feat: merge 0.2.3

kubernetes/aws/eks/README.md

@@ -6,6 +6,7 @@
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0 |
 | <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.3.0 |
 | <a name="requirement_helm"></a> [helm](#requirement\_helm) | >= 2.10.1 |
+| <a name="requirement_kubernetes"></a> [kubernetes](#requirement\_kubernetes) | >= 2.13.0 |
 | <a name="requirement_null"></a> [null](#requirement\_null) | >= 3.2.1 |
 | <a name="requirement_random"></a> [random](#requirement\_random) | >= 3.5.1 |
 
@@ -15,6 +16,7 @@
 |------|---------|
 | <a name="provider_aws"></a> [aws](#provider\_aws) | >= 5.3.0 |
 | <a name="provider_helm"></a> [helm](#provider\_helm) | >= 2.10.1 |
+| <a name="provider_kubernetes"></a> [kubernetes](#provider\_kubernetes) | >= 2.13.0 |
 | <a name="provider_null"></a> [null](#provider\_null) | >= 3.2.1 |
 | <a name="provider_random"></a> [random](#provider\_random) | >= 3.5.1 |
 
@@ -34,11 +36,17 @@
 | [aws_cloudwatch_event_rule.aws_node_termination_handler_asg](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_event_rule) | resource |
 | [aws_cloudwatch_event_rule.aws_node_termination_handler_spot](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_event_rule) | resource |
 | [aws_iam_policy.aws_node_termination_handler](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
+| [aws_iam_policy.efs_csi_driver](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_policy.worker_autoscaling](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_policy_attachment.workers_autoscaling](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy_attachment) | resource |
+| [aws_iam_role.efs_csi_driver](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
+| [aws_iam_role_policy_attachment.efs_csi_driver](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [helm_release.aws_node_termination_handler](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
 | [helm_release.cluster_autoscaler](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
+| [helm_release.efs_csi](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
 | [helm_release.eni_config](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
+| [kubernetes_service_account.efs_csi_driver_controller](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/service_account) | resource |
+| [kubernetes_service_account.efs_csi_driver_node](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/service_account) | resource |
 | [null_resource.change_cni_label](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource |
 | [null_resource.patch_coredns](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource |
 | [null_resource.update_kubeconfig](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource |
@@ -47,6 +55,7 @@
 | [aws_availability_zones.available](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/availability_zones) | data source |
 | [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
 | [aws_iam_policy_document.aws_node_termination_handler](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.efs_csi_driver](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.worker_autoscaling](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
 
@@ -83,6 +92,19 @@
 | <a name="input_cluster_log_retention_in_days"></a> [cluster\_log\_retention\_in\_days](#input\_cluster\_log\_retention\_in\_days) | Logs retention in days | `number` | n/a | yes |
 | <a name="input_cluster_version"></a> [cluster\_version](#input\_cluster\_version) | Kubernetes version to use for the EKS cluster | `string` | n/a | yes |
 | <a name="input_ebs_kms_key_id"></a> [ebs\_kms\_key\_id](#input\_ebs\_kms\_key\_id) | KMS key id to encrypt/decrypt EBS | `string` | n/a | yes |
+| <a name="input_efs_csi_external_provisioner_image"></a> [efs\_csi\_external\_provisioner\_image](#input\_efs\_csi\_external\_provisioner\_image) | EFS CSI external provisioner image name | `string` | n/a | yes |
+| <a name="input_efs_csi_external_provisioner_tag"></a> [efs\_csi\_external\_provisioner\_tag](#input\_efs\_csi\_external\_provisioner\_tag) | EFS CSI external provisioner image tag | `string` | n/a | yes |
+| <a name="input_efs_csi_image"></a> [efs\_csi\_image](#input\_efs\_csi\_image) | EFS CSI image name | `string` | n/a | yes |
+| <a name="input_efs_csi_image_pull_secrets"></a> [efs\_csi\_image\_pull\_secrets](#input\_efs\_csi\_image\_pull\_secrets) | Image pull secret used to pull EFS CSI images | `string` | `null` | no |
+| <a name="input_efs_csi_liveness_probe_image"></a> [efs\_csi\_liveness\_probe\_image](#input\_efs\_csi\_liveness\_probe\_image) | EFS CSI liveness probe image name | `string` | n/a | yes |
+| <a name="input_efs_csi_liveness_probe_tag"></a> [efs\_csi\_liveness\_probe\_tag](#input\_efs\_csi\_liveness\_probe\_tag) | EFS CSI liveness probe image tag | `string` | n/a | yes |
+| <a name="input_efs_csi_name"></a> [efs\_csi\_name](#input\_efs\_csi\_name) | EFS CSI name | `string` | `null` | no |
+| <a name="input_efs_csi_namespace"></a> [efs\_csi\_namespace](#input\_efs\_csi\_namespace) | EFS CSI namespace | `string` | `null` | no |
+| <a name="input_efs_csi_node_driver_registrar_image"></a> [efs\_csi\_node\_driver\_registrar\_image](#input\_efs\_csi\_node\_driver\_registrar\_image) | EFS CSI node driver registrar image name | `string` | n/a | yes |
+| <a name="input_efs_csi_node_driver_registrar_tag"></a> [efs\_csi\_node\_driver\_registrar\_tag](#input\_efs\_csi\_node\_driver\_registrar\_tag) | EFS CSI node driver registrar image tag | `string` | n/a | yes |
+| <a name="input_efs_csi_repository"></a> [efs\_csi\_repository](#input\_efs\_csi\_repository) | EFS CSI helm repository | `string` | n/a | yes |
+| <a name="input_efs_csi_tag"></a> [efs\_csi\_tag](#input\_efs\_csi\_tag) | EFS CSI image tag | `string` | n/a | yes |
+| <a name="input_efs_csi_version"></a> [efs\_csi\_version](#input\_efs\_csi\_version) | EFS CSI helm version | `string` | n/a | yes |
 | <a name="input_eks_managed_node_groups"></a> [eks\_managed\_node\_groups](#input\_eks\_managed\_node\_groups) | List of EKS managed node groups | `any` | `null` | no |
 | <a name="input_fargate_profiles"></a> [fargate\_profiles](#input\_fargate\_profiles) | List of fargate profiles | `any` | `null` | no |
 | <a name="input_instance_refresh_image"></a> [instance\_refresh\_image](#input\_instance\_refresh\_image) | Instance refresh image name | `string` | n/a | yes |

