Implement EFS CSI driver in a separated file outside of blueprints

CHANGELOG.md

@@ -1,7 +1,9 @@
 ## v0.3.0
+
 - replaced terraform-aws-eks-blueprint addon ingress-nginx with module `modules/k8s_eks_addons/ingress-nginx.tf`
 - replaced terraform-aws-eks-blueprint addon cluster-autoscaler with module `modules/k8s_eks_addons/cluster-autoscaler.tf`
 - replaced terraform-aws-eks-blueprint addon coredns with module `modules/k8s_eks_addons/coredns.tf`
+- replaced terraform-aws-eks-blueprint addon efs csi driver with module `modules/k8s_eks_addons/efs-csi.tf`
 - replaced terraform-aws-eks-blueprint addon kube_proxy with module `modules/k8s_eks_addons/kube-proxy.tf`
 - replaced terraform-aws-eks-blueprint addon ebs-csi-driver with module `modules/k8s_eks_addons/ebs-csi.tf`
 

MAINTENANCE.md

@@ -4,7 +4,8 @@ This procedure explains how to migrate AWS RDS databases, deployed with referenc
 private subnets already deployed with VPC. This only applies to already existing deployments, new deployments are not affected.
 The change was introduced with v0.2.0 of SIMPHERA AWS reference architecture.
 
-## Steps:
+## Steps
+
 1. Check your existing deployment and make sure everything works etc.
 2. Delete "keycloak" and "simphera" databases, making sure that final snapshot is created. When deleting the databases via the AWS Management Console, the option to create a final snapshot is selected by default.
 3. After DBs are deleted, update DB subnet group, remove DB specific subnets and add VPC private subnets
@@ -30,6 +31,7 @@ Important: During credentials rotation, SIMPHERA will not be available for a sho
 # Updating CA certificate
 
