feat: Add support for EFS CSI driver to iam-role-for-service-accounts-eks (#215)

Author: bryantbiggs

.pre-commit-config.yaml

@@ -1,6 +1,6 @@
 repos:
   - repo: https://github.com/antonbabenko/pre-commit-terraform
-    rev: v1.64.0
+    rev: v1.64.1
     hooks:
       - id: terraform_fmt
       - id: terraform_validate

examples/iam-role-for-service-accounts-eks/README.md

@@ -33,6 +33,7 @@ No providers.
 | <a name="module_cluster_autoscaler_irsa_role"></a> [cluster\_autoscaler\_irsa\_role](#module\_cluster\_autoscaler\_irsa\_role) | ../../modules/iam-role-for-service-accounts-eks | n/a |
 | <a name="module_disabled"></a> [disabled](#module\_disabled) | ../../modules/iam-role-for-service-accounts-eks | n/a |
 | <a name="module_ebs_csi_irsa_role"></a> [ebs\_csi\_irsa\_role](#module\_ebs\_csi\_irsa\_role) | ../../modules/iam-role-for-service-accounts-eks | n/a |
+| <a name="module_efs_csi_irsa_role"></a> [efs\_csi\_irsa\_role](#module\_efs\_csi\_irsa\_role) | ../../modules/iam-role-for-service-accounts-eks | n/a |
 | <a name="module_eks"></a> [eks](#module\_eks) | terraform-aws-modules/eks/aws | ~> 18.6 |
 | <a name="module_external_dns_irsa_role"></a> [external\_dns\_irsa\_role](#module\_external\_dns\_irsa\_role) | ../../modules/iam-role-for-service-accounts-eks | n/a |
 | <a name="module_irsa_role"></a> [irsa\_role](#module\_irsa\_role) | ../../modules/iam-role-for-service-accounts-eks | n/a |

examples/iam-role-for-service-accounts-eks/main.tf

@@ -84,7 +84,7 @@ module "external_dns_irsa_role" {
 module "ebs_csi_irsa_role" {
   source = "../../modules/iam-role-for-service-accounts-eks"
 
-  role_name             = "ebs_csi"
+  role_name             = "ebs-csi"
   attach_ebs_csi_policy = true
 
   oidc_providers = {
@@ -97,10 +97,26 @@ module "ebs_csi_irsa_role" {
   tags = local.tags
 }
 
+module "efs_csi_irsa_role" {
+  source = "../../modules/iam-role-for-service-accounts-eks"
+
+  role_name             = "efs-csi"
+  attach_efs_csi_policy = true
+
+  oidc_providers = {
+    ex = {
+      provider_arn               = module.eks.oidc_provider_arn
+      namespace_service_accounts = ["kube-system:efs-csi-controller-sa"]
+    }
+  }
+
+  tags = local.tags
+}
+
 module "vpc_cni_ipv4_irsa_role" {
   source = "../../modules/iam-role-for-service-accounts-eks"
 
-  role_name             = "vpc_cni_ipv4"
+  role_name             = "vpc-cni-ipv4"
   attach_vpc_cni_policy = true
   vpc_cni_enable_ipv4   = true
 
@@ -117,7 +133,7 @@ module "vpc_cni_ipv4_irsa_role" {
 module "vpc_cni_ipv6_irsa_role" {
   source = "../../modules/iam-role-for-service-accounts-eks"
 
-  role_name             = "vpc_cni_ipv6"
+  role_name             = "vpc-cni-ipv6"
   attach_vpc_cni_policy = true
   vpc_cni_enable_ipv6   = true
 
@@ -134,7 +150,7 @@ module "vpc_cni_ipv6_irsa_role" {
 module "node_termination_handler_irsa_role" {
   source = "../../modules/iam-role-for-service-accounts-eks"
 
-  role_name                              = "node_termination_handler"
+  role_name                              = "node-termination-handler"
   attach_node_termination_handler_policy = true
 
   oidc_providers = {
@@ -150,7 +166,7 @@ module "node_termination_handler_irsa_role" {
 module "karpenter_controller_irsa_role" {
   source = "../../modules/iam-role-for-service-accounts-eks"
 
-  role_name                          = "karpenter_controller"
+  role_name                          = "karpenter-controller"
   attach_karpenter_controller_policy = true
 
   karpenter_controller_cluster_id         = module.eks.cluster_id
@@ -169,7 +185,7 @@ module "karpenter_controller_irsa_role" {
 module "load_balancer_controller_irsa_role" {
   source = "../../modules/iam-role-for-service-accounts-eks"
 
