diff --git a/README.adoc b/README.adoc index 904172d..3668c44 100644 --- a/README.adoc +++ b/README.adoc @@ -1,19 +1,139 @@ += devops-stack-module-efs-csi-driver +// Document attributes to replace along the document +:chart-version: 2.3.8 +:original-repo-url: https://github.com/kubernetes-sigs/aws-efs-csi-driver/tree/386eda75f4d32d134737b35db7e43a1bf3277416 + +A https://devops-stack.io[DevOps Stack] module to deploy an Amazon EFS Container Storage Interface (CSI) driver. + +The EFS CSI Driver chart used by this module is shipped in this repository as well, in order to avoid any unwanted behaviors caused by unsupported versions. + +[cols="1,1,1",options="autowidth,header"] +|=== +|Current Chart Version |Original Repository |Default Values +|*{chart-version}* |{original-repo-url}/charts/aws-efs-csi-driver[Chart] |{original-repo-url}/charts/aws-efs-csi-driver/values.yaml[`values.yaml`] +|=== + +== Usage + +This module can be declared by adding the following block on your Terraform configuration: + +[source,terraform] +---- +module "efs" { + source = "git::https://github.com/camptocamp/devops-stack-module-efs-csi-driver.git?ref=" + + cluster_name = local.cluster_name + argocd_namespace = local.argocd_namespace + efs_file_system_id = resource.aws_efs_file_system.eks.id + create_role = true + cluster_oidc_issuer_url = module.eks.cluster_oidc_issuer_url + + depends_on = [ + module.argocd_bootstrap, + ] +} +---- + +In case you want to create an OIDC assumable IAM role on your own, you'll need to provide the ARN for that role and disable the creation of the role inside of the module as follows: + +[source,terraform] +---- +module "efs" { + source = "git::https://github.com/camptocamp/devops-stack-module-efs-csi-driver.git?ref=" + + cluster_name = local.cluster_name + argocd_namespace = local.argocd_namespace + efs_file_system_id = resource.aws_efs_file_system.eks.id + create_role = false + iam_role_arn = module.iam_assumable_role_efs.iam_role_arn + + depends_on = [ + module.argocd_bootstrap, + ] +} +---- + +IMPORTANT: The `create_role` variable is required. If passing `iam_role_arn` it should be set as false, otherwise you will need to specify the variable `cluster_oidc_issuer_url` and set it as true. + +This module needs to have other resources created externally. You can follow the example bellow: + +[source,terraform] +---- +resource "aws_efs_file_system" "eks" { + creation_token = module.eks.cluster_name + + tags = { + Name = module.eks.cluster_name + } +} + +resource "aws_security_group" "efs_eks" { + name = "efs-devops-stack" + description = "Security group for EFS." + vpc_id = module.vpc.vpc_id + + egress { + from_port = 0 + to_port = 0 + protocol = "-1" + cidr_blocks = ["0.0.0.0/0"] + } + + ingress { + from_port = 2049 + to_port = 2049 + protocol = "tcp" + security_groups = [module.eks.node_security_group_id] + } +} + +resource "aws_efs_mount_target" "eks" { + count = length(local.private_subnets) + + file_system_id = resource.aws_efs_file_system.eks.id + subnet_id = element(module.vpc.private_subnets, count.index) + security_groups = [resource.aws_security_group.efs_eks.id] +} +---- + +== Technical Reference + +=== Dependencies + +==== `module.argocd_bootstrap` + +This module must be one of the first ones to be deployed and consequently it needs to be deployed after the module `argocd_bootstrap`. + // BEGIN_TF_DOCS === Requirements -No requirements. +The following requirements are needed by this module: + +- [[requirement_argocd]] <> (>= 4) + +- [[requirement_utils]] <> (>= 1) === Providers The following providers are used by this module: -- [[provider_argocd]] <> +- [[provider_argocd]] <> (>= 4) + +- [[provider_aws]] <> + +- [[provider_null]] <> -- [[provider_utils]] <> +- [[provider_utils]] <> (>= 