Add s3 mountpoint addon

README.md

@@ -591,6 +591,7 @@ Encryption is enabled at all AWS resources that are created by Terraform:
 | <a name="input_private_subnet_ids"></a> [private\_subnet\_ids](#input\_private\_subnet\_ids) | List of IDs for the private subnets. | `list(any)` | `[]` | no |
 | <a name="input_public_subnet_ids"></a> [public\_subnet\_ids](#input\_public\_subnet\_ids) | List of IDs for the public subnets. | `list(any)` | `[]` | no |
 | <a name="input_rtMaps_link"></a> [rtMaps\_link](#input\_rtMaps\_link) | Download link for RTMaps license server. | `string` | `"http://dl.intempora.com/RTMaps4/rtmaps_4.9.0_ubuntu1804_x86_64_release.tar.bz2"` | no |
+| <a name="input_s3_csi_config"></a> [s3\_csi\_config](#input\_s3\_csi\_config) | Input configuration for AWS EKS add-on aws-mountpoint-s3-csi-driver. By setting key 'enable' to 'true', aws-mountpoint-s3-csi-driver add-on is deployed. Key 'configuration\_values' is used to change add-on configuration. Its content should follow add-on configuration schema (see https://aws.amazon.com/blogs/containers/amazon-eks-add-ons-advanced-configuration/). | <pre>object({<br>    enable = optional(bool, false)<br>    configuration_values = optional(string, <<-YAML<br>node:<br>    tolerateAllTaints: true<br>YAML<br>    )<br>  })</pre> | <pre>{<br>  "enable": false<br>}</pre> | no |
 | <a name="input_scan_schedule"></a> [scan\_schedule](#input\_scan\_schedule) | 6-field Cron expression describing the scan maintenance schedule. Must not overlap with variable install\_schedule. | `string` | `"cron(0 0 * * ? *)"` | no |
 | <a name="input_simpheraInstances"></a> [simpheraInstances](#input\_simpheraInstances) | A list containing the individual SIMPHERA instances, such as 'staging' and 'production'. | <pre>map(object({<br>    name                         = string<br>    postgresqlApplyImmediately   = bool<br>    postgresqlVersion            = string<br>    postgresqlStorage            = number<br>    postgresqlMaxStorage         = number<br>    db_instance_type_simphera    = string<br>    enable_keycloak              = bool<br>    postgresqlStorageKeycloak    = number<br>    postgresqlMaxStorageKeycloak = number<br>    db_instance_type_keycloak    = string<br>    k8s_namespace                = string<br>    secretname                   = string<br>    enable_backup_service        = bool<br>    backup_retention             = number<br>    enable_deletion_protection   = bool<br><br>  }))</pre> | <pre>{<br>  "production": {<br>    "backup_retention": 35,<br>    "db_instance_type_keycloak": "db.t4g.large",<br>    "db_instance_type_simphera": "db.t4g.large",<br>    "enable_backup_service": true,<br>    "enable_deletion_protection": true,<br>    "enable_keycloak": true,<br>    "k8s_namespace": "simphera",<br>    "name": "production",<br>    "postgresqlApplyImmediately": false,<br>    "postgresqlMaxStorage": 100,<br>    "postgresqlMaxStorageKeycloak": 100,<br>    "postgresqlStorage": 20,<br>    "postgresqlStorageKeycloak": 20,<br>    "postgresqlVersion": "16",<br>    "secretname": "aws-simphera-dev-production"<br>  }<br>}</pre> | no |
 | <a name="input_tags"></a> [tags](#input\_tags) | The tags to be added to all resources. | `map(any)` | `{}` | no |

k8s-eks-addons.tf

@@ -4,6 +4,7 @@ module "k8s_eks_addons" {
   ingress_nginx_config      = merge(var.ingress_nginx_config, { subnets_ids = local.public_subnets })
   cluster_autoscaler_config = var.cluster_autoscaler_config
   coredns_config            = var.coredns_config
+  s3_csi_config             = var.s3_csi_config
 
   addon_context = {
     aws_caller_identity_account_id = data.aws_caller_identity.current.account_id

