csi_drivers.tf
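# EFS file system that backs the persistent volumes provisioned by the EFS CSI
# driver (see module "efs" below, which receives this file system's id).
resource "aws_efs_file_system" "eks" {
  creation_token = module.eks.cluster_name

  # Encryption at rest is off by default for EFS; enable it so PV data written
  # by cluster workloads is not stored in clear text. Uses the AWS-managed
  # aws/elasticfilesystem key unless a kms_key_id is added.
  # CAUTION: this attribute cannot be changed in place -- on an already
  # deployed file system Terraform will plan a replacement, which destroys the
  # existing data. Migrate the data first if the file system is already in use.
  encrypted = true

  # NOTE(review): encryption in transit (TLS) is not enforced here. That is done
  # with an aws_efs_file_system_policy denying ClientMount when
  # aws:SecureTransport is false; this file does not define one -- confirm the
  # CSI driver's storage class mounts with the "tls" option or add the policy.

  tags = {
    Name = module.eks.cluster_name
  }
}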
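# Security group attached to the EFS mount target ENIs (see
# aws_efs_mount_target.eks). It only has to accept NFS from the worker nodes.
resource "aws_security_group" "efs_eks" {
  # NOTE(review): the name is a fixed string rather than derived from the
  # cluster name, so a second cluster in the same VPC would collide on it.
  # Changing it forces a replacement, so it is left as-is here.
  name        = "efs-devops-stack"
  description = "Security group for EFS"
  vpc_id      = module.vpc.vpc_id

  # NFS (TCP/2049) from the EKS node security group only. Referencing the node
  # SG instead of a CIDR keeps the rule correct when node groups are resized.
  ingress {
    description     = "NFS from EKS worker nodes"
    from_port       = 2049
    to_port         = 2049
    protocol        = "tcp"
    security_groups = [module.eks.node_security_group_id]
  }

  # No egress rule on purpose. Mount targets only answer NFS requests and never
  # initiate outbound connections; security groups are stateful, so replies to
  # the inbound NFS flow are allowed without an egress rule. The previous
  # allow-all egress (all protocols to 0.0.0.0/0) was unused privilege. When a
  # resource declares inline rules, the AWS provider removes the default
  # allow-all egress, so omitting the block results in "no egress".
}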
# One mount target per private subnet so nodes in every AZ reach the file
# system locally.
resource "aws_efs_mount_target" "eks" {
  # count is sized from the local subnet list (known at plan time) while the
  # subnet ids come from the VPC module output.
  # NOTE(review): the two lists are assumed to be parallel -- element() wraps
  # around if count exceeds the module output, which would request a second
  # mount target in an AZ that already has one (EFS allows one per AZ).
  count = length(local.vpc_private_subnets)

  file_system_id  = aws_efs_file_system.eks.id
  subnet_id       = element(module.vpc.private_subnets, count.index)
  security_groups = [aws_security_group.efs_eks.id]
}
# Deploys the EFS CSI driver (via Argo CD) against aws_efs_file_system.eks.
module "efs" {
  # NOTE(review): ?ref= pins a git tag. Tags are mutable, so the code fetched
  # at init time can change without this file changing; pin to the commit SHA
  # of v1.0.0 for a reproducible, tamper-evident module source.
  source = "git::https://github.com/camptocamp/devops-stack-module-efs-csi-driver.git?ref=v1.0.0"

  cluster_name     = local.cluster_name
  argocd_namespace = module.argocd_bootstrap.argocd_namespace

  efs_file_system_id = resource.aws_efs_file_system.eks.id

  # The module creates the driver's IAM role itself; the OIDC issuer URL is what
  # it needs to trust the cluster's service account tokens (IRSA). The
  # commented-out alternative below passes an externally managed role instead.
  create_role             = true
  cluster_oidc_issuer_url = module.eks.cluster_oidc_issuer_url
  # iam_role_arn = module.iam_assumable_role_efs.iam_role_arn

  # Argo CD must exist before the module can register its Application.
  depends_on = [module.argocd_bootstrap]
}
# Deploys the EBS CSI driver (via Argo CD) for block-storage persistent volumes.
module "ebs" {
  # NOTE(review): ?ref= pins a git tag, which is mutable; pin to the commit SHA
  # of v1.0.0 so the fetched module code cannot change silently.
  source = "git::https://github.com/camptocamp/devops-stack-module-ebs-csi-driver.git?ref=v1.0.0"

  cluster_name     = local.cluster_name
  argocd_namespace = module.argocd_bootstrap.argocd_namespace

  # The module creates the driver's IAM role itself from the cluster OIDC
  # issuer (IRSA). NOTE(review): which policy it attaches is not visible here;
  # the commented-out alternative below uses AmazonEBSCSIDriverPolicy -- check
  # the module grants no more than that.
  create_role             = true
  cluster_oidc_issuer_url = module.eks.cluster_oidc_issuer_url
  # iam_role_arn = module.iam_assumable_role_ebs.iam_role_arn

  # Argo CD must exist before the module can register its Application.
  depends_on = [module.argocd_bootstrap]
}
# module "iam_assumable_role_ebs" {
# source = "terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc"
# version = "~> 5.0"
# create_role = true
# number_of_role_policy_arns = 1
# role_name = format("ebs-csi-driver-%s", local.cluster_name)
# provider_url = replace(module.eks.cluster_oidc_issuer_url, "https://", "")
# role_policy_arns = ["arn:aws:iam::aws:policy/service-role/AmazonEBSCSIDriverPolicy"] # Use the default IAM policy provided by AWS
# # List of ServiceAccounts that have permission to attach to this IAM role
# oidc_fully_qualified_subjects = [
# "system:serviceaccount:kube-system:ebs-csi-controller-sa",
# ]
# }
# resource "aws_iam_policy" "efs" {
# name_prefix = "efs-csi-driver-"
# policy = jsonencode({
# Version = "2012-10-17"
# Statement = [
# {
# Effect = "Allow"
# Action = [
# "elasticfilesystem:DescribeAccessPoints",
# "elasticfilesystem:DescribeFileSystems",
# "elasticfilesystem:DescribeMountTargets",
# "ec2:DescribeAvailabilityZones"
# ]
# Resource = "*"
# },
# {
# Effect = "Allow"
# Action = [
# "elasticfilesystem:CreateAccessPoint"
# ]
# Resource = "*"
# Condition = {
# StringLike = {
# "aws:RequestTag/efs.csi.aws.com/cluster" = "true"
# }
# }
# },
# {
# Effect = "Allow"
# Action = "elasticfilesystem:DeleteAccessPoint"
# Resource = "*"
# Condition = {
# StringEquals = {
# "aws:ResourceTag/efs.csi.aws.com/cluster" = "true"
# }
# }
# }
# ]
# })
# }
# module "iam_assumable_role_efs" {
# source = "terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc"
# version = "~> 5.0"
# create_role = true
# number_of_role_policy_arns = 1
# role_name = format("efs-csi-driver-%s", local.cluster_name)
# provider_url = replace(module.eks.cluster_oidc_issuer_url, "https://", "")
# role_policy_arns = [resource.aws_iam_policy.efs.arn]
# # List of ServiceAccounts that have permission to attach to this IAM role
# oidc_fully_qualified_subjects = [
# "system:serviceaccount:kube-system:efs-csi-controller-sa",
# ]
# }