kubernetes/aws/eks/efs-csi.tf

@@ -0,0 +1,224 @@
+locals {
+  # EFS CSI
+  efs_csi_name                          = coalesce(var.efs_csi_name, "efs-csi-driver")
+  oidc_arn                              = module.eks.oidc_provider_arn
+  oidc_url                              = trimprefix(module.eks.cluster_oidc_issuer_url, "https://")
+  efs_csi_namespace                     = coalesce(var.efs_csi_namespace, "kube-system")
+  kubernetes_service_account_controller = "efs-csi-controller-sa"
+  kubernetes_service_account_node       = "efs-csi-node-sa"
+  efs_csi_tolerations = [
+    for index in range(0, length(local.node_selector_keys)) : {
+      key      = local.node_selector_keys[index]
+      operator = "Equal"
+      value    = local.node_selector_values[index]
+      effect   = "NoSchedule"
+    }
+  ]
+  controller = {
+    controller = {
+      create                   = true
+      logLevel                 = 2
+      extraCreateMetadata      = true
+      tags                     = {}
+      deleteAccessPointRootDir = false
+      volMetricsOptIn          = false
+      podAnnotations           = {}
+      resources                = {}
+      nodeSelector             = var.node_selector
+      tolerations              = local.efs_csi_tolerations
+      affinity                 = {}
+      serviceAccount = {
+        create      = false
+        name        = kubernetes_service_account.efs_csi_driver_controller.metadata[0].name
+        annotations = {}
+      }
+      healthPort           = 9909
+      regionalStsEndpoints = false
+    }
+  }
+}
+
+# Allow EKS and the driver to interact with EFS
+data "aws_iam_policy_document" "efs_csi_driver" {
+  statement {
+    sid = "Describe"
+    actions = [
+      "elasticfilesystem:DescribeAccessPoints",
+      "elasticfilesystem:DescribeFileSystems",
+      "elasticfilesystem:DescribeMountTargets",
+      "ec2:DescribeAvailabilityZones"
+    ]
+    effect    = "Allow"
+    resources = ["*"]
+  }
+  statement {
+    sid = "Create"
+    actions = [
+      "elasticfilesystem:CreateAccessPoint"
+    ]
+    effect    = "Allow"
+    resources = ["*"]
+    condition {
+      test     = "StringLike"
+      values   = [true]
+      variable = "aws:RequestTag/efs.csi.aws.com/cluster"
+    }
+  }
+  statement {
+    sid = "Delete"
+    actions = [
+      "elasticfilesystem:DeleteAccessPoint"
+    ]
+    effect    = "Allow"
+    resources = ["*"]
+    condition {
+      test     = "StringEquals"
+      values   = [true]
+      variable = "aws:ResourceTag/efs.csi.aws.com/cluster"
+    }
+  }
+  statement {
+    sid = "TagResource"
+    actions = [
+      "elasticfilesystem:TagResource"
+    ]
+    effect    = "Allow"
+    resources = ["*"]
+    condition {
+      test     = "StringLike"
+      values   = [true]
+      variable = "aws:ResourceTag/efs.csi.aws.com/cluster"
+    }
+  }
+  statement {
+    sid = "Mount"
+    actions = [
+      "elasticfilesystem:ClientRootAccess",
+      "elasticfilesystem:ClientWrite",
+      "elasticfilesystem:ClientMount"
+    ]
+    effect    = "Allow"
+    resources = ["*"]
+  }
+}
+
+resource "aws_iam_policy" "efs_csi_driver" {
+  name_prefix = local.efs_csi_name
+  description = "Policy to allow EKS and the driver to interact with EFS"