1) === Modules -No modules. +The following Modules are called: + +==== [[module_iam_assumable_role_efs]] <> + +Source: terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc + +Version: ~> 5.0 === Resources @@ -21,6 +141,9 @@ The following resources are used by this module: - https://registry.terraform.io/providers/oboukili/argocd/latest/docs/resources/application[argocd_application.this] (resource) - https://registry.terraform.io/providers/oboukili/argocd/latest/docs/resources/project[argocd_project.this] (resource) +- https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy[aws_iam_policy.efs] (resource) +- https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource[null_resource.dependencies] (resource) +- https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource[null_resource.this] (resource) - https://registry.terraform.io/providers/cloudposse/utils/latest/docs/data-sources/deep_merge_yaml[utils_deep_merge_yaml.values] (data source) === Required Inputs @@ -29,13 +152,19 @@ The following input variables are required: ==== [[input_argocd_namespace]] <> -Description: n/a +Description: Namespace used by Argo CD where the Application and AppProject resources should be created. Type: `string` +==== [[input_create_role]] <> + +Description: Boolean to indicate that the OIDC assumable IAM role should be created. **If passing `iam_role_arn` this should be false, otherwise if you want to create the OIDC assumable IAM role provided by this module, you will need to specify the variable `cluster_oidc_issuer_url`.** + +Type: `bool` + ==== [[input_efs_file_system_id]] <> -Description: EFS Filesystem ID to use by the CSI driver to create volumes +Description: EFS Filesystem ID to use by the CSI driver to create volumes. Type: `string` @@ -43,45 +172,77 @@ Type: `string` The following input variables are optional (have default values): -==== [[input_destination_namespace]] <> +==== [[input_app_autosync]] <> -Description: n/a +Description: Automated sync options for the Argo CD Application resource. -Type: `string` +Type: +[source,hcl] +---- +object({ + allow_empty = optional(bool) + prune = optional(bool) + self_heal = optional(bool) + }) +---- -Default: `"efs-csi-driver"` +Default: +[source,json] +---- +{ + "allow_empty": false, + "prune": true, + "self_heal": true +} +---- -==== [[input_helm_values_overrides]] <> +==== [[input_cluster_name]] <> -Description: n/a +Description: Name given to the cluster. Value used for naming some the resources created by the module. -Type: `any` +Type: `string` -Default: `{}` +Default: `"cluster"` -==== [[input_iam_role_arn]] <> +==== [[input_cluster_oidc_issuer_url]] <> -Description: ARN of an OIDC assumable IAM role that has access to the EFS filesystem (optional). When specified, this is added as an annotation to the EFS CSI driver controller ServiceAccount, to allow the driver to manage EFS access points for dynamic volumes provisioning. +Description: Cluster OIDC issuer URL used to create the OIDC assumable IAM role. This variable is required to create a IAM role if you set `create_role` as true. Type: `string` Default: `""` -==== [[input_name]] <> +==== [[input_dependency_ids]] <> + +Description: IDs of the other modules on which this module depends on. + +Type: `map(string)` + +Default: `{}` + +==== [[input_helm_values]] <> -Description: n/a +Description: Helm chart value overrides. They should be passed as a list of HCL structures. + +Type: `any` + +Default: `[]` + +==== [[input_iam_role_arn]] <> + +Description: ARN of an OIDC assumable IAM role that has access to the EFS filesystem. When specified, this is added as an annotation to the EFS CSI driver controller ServiceAccount, to allow the driver to manage EFS access points for dynamic