diff --git a/README.md b/README.md
index 7579872..2580550 100644
--- a/README.md
+++ b/README.md
@@ -1,4 +1,4 @@
-# AWS EKS <$addon-name> Terraform module
+# AWS EKS EBS CSI driver Terraform module
[![labyrinth labs logo](ll-logo.png)](https://lablabs.io/)
@@ -6,12 +6,12 @@ We help companies build, run, deploy and scale software and infrastructure by em
---
-[![Terraform validate](https://github.com/lablabs/terraform-aws-eks-<$addon-name>/actions/workflows/validate.yaml/badge.svg)](https://github.com/lablabs/terraform-aws-eks-<$addon-name>/actions/workflows/validate.yaml)
-[![pre-commit](https://github.com/lablabs/terraform-aws-<$addon-name>/actions/workflows/pre-commit.yml/badge.svg)](https://github.com/lablabs/terraform-aws-eks-<$addon-name>/actions/workflows/pre-commit.yml)
+[![Terraform validate](https://github.com/lablabs/terraform-aws-eks-ebs-csi-driver/actions/workflows/validate.yaml/badge.svg)](https://github.com/lablabs/terraform-aws-eks-ebs-csi-driver/actions/workflows/validate.yaml)
+[![pre-commit](https://github.com/lablabs/terraform-aws-ebs-csi-driver/actions/workflows/pre-commit.yml/badge.svg)](https://github.com/lablabs/terraform-aws-eks-ebs-csi-driver/actions/workflows/pre-commit.yml)
## Description
-A terraform module to deploy the <$addon-name> on Amazon EKS cluster.
+A terraform module to deploy the AWS EBS CSI driver on Amazon EKS cluster.
## Related Projects
@@ -32,14 +32,9 @@ To overcome this issue, the module deploys the ArgoCD application object using t
Create helm release resource and deploy it as argo application (set `enabled = true`, `argo_enabled = true` and `argo_helm_enabled = true`)
-
-
-
+To disable of creation IRSA role and IRSA policy, set `irsa_role_create = false` and `irsa_policy_enabled = false`, respectively
## Examples
@@ -73,7 +68,6 @@ No modules.
| [helm_release.this](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
| [kubernetes_manifest.this](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/manifest) | resource |
| [aws_iam_policy_document.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
-| [aws_iam_policy_document.this_assume](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_iam_policy_document.this_irsa](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [utils_deep_merge_yaml.argo_helm_values](https://registry.terraform.io/providers/cloudposse/utils/latest/docs/data-sources/deep_merge_yaml) | data source |
| [utils_deep_merge_yaml.values](https://registry.terraform.io/providers/cloudposse/utils/latest/docs/data-sources/deep_merge_yaml) | data source |
@@ -101,8 +95,8 @@ No modules.
| [argo\_sync\_policy](#input\_argo\_sync\_policy) | ArgoCD syncPolicy manifest parameter | `map` | `{}` | no |
| [enabled](#input\_enabled) | Variable indicating whether deployment is enabled | `bool` | `true` | no |
| [helm\_atomic](#input\_helm\_atomic) | If set, installation process purges chart on fail. The wait flag will be set automatically if atomic is used | `bool` | `false` | no |
-| [helm\_chart\_name](#input\_helm\_chart\_name) | Helm chart name to be installed | `string` | `"<$addon-name>"` | no |
-| [helm\_chart\_version](#input\_helm\_chart\_version) | Version of the Helm chart | `string` | `""` | no |
+| [helm\_chart\_name](#input\_helm\_chart\_name) | Helm chart name to be installed | `string` | `"aws-ebs-csi-driver"` | no |
+| [helm\_chart\_version](#input\_helm\_chart\_version) | Version of the Helm chart | `string` | `"2.10.1"` | no |
| [helm\_cleanup\_on\_fail](#input\_helm\_cleanup\_on\_fail) | Allow deletion of new resources created in this helm upgrade when upgrade fails | `bool` | `false` | no |
| [helm\_create\_namespace](#input\_helm\_create\_namespace) | Create the namespace if it does not yet exist | `bool` | `true` | no |
| [helm\_dependency\_update](#input\_helm\_dependency\_update) | Runs helm dependency update before installing the chart | `bool` | `false` | no |
@@ -117,14 +111,14 @@ No modules.
| [helm\_postrender](#input\_helm\_postrender) | Value block with a path to a binary file to run after helm renders the manifest which can alter the manifest contents | `map(any)` | `{}` | no |
| [helm\_recreate\_pods](#input\_helm\_recreate\_pods) | Perform pods restart during helm upgrade/rollback | `bool` | `false` | no |
| [helm\_release\_max\_history](#input\_helm\_release\_max\_history) | Maximum number of release versions stored per release | `number` | `0` | no |
-| [helm\_release\_name](#input\_helm\_release\_name) | Helm release name | `string` | `"<$addon-name>"` | no |
+| [helm\_release\_name](#input\_helm\_release\_name) | Helm release name | `string` | `"aws-ebs-csi-driver"` | no |
| [helm\_render\_subchart\_notes](#input\_helm\_render\_subchart\_notes) | If set, render helm subchart notes along with the parent | `bool` | `true` | no |
| [helm\_replace](#input\_helm\_replace) | Re-use the given name of helm release, only if that name is a deleted release which remains in the history. This is unsafe in production | `bool` | `false` | no |
| [helm\_repo\_ca\_file](#input\_helm\_repo\_ca\_file) | Helm repositories cert file | `string` | `""` | no |
| [helm\_repo\_cert\_file](#input\_helm\_repo\_cert\_file) | Helm repositories cert file | `string` | `""` | no |
| [helm\_repo\_key\_file](#input\_helm\_repo\_key\_file) | Helm repositories cert key file | `string` | `""` | no |
| [helm\_repo\_password](#input\_helm\_repo\_password) | Password for HTTP basic authentication against the helm repository | `string` | `""` | no |
-| [helm\_repo\_url](#input\_helm\_repo\_url) | Helm repository | `string` | `""` | no |
+| [helm\_repo\_url](#input\_helm\_repo\_url) | Helm repository | `string` | `"https://kubernetes-sigs.github.io/aws-ebs-csi-driver"` | no |
| [helm\_repo\_username](#input\_helm\_repo\_username) | Username for HTTP basic authentication against the helm repository | `string` | `""` | no |
| [helm\_reset\_values](#input\_helm\_reset\_values) | When upgrading, reset the values to the ones built into the helm chart | `bool` | `false` | no |
| [helm\_reuse\_values](#input\_helm\_reuse\_values) | When upgrading, reuse the last helm release's values and merge in any overrides. If 'helm\_reset\_values' is specified, this is ignored | `bool` | `false` | no |
@@ -134,18 +128,15 @@ No modules.
| [helm\_wait](#input\_helm\_wait) | Will wait until all helm release resources are in a ready state before marking the release as successful. It will wait for as long as timeout | `bool` | `false` | no |
| [helm\_wait\_for\_jobs](#input\_helm\_wait\_for\_jobs) | If wait is enabled, will wait until all helm Jobs have been completed before marking the release as successful. It will wait for as long as timeout | `bool` | `false` | no |
| [irsa\_additional\_policies](#input\_irsa\_additional\_policies) | Map of the additional policies to be attached to default role. Where key is arbitrary id and value is policy arn. | `map(string)` | `{}` | no |
-| [irsa\_assume\_role\_arn](#input\_irsa\_assume\_role\_arn) | Assume role arn. Assume role must be enabled. | `string` | `""` | no |
-| [irsa\_assume\_role\_enabled](#input\_irsa\_assume\_role\_enabled) | Whether IRSA is allowed to assume role defined by irsa\_assume\_role\_arn. | `bool` | `false` | no |
| [irsa\_policy\_enabled](#input\_irsa\_policy\_enabled) | Whether to create opinionated policy to allow operations on specified zones in `policy_allowed_zone_ids`. | `bool` | `true` | no |
| [irsa\_role\_create](#input\_irsa\_role\_create) | Whether to create IRSA role and annotate service account | `bool` | `true` | no |
-| [irsa\_role\_name\_prefix](#input\_irsa\_role\_name\_prefix) | The IRSA role name prefix for vector | `string` | `"<$addon-name>-irsa"` | no |
+| [irsa\_role\_name\_prefix](#input\_irsa\_role\_name\_prefix) | The IRSA role name prefix for AWS EBS CSI controller | `string` | `"ebs-csi-controller"` | no |
| [irsa\_tags](#input\_irsa\_tags) | IRSA resources tags | `map(string)` | `{}` | no |
-| [namespace](#input\_namespace) | The K8s namespace in which the <$addon-name> service account has been created | `string` | `"<$addon-name>"` | no |
-| [rbac\_create](#input\_rbac\_create) | Whether to create and use RBAC resources | `bool` | `true` | no |
+| [namespace](#input\_namespace) | The K8s namespace in which the AWS EBS CSI driver service account has been created | `string` | `"kube-system"` | no |
| [service\_account\_create](#input\_service\_account\_create) | Whether to create Service Account | `bool` | `true` | no |
-| [service\_account\_name](#input\_service\_account\_name) | The k8s <$addon-name> service account name | `string` | `"<$addon-name>"` | no |
-| [settings](#input\_settings) | Additional helm sets which will be passed to the Helm chart values, see https://hub.helm.sh/charts/stable/<$addon-name> | `map(any)` | `{}` | no |
-| [values](#input\_values) | Additional yaml encoded values which will be passed to the Helm chart, see https://hub.helm.sh/charts/stable/<$addon-name> | `string` | `""` | no |
+| [service\_account\_name](#input\_service\_account\_name) | The k8s EBS CSI driver service account name | `string` | `"aws-ebs-csi-driver"` | no |
+| [settings](#input\_settings) | Additional helm sets which will be passed to the Helm chart values, see https://github.com/kubernetes-sigs/aws-ebs-csi-driver/tree/master/charts/aws-ebs-csi-driver | `map(any)` | `{}` | no |
+| [values](#input\_values) | Additional yaml encoded values which will be passed to the Helm chart, see https://github.com/kubernetes-sigs/aws-ebs-csi-driver/tree/master/charts/aws-ebs-csi-driver | `string` | `""` | no |
## Outputs
@@ -153,7 +144,7 @@ No modules.
|------|-------------|
| [helm\_release\_application\_metadata](#output\_helm\_release\_application\_metadata) | Argo application helm release attributes |
| [helm\_release\_metadata](#output\_helm\_release\_metadata) | Helm release attributes |
-| [iam\_role\_attributes](#output\_iam\_role\_attributes) | <$addon-name> IAM role atributes |
+| [iam\_role\_attributes](#output\_iam\_role\_attributes) | EBS CSI driver IAM role atributes |
| [kubernetes\_application\_attributes](#output\_kubernetes\_application\_attributes) | Argo kubernetes manifest attributes |
diff --git a/examples/basic/README.md b/examples/basic/README.md
index b676807..9a7c801 100644
--- a/examples/basic/README.md
+++ b/examples/basic/README.md
@@ -11,10 +11,12 @@ No requirements.
| Name | Source | Version |
|------|--------|---------|
-| [addon\_installation\_argo\_helm](#module\_addon\_installation\_argo\_helm) | ../../ | n/a |
-| [addon\_installation\_argo\_kubernetes](#module\_addon\_installation\_argo\_kubernetes) | ../../ | n/a |
-| [addon\_installation\_disabled](#module\_addon\_installation\_disabled) | ../../ | n/a |
-| [addon\_installation\_helm](#module\_addon\_installation\_helm) | ../../ | n/a |
+| [ebs\_csi\_argo\_helm](#module\_ebs\_csi\_argo\_helm) | ../../ | n/a |
+| [ebs\_csi\_argo\_kubernetes](#module\_ebs\_csi\_argo\_kubernetes) | ../../ | n/a |
+| [ebs\_csi\_disabled](#module\_ebs\_csi\_disabled) | ../../ | n/a |
+| [ebs\_csi\_helm](#module\_ebs\_csi\_helm) | ../../ | n/a |
+| [ebs\_without\_irsa\_policy](#module\_ebs\_without\_irsa\_policy) | ../../ | n/a |
+| [ebs\_without\_irsa\_role](#module\_ebs\_without\_irsa\_role) | ../../ | n/a |
| [eks\_cluster](#module\_eks\_cluster) | cloudposse/eks-cluster/aws | 2.3.0 |
| [eks\_node\_group](#module\_eks\_node\_group) | cloudposse/eks-node-group/aws | 2.4.0 |
| [vpc](#module\_vpc) | terraform-aws-modules/vpc/aws | 3.14.2 |
diff --git a/examples/basic/base.tf b/examples/basic/base.tf
new file mode 100644
index 0000000..ab6e026
--- /dev/null
+++ b/examples/basic/base.tf
@@ -0,0 +1,33 @@
+module "vpc" {
+ source = "terraform-aws-modules/vpc/aws"
+ version = "3.14.2"
+
+ name = "cluster-autoscaler-vpc"
+ cidr = "10.0.0.0/16"
+ azs = ["eu-central-1a", "eu-central-1b"]
+ public_subnets = ["10.0.101.0/24", "10.0.102.0/24"]
+ enable_nat_gateway = true
+}
+
+module "eks_cluster" {
+ source = "cloudposse/eks-cluster/aws"
+ version = "2.3.0"
+
+ region = "eu-central-1"
+ subnet_ids = module.vpc.public_subnets
+ vpc_id = module.vpc.vpc_id
+ name = "basic-example"
+}
+
+module "eks_node_group" {
+ source = "cloudposse/eks-node-group/aws"
+ version = "2.4.0"
+
+ cluster_name = module.eks_cluster.eks_cluster_id
+ instance_types = ["t3.medium"]
+ subnet_ids = module.vpc.public_subnets
+ min_size = 1
+ desired_size = 1
+ max_size = 2
+ depends_on = [module.eks_cluster.kubernetes_config_map_id]
+}
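Review bot: Both the cluster (L133) and the node group (L144) are placed in `module.vpc.public_subnets`, so the example's worker nodes are likely to receive public addresses; for an example that users will copy, add private subnets for the node group and keep the public ones for ingress only, which is also the only configuration in which `enable_nat_gateway` at L125 makes sense. The VPC name `cluster-autoscaler-vpc` (L121) is a leftover from the template this module was derived from; rename it, e.g. `name = "ebs-csi-driver-vpc"`.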
diff --git a/examples/basic/main.tf b/examples/basic/main.tf
index d28191c..a0b227d 100644
--- a/examples/basic/main.tf
+++ b/examples/basic/main.tf
@@ -1,47 +1,33 @@
-module "vpc" {
- source = "terraform-aws-modules/vpc/aws"
- version = "3.14.2"
-
- name = "cluster-autoscaler-vpc"
- cidr = "10.0.0.0/16"
- azs = ["eu-central-1a", "eu-central-1b"]
- public_subnets = ["10.0.101.0/24", "10.0.102.0/24"]
- enable_nat_gateway = true
-}
+module "ebs_csi_disabled" {
+ source = "../../"
-module "eks_cluster" {
- source = "cloudposse/eks-cluster/aws"
- version = "2.3.0"
+ enabled = false
- region = "eu-central-1"
- subnet_ids = module.vpc.public_subnets
- vpc_id = module.vpc.vpc_id
- name = "basic-example"
+ cluster_identity_oidc_issuer = module.eks_cluster.eks_cluster_identity_oidc_issuer
+ cluster_identity_oidc_issuer_arn = module.eks_cluster.eks_cluster_identity_oidc_issuer_arn
}
-module "eks_node_group" {
- source = "cloudposse/eks-node-group/aws"
- version = "2.4.0"
-
- cluster_name = module.eks_cluster.eks_cluster_id
- instance_types = ["t3.medium"]
- subnet_ids = module.vpc.public_subnets
- min_size = 1
- desired_size = 1
- max_size = 2
- depends_on = [module.eks_cluster.kubernetes_config_map_id]
+module "ebs_without_irsa_role" {
+ source = "../../"
+
+ enabled = true
+
+ irsa_role_create = false
+ cluster_identity_oidc_issuer = module.eks_cluster.eks_cluster_identity_oidc_issuer
+ cluster_identity_oidc_issuer_arn = module.eks_cluster.eks_cluster_identity_oidc_issuer_arn
}
-module "addon_installation_disabled" {
+module "ebs_without_irsa_policy" {
source = "../../"
- enabled = false
+ enabled = true
+ irsa_policy_enabled = false
cluster_identity_oidc_issuer = module.eks_cluster.eks_cluster_identity_oidc_issuer
cluster_identity_oidc_issuer_arn = module.eks_cluster.eks_cluster_identity_oidc_issuer_arn
}
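Review bot: `ebs_without_irsa_role` and `ebs_without_irsa_policy` both leave `namespace`, `helm_release_name` and `service_account_name` at their defaults, so each tries to install a release named `aws-ebs-csi-driver` into `kube-system` with the same service account, which Helm will reject for whichever is applied second; give them distinct `helm_release_name`/`namespace` values as the later modules in this file do, and note that several installs of the same CSI driver in one cluster will likely also collide on its cluster-scoped objects. With `irsa_policy_enabled = false` and no `irsa_additional_policies`, `ebs_without_irsa_policy` produces a role with no permissions at all, so the controller cannot reach EC2; if the example is meant to show "bring your own policy", pass one via `irsa_additional_policies`. The IAM policy name is `${irsa_role_name_prefix}-${helm_chart_name}`, so unless the prefix is overridden in lines outside this hunk, the modules that keep `irsa_policy_enabled = true` will also collide on the policy name within one account.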
-module "addon_installation_helm" {
+module "ebs_csi_helm" {
source = "../../"
enabled = true
@@ -51,12 +37,20 @@ module "addon_installation_helm" {
cluster_identity_oidc_issuer = module.eks_cluster.eks_cluster_identity_oidc_issuer
cluster_identity_oidc_issuer_arn = module.eks_cluster.eks_cluster_identity_oidc_issuer_arn
+ helm_release_name = "aws-ebs-csi-helm"
+ namespace = "aws-ebs-csi-helm"
+
values = yamlencode({
- # insert sample values here
+ "podLabels" : {
+ "app" : "aws-ebs-csi-helm"
+ }
})
+
+ helm_timeout = 240
+ helm_wait = true
}
-module "addon_installation_argo_kubernetes" {
+module "ebs_csi_argo_kubernetes" {
source = "../../"
enabled = true
@@ -66,9 +60,8 @@ module "addon_installation_argo_kubernetes" {
cluster_identity_oidc_issuer = module.eks_cluster.eks_cluster_identity_oidc_issuer
cluster_identity_oidc_issuer_arn = module.eks_cluster.eks_cluster_identity_oidc_issuer_arn
- values = yamlencode({
- # insert sample values here
- })
+ helm_release_name = "aws-ebs-csi-argo-kubernetes"
+ namespace = "aws-ebs-csi-argo-kubernetes"
argo_sync_policy = {
"automated" : {}
@@ -76,8 +69,7 @@ module "addon_installation_argo_kubernetes" {
}
}
-
-module "addon_installation_argo_helm" {
+module "ebs_csi_argo_helm" {
source = "../../"
enabled = true
@@ -87,6 +79,10 @@ module "addon_installation_argo_helm" {
cluster_identity_oidc_issuer = module.eks_cluster.eks_cluster_identity_oidc_issuer
cluster_identity_oidc_issuer_arn = module.eks_cluster.eks_cluster_identity_oidc_issuer_arn
+ helm_release_name = "aws-ebs-csi-argo-helm"
+ namespace = "aws-ebs-csi-argo-helm"
+
+ argo_namespace = "argo"
argo_sync_policy = {
"automated" : {}
"syncOptions" = ["CreateNamespace=true"]
diff --git a/iam.tf b/iam.tf
index bcb0e09..7aaea41 100644
--- a/iam.tf
+++ b/iam.tf
@@ -1,55 +1,167 @@
locals {
- irsa_role_create = var.enabled && var.rbac_create && var.service_account_create && var.irsa_role_create
+ irsa_role_create = var.enabled && var.service_account_create && var.irsa_role_create
}
data "aws_iam_policy_document" "this" {
- count = local.irsa_role_create && var.irsa_policy_enabled && !var.irsa_assume_role_enabled ? 1 : 0
+ count = local.irsa_role_create && var.irsa_policy_enabled ? 1 : 0
+
+ #checkov:skip=CKV_AWS_111 there is correct condition for existing Tags
+ # Official documentation https://raw.githubusercontent.com/kubernetes-sigs/aws-ebs-csi-driver/helm-chart-aws-ebs-csi-driver-2.10.1/docs/example-iam-policy.json
statement {
- sid = "Autoscaling"
+ effect = "Allow"
+ resources = ["*"]
actions = [
- "autoscaling:DescribeAutoScalingGroups",
- "autoscaling:DescribeAutoScalingInstances",
- "autoscaling:DescribeLaunchConfigurations",
- "autoscaling:DescribeTags",
- "autoscaling:SetDesiredCapacity",
- "autoscaling:TerminateInstanceInAutoScalingGroup",
- "ec2:DescribeLaunchTemplateVersions",
- "ec2:DescribeInstanceTypes"
- ] # checkov:skip=CKV_AWS_111
+ "ec2:CreateSnapshot",
+ "ec2:AttachVolume",
+ "ec2:DetachVolume",
+ "ec2:ModifyVolume",
+ "ec2:DescribeAvailabilityZones",
+ "ec2:DescribeInstances",
+ "ec2:DescribeSnapshots",
+ "ec2:DescribeTags",
+ "ec2:DescribeVolumes",
+ "ec2:DescribeVolumesModifications",
+ ]
+ }
+
+ statement {
+ effect = "Allow"
resources = [
- "*",
+ "arn:aws:ec2:*:*:volume/*",
+ "arn:aws:ec2:*:*:snapshot/*",
]
- effect = "Allow"
- }
+ actions = ["ec2:CreateTags"]
-}
+ condition {
+ test = "StringEquals"
+ variable = "ec2:CreateAction"
-data "aws_iam_policy_document" "this_assume" {
- count = local.irsa_role_create && var.irsa_assume_role_enabled ? 1 : 0
+ values = [
+ "CreateVolume",
+ "CreateSnapshot",
+ ]
+ }
+ }
statement {
- sid = "AllowAssume<$addon-name>Role"
effect = "Allow"
- actions = [
- "sts:AssumeRole"
- ]
+
resources = [
- var.irsa_assume_role_arn
+ "arn:aws:ec2:*:*:volume/*",
+ "arn:aws:ec2:*:*:snapshot/*",
]
+
+ actions = ["ec2:DeleteTags"]
+ }
+
+ statement {
+ effect = "Allow"
+ resources = ["*"]
+ actions = ["ec2:CreateVolume"]
+
+ condition {
+ test = "StringLike"
+ variable = "aws:RequestTag/ebs.csi.aws.com/cluster"
+ values = ["true"]
+ }
+ }
+
+ statement {
+ effect = "Allow"
+ resources = ["*"]
+ actions = ["ec2:CreateVolume"]
+
+ condition {
+ test = "StringLike"
+ variable = "aws:RequestTag/CSIVolumeName"
+ values = ["*"]
+ }
+ }
+
+ statement {
+ effect = "Allow"
+ resources = ["*"]
+ actions = ["ec2:CreateVolume"]
+
+ condition {
+ test = "StringLike"
+ variable = "aws:RequestTag/kubernetes.io/cluster/*"
+ values = ["owned"]
+ }
+ }
+
+ statement {
+ effect = "Allow"
+ resources = ["*"]
+ actions = ["ec2:DeleteVolume"]
+
+ condition {
+ test = "StringLike"
+ variable = "ec2:ResourceTag/ebs.csi.aws.com/cluster"
+ values = ["true"]
+ }
+ }
+
+ statement {
+ effect = "Allow"
+ resources = ["*"]
+ actions = ["ec2:DeleteVolume"]
+
+ condition {
+ test = "StringLike"
+ variable = "ec2:ResourceTag/CSIVolumeName"
+ values = ["*"]
+ }
+ }
+
+ statement {
+ effect = "Allow"
+ resources = ["*"]
+ actions = ["ec2:DeleteVolume"]
+
+ condition {
+ test = "StringLike"
+ variable = "ec2:ResourceTag/kubernetes.io/cluster/*"
+ values = ["owned"]
+ }
+ }
+
+ statement {
+ effect = "Allow"
+ resources = ["*"]
+ actions = ["ec2:DeleteSnapshot"]
+
+ condition {
+ test = "StringLike"
+ variable = "ec2:ResourceTag/CSIVolumeSnapshotName"
+ values = ["*"]
+ }
+ }
+
+ statement {
+ effect = "Allow"
+ resources = ["*"]
+ actions = ["ec2:DeleteSnapshot"]
+
+ condition {
+ test = "StringLike"
+ variable = "ec2:ResourceTag/ebs.csi.aws.com/cluster"
+ values = ["true"]
+ }
}
}
resource "aws_iam_policy" "this" {
- count = local.irsa_role_create && (var.irsa_policy_enabled || var.irsa_assume_role_enabled) ? 1 : 0
+ count = local.irsa_role_create && var.irsa_policy_enabled ? 1 : 0
name = "${var.irsa_role_name_prefix}-${var.helm_chart_name}"
path = "/"
- description = "Policy for <$addon-name> service"
- policy = var.irsa_assume_role_enabled ? data.aws_iam_policy_document.this_assume[0].json : data.aws_iam_policy_document.this[0].json
+ description = "Policy for EBS CSI driver"
+ policy = data.aws_iam_policy_document.this[0].json
tags = var.irsa_tags
}
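Review bot: The `CreateTags`/`DeleteTags` statements hard-code the `aws` partition in `arn:aws:ec2:*:*:volume/*` and `arn:aws:ec2:*:*:snapshot/*`, so in the GovCloud or China partitions the policy grants nothing for those actions; add `data "aws_partition" "current" {}` and build them as `"arn:${data.aws_partition.current.partition}:ec2:*:*:volume/*"` (and the same for snapshots). The `checkov:skip` justification at L272 claims a tag condition, but the first statement (`AttachVolume`, `DetachVolume`, `ModifyVolume`, `CreateSnapshot` on `*`) has none; reword the comment to say that this unconditioned statement mirrors the upstream example policy linked on the next line, so the next reader does not assume a condition was dropped by mistake. Adding a `sid` to each statement (the old code had one) would also make the rendered policy readable in the console.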
@@ -86,7 +198,7 @@ resource "aws_iam_role" "this" {
}
resource "aws_iam_role_policy_attachment" "this" {
- count = local.irsa_role_create ? 1 : 0
+ count = local.irsa_role_create && var.irsa_policy_enabled ? 1 : 0
role = aws_iam_role.this[0].name
policy_arn = aws_iam_policy.this[0].arn
}
diff --git a/outputs.tf b/outputs.tf
index 42898ab..3f48ea4 100644
--- a/outputs.tf
+++ b/outputs.tf
@@ -14,6 +14,6 @@ output "kubernetes_application_attributes" {
}
output "iam_role_attributes" {
- description = "<$addon-name> IAM role atributes"
+ description = "EBS CSI driver IAM role atributes"
value = try(aws_iam_role.this[0], {})
}
diff --git a/values.tf b/values.tf
index a30740a..3f17066 100644
--- a/values.tf
+++ b/values.tf
@@ -1,6 +1,23 @@
locals {
values_default = yamlencode({
- # add default values here
+ "controller" : {
+ "serviceAccount" : {
+ "create" : var.service_account_create
+ "name" : var.service_account_name
+ "annotations" : {
+ "eks.amazonaws.com/role-arn" : local.irsa_role_create ? aws_iam_role.this[0].arn : ""
+ }
+ }
+ }
+ "node" : {
+ "serviceAccount" : {
+ "create" : false
+ "name" : var.service_account_name
+ "annotations" : {
+ "eks.amazonaws.com/role-arn" : local.irsa_role_create ? aws_iam_role.this[0].arn : ""
+ }
+ }
+ }
})
}
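Review bot: The node DaemonSet is pointed at the controller's service account (`node.serviceAccount.create = false`, the same `name`, the same `eks.amazonaws.com/role-arn`), so every node pod receives the controller's EC2 volume and snapshot permissions; the upstream chart ships separate controller and node service accounts, and to my knowledge only the controller makes the EC2 calls this role grants, so the `node` block should keep its own account without the role annotation or be left to the chart's defaults. Separately, when `irsa_role_create` is false the annotation is still emitted with an empty value; emit the map conditionally instead, `"annotations" : local.irsa_role_create ? { "eks.amazonaws.com/role-arn" = aws_iam_role.this[0].arn } : {}`. `local.irsa_role_create` is defined in iam.tf, outside this hunk.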
diff --git a/variables.tf b/variables.tf
index 57d0500..e809a75 100644
--- a/variables.tf
+++ b/variables.tf
@@ -14,28 +14,26 @@ variable "cluster_identity_oidc_issuer_arn" {
description = "The OIDC Identity issuer ARN for the cluster that can be used to associate IAM roles with a service account"
}
-# ================ common variables (required) ================
-
variable "helm_chart_name" {
type = string
- default = "<$addon-name>"
+ default = "aws-ebs-csi-driver"
description = "Helm chart name to be installed"
}
variable "helm_chart_version" {
type = string
- default = ""
+ default = "2.10.1"
description = "Version of the Helm chart"
}
variable "helm_release_name" {
type = string
- default = "<$addon-name>"
+ default = "aws-ebs-csi-driver"
description = "Helm release name"
}
variable "helm_repo_url" {
type = string
- default = ""
+ default = "https://kubernetes-sigs.github.io/aws-ebs-csi-driver"
description = "Helm repository"
}
@@ -47,28 +45,20 @@ variable "helm_create_namespace" {
variable "namespace" {
type = string
- default = "<$addon-name>"
- description = "The K8s namespace in which the <$addon-name> service account has been created"
+ default = "kube-system"
+ description = "The K8s namespace in which the AWS EBS CSI driver service account has been created"
}
variable "settings" {
type = map(any)
default = {}
- description = "Additional helm sets which will be passed to the Helm chart values, see https://hub.helm.sh/charts/stable/<$addon-name>"
+ description = "Additional helm sets which will be passed to the Helm chart values, see https://github.com/kubernetes-sigs/aws-ebs-csi-driver/tree/master/charts/aws-ebs-csi-driver"
}
variable "values" {
type = string
default = ""
- description = "Additional yaml encoded values which will be passed to the Helm chart, see https://hub.helm.sh/charts/stable/<$addon-name>"
-}
-
-# ================ IRSA variables (optional) ================
-
-variable "rbac_create" {
- type = bool
- default = true
- description = "Whether to create and use RBAC resources"
+ description = "Additional yaml encoded values which will be passed to the Helm chart, see https://github.com/kubernetes-sigs/aws-ebs-csi-driver/tree/master/charts/aws-ebs-csi-driver"
}
variable "service_account_create" {
@@ -77,6 +67,11 @@ variable "service_account_create" {
description = "Whether to create Service Account"
}
+variable "service_account_name" {
+ default = "aws-ebs-csi-driver"
+ description = "The k8s EBS CSI driver service account name"
+}
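Review bot: The new `service_account_name` variable declares no `type`, unlike every other variable in this file; add `type = string` above the default so a non-string value is rejected at plan time. While in this file, the `irsa_policy_enabled` description (unchanged, just below this hunk) still refers to `policy_allowed_zone_ids`, a variable this module does not define; reword it to describe the EBS CSI driver policy built in iam.tf.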
+
variable "irsa_role_create" {
type = bool
default = true
@@ -89,17 +84,6 @@ variable "irsa_policy_enabled" {
description = "Whether to create opinionated policy to allow operations on specified zones in `policy_allowed_zone_ids`."
}
-variable "irsa_assume_role_enabled" {
- type = bool
- default = false
- description = "Whether IRSA is allowed to assume role defined by irsa_assume_role_arn."
-}
-
-variable "irsa_assume_role_arn" {
- default = ""
- description = "Assume role arn. Assume role must be enabled."
-}
-
variable "irsa_additional_policies" {
type = map(string)
default = {}
@@ -108,8 +92,8 @@ variable "irsa_additional_policies" {
variable "irsa_role_name_prefix" {
type = string
- default = "<$addon-name>-irsa"
- description = "The IRSA role name prefix for vector"
+ default = "ebs-csi-controller"
+ description = "The IRSA role name prefix for AWS EBS CSI controller"
}
variable "irsa_tags" {
@@ -118,13 +102,6 @@ variable "irsa_tags" {
description = "IRSA resources tags"
}
-variable "service_account_name" {
- default = "<$addon-name>"
- description = "The k8s <$addon-name> service account name"
-}
-
-# ================ argo variables (required) ================
-
variable "argo_namespace" {
type = string
default = "argo"
@@ -193,8 +170,6 @@ variable "argo_helm_values" {
description = "Value overrides to use when deploying argo application object with helm"
}
-# ================ argo kubernetes manifest variables (required) ================
-
variable "argo_kubernetes_manifest_computed_fields" {
type = list(string)
default = ["metadata.labels", "metadata.annotations"]
@@ -218,8 +193,6 @@ variable "argo_kubernetes_manifest_wait_fields" {
description = "A map of fields and a corresponding regular expression with a pattern to wait for. The provider will wait until the field matches the regular expression. Use * for any value."
}
-# ================ helm release variables (required) ================
-
variable "helm_repo_key_file" {
type = string
default = ""