modules/k8s_eks_addons/s3-csi.tf

@@ -0,0 +1,96 @@
+locals {
+  aws_s3_csi_addon_name      = "aws-mountpoint-s3-csi-driver"
+  aws_s3_csi_namespace       = "kube-system"
+  aws_s3_csi_service_account = "s3-csi-driver-sa"
+}
+
+data "aws_eks_addon_version" "aws-mountpoint-s3-csi-driver" {
+  count              = var.s3_csi_config.enable ? 1 : 0
+  addon_name         = local.aws_s3_csi_addon_name
+  kubernetes_version = var.addon_context.eks_cluster_version
+}
+
+resource "aws_eks_addon" "aws-mountpoint-s3-csi-driver" {
+  count                       = var.s3_csi_config.enable ? 1 : 0
+  cluster_name                = var.addon_context.eks_cluster_id
+  addon_name                  = local.aws_s3_csi_addon_name
+  addon_version               = data.aws_eks_addon_version.aws-mountpoint-s3-csi-driver[0].version
+  service_account_role_arn    = aws_iam_role.s3_csi_driver_role[0].arn
+  preserve                    = true
+  resolve_conflicts_on_create = "OVERWRITE"
+  resolve_conflicts_on_update = "OVERWRITE"
+  configuration_values        = var.coredns_config.configuration_values
+  tags                        = var.addon_context.tags
+}
+
+resource "aws_iam_role" "s3_csi_driver_role" {
+  count       = var.s3_csi_config.enable ? 1 : 0
+  name        = format("%s-%s-%s", var.addon_context.eks_cluster_id, trimsuffix(local.aws_s3_csi_service_account, "-sa"), "irsa")
+  description = "AWS IAM Role for the Kubernetes service account ${local.aws_s3_csi_service_account}."
+
+  assume_role_policy = jsonencode({
+    "Version" : "2012-10-17",
+    "Statement" : [
+      {
+        "Effect" : "Allow",
+        "Principal" : {
+          "Federated" : "arn:${var.addon_context.aws_partition_id}:iam::${var.addon_context.aws_caller_identity_account_id}:oidc-provider/${var.addon_context.eks_oidc_issuer_url}"
+        },
+        "Action" : "sts:AssumeRoleWithWebIdentity",
+        "Condition" : {
+          "StringLike" : {
+            "${var.addon_context.eks_oidc_issuer_url}:sub" : "system:serviceaccount:${local.aws_s3_csi_namespace}:${local.aws_s3_csi_service_account}",
+            "${var.addon_context.eks_oidc_issuer_url}:aud" : "sts.amazonaws.com"
+          }
+        }
+      }
+    ]
+  })
+
+  force_detach_policies = true
+
+  tags = var.addon_context.tags
+}
+
+resource "aws_iam_policy" "Amazons3CSIDriverPolicy" {
+  count       = var.s3_csi_config.enable ? 1 : 0
+  name        = "Amazons3CSIDriverPolicy"
+  description = "Amazons3CSIDriverPolicy"
+
+  policy = jsonencode({
+    "Version" : "2012-10-17",
+    "Statement" : [
+      {
+        "Sid" : "MountpointFullBucketAccess",
+        "Effect" : "Allow",
+        "Action" : [
+          "s3:ListBucket"
+        ],
+        "Resource" : [
+          "arn:aws:s3:::*"
+        ]
+      },
+      {
+        "Sid" : "MountpointFullObjectAccess",
+        "Effect" : "Allow",
+        "Action" : [
+          "s3:GetObject",
+          "s3:PutObject",
+          "s3:AbortMultipartUpload",
+          "s3:DeleteObject"
+        ],
+        "Resource" : [
+          "arn:aws:s3:::*"
+        ]
+      }
+    ]
+  })
+}
+
+resource "aws_iam_role_policy_attachment" "s3_csi_driver_policy_attachment" {
+  count      = var.s3_csi_config.enable ? 1 : 0
+  policy_arn = aws_iam_policy.Amazons3CSIDriverPolicy[0].arn
+  role       = aws_iam_role.s3_csi_driver_role[0].name
+
+  depends_on = [aws_iam_policy.Amazons3CSIDriverPolicy]
+}

modules/k8s_eks_addons/variables.tf

@@ -31,3 +31,11 @@ variable "coredns_config" {
   })
   description = "Input configuration for AWS EKS add-on coredns."
 }
+
+variable "s3_csi_config" {
+  type = object({
+    enable               = optional(bool, false)
+    configuration_values = optional(string, null)
+  })
+  description = "Input configuration for AWS EKS add-on aws-mountpoint-s3-csi-driver."
+}

terraform.json.example

@@ -65,6 +65,9 @@
   "private_subnet_ids": [],
   "public_subnet_ids": [],
   "rtMaps_link": "http://dl.intempora.com/RTMaps4/rtmaps_4.9.0_ubuntu1804_x86_64_release.tar.bz2",
+  "s3_csi_config": {
+    "enable": false
+  },
   "scan_schedule": "cron(0 0 * * ? *)",
   "simpheraInstances": {
     "production": {

terraform.tfvars.example

@@ -161,6 +161,14 @@ public_subnet_ids = []
 # Download link for RTMaps license server.
 rtMaps_link = "http://dl.intempora.com/RTMaps4/rtmaps_4.9.0_ubuntu1804_x86_64_release.tar.bz2"
 
+# Input configuration for AWS EKS add-on aws-mountpoint-s3-csi-driver.
+# By setting key 'enable' to 'true', aws-mountpoint-s3-csi-driver add-on is deployed.
+# Key 'configuration_values' is used to change add-on configuration.
+# Its content should follow add-on configuration schema (see https://aws.amazon.com/blogs/containers/amazon-eks-add-ons-advanced-configuration/).
+s3_csi_config = {
+  "enable": false
+}
+
 # 6-field Cron expression describing the scan maintenance schedule. Must not overlap with variable install_schedule.
 scan_schedule = "cron(0 0 * * ? *)"
 

variables.tf

@@ -350,3 +350,18 @@ variable "coredns_config" {
     enable = true
   }
 }
+
+variable "s3_csi_config" {
+  type = object({
+    enable = optional(bool, false)
+    configuration_values = optional(string, <<-YAML
+node:
+    tolerateAllTaints: true
+YAML
+    )
+  })
+  description = "Input configuration for AWS EKS add-on aws-mountpoint-s3-csi-driver. By setting key 'enable' to 'true', aws-mountpoint-s3-csi-driver add-on is deployed. Key 'configuration_values' is used to change add-on configuration. Its content should follow add-on configuration schema (see https://aws.amazon.com/blogs/containers/amazon-eks-add-ons-advanced-configuration/)."
+  default = {
+    enable = false
+  }
+}