인프라 이것 저것 갱신 (#2838)

Author: devunt

.vscode/settings.json

@@ -14,5 +14,6 @@
   "svelte.enable-ts-plugin": true,
   "svelte.plugin.svelte.defaultScriptLanguage": "ts",
   "typescript.tsdk": "node_modules/typescript/lib",
-  "typescript.enablePromptUseWorkspaceTsdk": true
+  "typescript.enablePromptUseWorkspaceTsdk": true,
+  "workbench.activityBar.orientation": "vertical"
 }

apps/bedrock/pulumi/aws/iam.ts

@@ -87,6 +87,7 @@ const datadogIntegration = new aws.iam.Role('integration@datadog', {
   assumeRolePolicy: aws.iam.assumeRolePolicyForPrincipal({
     AWS: '417141415827',
   }),
+  managedPolicyArns: [aws.iam.ManagedPolicy.SecurityAudit],
 });
 
 new aws.iam.RolePolicy('integration@datadog', {
@@ -116,6 +117,8 @@ new aws.iam.RolePolicy('integration@datadog', {
           'dynamodb:List*',
           'dynamodb:Describe*',
           'ec2:Describe*',
+          'ec2:GetTransitGatewayPrefixListReferences',
+          'ec2:SearchTransitGatewayRoutes',
           'ecs:Describe*',
           'ecs:List*',
           'elasticache:Describe*',
@@ -129,12 +132,12 @@ new aws.iam.RolePolicy('integration@datadog', {
           'es:ListTags',
           'es:ListDomainNames',
           'es:DescribeElasticsearchDomains',
-          'events:CreateEventBus',
           'fsx:DescribeFileSystems',
           'fsx:ListTagsForResource',
           'health:DescribeEvents',
           'health:DescribeEventDetails',
           'health:DescribeAffectedEntities',
+          'iam:ListAccountAliases',
           'kinesis:List*',
           'kinesis:Describe*',
           'lambda:GetPolicy',
@@ -148,6 +151,8 @@ new aws.iam.RolePolicy('integration@datadog', {
           'logs:TestMetricFilter',
           'organizations:Describe*',
           'organizations:List*',
+          'pi:GetResourceMetrics',
+          'pi:DescribeDimensionKeys',
           'rds:Describe*',
           'rds:List*',
           'redshift:DescribeClusters',
@@ -169,6 +174,8 @@ new aws.iam.RolePolicy('integration@datadog', {
           's3:ListAllMyBuckets',
           's3:ListBucket',
           's3:PutBucketNotification',
+          'servicequotas:ListServiceQuotas',
+          'servicequotas:GetServiceQuota',
           'ses:Get*',
           'sns:List*',
           'sns:Publish',
@@ -177,6 +184,8 @@ new aws.iam.RolePolicy('integration@datadog', {
           'states:DescribeStateMachine',
           'support:DescribeTrustedAdvisor*',
           'support:RefreshTrustedAdvisorCheck',
+          'synthetics:DescribeCanaries',
+          'synthetics:GetCanaryRuns',
           'tag:GetResources',
           'tag:GetTagKeys',
           'tag:GetTagValues',
@@ -186,6 +195,43 @@ new aws.iam.RolePolicy('integration@datadog', {
         Effect: 'Allow',
         Resource: '*',
       },
+      {
+        Action: [
+          'application-autoscaling:DescribeScalingActivities',
+          'application-autoscaling:DescribeScalingPolicies',
+          'athena:ListWorkGroups',
+          'backup:ListRecoveryPointsByBackupVault',
+          'bcm-data-exports:GetExport',
+          'bcm-data-exports:ListExports',
+          'cassandra:Select',
+          'cur:DescribeReportDefinitions',
+          'ec2:GetSnapshotBlockPublicAccessState',
+          'glacier:GetVaultNotifications',
+          'glue:ListRegistries',
+          'iam:GenerateCredentialReport',
+          'iam:GetAccountAuthorizationDetails',
+          'iam:GetAccountSummary',
+          'iam:GetPolicyVersion',
+          'iam:ListVirtualMFADevices',
+          'kafka:ListClustersV2',
+          'lightsail:GetInstancePortStates',
+          's3:ListAccessGrants',
+          'savingsplans:DescribeSavingsPlanRates',
+          'savingsplans:DescribeSavingsPlans',
+          'sqs:getqueueattributes',
+          'timestream:DescribeEndpoints',
+          'timestream:ListTables',
+          'waf-regional:ListRuleGroups',
+          'waf-regional:ListRules',
+          'waf:ListRuleGroups',
+          'waf:ListRules',
+          'wafv2:GetIPSet',
+          'wafv2:GetRegexPatternSet',
+          'wafv2:GetRuleGroup',
+        ],
+        Effect: 'Allow',
+        Resource: '*',
+      },
     ],
   },
 });

apps/bedrock/pulumi/aws/rds.ts

@@ -57,7 +57,7 @@ const instance = new aws.rds.ClusterInstance('penxle-1', {
   identifier: 'penxle-1',
 
   engine: 'aurora-postgresql',
-  instanceClass: 'db.t4g.medium',
+  instanceClass: 'db.r7g.large',
 
   availabilityZone: subnets.private.az1.availabilityZone,
   caCertIdentifier: 'rds-ca-rsa2048-g1',

apps/bedrock/pulumi/k8s/infra/tailscale.ts

@@ -247,6 +247,7 @@ new k8s.apiextensions.CustomResource('default', {
           { key: 'karpenter.sh/capacity-type', operator: 'In', values: ['spot'] },
           { key: 'karpenter.k8s.aws/instance-category', operator: 'In', values: ['c', 'm', 'r'] },
           { key: 'karpenter.k8s.aws/instance-generation', operator: 'Gt', values: ['5'] },
+          { key: 'topology.kubernetes.io/zone', operator: 'In', values: ['ap-northeast-2a'] },
         ],
       },
     },

apps/bedrock/pulumi/k8s/kube-system/karpenter.ts

@@ -47,27 +47,9 @@ new k8s.apiextensions.CustomResource('datadog', {
     },
 
     features: {
-      apm: {
-        enabled: true,
-      },
-
       clusterChecks: {
         useClusterChecksRunners: true,
       },
-
-      prometheusScrape: {
-        enabled: true,
-      },
-
-      otlp: {
-        receiver: {
-          protocols: {
-            grpc: {
-              enabled: true,
-            },
-          },
-        },
-      },
     },
   },
 });

apps/bedrock/pulumi/k8s/monitoring/datadog.ts

@@ -115,6 +115,7 @@
     "vbank",
     "vcpu",
     "vite",
+    "wafv2",
     "wonka",
     "xlarge",
     "xvda",