volumes provisioning. Type: `string` -Default: `"efs-csi-driver"` +Default: `null` -==== [[input_source_repository_url]] <> +==== [[input_name]] <> -Description: n/a +Description: Name used to override the chart name on deployment. Type: `string` -Default: `"https://github.com/camptocamp/devops-stack-module-efs-csi-driver.git"` +Default: `"efs-csi-driver"` ==== [[input_target_revision]] <> @@ -89,22 +250,49 @@ Description: Override of target revision of the application chart. Type: `string` -Default: `"v1.0.0-alpha.1"` +Default: `"v1.0.0-alpha.2"` === Outputs -No outputs. +The following outputs are exported: + +==== [[output_id]] <> + +Description: ID to pass other modules in order to refer to this module as a dependency. // END_TF_DOCS + +=== Reference in table format + +.Show tables +[%collapsible] +==== // BEGIN_TF_TABLES += Requirements +[cols="a,a",options="header,autowidth"] +|=== +|Name |Version +|[[requirement_argocd]] <> |>= 4 +|[[requirement_utils]] <> |>= 1 +|=== = Providers [cols="a,a",options="header,autowidth"] |=== |Name |Version -|[[provider_argocd]] <> |n/a -|[[provider_utils]] <> |n/a +|[[provider_argocd]] <> |>= 4 +|[[provider_aws]] <> |n/a +|[[provider_null]] <> |n/a +|[[provider_utils]] <> |>= 1 +|=== + += Modules + +[cols="a,a,a",options="header,autowidth"] +|=== +|Name |Source |Version +|[[module_iam_assumable_role_efs]] <> |terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc |~> 5.0 |=== = Resources @@ -114,6 +302,9 @@ No outputs. |Name |Type |https://registry.terraform.io/providers/oboukili/argocd/latest/docs/resources/application[argocd_application.this] |resource |https://registry.terraform.io/providers/oboukili/argocd/latest/docs/resources/project[argocd_project.this] |resource +|https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy[aws_iam_policy.efs] |resource +|https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource[null_resource.dependencies] |resource +|https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource[null_resource.this] |resource |https://registry.terraform.io/providers/cloudposse/utils/latest/docs/data-sources/deep_merge_yaml[utils_deep_merge_yaml.values] |data source |=== @@ -122,53 +313,100 @@ No outputs. [cols="a,a,a,a,a",options="header,autowidth"] |=== |Name |Description |Type |Default |Required +|[[input_app_autosync]] <> +|Automated sync options for the Argo CD Application resource. +| + +[source] +---- +object({ + allow_empty = optional(bool) + prune = optional(bool) + self_heal = optional(bool) + }) +---- + +| + +[source] +---- +{ + "allow_empty": false, + "prune": true, + "self_heal": true +} +---- + +|no + |[[input_argocd_namespace]] <> -|n/a +|Namespace used by Argo CD where the Application and AppProject resources should be created. |`string` |n/a |yes -|[[input_destination_namespace]] <> -|n/a +|[[input_cluster_name]] <> +|Name given to the cluster. Value used for naming some the resources created by the module. |`string` -|`"efs-csi-driver"` +|`"cluster"` |no -|[[input_efs_file_system_id]] <> -|EFS Filesystem ID to use by the CSI driver to create volumes +|[[input_cluster_oidc_issuer_url]] <> +|Cluster OIDC issuer URL used to create the OIDC assumable IAM role. This variable is required to create a IAM role if you set `create_role` as true. |`string` +|`""` +|no + +|[[input_create_role]] <> +|Boolean to indicate that the OIDC assumable IAM role should be created. **If passing `iam_role_arn` this should be false, otherwise if you want to create the OIDC assumable IAM role provided by this module, you will need to specify the variable `cluster_oidc_issuer_url`.