Add AWS EFS CSI Driver

Description: - Currently assets are stored in `assets_efs` EFS after scanning by ClamAV prior to upload to S3. These are transferred via an NFS mount in each of their pods. We want to move away from this as `nfs` volume type isn't compatible with PSS restricted - Install the EFS CSI Driver as a first step to migrate from NFS to PersistentVolumes - As part of alphagov/govuk-helm-charts#1883
alphagov · Dec 5, 2024 · cd7b571 · cd7b571
1 parent a46ba9c
commit cd7b571
Show file tree

Hide file tree

Showing 4 changed files with 49 additions and 0 deletions.
diff --git a/terraform/deployments/cluster-infrastructure/outputs.tf b/terraform/deployments/cluster-infrastructure/outputs.tf
@@ -18,6 +18,11 @@ output "aws_ebs_csi_driver_iam_role_arn" {
   value       = module.aws_ebs_csi_driver_iam_role.iam_role_arn
 }
 
+output "aws_efs_csi_driver_iam_role_arn" {
+  description = "IAM role ARN for AWS EFS CSI controller role"
+  value       = module.aws_efs_csi_driver_iam_role.iam_role_arn
+}
+
 output "control_plane_security_group_id" {
   description = "ID of the security group which contains the (AWS-owned) control plane nodes."
   value       = module.eks.cluster_primary_security_group_id
@@ -108,6 +113,11 @@ output "aws_ebs_csi_driver_controller_service_account_name" {
   value       = local.ebs_csi_driver_controller_service_account_name
 }
 
+output "aws_efs_csi_driver_controller_service_account_name" {
+  description = "Name of the k8s service account for the AWS EFS CSI Controller"
+  value       = local.efs_csi_driver_controller_service_account_name
+}
+
 output "grafana_iam_role_arn" {
   description = "IAM role ARN corresponding to the k8s service account for Grafana."
   value       = module.grafana_iam_role.iam_role_arn

diff --git a/terraform/deployments/cluster-services/aws_efs_csi_driver.tf b/terraform/deployments/cluster-services/aws_efs_csi_driver.tf
@@ -0,0 +1,29 @@
+resource "helm_release" "efs_csi_driver" {
+  chart      = "aws-efs-csi-driver"
+  name       = "aws-efs-csi-driver"
+  namespace  = "kube-system"
+  repository = "https://kubernetes-sigs.github.io/aws-efs-csi-driver"
+  version    = "3.1.1" # TODO: Dependabot or equivalent so this doesn't get neglected.
+
+  values = [yamlencode({
+    controller = {
+      serviceAccount = {
+        create = true
+        name   = data.tfe_outputs.cluster_infrastructure.nonsensitive_values.aws_efs_csi_driver_controller_service_account_name
+        annotations = {
+          "eks.amazonaws.com/role-arn" = data.tfe_outputs.cluster_infrastructure.nonsensitive_values.aws_efs_csi_driver_iam_role_arn
+        }
+      }
+    }
+    storageClasses = [{
+      name         = "assets_efs-efs-sc"
+      apiVersion   = "storage.k8s.io/v1"
+      mountOptions = ["tls"]
+      parameters = {
+        fileSystemId = data.tfe_outputs.govuk_publishing_infrastructure.nonsensitive_values.assets_efs_id
+      }
+      reclaimPolicy     = "Retain"
+      volumeBindingMode = "WaitForFirstConsumer"
+    }]
+  })]
+}
diff --git a/terraform/deployments/cluster-services/remote.tf b/terraform/deployments/cluster-services/remote.tf
@@ -11,3 +11,8 @@ data "tfe_outputs" "vpc" {
   organization = "govuk"
   workspace    = "vpc-${var.govuk_environment}"
 }
+
+data "tfe_outputs" "govuk_publishing_infrastructure" {
+  organization = "govuk"
+  workspace    = "govuk-publishing-infrastructure-${var.govuk_environment}"
+}
diff --git a/terraform/deployments/govuk-publishing-infrastructure/outputs.tf b/terraform/deployments/govuk-publishing-infrastructure/outputs.tf
@@ -1,3 +1,8 @@
 output "eks_ingress_www_origin_security_group_name" {
   value = aws_security_group.eks_ingress_www_origin.name
 }
+
+output "assets_efs_id" {
+  description = "EFS Filesystem ID for assets"
+  value       = aws_efs_file_system.assets_efs.id
+}