From 8c289505b074cb02ab02bbb9ef1ede8ba30e3d9c Mon Sep 17 00:00:00 2001
From: Apoorva Kulkarni
Date: Thu, 17 Nov 2022 21:57:42 -0800
Subject: [PATCH 1/2] fix: EFS CSI driver IRSA policy update
---
 examples/stateful/main.tf | 12 ++
 .../aws-efs-csi-driver/data.tf | 40 -------
 .../aws-efs-csi-driver/locals.tf | 53 --------
 .../aws-efs-csi-driver/main.tf | 113 ++++++++++++++++--
 .../aws-efs-csi-driver/outputs.tf | 5 +-
 5 files changed, 121 insertions(+), 102 deletions(-)
 delete mode 100644 modules/kubernetes-addons/aws-efs-csi-driver/data.tf
 delete mode 100644 modules/kubernetes-addons/aws-efs-csi-driver/locals.tf
diff --git a/examples/stateful/main.tf b/examples/stateful/main.tf
index 5700eb6f30..a653d3a398 100644
--- a/examples/stateful/main.tf
+++ b/examples/stateful/main.tf
@@ -208,6 +208,10 @@ resource "kubernetes_storage_class_v1" "gp3" {
 fsType = "ext4"
 type = "gp3"
 }
+
+ depends_on = [
+ module.eks_blueprints_kubernetes_addons
+ ]
 }
 
 resource "kubernetes_storage_class_v1" "efs" {
@@ -221,4 +225,12 @@ resource "kubernetes_storage_class_v1" "efs" {
 fileSystemId = module.efs.id
 directoryPerms = "700"
 }
+
+ mount_options = [
+ "iam"
+ ]
+
+ depends_on = [
+ module.eks_blueprints_kubernetes_addons
+ ]
 }
diff --git a/modules/kubernetes-addons/aws-efs-csi-driver/data.tf b/modules/kubernetes-addons/aws-efs-csi-driver/data.tf
deleted file mode 100644
index 29261c1079..0000000000
--- a/modules/kubernetes-addons/aws-efs-csi-driver/data.tf
+++ /dev/null
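Review bot: The `mount_options = ["iam"]` added to the efs storage class changes how every volume from that class is authenticated, and nothing in the example says so, so a reader will not connect it to the elasticfilesystem:Client* actions the driver's IAM policy now needs. I would annotate it: `# "iam": mount via the CSI driver's IAM identity, so the driver role (and any file-system policy on module.efs) must allow elasticfilesystem:ClientMount/ClientWrite`. If module.efs attaches a file-system policy, confirm it grants the driver role those actions, otherwise mounts will presumably be denied once this option is on; the module is not visible from this hunk. Both kubernetes_storage_class_v1 resources begin before the hunk.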
@@ -1,40 +0,0 @@
-data "aws_iam_policy_document" "aws_efs_csi_driver" {
- statement {
- sid = ""
- effect = "Allow"
- resources = ["*"]
-
- actions = [
- "ec2:DescribeAvailabilityZones",
- "elasticfilesystem:DescribeAccessPoints",
- "elasticfilesystem:DescribeFileSystems",
- "elasticfilesystem:DescribeMountTargets"
- ]
- }
-
- statement {
- sid = ""
- effect = "Allow"
- resources = ["*"]
- actions = ["elasticfilesystem:CreateAccessPoint"]
-
- condition {
- test = "StringLike"
- variable = "aws:RequestTag/efs.csi.aws.com/cluster"
- values = ["true"]
- }
- }
-
- statement {
- sid = ""
- effect = "Allow"
- resources = ["*"]
- actions = ["elasticfilesystem:DeleteAccessPoint"]
-
- condition {
- test = "StringLike"
- variable = "aws:ResourceTag/efs.csi.aws.com/cluster"
- values = ["true"]
- }
- }
-}
diff --git a/modules/kubernetes-addons/aws-efs-csi-driver/locals.tf b/modules/kubernetes-addons/aws-efs-csi-driver/locals.tf
deleted file mode 100644
index 807a0ea39b..0000000000
--- a/modules/kubernetes-addons/aws-efs-csi-driver/locals.tf
+++ /dev/null
@@ -1,53 +0,0 @@
-locals {
- name = "aws-efs-csi-driver"
- service_account_name = "efs-csi-sa"
- namespace = "kube-system"
-
- # https://github.com/kubernetes-sigs/aws-efs-csi-driver/blob/master/charts/aws-efs-csi-driver/Chart.yaml
- default_helm_config = {
- name = local.name
- chart = local.name
- repository = "https://kubernetes-sigs.github.io/aws-efs-csi-driver/"
- version = "2.2.9"
- namespace = local.namespace
- description = "The AWS EFS CSI driver Helm chart deployment configuration"
- }
-
- helm_config = merge(
- local.default_helm_config,
- var.helm_config
- )
-
- set_values = [
- {
- name = "controller.serviceAccount.name"
- value = local.service_account_name
- },
- {
- name = "controller.serviceAccount.create"
- value = false
- },
- {
- name = "node.serviceAccount.name"
- value = local.service_account_name
- },
- {
- name = "node.serviceAccount.create"
- value = false
- }
- ]
-
- irsa_config = {
- kubernetes_namespace = local.helm_config["namespace"]
- kubernetes_service_account = local.service_account_name
- create_kubernetes_namespace = try(var.helm_config.create_namespace, false)
- create_kubernetes_service_account = true
- irsa_iam_policies = concat([aws_iam_policy.aws_efs_csi_driver.arn], var.irsa_policies)
- tags = var.addon_context.tags
- }
-
- argocd_gitops_config = {
- enable = true
- serviceAccountName = local.service_account_name
- }
-}
diff --git a/modules/kubernetes-addons/aws-efs-csi-driver/main.tf b/modules/kubernetes-addons/aws-efs-csi-driver/main.tf
index 8610e1690a..edfb68ea19 100644
--- a/modules/kubernetes-addons/aws-efs-csi-driver/main.tf
+++ b/modules/kubernetes-addons/aws-efs-csi-driver/main.tf
@@ -1,15 +1,112 @@
-#-------------------------------------------------
-# EFS CSI Driver Helm Add-on
-#-------------------------------------------------
+locals {
+ name = try(var.helm_config.name, "aws-efs-csi-driver")
+ namespace = try(var.helm_config.namespace, "kube-system")
+ service_account_name = "${local.name}-sa"
+}
+
 module "helm_addon" {
- source = "../helm-addon"
+ source = "../helm-addon"
+
 manage_via_gitops = var.manage_via_gitops
- set_values = local.set_values
- helm_config = local.helm_config
- irsa_config = local.irsa_config
- addon_context = var.addon_context
+
+ # https://github.com/kubernetes-sigs/aws-efs-csi-driver/blob/master/charts/aws-efs-csi-driver/Chart.yaml
+ helm_config = merge({
+ name = local.name
+ chart = local.name
+ repository = "https://kubernetes-sigs.github.io/aws-efs-csi-driver/"
+ version = "2.3.2"
+ namespace = local.namespace
+ description = "The AWS EFS CSI driver Helm chart deployment configuration"
+ },
+ var.helm_config
+ )
+
+ irsa_config = {
+ kubernetes_namespace = local.namespace
+ kubernetes_service_account = local.service_account_name
+ create_kubernetes_namespace = try(var.helm_config.create_namespace, false)
+ create_kubernetes_service_account = true
+ irsa_iam_policies = concat([aws_iam_policy.aws_efs_csi_driver.arn], var.irsa_policies)
+ }
+
+ set_values = [
+ {
+ name = "controller.serviceAccount.name"
+ value = local.service_account_name
+ },
+ {
+ name = "controller.serviceAccount.create"
+ value = false
+ },
+ {
+ name = "node.serviceAccount.name"
+ value = local.service_account_name
+ },
+ {
+ name = "node.serviceAccount.create"
+ value = false
+ }
+ ]
+
+ addon_context = var.addon_context
 }
+data "aws_iam_policy_document" "aws_efs_csi_driver" {
+ statement {
+ sid = ""
+ effect = "Allow"
+ resources = ["*"]
+
+ actions = [
+ "ec2:DescribeAvailabilityZones",
+ "elasticfilesystem:DescribeAccessPoints",
+ "elasticfilesystem:DescribeFileSystems",
+ "elasticfilesystem:DescribeMountTargets"
+ ]
+ }
+
+ 
statement {
+ sid = ""
+ effect = "Allow"
+ resources = ["*"]
+ actions = ["elasticfilesystem:CreateAccessPoint"]
+
+ condition {
+ test = "StringLike"
+ variable = "aws:RequestTag/efs.csi.aws.com/cluster"
+ values = ["true"]
+ }
+ }
+
+ statement {
+ sid = ""
+ effect = "Allow"
+ resources = ["*"]
+ actions = ["elasticfilesystem:DeleteAccessPoint"]
+
+ condition {
+ test = "StringLike"
+ variable = "aws:ResourceTag/efs.csi.aws.com/cluster"
+ values = ["true"]
+ }
+ }
+
+ statement {
+ actions = [
+ "elasticfilesystem:ClientRootAccess",
+ "elasticfilesystem:ClientWrite",
+ "elasticfilesystem:ClientMount",
+ ]
+ resources = ["*"]
+ condition {
+ test = "Bool"
+ variable = "elasticfilesystem:AccessedViaMountTarget"
+ values = ["true"]
+ }
+ }
+}
+
+
 resource "aws_iam_policy" "aws_efs_csi_driver" {
 name = "${var.addon_context.eks_cluster_id}-efs-csi-policy"
 description = "IAM Policy for AWS EFS CSI Driver"
diff --git a/modules/kubernetes-addons/aws-efs-csi-driver/outputs.tf b/modules/kubernetes-addons/aws-efs-csi-driver/outputs.tf
index 0776dcd7ef..4bfbd5e242 100644
--- a/modules/kubernetes-addons/aws-efs-csi-driver/outputs.tf
+++ b/modules/kubernetes-addons/aws-efs-csi-driver/outputs.tf
@@ -1,6 +1,9 @@
 output "argocd_gitops_config" {
 description = "Configuration used for managing the add-on with ArgoCD"
- value = var.manage_via_gitops ? local.argocd_gitops_config : null
+ value = var.manage_via_gitops ? {
+ enable = true
+ serviceAccountName = local.service_account_name
+ } : null
 }
 
 output "release_metadata" {
From 94e134a53bc9eb68ea0cfcc59d59fafe3a75f40d Mon Sep 17 00:00:00 2001
From: Apoorva Kulkarni
Date: Thu, 17 Nov 2022 22:06:32 -0800
Subject: [PATCH 2/2] pre-commit fixes
---
 .../kubernetes-addons/aws-efs-csi-driver/main.tf | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/modules/kubernetes-addons/aws-efs-csi-driver/main.tf b/modules/kubernetes-addons/aws-efs-csi-driver/main.tf
index edfb68ea19..7c6c60e232 100644
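Review bot: The fourth statement of data.aws_iam_policy_document.aws_efs_csi_driver grants elasticfilesystem:ClientRootAccess, ClientWrite and ClientMount on `resources = ["*"]`, so the driver role can mount, as root, any EFS file system in the account whose own file-system policy does not lock it down; the AccessedViaMountTarget condition restricts only the access path, not which file systems. Scope it to the file systems this cluster is meant to serve, for example `resources = var.<EFS_FILE_SYSTEM_ARNS>` (a new list(string) input, placeholder name), and confirm ClientRootAccess is actually required for the access-point provisioning used here before keeping it. The same statement also omits the `sid = ""` and `effect = "Allow"` lines its three sibling statements carry. Separately, the new irsa_config drops the `tags = var.addon_context.tags` that the deleted locals.tf passed, so the IRSA role and policy presumably lose their tags; add `tags = var.addon_context.tags` back unless that was intended. resource "aws_iam_policy" continues past the end of the hunk.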
--- a/modules/kubernetes-addons/aws-efs-csi-driver/main.tf
+++ b/modules/kubernetes-addons/aws-efs-csi-driver/main.tf
@@ -3,7 +3,7 @@ locals {
 namespace = try(var.helm_config.namespace, "kube-system")
 service_account_name = "${local.name}-sa"
 }
-
+
 module "helm_addon" {
 source = "../helm-addon"
@@ -11,12 +11,12 @@ module "helm_addon" {
 # https://github.com/kubernetes-sigs/aws-efs-csi-driver/blob/master/charts/aws-efs-csi-driver/Chart.yaml
 helm_config = merge({
- name = local.name
- chart = local.name
- repository = "https://kubernetes-sigs.github.io/aws-efs-csi-driver/"
- version = "2.3.2"
- namespace = local.namespace
- description = "The AWS EFS CSI driver Helm chart deployment configuration"
+ name = local.name
+ chart = local.name
+ repository = "https://kubernetes-sigs.github.io/aws-efs-csi-driver/"
+ version = "2.3.2"
+ namespace = local.namespace
+ description = "The AWS EFS CSI driver Helm chart deployment configuration"
 },
 var.helm_config
 )