Switch to irsa-ebs-csi

MaterializeInc · Oct 31, 2024 · a043304 · a043304
1 parent 6a735ba
commit a043304
Show file tree

Hide file tree

Showing 6 changed files with 16 additions and 27 deletions.
diff --git a/README.md b/README.md
@@ -60,7 +60,6 @@ The module has been tested with:
 | <a name="input_db_multi_az"></a> [db\_multi\_az](#input\_db\_multi\_az) | Enable multi-AZ deployment for RDS | `bool` | `false` | no |
 | <a name="input_enable_bucket_encryption"></a> [enable\_bucket\_encryption](#input\_enable\_bucket\_encryption) | Enable server-side encryption for the S3 bucket | `bool` | `true` | no |
 | <a name="input_enable_bucket_versioning"></a> [enable\_bucket\_versioning](#input\_enable\_bucket\_versioning) | Enable versioning for the S3 bucket | `bool` | `true` | no |
-| <a name="input_enable_cluster_encryption"></a> [enable\_cluster\_encryption](#input\_enable\_cluster\_encryption) | Enable encryption for EKS cluster secrets | `bool` | `true` | no |
 | <a name="input_enable_monitoring"></a> [enable\_monitoring](#input\_enable\_monitoring) | Enable CloudWatch monitoring | `bool` | `true` | no |
 | <a name="input_environment"></a> [environment](#input\_environment) | Environment name (e.g., prod, staging, dev) | `string` | `"dev"` | no |
 | <a name="input_metrics_retention_days"></a> [metrics\_retention\_days](#input\_metrics\_retention\_days) | Number of days to retain CloudWatch metrics | `number` | `7` | no |

diff --git a/examples/simple/main.tf b/examples/simple/main.tf
@@ -23,7 +23,6 @@ module "materialize_infrastructure" {
   node_group_desired_size   = 2
   node_group_min_size       = 1
   node_group_max_size       = 3
-  enable_cluster_encryption = true
   node_group_capacity_type  = "ON_DEMAND"
 
   # Storage Configuration

diff --git a/main.tf b/main.tf
@@ -25,7 +25,6 @@ module "eks" {
   node_group_instance_types = var.node_group_instance_types
   tags                      = var.tags
   cluster_enabled_log_types = var.cluster_enabled_log_types
-  enable_cluster_encryption = var.enable_cluster_encryption
   node_group_capacity_type  = var.node_group_capacity_type
 }
 

diff --git a/modules/eks/main.tf b/modules/eks/main.tf
@@ -5,6 +5,12 @@ module "eks" {
   cluster_name    = var.cluster_name
   cluster_version = var.cluster_version
 
+  cluster_addons = {
+    aws-ebs-csi-driver = {
+      service_account_role_arn = module.irsa-ebs-csi.iam_role_arn
+    }
+  }
+
   vpc_id     = var.vpc_id
   subnet_ids = var.private_subnet_ids
 
@@ -32,19 +38,17 @@ module "eks" {
   tags = var.tags
 }
 
-resource "aws_kms_key" "eks" {
-  count = var.enable_cluster_encryption ? 1 : 0
-
-  description             = "EKS Cluster ${var.cluster_name} Encryption Config KMS Key"
-  deletion_window_in_days = 7
-  enable_key_rotation     = true
-
-  tags = var.tags
+data "aws_iam_policy" "ebs_csi_policy" {
+  arn = "arn:aws:iam::aws:policy/service-role/AmazonEBSCSIDriverPolicy"
 }
 
-resource "aws_kms_alias" "eks" {
-  count = var.enable_cluster_encryption ? 1 : 0
+module "irsa-ebs-csi" {
+  source  = "terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc"
+  version = "5.39.0"
 
-  name          = "alias/eks-${var.cluster_name}"
-  target_key_id = aws_kms_key.eks[0].key_id
+  create_role                   = true
+  role_name                     = "AmazonEKSTFEBSCSIRole-${module.eks.cluster_name}"
+  provider_url                  = module.eks.oidc_provider
+  role_policy_arns              = [data.aws_iam_policy.ebs_csi_policy.arn]
+  oidc_fully_qualified_subjects = ["system:serviceaccount:kube-system:ebs-csi-controller-sa"]
 }
diff --git a/modules/eks/variables.tf b/modules/eks/variables.tf
@@ -38,12 +38,6 @@ variable "node_group_instance_types" {
   type        = list(string)
 }
 
-variable "enable_cluster_encryption" {
-  description = "Enable encryption for EKS cluster secrets"
-  type        = bool
-  default     = true
-}
-
 variable "cluster_enabled_log_types" {
   description = "List of desired control plane logging to enable"
   type        = list(string)

diff --git a/variables.tf b/variables.tf
@@ -95,12 +95,6 @@ variable "node_group_capacity_type" {
   default     = "ON_DEMAND"
 }
 
-variable "enable_cluster_encryption" {
-  description = "Enable encryption for EKS cluster secrets"
-  type        = bool
-  default     = true
-}
-
 variable "cluster_enabled_log_types" {
   description = "List of desired control plane logging to enable"
   type        = list(string)