-  role_name                              = "load_balancer_controller"
+  role_name                              = "load-balancer-controller"
   attach_load_balancer_controller_policy = true
 
   oidc_providers = {
@@ -185,7 +201,7 @@ module "load_balancer_controller_irsa_role" {
 module "load_balancer_controller_targetgroup_binding_only_irsa_role" {
   source = "../../modules/iam-role-for-service-accounts-eks"
 
-  role_name                                                       = "load_balancer_controller_targetgroup_binding_only"
+  role_name                                                       = "load-balancer-controller-targetgroup-binding-only"
   attach_load_balancer_controller_targetgroup_binding_only_policy = true
 
   oidc_providers = {

modules/iam-role-for-service-accounts-eks/README.md

@@ -4,10 +4,12 @@ Creates an IAM role which can be assumed by AWS EKS `ServiceAccount`s with optio
 - [Cluster Autoscaler](https://github.com/kubernetes/autoscaler/blob/master/cluster-autoscaler/cloudprovider/aws/README.md)
 - [External DNS](https://github.com/kubernetes-sigs/external-dns/blob/master/docs/tutorials/aws.md#iam-policy)
 - [EBS CSI Driver](https://github.com/kubernetes-sigs/aws-ebs-csi-driver/blob/master/docs/example-iam-policy.json)
+- [EFS CSI Driver](https://github.com/kubernetes-sigs/aws-efs-csi-driver/blob/master/docs/iam-policy-example.json)
 - [VPC CNI](https://docs.aws.amazon.com/eks/latest/userguide/cni-iam-role.html)
 - [Node Termination Hanlder](https://github.com/aws/aws-node-termination-handler#5-create-an-iam-role-for-the-pods)
 - [Karpenter](https://github.com/aws/karpenter/blob/main/website/content/en/preview/getting-started/cloudformation.yaml)
 - [Load Balancer Controller](https://github.com/kubernetes-sigs/aws-load-balancer-controller/blob/main/docs/install/iam_policy.json)
+  - [Load Balancer Controller Target Group Binding Only](https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.4/deploy/installation/#iam-permission-subset-for-those-who-use-targetgroupbinding-only-and-dont-plan-to-use-the-aws-load-balancer-controller-to-manage-security-group-rules)
 
 This module is intended to be used with AWS EKS. For details of how a `ServiceAccount` in EKS can assume an IAM role, see the [EKS documentation](https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html).
 
@@ -110,6 +112,7 @@ No modules.
 |------|------|
 | [aws_iam_policy.cluster_autoscaler](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_policy.ebs_csi](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
+| [aws_iam_policy.efs_csi](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_policy.external_dns](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_policy.karpenter_controller](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_policy.load_balancer_controller](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
@@ -119,6 +122,7 @@ No modules.
 | [aws_iam_role.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
 | [aws_iam_role_policy_attachment.cluster_autoscaler](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [aws_iam_role_policy_attachment.ebs_csi](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
+| [aws_iam_role_policy_attachment.efs_csi](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [aws_iam_role_policy_attachment.external_dns](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [aws_iam_role_policy_attachment.karpenter_controller](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [aws_iam_role_policy_attachment.load_balancer_controller](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
@@ -129,6 +133,7 @@ No modules.
 | [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
 | [aws_iam_policy_document.cluster_autoscaler](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.ebs_csi](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.efs_csi](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.external_dns](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.karpenter_controller](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.load_balancer_controller](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
@@ -145,6 +150,7 @@ No modules.
 | <a name="input_assume_role_condition_test"></a> [assume\_role\_condition\_test](#input\_assume\_role\_condition\_test) | Name of the [IAM condition operator](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html) to evaluate when assuming the role | `string` | `"StringEquals"` | no |
 | <a name="input_attach_cluster_autoscaler_policy"></a> [attach\_cluster\_autoscaler\_policy](#input\_attach\_cluster\_autoscaler\_policy) | Determines whether to attach the Cluster Autoscaler IAM policy to the role | `bool` | `false` | no |
 | <a name="input_attach_ebs_csi_policy"></a> [attach\_ebs\_csi\_policy](#input\_attach\_ebs\_csi\_policy) | Determines whether to attach the EBS CSI IAM policy to the role | `bool` | `false` | no |
+| <a name="input_attach_efs_csi_policy"></a> [attach\_efs\_csi\_policy](#input\_attach\_efs\_csi\_policy) | Determines whether to attach the EFS CSI IAM policy to the role | `bool` | `false` | no |
 | <a name="input_attach_external_dns_policy"></a> [attach\_external\_dns\_policy](#input\_attach\_external\_dns\_policy) | Determines whether to attach the External DNS IAM policy to the role | `bool` | `false` | no |
 | <a name="input_attach_karpenter_controller_policy"></a> [attach\_karpenter\_controller\_policy](#input\_attach\_karpenter\_controller\_policy) | Determines whether to attach the Karpenter Controller policy to the role | `bool` | `false` | no |
 | <a name="input_attach_load_balancer_controller_policy"></a> [attach\_load\_balancer\_controller\_policy](#input\_attach\_load\_balancer\_controller\_policy) | Determines whether to attach the Load Balancer Controller policy to the role | `bool` | `false` | no |