+  policy      = data.aws_iam_policy_document.efs_csi_driver.json
+  tags        = local.tags
+}
+
+resource "aws_iam_role" "efs_csi_driver" {
+  name = local.efs_csi_name
+  assume_role_policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Effect = "Allow"
+        Principal = {
+          Federated = local.oidc_arn
+        }
+        Action = "sts:AssumeRoleWithWebIdentity"
+        Condition = {
+          StringEquals = {
+            "${local.oidc_url}:aud" = "sts.amazonaws.com"
+            "${local.oidc_url}:sub" = [
+              "system:serviceaccount:${local.efs_csi_namespace}:${local.kubernetes_service_account_controller}",
+              "system:serviceaccount:${local.efs_csi_namespace}:${local.kubernetes_service_account_node}"
+            ]
+          }
+        }
+      }
+    ]
+  })
+  tags = local.tags
+}
+
+resource "aws_iam_role_policy_attachment" "efs_csi_driver" {
+  policy_arn = aws_iam_policy.efs_csi_driver.arn
+  role       = aws_iam_role.efs_csi_driver.name
+}
+
+resource "kubernetes_service_account" "efs_csi_driver_controller" {
+  metadata {
+    name = local.kubernetes_service_account_controller
+    annotations = {
+      "eks.amazonaws.com/role-arn" = aws_iam_role.efs_csi_driver.arn
+    }
+    namespace = local.efs_csi_namespace
+  }
+}
+
+resource "kubernetes_service_account" "efs_csi_driver_node" {
+  metadata {
+    name = local.kubernetes_service_account_node
+    annotations = {
+      "eks.amazonaws.com/role-arn" = aws_iam_role.efs_csi_driver.arn
+    }
+    namespace = local.efs_csi_namespace
+  }
+}
+
+resource "helm_release" "efs_csi" {
+  name       = "efs-csi"
+  namespace  = kubernetes_service_account.efs_csi_driver_controller.metadata[0].namespace
+  chart      = "aws-efs-csi-driver"
+  repository = var.efs_csi_repository
+  version    = var.efs_csi_version
+
+  set {
+    name  = "image.repository"
+    value = var.efs_csi_image
+  }
+  set {
+    name  = "image.tag"
+    value = var.efs_csi_tag
+  }
+  set {
+    name  = "sidecars.livenessProbe.image.repository"
+    value = var.efs_csi_liveness_probe_image
+  }
+  set {
+    name  = "sidecars.livenessProbe.image.tag"
+    value = var.efs_csi_liveness_probe_tag
+  }
+  set {
+    name  = "sidecars.nodeDriverRegistrar.image.repository"
+    value = var.efs_csi_node_driver_registrar_image
+  }
+  set {
+    name  = "sidecars.nodeDriverRegistrar.image.tag"
+    value = var.efs_csi_node_driver_registrar_tag
+  }
+  set {
+    name  = "sidecars.csiProvisioner.image.repository"
+    value = var.efs_csi_external_provisioner_image
+  }
+  set {
+    name  = "sidecars.csiProvisioner.image.tag"
+    value = var.efs_csi_external_provisioner_tag
+  }
+  dynamic "set" {
+    for_each = toset(compact([var.efs_csi_image_pull_secrets]))
+    content {
+      name  = "imagePullSecrets"
+      value = each.key
+    }
+  }
+  set {
+    name  = "node.serviceAccount.create"
+    value = false
+  }
+  set {
+    name  = "node.serviceAccount.name"
+    value = kubernetes_service_account.efs_csi_driver_node.metadata[0].name
+  }
+  values = [
+    yamlencode(local.controller)
+  ]
+  depends_on = [
+    kubernetes_service_account.efs_csi_driver_controller,
+    kubernetes_service_account.efs_csi_driver_node
+  ]
+}