 ## Updating by using AWS CLI
+
 To use the AWS CLI to change the CA from rds-ca-2019 to rds-ca-rsa2048-g1 for a DB instancer, call the modify-db-instance command. Specify the DB instance identifier and the --ca-certificate-identifier option along with the AWS profile and its region.
 
 ```
@@ -50,11 +52,13 @@ To update your CA certificate by applying maintenance:
 4. You are prompted to confirm the CA certificate rotation. Pick rds-ca-rsa2048-g1 and click Schedule/Confirm.
 
 # Migrate ingress-nginx addon to the module
+
 To migrate from terraform-aws-eks-blueprint addon ingress-nginx to custom module `modules/k8s_eks_addons/ingress-nginx.tf` follow steps:
 
 1. Enable ingress-nginx in terraform.tfvars
 2. create 'move.tf' in repository root
 3. Add following code:
+
 ```
 moved {
   from = module.eks-addons.module.ingress_nginx[0].module.helm_addon.helm_release.helm_addon[0]
@@ -65,17 +69,22 @@ moved {
   to   = module.k8s_eks_addons.kubernetes_namespace_v1.ingress_nginx[0]
 }
 ```
+
 4. Run command:
+
 ```
 terraform apply
 ```
+
 5. Remove `move.tf` file
 
 # Migrate cluster-autoscaler addon to the module
+
 To migrate from terraform-aws-eks-blueprint addon cluster-autoscaler to custom module `modules/k8s_eks_addons/cluster-autoscaler.tf` follow steps:
 
 1. create 'move.tf' in repository root
 2. Add following code:
+
 ```
 moved {
   from = module.eks-addons.module.cluster_autoscaler[0].data.aws_iam_policy_document.cluster_autoscaler
@@ -102,17 +111,22 @@ moved {
   to   = module.k8s_eks_addons.kubernetes_service_account_v1.cluster_autoscaler[0]
 }
 ```
+
 3. Run command:
+
 ```
 terraform apply
 ```
+
 4. Remove `move.tf` file
 
 # Migrate coredns addon to the module
-To migrate from terraform-aws-eks-blueprint addon cluster-autoscaler to custom module `modules/k8s_eks_addons/coredns.tf` follow steps:
+
+To migrate from terraform-aws-eks-blueprint addon coredns to custom module `modules/k8s_eks_addons/coredns.tf` follow steps:
 
 1. create 'move.tf' in repository root
 2. Add following code:
+
 ```
 moved {
   from = module.eks-addons.module.aws_coredns[0].data.aws_eks_addon_version.this
@@ -123,10 +137,39 @@ moved {
   to   = module.k8s_eks_addons.aws_eks_addon.coredns[0]
 }
 ```
+
 3. Run command:
+
 ```
 terraform apply
 ```
+
+4. Remove `move.tf` file
+
+# Migrate efs csi driver addon to the module
+
+To migrate from terraform-aws-eks-blueprint addon efs csi driver to custom module `modules/k8s_eks_addons/efs-csi.tf` follow steps:
+
+1. create 'move.tf' in repository root
+2. Add following code:
+
+```
+moved {
+  from = module.eks-addons.module.aws_efs_csi_driver[0].data.aws_eks_addon_version.this
+  to   = module.k8s_eks_addons.data.aws_eks_addon_version.aws_efs_csi_driver[0]
+}
+moved {
+  from = module.eks-addons.module.aws_efs_csi_driver[0].aws_eks_addon.aws_efs_csi_driver[0]
+  to   = module.k8s_eks_addons.aws_eks_addon.aws_efs_csi_driver[0]
+}
+```
+
+3. Run command:
+
+```
+terraform apply
+```
+
 4. Remove `move.tf` file
 
 # Migrate kube_proxy addon to the module

k8s.tf

@@ -19,10 +19,10 @@ module "eks-addons" {
   source                              = "git::https://github.com/aws-ia/terraform-aws-eks-blueprints.git//modules/kubernetes-addons?ref=v4.32.1"
   eks_cluster_id                      = module.eks.eks_cluster_id
   enable_amazon_eks_vpc_cni           = true
-  enable_aws_efs_csi_driver           = true
   enable_aws_load_balancer_controller = false
   enable_aws_for_fluentbit            = var.enable_aws_for_fluentbit
   tags                                = var.tags
+
   aws_for_fluentbit_helm_config = {
     values = [templatefile("${path.module}/templates/fluentbit_values.yaml", {
       aws_region           = data.aws_region.current.name,

modules/k8s_eks_addons/coredns.tf

@@ -18,5 +18,4 @@ resource "aws_eks_addon" "coredns" {
   resolve_conflicts_on_update = "OVERWRITE"
   configuration_values        = var.coredns_config.configuration_values
   tags                        = var.addon_context.tags
-
 }

modules/k8s_eks_addons/efs-csi.tf

@@ -0,0 +1,54 @@
+locals {
+  aws_efs_csi_addon_name      = "aws-efs-csi-driver"
+  aws_efs_csi_namespace       = "kube-system"
+  aws_efs_csi_service_account = "efs-csi-controller-sa"
+}
+
+data "aws_eks_addon_version" "aws_efs_csi_driver" {
+  addon_name         = local.aws_efs_csi_addon_name
+  kubernetes_version = var.addon_context.eks_cluster_version
+}
+
+resource "aws_eks_addon" "aws_efs_csi_driver" {
+  cluster_name                = var.addon_context.eks_cluster_id
+  addon_name                  = local.aws_efs_csi_addon_name
+  addon_version               = data.aws_eks_addon_version.aws_efs_csi_driver.version
+  service_account_role_arn    = aws_iam_role.efs_csi_driver_role.arn
+  preserve                    = true
+  resolve_conflicts_on_create = "OVERWRITE"
+  resolve_conflicts_on_update = "OVERWRITE"
+  tags                        = var.addon_context.tags
+}
+
+resource "aws_iam_role" "efs_csi_driver_role" {
+  name        = format("%s-%s-%s", var.addon_context.eks_cluster_id, trimsuffix(local.aws_efs_csi_service_account, "-sa"), "irsa")
+  description = "AWS IAM Role for the Kubernetes service account ${local.aws_efs_csi_service_account}."
+
+  assume_role_policy = jsonencode({
+    "Version" : "2012-10-17",
+    "Statement" : [
+      {
+        "Effect" : "Allow",
+        "Principal" : {
+          "Federated" : "arn:${var.addon_context.aws_partition_id}:iam::${var.addon_context.aws_caller_identity_account_id}:oidc-provider/${var.addon_context.eks_oidc_issuer_url}"
+        },
+        "Action" : "sts:AssumeRoleWithWebIdentity",
+        "Condition" : {
+          "StringLike" : {
+            "${var.addon_context.eks_oidc_issuer_url}:sub" : "system:serviceaccount:${local.aws_efs_csi_namespace}:${local.aws_efs_csi_service_account}",
+            "${var.addon_context.eks_oidc_issuer_url}:aud" : "sts.amazonaws.com"
+          }
+        }
+      }
+    ]
+  })
+
+  force_detach_policies = true
+
+  tags = var.addon_context.tags
+}
+
+resource "aws_iam_role_policy_attachment" "efs_csi_driver_policy_attachment" {
+  policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonEFSCSIDriverPolicy"
+  role       = aws_iam_role.efs_csi_driver_role.name
+}

storages.tf

@@ -63,6 +63,6 @@ resource "kubernetes_storage_class_v1" "efs" {
   ]
 
   depends_on = [
-    module.eks-addons
+    module.k8s_eks_addons
   ]
 }