
Commit 5afe63f

authored
feat: Add support for EFS CSI driver to iam-role-for-service-accounts-eks (#215)
1 parent 09609b1 commit 5afe63f

6 files changed

+97
-9
lines changed


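--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -1,6 +1,6 @@
 repos:
 - repo: https://github.com/antonbabenko/pre-commit-terraform
-rev: v1.64.0
+rev: v1.64.1
 hooks:
 - id: terraform_fmt
 - id: terraform_validate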

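--- a/examples/iam-role-for-service-accounts-eks/README.md
+++ b/examples/iam-role-for-service-accounts-eks/README.md
@@ -33,6 +33,7 @@ No providers.
 | <a name="module_cluster_autoscaler_irsa_role"></a> [cluster\_autoscaler\_irsa\_role](#module\_cluster\_autoscaler\_irsa\_role) | ../../modules/iam-role-for-service-accounts-eks | n/a |
 | <a name="module_disabled"></a> [disabled](#module\_disabled) | ../../modules/iam-role-for-service-accounts-eks | n/a |
 | <a name="module_ebs_csi_irsa_role"></a> [ebs\_csi\_irsa\_role](#module\_ebs\_csi\_irsa\_role) | ../../modules/iam-role-for-service-accounts-eks | n/a |
+| <a name="module_efs_csi_irsa_role"></a> [efs\_csi\_irsa\_role](#module\_efs\_csi\_irsa\_role) | ../../modules/iam-role-for-service-accounts-eks | n/a |
 | <a name="module_eks"></a> [eks](#module\_eks) | terraform-aws-modules/eks/aws | ~> 18.6 |
 | <a name="module_external_dns_irsa_role"></a> [external\_dns\_irsa\_role](#module\_external\_dns\_irsa\_role) | ../../modules/iam-role-for-service-accounts-eks | n/a |
 | <a name="module_irsa_role"></a> [irsa\_role](#module\_irsa\_role) | ../../modules/iam-role-for-service-accounts-eks | n/a |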

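--- a/examples/iam-role-for-service-accounts-eks/main.tf
+++ b/examples/iam-role-for-service-accounts-eks/main.tf
@@ -84,7 +84,7 @@ module "external_dns_irsa_role" {
 module "ebs_csi_irsa_role" {
 source = "../../modules/iam-role-for-service-accounts-eks"
 
-role_name = "ebs_csi"
+role_name = "ebs-csi"
 attach_ebs_csi_policy = true
 
 oidc_providers = {
@@ -97,10 +97,26 @@ module "ebs_csi_irsa_role" {
 tags = local.tags
 }
 
+module "efs_csi_irsa_role" {
+source = "../../modules/iam-role-for-service-accounts-eks"
+
+role_name = "efs-csi"
+attach_efs_csi_policy = true
+
+oidc_providers = {
+ex = {
+provider_arn = module.eks.oidc_provider_arn
+namespace_service_accounts = ["kube-system:efs-csi-controller-sa"]
+}
+}
+
+tags = local.tags
+}
+
 module "vpc_cni_ipv4_irsa_role" {
 source = "../../modules/iam-role-for-service-accounts-eks"
 
-role_name = "vpc_cni_ipv4"
+role_name = "vpc-cni-ipv4"
 attach_vpc_cni_policy = true
 vpc_cni_enable_ipv4 = true
 
@@ -117,7 +133,7 @@ module "vpc_cni_ipv4_irsa_role" {
 module "vpc_cni_ipv6_irsa_role" {
 source = "../../modules/iam-role-for-service-accounts-eks"
 
-role_name = "vpc_cni_ipv6"
+role_name = "vpc-cni-ipv6"
 attach_vpc_cni_policy = true
 vpc_cni_enable_ipv6 = true
 
@@ -134,7 +150,7 @@ module "vpc_cni_ipv6_irsa_role" {
 module "node_termination_handler_irsa_role" {
 source = "../../modules/iam-role-for-service-accounts-eks"
 
-role_name = "node_termination_handler"
+role_name = "node-termination-handler"
 attach_node_termination_handler_policy = true
 
 oidc_providers = {
@@ -150,7 +166,7 @@ module "node_termination_handler_irsa_role" {
 module "karpenter_controller_irsa_role" {
 source = "../../modules/iam-role-for-service-accounts-eks"
 
-role_name = "karpenter_controller"
+role_name = "karpenter-controller"
 attach_karpenter_controller_policy = true
 
 karpenter_controller_cluster_id = module.eks.cluster_id
@@ -169,7 +185,7 @@ module "karpenter_controller_irsa_role" {
 module "load_balancer_controller_irsa_role" {
 source = "../../modules/iam-role-for-service-accounts-eks"
 
-role_name = "load_balancer_controller"
+role_name = "load-balancer-controller"
 attach_load_balancer_controller_policy = true
 
 oidc_providers = {
@@ -185,7 +201,7 @@ module "load_balancer_controller_irsa_role" {
 module "load_balancer_controller_targetgroup_binding_only_irsa_role" {
 source = "../../modules/iam-role-for-service-accounts-eks"
 
-role_name = "load_balancer_controller_targetgroup_binding_only"
+role_name = "load-balancer-controller-targetgroup-binding-only"
 attach_load_balancer_controller_targetgroup_binding_only_policy = true
 
 oidc_providers = {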
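Review bot: The `role_name` values in this example are switched from underscores to hyphens (`role_name = "ebs_csi"` → `role_name = "ebs-csi"` in the first hunk, and likewise for the vpc-cni, node-termination-handler, karpenter and both load-balancer-controller modules), which is unrelated to the EFS feature in the title. An IAM role name is presumably immutable, so for anyone who already applied this example the change would destroy and recreate each role with a new ARN, leaving the service-account annotations pointing at roles that no longer exist until they are updated. A one-line note in the commit description or a comment next to the renamed blocks, e.g. `# NOTE: renaming role_name replaces the IAM role; re-annotate service accounts after apply`, would make the cutover visible.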

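--- a/modules/iam-role-for-service-accounts-eks/README.md
+++ b/modules/iam-role-for-service-accounts-eks/README.md
@@ -4,10 +4,12 @@ Creates an IAM role which can be assumed by AWS EKS `ServiceAccount`s with optio
 - [Cluster Autoscaler](https://github.com/kubernetes/autoscaler/blob/master/cluster-autoscaler/cloudprovider/aws/README.md)
 - [External DNS](https://github.com/kubernetes-sigs/external-dns/blob/master/docs/tutorials/aws.md#iam-policy)
 - [EBS CSI Driver](https://github.com/kubernetes-sigs/aws-ebs-csi-driver/blob/master/docs/example-iam-policy.json)
+- [EFS CSI Driver](https://github.com/kubernetes-sigs/aws-efs-csi-driver/blob/master/docs/iam-policy-example.json)
 - [VPC CNI](https://docs.aws.amazon.com/eks/latest/userguide/cni-iam-role.html)
 - [Node Termination Hanlder](https://github.com/aws/aws-node-termination-handler#5-create-an-iam-role-for-the-pods)
 - [Karpenter](https://github.com/aws/karpenter/blob/main/website/content/en/preview/getting-started/cloudformation.yaml)
 - [Load Balancer Controller](https://github.com/kubernetes-sigs/aws-load-balancer-controller/blob/main/docs/install/iam_policy.json)
+- [Load Balancer Controller Target Group Binding Only](https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.4/deploy/installation/#iam-permission-subset-for-those-who-use-targetgroupbinding-only-and-dont-plan-to-use-the-aws-load-balancer-controller-to-manage-security-group-rules)
 
 This module is intended to be used with AWS EKS. For details of how a `ServiceAccount` in EKS can assume an IAM role, see the [EKS documentation](https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html).
 
@@ -110,6 +112,7 @@ No modules.
 |------|------|
 | [aws_iam_policy.cluster_autoscaler](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_policy.ebs_csi](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
+| [aws_iam_policy.efs_csi](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_policy.external_dns](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_policy.karpenter_controller](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_policy.load_balancer_controller](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
@@ -119,6 +122,7 @@ No modules.
 | [aws_iam_role.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
 | [aws_iam_role_policy_attachment.cluster_autoscaler](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [aws_iam_role_policy_attachment.ebs_csi](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
+| [aws_iam_role_policy_attachment.efs_csi](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [aws_iam_role_policy_attachment.external_dns](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [aws_iam_role_policy_attachment.karpenter_controller](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [aws_iam_role_policy_attachment.load_balancer_controller](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
@@ -129,6 +133,7 @@ No modules.
 | [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
 | [aws_iam_policy_document.cluster_autoscaler](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.ebs_csi](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.efs_csi](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.external_dns](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.karpenter_controller](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.load_balancer_controller](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
@@ -145,6 +150,7 @@ No modules.
 | <a name="input_assume_role_condition_test"></a> [assume\_role\_condition\_test](#input\_assume\_role\_condition\_test) | Name of the [IAM condition operator](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html) to evaluate when assuming the role | `string` | `"StringEquals"` | no |
 | <a name="input_attach_cluster_autoscaler_policy"></a> [attach\_cluster\_autoscaler\_policy](#input\_attach\_cluster\_autoscaler\_policy) | Determines whether to attach the Cluster Autoscaler IAM policy to the role | `bool` | `false` | no |
 | <a name="input_attach_ebs_csi_policy"></a> [attach\_ebs\_csi\_policy](#input\_attach\_ebs\_csi\_policy) | Determines whether to attach the EBS CSI IAM policy to the role | `bool` | `false` | no |
+| <a name="input_attach_efs_csi_policy"></a> [attach\_efs\_csi\_policy](#input\_attach\_efs\_csi\_policy) | Determines whether to attach the EFS CSI IAM policy to the role | `bool` | `false` | no |
 | <a name="input_attach_external_dns_policy"></a> [attach\_external\_dns\_policy](#input\_attach\_external\_dns\_policy) | Determines whether to attach the External DNS IAM policy to the role | `bool` | `false` | no |
 | <a name="input_attach_karpenter_controller_policy"></a> [attach\_karpenter\_controller\_policy](#input\_attach\_karpenter\_controller\_policy) | Determines whether to attach the Karpenter Controller policy to the role | `bool` | `false` | no |
 | <a name="input_attach_load_balancer_controller_policy"></a> [attach\_load\_balancer\_controller\_policy](#input\_attach\_load\_balancer\_controller\_policy) | Determines whether to attach the Load Balancer Controller policy to the role | `bool` | `false` | no |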

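--- a/modules/iam-role-for-service-accounts-eks/policies.tf
+++ b/modules/iam-role-for-service-accounts-eks/policies.tf
@@ -795,7 +795,7 @@ resource "aws_iam_policy" "load_balancer_controller_targetgroup_only" {
 
 name_prefix = "AmazonEKS_AWS_Load_Balancer_Controller_TargetGroup_Only-"
 path = var.role_path
-description = "Provides permissions for AWS Load Balancer Controller addon in TargetGroup binding only scenario."
+description = "Provides permissions for AWS Load Balancer Controller addon in TargetGroup binding only scenario"
 policy = data.aws_iam_policy_document.load_balancer_controller_targetgroup_only[0].json
 
 tags = var.tags
@@ -807,3 +807,61 @@ resource "aws_iam_role_policy_attachment" "load_balancer_controller_targetgroup_
 role = aws_iam_role.this[0].name
 policy_arn = aws_iam_policy.load_balancer_controller_targetgroup_only[0].arn
 }
+
+################################################################################
+# EFS CSI Driver Policy
+################################################################################
+
+# https://github.com/kubernetes-sigs/aws-efs-csi-driver/blob/master/docs/iam-policy-example.json
+data "aws_iam_policy_document" "efs_csi" {
+count = var.create_role && var.attach_efs_csi_policy ? 1 : 0
+
+statement {
+actions = [
+"elasticfilesystem:DescribeAccessPoints",
+"elasticfilesystem:DescribeFileSystems",
+]
+
+resources = ["*"]
+}
+
+statement {
+actions = ["elasticfilesystem:CreateAccessPoint"]
+resources = ["*"]
+
+condition {
+test = "StringLike"
+variable = "aws:RequestTag/efs.csi.aws.com/cluster"
+values = ["true"]
+}
+}
+
+statement {
+actions = ["elasticfilesystem:DeleteAccessPoint"]
+resources = ["*"]
+
+condition {
+test = "StringEquals"
+variable = "aws:ResourceTag/efs.csi.aws.com/cluster"
+values = ["true"]
+}
+}
+}
+
+resource "aws_iam_policy" "efs_csi" {
+count = var.create_role && var.attach_efs_csi_policy ? 1 : 0
+
+name_prefix = "AmazonEKS_EFS_CSI_Policy-"
+path = var.role_path
+description = "Provides permissions to manage EFS volumes via the container storage interface driver"
+policy = data.aws_iam_policy_document.efs_csi[0].json
+
+tags = var.tags
+}
+
+resource "aws_iam_role_policy_attachment" "efs_csi" {
+count = var.create_role && var.attach_efs_csi_policy ? 1 : 0
+
+role = aws_iam_role.this[0].name
+policy_arn = aws_iam_policy.efs_csi[0].arn
+}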
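Review bot: Every statement in the new `efs_csi` policy document uses `resources = ["*"]`, so a role with `attach_efs_csi_policy = true` can describe and create access points on every EFS file system in the account, with the create path bounded only by the `aws:RequestTag/efs.csi.aws.com/cluster` condition and the delete path by the matching `aws:ResourceTag` condition. This mirrors the linked upstream example, but the module already offers a narrowing input for the sibling EBS policy (`ebs_csi_kms_cmk_ids`, visible in the variables.tf hunk header), so an optional list of file-system ARNs that defaults to `["*"]` and feeds the `resources` of the three statements would give least-privilege deployments the same option without changing the default behaviour. Independently of that, a short comment above the second and third statements would help reviewers see why the two conditions differ, e.g. `# Creation is gated on the tag the driver sets on new access points; deletion on the tag already present on the resource` — as written, the `StringLike` vs `StringEquals` choice looks accidental even though it follows the upstream document.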

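--- a/modules/iam-role-for-service-accounts-eks/variables.tf
+++ b/modules/iam-role-for-service-accounts-eks/variables.tf
@@ -113,6 +113,13 @@ variable "ebs_csi_kms_cmk_ids" {
 default = []
 }
 
+# EFS CSI
+variable "attach_efs_csi_policy" {
+description = "Determines whether to attach the EFS CSI IAM policy to the role"
+type = bool
+default = false
+}
+
 # VPC CNI
 variable "attach_vpc_cni_policy" {
 description = "Determines whether to attach the VPC CNI IAM policy to the role"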
