From 249d1ef3f34a3b5082f9b5e2f8648d8ff5cb326b Mon Sep 17 00:00:00 2001
From: Chris Banks
Date: Tue, 31 Oct 2023 14:47:19 +0000
Subject: [PATCH] Fix permissions for filebeat (log sender daemonset).

Recent versions of filebeat require get/list/watch on jobs.batch API resources, and it fails in an ugly way if it lacks that permission: it fails to label anything at all, not just stuff that comes from Jobs.
---
 .../deployments/cluster-services/logging.tf | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

diff --git a/terraform/deployments/cluster-services/logging.tf b/terraform/deployments/cluster-services/logging.tf
index 3ecbf3b82..086bb687f 100644
--- a/terraform/deployments/cluster-services/logging.tf
+++ b/terraform/deployments/cluster-services/logging.tf
@@ -18,6 +18,23 @@ resource "helm_release" "filebeat" {
 "filebeat.yml" = yamlencode(yamldecode(file("${path.module}/filebeat.yml")))
 }
 imageTag = "8.10.4" # TODO: Dependabot or equivalent so this doesn't get neglected.
+ clusterRoleRules = [
+ {
+ apiGroups = [""]
+ resources = ["namespaces", "nodes", "pods"]
+ verbs = ["get", "list", "watch"]
+ },
+ {
+ apiGroups = ["apps"]
+ resources = ["replicasets"]
+ verbs = ["get", "list", "watch"]
+ },
+ {
+ apiGroups = ["batch"]
+ resources = ["jobs"]
+ verbs = ["get", "list", "watch"]
+ }
+ ]
 extraEnvs = [
 {
 name = "LOGSTASH_HOST"
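Review bot: The reason the `batch`/`jobs` rule exists lives only in the commit message, so the next person trimming this ClusterRole has nothing in the file telling them it is load-bearing; add a comment above that entry such as `# Required by filebeat's Kubernetes metadata enrichment: without read access to jobs.batch it stops enriching all events, not only those from Jobs.` Setting `clusterRoleRules` here presumably replaces the chart's default rule set rather than merging with it, so a one-line comment at the top of the list stating that this block is now the full set of cluster permissions granted to the DaemonSet would help reviewers audit it as such. The verbs are read-only and the resources are limited to workload metadata, which is the appropriate scope for a cluster-wide log shipper; any future addition beyond `get`/`list`/`watch` should be treated as a privilege change, not a config tweak. The `helm_release` resource block begins before this hunk and continues after it.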