** +|`bool` |n/a |yes -|[[input_helm_values_overrides]] <> +|[[input_dependency_ids]] <> +|IDs of the other modules on which this module depends on. +|`map(string)` +|`{}` +|no + +|[[input_efs_file_system_id]] <> +|EFS Filesystem ID to use by the CSI driver to create volumes. +|`string` |n/a +|yes + +|[[input_helm_values]] <> +|Helm chart value overrides. They should be passed as a list of HCL structures. |`any` -|`{}` +|`[]` |no |[[input_iam_role_arn]] <> -|ARN of an OIDC assumable IAM role that has access to the EFS filesystem (optional). When specified, this is added as an annotation to the EFS CSI driver controller ServiceAccount, to allow the driver to manage EFS access points for dynamic volumes provisioning. +|ARN of an OIDC assumable IAM role that has access to the EFS filesystem. When specified, this is added as an annotation to the EFS CSI driver controller ServiceAccount, to allow the driver to manage EFS access points for dynamic volumes provisioning. |`string` -|`""` +|`null` |no |[[input_name]] <> -|n/a +|Name used to override the chart name on deployment. |`string` |`"efs-csi-driver"` |no -|[[input_source_repository_url]] <> -|n/a -|`string` -|`"https://github.com/camptocamp/devops-stack-module-efs-csi-driver.git"` -|no - |[[input_target_revision]] <> |Override of target revision of the application chart. |`string` -|`"v1.0.0-alpha.1"` +|`"v1.0.0-alpha.2"` |no |=== -// END_TF_TABLES \ No newline at end of file + += Outputs + +[cols="a,a",options="header,autowidth"] +|=== +|Name |Description +|[[output_id]] <> |ID to pass other modules in order to refer to this module as a dependency. +|=== +// END_TF_TABLES +==== diff --git a/README.md b/README.md deleted file mode 100644 index 253650a..0000000 --- a/README.md +++ /dev/null @@ -1,2 +0,0 @@ -# devops-stack-module-efs-csi-driver -A DevOps Stack module to deploy an Amazon EFS Container Storage Interface (CSI) driver diff --git a/charts/efs-csi-driver/Chart.lock b/charts/efs-csi-driver/Chart.lock new file mode 100644 index 0000000..93a54c5 --- /dev/null +++ b/charts/efs-csi-driver/Chart.lock @@ -0,0 +1,6 @@ +dependencies: +- name: aws-efs-csi-driver + repository: https://kubernetes-sigs.github.io/aws-efs-csi-driver/ + version: 2.3.8 +digest: sha256:9523cdb94ec469269f4bfd7e2ebaa8ce16ea87640f3c30bd11224af4d459b590 +generated: "2023-02-24T15:16:18.919117844+01:00" diff --git a/helm/Chart.yaml b/charts/efs-csi-driver/Chart.yaml similarity index 100% rename from helm/Chart.yaml rename to charts/efs-csi-driver/Chart.yaml diff --git a/charts/efs-csi-driver/charts/aws-efs-csi-driver-2.3.8.tgz b/charts/efs-csi-driver/charts/aws-efs-csi-driver-2.3.8.tgz new file mode 100644 index 0000000..d3459d0 Binary files /dev/null and b/charts/efs-csi-driver/charts/aws-efs-csi-driver-2.3.8.tgz differ diff --git a/charts/efs-csi-driver/values.yaml b/charts/efs-csi-driver/values.yaml new file mode 100644 index 0000000..ed97d53 --- /dev/null +++ b/charts/efs-csi-driver/values.yaml @@ -0,0 +1 @@ +--- diff --git a/helm/Chart.lock b/helm/Chart.lock deleted file mode 100644 index 6411e9d..0000000 --- a/helm/Chart.lock +++ /dev/null @@ -1,6 +0,0 @@ -dependencies: -- name: aws-efs-csi-driver - repository: https://kubernetes-sigs.github.io/aws-efs-csi-driver/ - version: 2.2.7 -digest: sha256:0bc7dd715abe0fe31f1edcf6ce6fbaae3bfa5f95a39cfe5d095d617eaacffed6 -generated: "2022-07-11T15:35:37.291315097+02:00" diff --git a/helm/charts/aws-efs-csi-driver-2.2.7.tgz b/helm/charts/aws-efs-csi-driver-2.2.7.tgz deleted file mode 100644 index 954cc76..0000000 Binary files a/helm/charts/aws-efs-csi-driver-2.2.7.tgz and /dev/null differ diff --git a/local.tf b/locals.tf similarity index 64% rename from local.tf rename to locals.tf index b08d57d..d3ce9e6 100644 --- a/local.tf +++ b/locals.tf @@ -1,5 +1,5 @@ locals { - helm_values = { + helm_values = [{ "aws-efs-csi-driver" = { nameOverride = var.name storageClasses = [{ @@ -12,9 +12,11 @@ locals { }] controller = { serviceAccount = { - annotations = var.iam_role_arn != "" ? { "eks.amazonaws.com/role-arn" = var.iam_role_arn } : {} + annotations = { + "eks.amazonaws.com/role-arn" = var.iam_role_arn != null ? var.iam_role_arn : module.iam_assumable_role_efs.iam_role_arn + } } } } - } + }] } diff --git a/main.tf b/main.tf index 455bad9..08d3a16 100644 --- a/main.tf +++ b/main.tf @@ -1,3 +1,7 @@ +resource "null_resource" "dependencies" { + triggers = var.dependency_ids +} + resource "argocd_project" "this" { metadata { name = "efs-csi-driver" @@ -13,7 +17,7 @@ resource "argocd_project" "this" { destination { name = "in-cluster" - namespace = var.destination_namespace + namespace = "kube-system" } orphaned_resources { @@ -28,9 +32,63 @@ resource "argocd_project" "this" { } data "utils_deep_merge_yaml" "values" { - input = [ - yamlencode(local.helm_values), - yamlencode(var.helm_values_overrides) + input = [for i in concat(local.helm_values, var.helm_values) : yamlencode(i)] +} + +resource "aws_iam_policy" "efs" { + name_prefix = "efs-csi-driver-" + + policy = jsonencode({ + Version = "2012-10-17" + Statement = [ + { + Effect = "Allow" + Action = [ + "elasticfilesystem:DescribeAccessPoints", + "elasticfilesystem:DescribeFileSystems", + "elasticfilesystem:DescribeMountTargets", + "ec2:DescribeAvailabilityZones" + ] + Resource = "*" + }, + { + Effect = "Allow" + Action = [ + "elasticfilesystem:CreateAccessPoint" + ] + Resource = "*" + Condition = { + StringLike = { + "aws:RequestTag/efs.csi.aws.com/cluster" = "true" + } + } + }, + { + Effect = "Allow" + Action = "elasticfilesystem:DeleteAccessPoint" + Resource = "*" + Condition = { + StringEquals = { + "aws:ResourceTag/efs.csi.aws.com/cluster" = "true" + } + } + } + ] + }) +} + +module "iam_assumable_role_efs" { + source = "terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc" + version = "~> 5.0" + create_role = var.create_role + number_of_role_policy_arns = 1 + role_name_prefix = format("efs-csi-driver-%s-", var.cluster_name) + provider_url = replace(var.cluster_oidc_issuer_url, "https://", "") + role_policy_arns = [resource.aws_iam_policy.efs.arn] + + # List of ServiceAccounts that have permission to attach to this IAM role + oidc_fully_qualified_subjects = [ + "system:serviceaccount:kube-system:efs-csi-controller-sa", ] } @@ -40,12 +98,19 @@ resource "argocd_application" "this" { namespace = var.argocd_namespace } + timeouts { + create = "15m" + delete = "15m" + } + + wait = var.app_autosync == { "allow_empty" = tobool(null), "prune" = tobool(null), "self_heal" = tobool(null) } ? false : true + spec { project = argocd_project.this.metadata.0.name source { - repo_url = var.source_repository_url - path = "helm" + repo_url = "https://github.com/camptocamp/devops-stack-module-efs-csi-driver.git" + path = "charts/efs-csi-driver" target_revision = var.target_revision helm { values = data.utils_deep_merge_yaml.values.output @@ -54,13 +119,18 @@ resource "argocd_application" "this" { destination { name = "in-cluster" - namespace = var.destination_namespace + namespace = "kube-system" } sync_policy { - automated = { - prune = true - self_heal = true + automated = var.app_autosync + + retry { + backoff = { + duration = "" + max_duration = "" + } + limit = "0" } sync_options = [ @@ -68,4 +138,14 @@ resource "argocd_application" "this" { ] } } + + depends_on = [ + resource.null_resource.dependencies, + ] +} + +resource "null_resource" "this" { + depends_on = [ + resource.argocd_application.this, + ] } diff --git a/output.tf b/output.tf new file mode 100644 index 0000000..c9048fe --- /dev/null +++ b/output.tf @@ -0,0 +1,4 @@ +output "id" { + description = "ID to pass other modules in order to refer to this module as a