diff --git a/CHANGELOG.md b/CHANGELOG.md
index 3a9a335..2deabb0 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -6,6 +6,7 @@
 - replaced terraform-aws-eks-blueprint addon efs csi driver with module `modules/k8s_eks_addons/efs-csi.tf`
 - replaced terraform-aws-eks-blueprint addon kube_proxy with module `modules/k8s_eks_addons/kube-proxy.tf`
 - replaced terraform-aws-eks-blueprint addon ebs-csi-driver with module `modules/k8s_eks_addons/ebs-csi.tf`
+- added addon aws-mountpoint-s3-csi-driver with module `modules/k8s_eks_addons/s3-csi.tf`
 ## v0.2.0
diff --git a/README.md b/README.md
index 274f102..aa12f6f 100644
--- a/README.md
+++ b/README.md
@@ -591,6 +591,7 @@ Encryption is enabled at all AWS resources that are created by Terraform:
 | [private\_subnet\_ids](#input\_private\_subnet\_ids) | List of IDs for the private subnets. | `list(any)` | `[]` | no |
 | [public\_subnet\_ids](#input\_public\_subnet\_ids) | List of IDs for the public subnets. | `list(any)` | `[]` | no |
 | [rtMaps\_link](#input\_rtMaps\_link) | Download link for RTMaps license server. | `string` | `"http://dl.intempora.com/RTMaps4/rtmaps_4.9.0_ubuntu1804_x86_64_release.tar.bz2"` | no |
+| [s3\_csi\_config](#input\_s3\_csi\_config) | Input configuration for AWS EKS add-on aws-mountpoint-s3-csi-driver. By setting key 'enable' to 'true', aws-mountpoint-s3-csi-driver add-on is deployed. Key 'configuration\_values' is used to change add-on configuration. Its content should follow add-on configuration schema (see https://aws.amazon.com/blogs/containers/amazon-eks-add-ons-advanced-configuration/). |
object({
enable = optional(bool, false)
configuration_values = optional(string, <<-YAML
node:
tolerateAllTaints: true
YAML
)
})
|
{
"enable": false
}
| no | | [scan\_schedule](#input\_scan\_schedule) | 6-field Cron expression describing the scan maintenance schedule. Must not overlap with variable install\_schedule. | `string` | `"cron(0 0 * * ? *)"` | no | | [simpheraInstances](#input\_simpheraInstances) | A list containing the individual SIMPHERA instances, such as 'staging' and 'production'. |
map(object({
name = string
postgresqlApplyImmediately = bool
postgresqlVersion = string
postgresqlStorage = number
postgresqlMaxStorage = number
db_instance_type_simphera = string
enable_keycloak = bool
postgresqlStorageKeycloak = number
postgresqlMaxStorageKeycloak = number
db_instance_type_keycloak = string
k8s_namespace = string
secretname = string
enable_backup_service = bool
backup_retention = number
enable_deletion_protection = bool

}))
|
{
"production": {
"backup_retention": 35,
"db_instance_type_keycloak": "db.t4g.large",
"db_instance_type_simphera": "db.t4g.large",
"enable_backup_service": true,
"enable_deletion_protection": true,
"enable_keycloak": true,
"k8s_namespace": "simphera",
"name": "production",
"postgresqlApplyImmediately": false,
"postgresqlMaxStorage": 100,
"postgresqlMaxStorageKeycloak": 100,
"postgresqlStorage": 20,
"postgresqlStorageKeycloak": 20,
"postgresqlVersion": "16",
"secretname": "aws-simphera-dev-production"
}
}
| no |
 | [tags](#input\_tags) | The tags to be added to all resources. | `map(any)` | `{}` | no |
diff --git a/k8s-eks-addons.tf b/k8s-eks-addons.tf
index ce789c0..71e0c43 100644
--- a/k8s-eks-addons.tf
+++ b/k8s-eks-addons.tf
@@ -4,6 +4,7 @@ module "k8s_eks_addons" {
 ingress_nginx_config = merge(var.ingress_nginx_config, { subnets_ids = local.public_subnets })
 cluster_autoscaler_config = var.cluster_autoscaler_config
 coredns_config = var.coredns_config
+ s3_csi_config = var.s3_csi_config
 addon_context = {
 aws_caller_identity_account_id = data.aws_caller_identity.current.account_id
diff --git a/modules/k8s_eks_addons/s3-csi.tf b/modules/k8s_eks_addons/s3-csi.tf
new file mode 100644
index 0000000..f19f7ce
--- /dev/null
+++ b/modules/k8s_eks_addons/s3-csi.tf
@@ -0,0 +1,96 @@
+locals {
+ aws_s3_csi_addon_name = "aws-mountpoint-s3-csi-driver"
+ aws_s3_csi_namespace = "kube-system"
+ aws_s3_csi_service_account = "s3-csi-driver-sa"
+}
+
+data "aws_eks_addon_version" "aws-mountpoint-s3-csi-driver" {
+ count = var.s3_csi_config.enable ? 1 : 0
+ addon_name = local.aws_s3_csi_addon_name
+ kubernetes_version = var.addon_context.eks_cluster_version
+}
+
+resource "aws_eks_addon" "aws-mountpoint-s3-csi-driver" {
+ count = var.s3_csi_config.enable ? 1 : 0
+ cluster_name = var.addon_context.eks_cluster_id
+ addon_name = local.aws_s3_csi_addon_name
+ addon_version = data.aws_eks_addon_version.aws-mountpoint-s3-csi-driver[0].version
+ service_account_role_arn = aws_iam_role.s3_csi_driver_role[0].arn
+ preserve = true
+ resolve_conflicts_on_create = "OVERWRITE"
+ resolve_conflicts_on_update = "OVERWRITE"
+ configuration_values = var.coredns_config.configuration_values
+ tags = var.addon_context.tags
+}
+
+resource "aws_iam_role" "s3_csi_driver_role" {
+ count = var.s3_csi_config.enable ? 1 : 0
+ name = format("%s-%s-%s", var.addon_context.eks_cluster_id, trimsuffix(local.aws_s3_csi_service_account, "-sa"), "irsa")
+ description = "AWS IAM Role for the Kubernetes service account ${local.aws_s3_csi_service_account}."
+
+ assume_role_policy = jsonencode({
+ "Version" : "2012-10-17",
+ "Statement" : [
+ {
+ "Effect" : "Allow",
+ "Principal" : {
+ "Federated" : "arn:${var.addon_context.aws_partition_id}:iam::${var.addon_context.aws_caller_identity_account_id}:oidc-provider/${var.addon_context.eks_oidc_issuer_url}"
+ },
+ "Action" : "sts:AssumeRoleWithWebIdentity",
+ "Condition" : {
+ "StringLike" : {
+ "${var.addon_context.eks_oidc_issuer_url}:sub" : "system:serviceaccount:${local.aws_s3_csi_namespace}:${local.aws_s3_csi_service_account}",
+ "${var.addon_context.eks_oidc_issuer_url}:aud" : "sts.amazonaws.com"
+ }
+ }
+ }
+ ]
+ })
+
+ force_detach_policies = true
+
+ tags = var.addon_context.tags
+}
+
+resource "aws_iam_policy" "Amazons3CSIDriverPolicy" {
+ count = var.s3_csi_config.enable ? 1 : 0
+ name = "Amazons3CSIDriverPolicy"
+ description = "Amazons3CSIDriverPolicy"
+
+ policy = jsonencode({
+ "Version" : "2012-10-17",
+ "Statement" : [
+ {
+ "Sid" : "MountpointFullBucketAccess",
+ "Effect" : "Allow",
+ "Action" : [
+ "s3:ListBucket"
+ ],
+ "Resource" : [
+ "arn:aws:s3:::*"
+ ]
+ },
+ {
+ "Sid" : "MountpointFullObjectAccess",
+ "Effect" : "Allow",
+ "Action" : [
+ "s3:GetObject",
+ "s3:PutObject",
+ "s3:AbortMultipartUpload",
+ "s3:DeleteObject"
+ ],
+ "Resource" : [
+ "arn:aws:s3:::*"
+ ]
+ }
+ ]
+ })
+}
+
+resource "aws_iam_role_policy_attachment" "s3_csi_driver_policy_attachment" {
+ count = var.s3_csi_config.enable ? 1 : 0
+ policy_arn = aws_iam_policy.Amazons3CSIDriverPolicy[0].arn
+ role = aws_iam_role.s3_csi_driver_role[0].name
+
+ depends_on = [aws_iam_policy.Amazons3CSIDriverPolicy]
+}
diff --git a/modules/k8s_eks_addons/variables.tf b/modules/k8s_eks_addons/variables.tf
index 29c3070..03a06ad 100644
--- a/modules/k8s_eks_addons/variables.tf
+++ b/modules/k8s_eks_addons/variables.tf
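Review bot: `configuration_values = var.coredns_config.configuration_values` in the `aws_eks_addon` resource feeds the CoreDNS add-on's configuration into the S3 CSI add-on instead of `var.s3_csi_config.configuration_values`, so the `tolerateAllTaints` default carried by the root `s3_csi_config` variable is silently dropped and a non-null CoreDNS config would likely be rejected by this add-on's schema; the line should read `configuration_values = var.s3_csi_config.configuration_values`. `Amazons3CSIDriverPolicy` allows `s3:ListBucket`, `s3:GetObject`, `s3:PutObject`, `s3:AbortMultipartUpload` and `s3:DeleteObject` on `arn:aws:s3:::*`, which is read, write and delete on every bucket in the account for the driver's service account; least privilege would scope both `Resource` entries to the buckets meant to be mounted (for example a bucket ARN list carried in `s3_csi_config`), and the ARN should use `${var.addon_context.aws_partition_id}` as the role's trust policy already does rather than a hard-coded `aws`. The policy `name` is the fixed string `"Amazons3CSIDriverPolicy"` without the cluster prefix the role builds via `format("%s-%s-%s", var.addon_context.eks_cluster_id, ...)`, so a second cluster in the same account would collide on the account-unique policy name, and the policy is created without `tags = var.addon_context.tags` unlike the role and add-on. The `depends_on` in the attachment is redundant since `policy_arn` already references the policy.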
@@ -31,3 +31,11 @@ variable "coredns_config" {
 })
 description = "Input configuration for AWS EKS add-on coredns."
 }
+
+variable "s3_csi_config" {
+ type = object({
+ enable = optional(bool, false)
+ configuration_values = optional(string, null)
+ })
+ description = "Input configuration for AWS EKS add-on aws-mountpoint-s3-csi-driver."
+}
diff --git a/terraform.json.example b/terraform.json.example
index 9807987..e75a25e 100644
--- a/terraform.json.example
+++ b/terraform.json.example
@@ -65,6 +65,9 @@
 "private_subnet_ids": [],
 "public_subnet_ids": [],
 "rtMaps_link": "http://dl.intempora.com/RTMaps4/rtmaps_4.9.0_ubuntu1804_x86_64_release.tar.bz2",
+ "s3_csi_config": {
+ "enable": false
+ },
 "scan_schedule": "cron(0 0 * * ? *)",
 "simpheraInstances": {
 "production": {
diff --git a/terraform.tfvars.example b/terraform.tfvars.example
index 7bd956a..af2105a 100644
--- a/terraform.tfvars.example
+++ b/terraform.tfvars.example
@@ -161,6 +161,14 @@ public_subnet_ids = []
 # Download link for RTMaps license server.
 rtMaps_link = "http://dl.intempora.com/RTMaps4/rtmaps_4.9.0_ubuntu1804_x86_64_release.tar.bz2"
+# Input configuration for AWS EKS add-on aws-mountpoint-s3-csi-driver.
+# By setting key 'enable' to 'true', aws-mountpoint-s3-csi-driver add-on is deployed.
+# Key 'configuration_values' is used to change add-on configuration.
+# Its content should follow add-on configuration schema (see https://aws.amazon.com/blogs/containers/amazon-eks-add-ons-advanced-configuration/).
+s3_csi_config = {
+ "enable": false
+}
+
 # 6-field Cron expression describing the scan maintenance schedule. Must not overlap with variable install_schedule.
 scan_schedule = "cron(0 0 * * ? *)"
diff --git a/variables.tf b/variables.tf
index 6497bb2..a52f14b 100644
--- a/variables.tf
+++ b/variables.tf
@@ -350,3 +350,18 @@ variable "coredns_config" {
 enable = true
 }
 }
+
+variable "s3_csi_config" {
+ type = object({
+ enable = optional(bool, false)
+ configuration_values = optional(string, <<-YAML
+node:
+ tolerateAllTaints: true
+YAML
+ )
+ })
+ description = "Input configuration for AWS EKS add-on aws-mountpoint-s3-csi-driver. By setting key 'enable' to 'true', aws-mountpoint-s3-csi-driver add-on is deployed. Key 'configuration_values' is used to change add-on configuration. Its content should follow add-on configuration schema (see https://aws.amazon.com/blogs/containers/amazon-eks-add-ons-advanced-configuration/)."
+ default = {
+ enable = false
+ }
+}