modules/iam-role-for-service-accounts-eks/policies.tf

@@ -795,7 +795,7 @@ resource "aws_iam_policy" "load_balancer_controller_targetgroup_only" {
 
   name_prefix = "AmazonEKS_AWS_Load_Balancer_Controller_TargetGroup_Only-"
   path        = var.role_path
-  description = "Provides permissions for AWS Load Balancer Controller addon in TargetGroup binding only scenario."
+  description = "Provides permissions for AWS Load Balancer Controller addon in TargetGroup binding only scenario"
   policy      = data.aws_iam_policy_document.load_balancer_controller_targetgroup_only[0].json
 
   tags = var.tags
@@ -807,3 +807,61 @@ resource "aws_iam_role_policy_attachment" "load_balancer_controller_targetgroup_
   role       = aws_iam_role.this[0].name
   policy_arn = aws_iam_policy.load_balancer_controller_targetgroup_only[0].arn
 }
+
+################################################################################
+# EFS CSI Driver Policy
+################################################################################
+
+# https://github.com/kubernetes-sigs/aws-efs-csi-driver/blob/master/docs/iam-policy-example.json
+data "aws_iam_policy_document" "efs_csi" {
+  count = var.create_role && var.attach_efs_csi_policy ? 1 : 0
+
+  statement {
+    actions = [
+      "elasticfilesystem:DescribeAccessPoints",
+      "elasticfilesystem:DescribeFileSystems",
+    ]
+
+    resources = ["*"]
+  }
+
+  statement {
+    actions   = ["elasticfilesystem:CreateAccessPoint"]
+    resources = ["*"]
+
+    condition {
+      test     = "StringLike"
+      variable = "aws:RequestTag/efs.csi.aws.com/cluster"
+      values   = ["true"]
+    }
+  }
+
+  statement {
+    actions   = ["elasticfilesystem:DeleteAccessPoint"]
+    resources = ["*"]
+
+    condition {
+      test     = "StringEquals"
+      variable = "aws:ResourceTag/efs.csi.aws.com/cluster"
+      values   = ["true"]
+    }
+  }
+}
+
+resource "aws_iam_policy" "efs_csi" {
+  count = var.create_role && var.attach_efs_csi_policy ? 1 : 0
+
+  name_prefix = "AmazonEKS_EFS_CSI_Policy-"
+  path        = var.role_path
+  description = "Provides permissions to manage EFS volumes via the container storage interface driver"
+  policy      = data.aws_iam_policy_document.efs_csi[0].json
+
+  tags = var.tags
+}
+
+resource "aws_iam_role_policy_attachment" "efs_csi" {
+  count = var.create_role && var.attach_efs_csi_policy ? 1 : 0
+
+  role       = aws_iam_role.this[0].name
+  policy_arn = aws_iam_policy.efs_csi[0].arn
+}

modules/iam-role-for-service-accounts-eks/variables.tf

@@ -113,6 +113,13 @@ variable "ebs_csi_kms_cmk_ids" {
   default     = []
 }
 
+# EFS CSI
+variable "attach_efs_csi_policy" {
+  description = "Determines whether to attach the EFS CSI IAM policy to the role"
+  type        = bool
+  default     = false
+}
+
 # VPC CNI
 variable "attach_vpc_cni_policy" {
   description = "Determines whether to attach the VPC CNI IAM policy to the role"