dependency." + value = resource.null_resource.this.id +} diff --git a/terraform.tf b/terraform.tf index 2f07758..73dcaea 100644 --- a/terraform.tf +++ b/terraform.tf @@ -1,11 +1,12 @@ terraform { required_providers { argocd = { - source = "oboukili/argocd" + source = "oboukili/argocd" + version = ">= 4" } - utils = { - source = "cloudposse/utils" + source = "cloudposse/utils" + version = ">= 1" } } } diff --git a/variables.tf b/variables.tf index 537db7a..16299c6 100644 --- a/variables.tf +++ b/variables.tf @@ -1,13 +1,16 @@ -variable "name" { - type = string +####################### +## Standard variables +####################### - default = "efs-csi-driver" +variable "cluster_name" { + description = "Name given to the cluster. Value used for naming some the resources created by the module." + type = string + default = "cluster" } -variable "source_repository_url" { - type = string - - default = "https://github.com/camptocamp/devops-stack-module-efs-csi-driver.git" +variable "argocd_namespace" { + description = "Namespace used by Argo CD where the Application and AppProject resources should be created." + type = string } variable "target_revision" { @@ -15,29 +18,61 @@ variable "target_revision" { type = string default = "v1.0.0-alpha.2" # x-release-please-version } -variable "destination_namespace" { - type = string - default = "efs-csi-driver" +variable "helm_values" { + description = "Helm chart value overrides. They should be passed as a list of HCL structures." + type = any + default = [] } -variable "helm_values_overrides" { - type = any +variable "app_autosync" { + description = "Automated sync options for the Argo CD Application resource." + type = object({ + allow_empty = optional(bool) + prune = optional(bool) + self_heal = optional(bool) + }) + default = { + allow_empty = false + prune = true + self_heal = true + } +} - default = {} +variable "dependency_ids" { + description = "IDs of the other modules on which this module depends on." + type = map(string) + default = {} } -variable "argocd_namespace" { - type = string +####################### +## Module variables +####################### + +variable "name" { + description = "Name used to override the chart name on deployment." + type = string + default = "efs-csi-driver" } variable "efs_file_system_id" { + description = "EFS Filesystem ID to use by the CSI driver to create volumes." type = string - description = "EFS Filesystem ID to use by the CSI driver to create volumes" +} + +variable "create_role" { + description = "Boolean to indicate that the OIDC assumable IAM role should be created. **If passing `iam_role_arn` this should be false, otherwise if you want to create the OIDC assumable IAM role provided by this module, you will need to specify the variable `cluster_oidc_issuer_url`.**" + type = bool } variable "iam_role_arn" { + description = "ARN of an OIDC assumable IAM role that has access to the EFS filesystem. When specified, this is added as an annotation to the EFS CSI driver controller ServiceAccount, to allow the driver to manage EFS access points for dynamic volumes provisioning." + type = string + default = null +} + +variable "cluster_oidc_issuer_url" { + description = "Cluster OIDC issuer URL used to create the OIDC assumable IAM role. This variable is required to create a IAM role if you set `create_role` as true." type = string - default = "" - description = "ARN of an OIDC assumable IAM role that has access to the EFS filesystem (optional). When specified, this is added as an annotation to the EFS CSI driver controller ServiceAccount, to allow the driver to manage EFS access points for dynamic volumes provisioning." + default = "" # Use empty string instead of null because of the replace() that uses this variable. }