kubernetes/aws/eks/examples/complete/main.tf

@@ -68,6 +68,18 @@ module "eks" {
   vpc_id                                                   = data.aws_vpc.default.id
   vpc_pods_subnet_ids                                      = data.aws_subnets.subnets.ids
   vpc_private_subnet_ids                                   = data.aws_subnets.subnets.ids
+
+  efs_csi_image                       = "amazon/aws-efs-csi-driver"
+  efs_csi_tag                         = "v1.5.1"
+  efs_csi_liveness_probe_image        = "public.ecr.aws/eks-distro/kubernetes-csi/livenessprobe"
+  efs_csi_liveness_probe_tag          = "v2.9.0-eks-1-22-19"
+  efs_csi_node_driver_registrar_image = "public.ecr.aws/eks-distro/kubernetes-csi/node-driver-registrar"
+  efs_csi_node_driver_registrar_tag   = "v2.7.0-eks-1-22-19"
+  efs_csi_external_provisioner_image  = "public.ecr.aws/eks-distro/kubernetes-csi/external-provisioner"
+  efs_csi_external_provisioner_tag    = "v3.4.0-eks-1-22-19"
+  efs_csi_repository                  = "https://kubernetes-sigs.github.io/aws-efs-csi-driver/"
+  efs_csi_version                     = "2.3.0"
+
   eks_managed_node_groups = {
     test = {
       name                        = "workers"

kubernetes/aws/eks/examples/simple/main.tf

@@ -69,6 +69,17 @@ module "eks" {
   vpc_pods_subnet_ids                                      = data.aws_subnets.subnets.ids
   vpc_private_subnet_ids                                   = data.aws_subnets.subnets.ids
 
+  efs_csi_image                       = "amazon/aws-efs-csi-driver"
+  efs_csi_tag                         = "v1.5.1"
+  efs_csi_liveness_probe_image        = "public.ecr.aws/eks-distro/kubernetes-csi/livenessprobe"
+  efs_csi_liveness_probe_tag          = "v2.9.0-eks-1-22-19"
+  efs_csi_node_driver_registrar_image = "public.ecr.aws/eks-distro/kubernetes-csi/node-driver-registrar"
+  efs_csi_node_driver_registrar_tag   = "v2.7.0-eks-1-22-19"
+  efs_csi_external_provisioner_image  = "public.ecr.aws/eks-distro/kubernetes-csi/external-provisioner"
+  efs_csi_external_provisioner_tag    = "v3.4.0-eks-1-22-19"
+  efs_csi_repository                  = "https://kubernetes-sigs.github.io/aws-efs-csi-driver/"
+  efs_csi_version                     = "2.3.0"
+
   eks_managed_node_groups = {
     test = {
       name                        = "workers"

kubernetes/aws/eks/variables.tf

@@ -235,6 +235,64 @@ variable "eks_managed_node_groups" {
   default     = null
 }
 
+# EFS
+variable "efs_csi_image" {
+  description = "EFS CSI image name"
+  type        = string
+}
+variable "efs_csi_tag" {
+  description = "EFS CSI image tag"
+  type        = string
+}
+variable "efs_csi_liveness_probe_image" {
+  description = "EFS CSI liveness probe image name"
+  type        = string
+}
+variable "efs_csi_liveness_probe_tag" {
+  description = "EFS CSI liveness probe image tag"
+  type        = string
+}
+variable "efs_csi_node_driver_registrar_image" {
+  description = "EFS CSI node driver registrar image name"
+  type        = string
+}
+variable "efs_csi_node_driver_registrar_tag" {
+  description = "EFS CSI node driver registrar image tag"
+  type        = string
+}
+variable "efs_csi_external_provisioner_image" {
+  description = "EFS CSI external provisioner image name"
+  type        = string
+}
+variable "efs_csi_external_provisioner_tag" {
+  description = "EFS CSI external provisioner image tag"
+  type        = string
+}
+
+variable "efs_csi_name" {
+  description = "EFS CSI name"
+  type        = string
+  default     = null
+}
+variable "efs_csi_namespace" {
+  description = "EFS CSI namespace"
+  type        = string
+  default     = null
+}
+variable "efs_csi_image_pull_secrets" {
+  description = "Image pull secret used to pull EFS CSI images"
+  type        = string
+  default     = null
+}
+variable "efs_csi_repository" {
+  description = "EFS CSI helm repository"
+  type        = string
+}
+variable "efs_csi_version" {
+  description = "EFS CSI helm version"
+  type        = string
+}
+
 # Encryption keys
 variable "cluster_log_kms_key_id" {
   description = "KMS id to encrypt/decrypt the cluster's logs"

kubernetes/aws/eks/versions.tf

@@ -5,6 +5,10 @@ terraform {
       source  = "hashicorp/aws"
       version = ">= 5.3.0"
     }
+    kubernetes = {
+      source  = "hashicorp/kubernetes"
+      version = ">= 2.13.0"
+    }
     helm = {
       source  = "hashicorp/helm"
       version = ">= 2.10.1"