' on wildcarded resource '*'
Comment on lines +32 to +55 (the same module "vpc" block quoted above)

Check warning

Code scanning / defsec

VPC Flow Logs is a feature that enables you to capture information about the IP traffic going to and from network interfaces in your VPC. After you've created a flow log, you can view and retrieve its data in Amazon CloudWatch Logs. It is recommended that VPC Flow Logs be enabled for packet "Rejects" for VPCs. Warning

VPC Flow Logs is not enabled for VPC
Comment on lines +57 to +87
module "eks" {
source = "terraform-aws-modules/eks/aws"
version = "~> 20.0"

cluster_name = var.cluster_name
cluster_version = var.cluster_version
cluster_endpoint_public_access = true
enable_irsa = true

vpc_id = module.vpc.vpc_id
subnet_ids = module.vpc.private_subnets
control_plane_subnet_ids = module.vpc.private_subnets

eks_managed_node_groups = {
default = {
instance_types = var.node_instance_types
desired_size = var.node_desired_capacity
max_size = var.node_max_size
min_size = var.node_min_size
capacity_type = "SPOT"

tags = {
"k8s.io/cluster-autoscaler/enabled" = "true"
"k8s.io/cluster-autoscaler/${var.cluster_name}" = "owned"
"eks.amazonaws.com/capacityType" = "SPOT"
}
}
}

tags = local.tags
}
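Review bot: `cluster_endpoint_public_access = true` without a `cluster_endpoint_public_access_cidrs` setting keeps the module default of `["0.0.0.0/0"]`, so the API server endpoint is reachable from any address (authentication still applies, but the endpoint itself is exposed); restrict the CIDR list to the addresses that need it, and rely on the private endpoint for in-VPC traffic (`cluster_endpoint_private_access` defaults to true in v20). The controller-manager and scheduler logging warnings on this block reflect the module default `cluster_enabled_log_types = ["audit", "api", "authenticator"]`; set it explicitly to all five types, adding `"controllerManager"` and `"scheduler"`, to clear them. Nit: `capacity_type = "SPOT"` on the only node group means every workload, including the collector, can be interrupted; fine for a demo, worth a comment.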

Check warning

Code scanning / defsec

EKS Clusters should have cluster control plane logging turned on Warning

Control plane controller manager logging is not enabled.
Comment on lines +57 to +87 (the same module "eks" block quoted above)

Check warning

Code scanning / defsec

EKS Clusters should have cluster control plane logging turned on Warning

Control plane scheduler logging is not enabled.
chatgpt-codex-connector bot left a comment

💡 Codex Review

Here are some automated review suggestions for this pull request.


Comment on lines +46 to +48
public_subnet_tags = {
"kubernetes.io/role/elb" = "1"
}
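Review bot: if the cluster tag is added as suggested, it belongs in both `public_subnet_tags` and `private_subnet_tags`, and the value on subnets should be `"shared"` (`"kubernetes.io/cluster/${var.cluster_name}" = "shared"`) rather than `"owned"`, since the subnets are not created by the cluster; the `kubernetes.io/role/elb` and `kubernetes.io/role/internal-elb` tags already present are the right role tags for external and internal load balancers respectively.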

P1: Tag VPC subnets for EKS load balancers

The VPC subnets are only tagged with the ELB role keys and omit the required kubernetes.io/cluster/${var.cluster_name} tag on either the public or private subnet sets. When the cluster tries to create Kubernetes LoadBalancer services, the AWS cloud provider/ALB controller will skip untagged subnets, so no external load balancer can be provisioned with the defaults in this module. Please add the cluster tag to both subnet types so load balancers can be created.


cursor bot left a comment

This PR is being reviewed by Cursor Bugbot


cpu: 250m
memory: 256Mi
env:
API_BASE_URL: "http://observability-api"
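Review bot: since values.yaml cannot evaluate Helm template expressions, the fix belongs in the frontend Deployment template rather than in this `env` map: render the default as `http://{{ include "observability-app.fullname" . }}-api` when no `API_BASE_URL` entry is set, and treat a value given in values.yaml as an explicit override. As written, the hardcoded `http://observability-api` only resolves when the rendered API service name happens to equal `observability-api`, which the `fullname` helper described above does not produce.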

Bug: Frontend API URL doesn't match generated service name

The default API_BASE_URL is hardcoded to http://observability-api, but the actual API service name is generated dynamically using observability-app.fullname which produces ${ReleaseName}-observability-app-api (e.g., myrelease-observability-app-api). The frontend will fail to connect to the API service because the URL doesn't match the generated service name.
