From b7418238a0aa3dfc564ddfc121c7a8796b2e5253 Mon Sep 17 00:00:00 2001
From: tomas-balaz
Date: Mon, 5 Sep 2022 19:13:07 +0200
Subject: [PATCH 1/2] feat: update IRSA and examples
---
 README.md | 39 ++++------
 examples/basic/README.md | 10 ++-
 examples/basic/base.tf | 33 ++++++++
 examples/basic/main.tf | 72 ++++++++--------
 iam.tf | 164 ++++++++++++++++++++++++++++++++-------
 outputs.tf | 2 +-
 values.tf | 19 ++++-
 variables.tf | 57 ++++----------
 8 files changed, 260 insertions(+), 136 deletions(-)
 create mode 100644 examples/basic/base.tf
diff --git a/README.md b/README.md
index 7579872..2580550 100644
--- a/README.md
+++ b/README.md
@@ -1,4 +1,4 @@
-# AWS EKS <$addon-name> Terraform module
+# AWS EKS EBS CSI driver Terraform module
 [![labyrinth labs logo](ll-logo.png)](https://lablabs.io/)
@@ -6,12 +6,12 @@ We help companies build, run, deploy and scale software and infrastructure by em
 ---
-[![Terraform validate](https://github.com/lablabs/terraform-aws-eks-<$addon-name>/actions/workflows/validate.yaml/badge.svg)](https://github.com/lablabs/terraform-aws-eks-<$addon-name>/actions/workflows/validate.yaml)
-[![pre-commit](https://github.com/lablabs/terraform-aws-<$addon-name>/actions/workflows/pre-commit.yml/badge.svg)](https://github.com/lablabs/terraform-aws-eks-<$addon-name>/actions/workflows/pre-commit.yml)
+[![Terraform validate](https://github.com/lablabs/terraform-aws-eks-ebs-csi-driver/actions/workflows/validate.yaml/badge.svg)](https://github.com/lablabs/terraform-aws-eks-ebs-csi-driver/actions/workflows/validate.yaml)
+[![pre-commit](https://github.com/lablabs/terraform-aws-ebs-csi-driver/actions/workflows/pre-commit.yml/badge.svg)](https://github.com/lablabs/terraform-aws-eks-ebs-csi-driver/actions/workflows/pre-commit.yml)
 ## Description
-A terraform module to deploy the <$addon-name> on Amazon EKS cluster.
+A terraform module to deploy the AWS EBS CSI driver on Amazon EKS cluster.
 ## Related Projects
@@ -32,14 +32,9 @@ To overcome this issue, the module deploys the ArgoCD application object using t
 Create helm release resource and deploy it as argo application (set `enabled = true`, `argo_enabled = true` and `argo_helm_enabled = true`)
-
-
-
+To disable of creation IRSA role and IRSA policy, set `irsa_role_create = false` and `irsa_policy_enabled = false`, respectively
 ## Examples
@@ -73,7 +68,6 @@ No modules.
 | [helm_release.this](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
 | [kubernetes_manifest.this](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/manifest) | resource |
 | [aws_iam_policy_document.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
-| [aws_iam_policy_document.this_assume](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.this_irsa](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [utils_deep_merge_yaml.argo_helm_values](https://registry.terraform.io/providers/cloudposse/utils/latest/docs/data-sources/deep_merge_yaml) | data source |
 | [utils_deep_merge_yaml.values](https://registry.terraform.io/providers/cloudposse/utils/latest/docs/data-sources/deep_merge_yaml) | data source |
@@ -101,8 +95,8 @@ No modules.
 | [argo\_sync\_policy](#input\_argo\_sync\_policy) | ArgoCD syncPolicy manifest parameter | `map` | `{}` | no |
 | [enabled](#input\_enabled) | Variable indicating whether deployment is enabled | `bool` | `true` | no |
 | [helm\_atomic](#input\_helm\_atomic) | If set, installation process purges chart on fail. The wait flag will be set automatically if atomic is used | `bool` | `false` | no |
-| [helm\_chart\_name](#input\_helm\_chart\_name) | Helm chart name to be installed | `string` | `"<$addon-name>"` | no |
-| [helm\_chart\_version](#input\_helm\_chart\_version) | Version of the Helm chart | `string` | `""` | no |
+| [helm\_chart\_name](#input\_helm\_chart\_name) | Helm chart name to be installed | `string` | `"aws-ebs-csi-driver"` | no |
+| [helm\_chart\_version](#input\_helm\_chart\_version) | Version of the Helm chart | `string` | `"2.10.1"` | no |
 | [helm\_cleanup\_on\_fail](#input\_helm\_cleanup\_on\_fail) | Allow deletion of new resources created in this helm upgrade when upgrade fails | `bool` | `false` | no |
 | [helm\_create\_namespace](#input\_helm\_create\_namespace) | Create the namespace if it does not yet exist | `bool` | `true` | no |
 | [helm\_dependency\_update](#input\_helm\_dependency\_update) | Runs helm dependency update before installing the chart | `bool` | `false` | no |
@@ -117,14 +111,14 @@ No modules.
 | [helm\_postrender](#input\_helm\_postrender) | Value block with a path to a binary file to run after helm renders the manifest which can alter the manifest contents | `map(any)` | `{}` | no |
 | [helm\_recreate\_pods](#input\_helm\_recreate\_pods) | Perform pods restart during helm upgrade/rollback | `bool` | `false` | no |
 | [helm\_release\_max\_history](#input\_helm\_release\_max\_history) | Maximum number of release versions stored per release | `number` | `0` | no |
-| [helm\_release\_name](#input\_helm\_release\_name) | Helm release name | `string` | `"<$addon-name>"` | no |
+| [helm\_release\_name](#input\_helm\_release\_name) | Helm release name | `string` | `"aws-ebs-csi-driver"` | no |
 | [helm\_render\_subchart\_notes](#input\_helm\_render\_subchart\_notes) | If set, render helm subchart notes along with the parent | `bool` | `true` | no |
 | [helm\_replace](#input\_helm\_replace) | Re-use the given name of helm release, only if that name is a deleted release which remains in the history.
This is unsafe in production | `bool` | `false` | no |
 | [helm\_repo\_ca\_file](#input\_helm\_repo\_ca\_file) | Helm repositories cert file | `string` | `""` | no |
 | [helm\_repo\_cert\_file](#input\_helm\_repo\_cert\_file) | Helm repositories cert file | `string` | `""` | no |
 | [helm\_repo\_key\_file](#input\_helm\_repo\_key\_file) | Helm repositories cert key file | `string` | `""` | no |
 | [helm\_repo\_password](#input\_helm\_repo\_password) | Password for HTTP basic authentication against the helm repository | `string` | `""` | no |
-| [helm\_repo\_url](#input\_helm\_repo\_url) | Helm repository | `string` | `""` | no |
+| [helm\_repo\_url](#input\_helm\_repo\_url) | Helm repository | `string` | `"https://kubernetes-sigs.github.io/aws-ebs-csi-driver"` | no |
 | [helm\_repo\_username](#input\_helm\_repo\_username) | Username for HTTP basic authentication against the helm repository | `string` | `""` | no |
 | [helm\_reset\_values](#input\_helm\_reset\_values) | When upgrading, reset the values to the ones built into the helm chart | `bool` | `false` | no |
 | [helm\_reuse\_values](#input\_helm\_reuse\_values) | When upgrading, reuse the last helm release's values and merge in any overrides. If 'helm\_reset\_values' is specified, this is ignored | `bool` | `false` | no |
@@ -134,18 +128,15 @@ No modules.
 | [helm\_wait](#input\_helm\_wait) | Will wait until all helm release resources are in a ready state before marking the release as successful. It will wait for as long as timeout | `bool` | `false` | no |
 | [helm\_wait\_for\_jobs](#input\_helm\_wait\_for\_jobs) | If wait is enabled, will wait until all helm Jobs have been completed before marking the release as successful. It will wait for as long as timeout | `bool` | `false` | no |
 | [irsa\_additional\_policies](#input\_irsa\_additional\_policies) | Map of the additional policies to be attached to default role. Where key is arbitrary id and value is policy arn. | `map(string)` | `{}` | no |
-| [irsa\_assume\_role\_arn](#input\_irsa\_assume\_role\_arn) | Assume role arn. Assume role must be enabled. | `string` | `""` | no |
-| [irsa\_assume\_role\_enabled](#input\_irsa\_assume\_role\_enabled) | Whether IRSA is allowed to assume role defined by irsa\_assume\_role\_arn. | `bool` | `false` | no |
 | [irsa\_policy\_enabled](#input\_irsa\_policy\_enabled) | Whether to create opinionated policy to allow operations on specified zones in `policy_allowed_zone_ids`.
| `bool` | `true` | no |
 | [irsa\_role\_create](#input\_irsa\_role\_create) | Whether to create IRSA role and annotate service account | `bool` | `true` | no |
-| [irsa\_role\_name\_prefix](#input\_irsa\_role\_name\_prefix) | The IRSA role name prefix for vector | `string` | `"<$addon-name>-irsa"` | no |
+| [irsa\_role\_name\_prefix](#input\_irsa\_role\_name\_prefix) | The IRSA role name prefix for AWS EBS CSI controller | `string` | `"ebs-csi-controller"` | no |
 | [irsa\_tags](#input\_irsa\_tags) | IRSA resources tags | `map(string)` | `{}` | no |
-| [namespace](#input\_namespace) | The K8s namespace in which the <$addon-name> service account has been created | `string` | `"<$addon-name>"` | no |
-| [rbac\_create](#input\_rbac\_create) | Whether to create and use RBAC resources | `bool` | `true` | no |
+| [namespace](#input\_namespace) | The K8s namespace in which the AWS EBS CSI driver service account has been created | `string` | `"kube-system"` | no |
 | [service\_account\_create](#input\_service\_account\_create) | Whether to create Service Account | `bool` | `true` | no |
-| [service\_account\_name](#input\_service\_account\_name) | The k8s <$addon-name> service account name | `string` | `"<$addon-name>"` | no |
-| [settings](#input\_settings) | Additional helm sets which will be passed to the Helm chart values, see https://hub.helm.sh/charts/stable/<$addon-name> | `map(any)` | `{}` | no |
-| [values](#input\_values) | Additional yaml encoded values which will be passed to the Helm chart, see https://hub.helm.sh/charts/stable/<$addon-name> | `string` | `""` | no |
+| [service\_account\_name](#input\_service\_account\_name) | The k8s EBS CSI driver service account name | `string` | `"aws-ebs-csi-driver"` | no |
+| [settings](#input\_settings) | Additional helm sets which will be passed to the Helm chart values, see https://github.com/kubernetes-sigs/aws-ebs-csi-driver/tree/master/charts/aws-ebs-csi-driver | `map(any)` | `{}` | no |
+| [values](#input\_values) |
Additional yaml encoded values which will be passed to the Helm chart, see https://github.com/kubernetes-sigs/aws-ebs-csi-driver/tree/master/charts/aws-ebs-csi-driver | `string` | `""` | no |
 ## Outputs
@@ -153,7 +144,7 @@ No modules.
 |------|-------------|
 | [helm\_release\_application\_metadata](#output\_helm\_release\_application\_metadata) | Argo application helm release attributes |
 | [helm\_release\_metadata](#output\_helm\_release\_metadata) | Helm release attributes |
-| [iam\_role\_attributes](#output\_iam\_role\_attributes) | <$addon-name> IAM role atributes |
+| [iam\_role\_attributes](#output\_iam\_role\_attributes) | EBS CSI driver IAM role atributes |
 | [kubernetes\_application\_attributes](#output\_kubernetes\_application\_attributes) | Argo kubernetes manifest attributes |
diff --git a/examples/basic/README.md b/examples/basic/README.md
index b676807..9a7c801 100644
--- a/examples/basic/README.md
+++ b/examples/basic/README.md
@@ -11,10 +11,12 @@ No requirements.
 | Name | Source | Version |
 |------|--------|---------|
-| [addon\_installation\_argo\_helm](#module\_addon\_installation\_argo\_helm) | ../../ | n/a |
-| [addon\_installation\_argo\_kubernetes](#module\_addon\_installation\_argo\_kubernetes) | ../../ | n/a |
-| [addon\_installation\_disabled](#module\_addon\_installation\_disabled) | ../../ | n/a |
-| [addon\_installation\_helm](#module\_addon\_installation\_helm) | ../../ | n/a |
+| [ebs\_csi\_argo\_helm](#module\_ebs\_csi\_argo\_helm) | ../../ | n/a |
+| [ebs\_csi\_argo\_kubernetes](#module\_ebs\_csi\_argo\_kubernetes) | ../../ | n/a |
+| [ebs\_csi\_disabled](#module\_ebs\_csi\_disabled) | ../../ | n/a |
+| [ebs\_csi\_helm](#module\_ebs\_csi\_helm) | ../../ | n/a |
+| [ebs\_without\_irsa\_policy](#module\_ebs\_without\_irsa\_policy) | ../../ | n/a |
+| [ebs\_without\_irsa\_role](#module\_ebs\_without\_irsa\_role) | ../../ | n/a |
 | [eks\_cluster](#module\_eks\_cluster) | cloudposse/eks-cluster/aws | 2.3.0 |
 | [eks\_node\_group](#module\_eks\_node\_group) | cloudposse/eks-node-group/aws | 2.4.0 |
 | [vpc](#module\_vpc) | terraform-aws-modules/vpc/aws | 3.14.2 |
diff --git a/examples/basic/base.tf b/examples/basic/base.tf
new file mode 100644
index 0000000..ab6e026
--- /dev/null
+++ b/examples/basic/base.tf
@@ -0,0 +1,33 @@
+module "vpc" {
+ source = "terraform-aws-modules/vpc/aws"
+ version = "3.14.2"
+
+ name = "cluster-autoscaler-vpc"
+ cidr = "10.0.0.0/16"
+ azs = ["eu-central-1a", "eu-central-1b"]
+ public_subnets = ["10.0.101.0/24", "10.0.102.0/24"]
+ enable_nat_gateway = true
+}
+
+module "eks_cluster" {
+ source = "cloudposse/eks-cluster/aws"
+ version = "2.3.0"
+
+ region = "eu-central-1"
+ subnet_ids = module.vpc.public_subnets
+ vpc_id = module.vpc.vpc_id
+ name = "basic-example"
+}
+
+module "eks_node_group" {
+ source = "cloudposse/eks-node-group/aws"
+ version = "2.4.0"
+
+ cluster_name = module.eks_cluster.eks_cluster_id
+ instance_types = ["t3.medium"]
+ subnet_ids = module.vpc.public_subnets
+ min_size = 1
+ desired_size = 1
+ max_size = 2
+ depends_on = [module.eks_cluster.kubernetes_config_map_id]
+}
diff --git a/examples/basic/main.tf b/examples/basic/main.tf
index d28191c..a0b227d 100644
--- a/examples/basic/main.tf
+++ b/examples/basic/main.tf
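Review bot: The VPC in the new file still carries the template's `name = "cluster-autoscaler-vpc"`, the one identifier in base.tf that the commit did not rename for the EBS CSI example; `name = "ebs-csi-vpc"` would match the rest of the change. Less important for an example, but the cluster and node group are placed in `module.vpc.public_subnets` while the VPC declares no private subnets, so `enable_nat_gateway = true` creates a NAT gateway nothing routes through and every worker gets a public address. That layout is carried over unchanged from the old main.tf (the file content is a move), so I would flag it rather than block on it.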
@@ -1,47 +1,33 @@
-module "vpc" {
- source = "terraform-aws-modules/vpc/aws"
- version = "3.14.2"
-
- name = "cluster-autoscaler-vpc"
- cidr = "10.0.0.0/16"
- azs = ["eu-central-1a", "eu-central-1b"]
- public_subnets = ["10.0.101.0/24", "10.0.102.0/24"]
- enable_nat_gateway = true
-}
+module "ebs_csi_disabled" {
+ source = "../../"
-module "eks_cluster" {
- source = "cloudposse/eks-cluster/aws"
- version = "2.3.0"
+ enabled = false
- region = "eu-central-1"
- subnet_ids = module.vpc.public_subnets
- vpc_id = module.vpc.vpc_id
- name = "basic-example"
+ cluster_identity_oidc_issuer = module.eks_cluster.eks_cluster_identity_oidc_issuer
+ cluster_identity_oidc_issuer_arn = module.eks_cluster.eks_cluster_identity_oidc_issuer_arn
 }
-module "eks_node_group" {
- source = "cloudposse/eks-node-group/aws"
- version = "2.4.0"
-
- cluster_name = module.eks_cluster.eks_cluster_id
- instance_types = ["t3.medium"]
- subnet_ids = module.vpc.public_subnets
- min_size = 1
- desired_size = 1
- max_size = 2
- depends_on = [module.eks_cluster.kubernetes_config_map_id]
+module "ebs_without_irsa_role" {
+ source = "../../"
+
+ enabled = true
+
+ irsa_role_create = false
+ cluster_identity_oidc_issuer = module.eks_cluster.eks_cluster_identity_oidc_issuer
+ cluster_identity_oidc_issuer_arn = module.eks_cluster.eks_cluster_identity_oidc_issuer_arn
 }
-module "addon_installation_disabled" {
+module "ebs_without_irsa_policy" {
 source = "../../"
- enabled = false
+ enabled = true
+ irsa_policy_enabled = false
 cluster_identity_oidc_issuer = module.eks_cluster.eks_cluster_identity_oidc_issuer
 cluster_identity_oidc_issuer_arn = module.eks_cluster.eks_cluster_identity_oidc_issuer_arn
 }
-module "addon_installation_helm" {
+module "ebs_csi_helm" {
 source = "../../"
 enabled = true
@@ -51,12 +37,20 @@ module "addon_installation_helm" {
 cluster_identity_oidc_issuer = module.eks_cluster.eks_cluster_identity_oidc_issuer
 cluster_identity_oidc_issuer_arn = module.eks_cluster.eks_cluster_identity_oidc_issuer_arn
+ helm_release_name = "aws-ebs-csi-helm"
+ namespace = "aws-ebs-csi-helm"
+
 values = yamlencode({
- # insert sample values here
+ "podLabels" : {
+ "app" : "aws-ebs-csi-helm"
+ }
 })
+
+ helm_timeout = 240
+ helm_wait = true
 }
-module "addon_installation_argo_kubernetes" {
+module "ebs_csi_argo_kubernetes" {
 source = "../../"
 enabled = true
@@ -66,9 +60,8 @@ module "addon_installation_argo_kubernetes" {
 cluster_identity_oidc_issuer = module.eks_cluster.eks_cluster_identity_oidc_issuer
 cluster_identity_oidc_issuer_arn = module.eks_cluster.eks_cluster_identity_oidc_issuer_arn
- values = yamlencode({
- # insert sample values here
- })
+ helm_release_name = "aws-ebs-csi-argo-kubernetes"
+ namespace = "aws-ebs-csi-argo-kubernetes"
 argo_sync_policy = {
 "automated" : {}
@@ -76,8 +69,7 @@ module "addon_installation_argo_kubernetes" {
 }
 }
-
-module "addon_installation_argo_helm" {
+module "ebs_csi_argo_helm" {
 source = "../../"
 enabled = true
@@ -87,6 +79,10 @@ module "addon_installation_argo_helm" {
 cluster_identity_oidc_issuer = module.eks_cluster.eks_cluster_identity_oidc_issuer
 cluster_identity_oidc_issuer_arn = module.eks_cluster.eks_cluster_identity_oidc_issuer_arn
+ helm_release_name = "aws-ebs-csi-argo-helm"
+ namespace = "aws-ebs-csi-argo-helm"
+
+ argo_namespace = "argo"
 argo_sync_policy = {
 "automated" : {}
 "syncOptions" = ["CreateNamespace=true"]
diff --git a/iam.tf b/iam.tf
index bcb0e09..12d84dc 100644
--- a/iam.tf
+++ b/iam.tf
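Review bot: Several module instances in the first hunk keep the defaults that name both cluster-side and AWS-side resources, so applying this example as written should collide: `ebs_without_irsa_role` and `ebs_without_irsa_policy` both deploy a release under the default `helm_release_name` into the default `namespace` (`kube-system`), and `ebs_without_irsa_policy`, `ebs_csi_helm`, `ebs_csi_argo_kubernetes` and `ebs_csi_argo_helm` all derive IAM resource names from the default `irsa_role_name_prefix` (iam.tf builds the policy name as `"${var.irsa_role_name_prefix}-${var.helm_chart_name}"` with a fixed `name`; the role presumably follows the same scheme, but its definition is outside this diff). Give each instance its own `helm_release_name`/`namespace` and `irsa_role_name_prefix`, e.g. `irsa_role_name_prefix = "ebs-csi-helm"` in `ebs_csi_helm`. Separately, `argo_namespace = "argo"` in `ebs_csi_argo_helm` only restates the variable's default and could be dropped.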
@@ -1,55 +1,167 @@
 locals {
- irsa_role_create = var.enabled && var.rbac_create && var.service_account_create && var.irsa_role_create
+ irsa_role_create = var.enabled && var.service_account_create && var.irsa_role_create
 }
 data "aws_iam_policy_document" "this" {
- count = local.irsa_role_create && var.irsa_policy_enabled && !var.irsa_assume_role_enabled ? 1 : 0
+ count = local.irsa_role_create && var.irsa_policy_enabled ? 1 : 0
+
+ #checkov:skip=CKV_AWS_111 there is correct condition for existing Tags
+ # Official documentation https://raw.githubusercontent.com/kubernetes-sigs/aws-ebs-csi-driver/helm-chart-aws-ebs-csi-driver-2.10.1/docs/example-iam-policy.json
 statement {
- sid = "Autoscaling"
+ effect = "Allow"
+ resources = ["*"]
 actions = [
- "autoscaling:DescribeAutoScalingGroups",
- "autoscaling:DescribeAutoScalingInstances",
- "autoscaling:DescribeLaunchConfigurations",
- "autoscaling:DescribeTags",
- "autoscaling:SetDesiredCapacity",
- "autoscaling:TerminateInstanceInAutoScalingGroup",
- "ec2:DescribeLaunchTemplateVersions",
- "ec2:DescribeInstanceTypes"
 ] # checkov:skip=CKV_AWS_111
+ "ec2:CreateSnapshot",
+ "ec2:AttachVolume",
+ "ec2:DetachVolume",
+ "ec2:ModifyVolume",
+ "ec2:DescribeAvailabilityZones",
+ "ec2:DescribeInstances",
+ "ec2:DescribeSnapshots",
+ "ec2:DescribeTags",
+ "ec2:DescribeVolumes",
+ "ec2:DescribeVolumesModifications",
+ ]
+ }
+
+ statement {
+ effect = "Allow"
 resources = [
- "*",
+ "arn:aws:ec2:*:*:volume/*",
+ "arn:aws:ec2:*:*:snapshot/*",
 ]
- effect = "Allow"
- }
+ actions = ["ec2:CreateTags"]
-}
+ condition {
+ test = "StringEquals"
+ variable = "ec2:CreateAction"
-data "aws_iam_policy_document" "this_assume" {
- count = local.irsa_role_create && var.irsa_assume_role_enabled ?
1 : 0
+ values = [
+ "CreateVolume",
+ "CreateSnapshot",
+ ]
+ }
+ }
 statement {
- sid = "AllowAssume<$addon-name>Role"
 effect = "Allow"
- actions = [
- "sts:AssumeRole"
- ]
+
 resources = [
- var.irsa_assume_role_arn
+ "arn:aws:ec2:*:*:volume/*",
+ "arn:aws:ec2:*:*:snapshot/*",
 ]
+
+ actions = ["ec2:DeleteTags"]
+ }
+
+ statement {
+ effect = "Allow"
+ resources = ["*"]
+ actions = ["ec2:CreateVolume"]
+
+ condition {
+ test = "StringLike"
+ variable = "aws:RequestTag/ebs.csi.aws.com/cluster"
+ values = ["true"]
+ }
+ }
+
+ statement {
+ effect = "Allow"
+ resources = ["*"]
+ actions = ["ec2:CreateVolume"]
+
+ condition {
+ test = "StringLike"
+ variable = "aws:RequestTag/CSIVolumeName"
+ values = ["*"]
+ }
+ }
+
+ statement {
+ effect = "Allow"
+ resources = ["*"]
+ actions = ["ec2:CreateVolume"]
+
+ condition {
+ test = "StringLike"
+ variable = "aws:RequestTag/kubernetes.io/cluster/*"
+ values = ["owned"]
+ }
+ }
+
+ statement {
+ effect = "Allow"
+ resources = ["*"]
+ actions = ["ec2:DeleteVolume"]
+
+ condition {
+ test = "StringLike"
+ variable = "ec2:ResourceTag/ebs.csi.aws.com/cluster"
+ values = ["true"]
+ }
+ }
+
+ statement {
+ effect = "Allow"
+ resources = ["*"]
+ actions = ["ec2:DeleteVolume"]
+
+ condition {
+ test = "StringLike"
+ variable = "ec2:ResourceTag/CSIVolumeName"
+ values = ["*"]
+ }
+ }
+
+ statement {
+ effect = "Allow"
+ resources = ["*"]
+ actions = ["ec2:DeleteVolume"]
+
+ condition {
+ test = "StringLike"
+ variable = "ec2:ResourceTag/kubernetes.io/cluster/*"
+ values = ["owned"]
+ }
+ }
+
+ statement {
+ effect = "Allow"
+ resources = ["*"]
+ actions = ["ec2:DeleteSnapshot"]
+
+ condition {
+ test = "StringLike"
+ variable = "ec2:ResourceTag/CSIVolumeSnapshotName"
+ values = ["*"]
+ }
+ }
+
+ statement {
+ effect = "Allow"
+ resources = ["*"]
+ actions = ["ec2:DeleteSnapshot"]
+
+ condition {
+ test = "StringLike"
+ variable = "ec2:ResourceTag/ebs.csi.aws.com/cluster"
+ values = ["true"]
+ }
 }
 }
 resource "aws_iam_policy" "this" {
-
count = local.irsa_role_create && (var.irsa_policy_enabled || var.irsa_assume_role_enabled) ? 1 : 0
+ count = local.irsa_role_create && var.irsa_policy_enabled ? 1 : 0
 name = "${var.irsa_role_name_prefix}-${var.helm_chart_name}"
 path = "/"
- description = "Policy for <$addon-name> service"
- policy = var.irsa_assume_role_enabled ? data.aws_iam_policy_document.this_assume[0].json : data.aws_iam_policy_document.this[0].json
+ description = "Policy for EBS CSI driver"
+ policy = data.aws_iam_policy_document.this[0].json
 tags = var.irsa_tags
 }
diff --git a/outputs.tf b/outputs.tf
index 42898ab..3f48ea4 100644
--- a/outputs.tf
+++ b/outputs.tf
@@ -14,6 +14,6 @@ output "kubernetes_application_attributes" {
 }
 output "iam_role_attributes" {
- description = "<$addon-name> IAM role atributes"
+ description = "EBS CSI driver IAM role atributes"
 value = try(aws_iam_role.this[0], {})
 }
diff --git a/values.tf b/values.tf
index a30740a..3f17066 100644
--- a/values.tf
+++ b/values.tf
@@ -1,6 +1,23 @@
 locals {
 values_default = yamlencode({
- # add default values here
+ "controller" : {
+ "serviceAccount" : {
+ "create" : var.service_account_create
+ "name" : var.service_account_name
+ "annotations" : {
+ "eks.amazonaws.com/role-arn" : local.irsa_role_create ? aws_iam_role.this[0].arn : ""
+ }
+ }
+ }
+ "node" : {
+ "serviceAccount" : {
+ "create" : false
+ "name" : var.service_account_name
+ "annotations" : {
+ "eks.amazonaws.com/role-arn" : local.irsa_role_create ? aws_iam_role.this[0].arn : ""
+ }
+ }
+ }
 })
 }
diff --git a/variables.tf b/variables.tf
index 57d0500..e809a75 100644
--- a/variables.tf
+++ b/variables.tf
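Review bot: The `#checkov:skip=CKV_AWS_111 there is correct condition for existing Tags` justification does not describe the statement it sits above: the first statement grants `ec2:AttachVolume`, `ec2:DetachVolume`, `ec2:ModifyVolume` and `ec2:CreateSnapshot` on `resources = ["*"]` with no condition at all, and only the later `ec2:CreateVolume`, `ec2:DeleteVolume` and `ec2:DeleteSnapshot` statements are tag-scoped. Say so, so the next reader does not assume the whole document is scoped, e.g. `# checkov:skip=CKV_AWS_111 first statement mirrors the upstream example policy and is deliberately unscoped; the Create*/Delete* statements below are tag-scoped`. The `ec2:CreateTags`/`ec2:DeleteTags` resources also hard-code the `arn:aws:` partition, which makes the policy wrong in the GovCloud and China partitions; `data "aws_partition" "current" {}` and `"arn:${data.aws_partition.current.partition}:ec2:*:*:volume/*"` (and the snapshot ARN likewise) avoid that. The hunk ends at `aws_iam_policy.this`; the role and attachment it feeds are outside this diff.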
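Review bot: The `node` service account block reuses `var.service_account_name` with `"create" : false` and carries the same `eks.amazonaws.com/role-arn` annotation as the controller, so the node DaemonSet pods run under the controller's service account and inherit the controller's IAM role, including volume and snapshot create/delete. To my knowledge the node component only handles attach points and mounts on the host and does not call the EC2 APIs in this policy, and the upstream chart ships a separate, unannotated node service account for that reason. Keeping that separation here — a distinct node service account name, created by the chart, with no role annotation — is the least-privilege option and limits what a compromised node pod can do against the cloud API. Also, when `local.irsa_role_create` is false the annotation is still emitted with an empty string; omitting the annotation map entirely in that case is cleaner than an empty `role-arn`.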
@@ -14,28 +14,26 @@ variable "cluster_identity_oidc_issuer_arn" {
 description = "The OIDC Identity issuer ARN for the cluster that can be used to associate IAM roles with a service account"
 }
-# ================ common variables (required) ================
-
 variable "helm_chart_name" {
 type = string
- default = "<$addon-name>"
+ default = "aws-ebs-csi-driver"
 description = "Helm chart name to be installed"
 }
 variable "helm_chart_version" {
 type = string
- default = ""
+ default = "2.10.1"
 description = "Version of the Helm chart"
 }
 variable "helm_release_name" {
 type = string
- default = "<$addon-name>"
+ default = "aws-ebs-csi-driver"
 description = "Helm release name"
 }
 variable "helm_repo_url" {
 type = string
- default = ""
+ default = "https://kubernetes-sigs.github.io/aws-ebs-csi-driver"
 description = "Helm repository"
 }
@@ -47,28 +45,20 @@ variable "helm_create_namespace" {
 variable "namespace" {
 type = string
- default = "<$addon-name>"
- description = "The K8s namespace in which the <$addon-name> service account has been created"
+ default = "kube-system"
+ description = "The K8s namespace in which the AWS EBS CSI driver service account has been created"
 }
 variable "settings" {
 type = map(any)
 default = {}
- description = "Additional helm sets which will be passed to the Helm chart values, see https://hub.helm.sh/charts/stable/<$addon-name>"
+ description = "Additional helm sets which will be passed to the Helm chart values, see https://github.com/kubernetes-sigs/aws-ebs-csi-driver/tree/master/charts/aws-ebs-csi-driver"
 }
 variable "values" {
 type = string
 default = ""
- description = "Additional yaml encoded values which will be passed to the Helm chart, see https://hub.helm.sh/charts/stable/<$addon-name>"
-}
-
-# ================ IRSA variables (optional) ================
-
-variable "rbac_create" {
- type = bool
- default = true
- description = "Whether to create and use RBAC resources"
+ description = "Additional yaml encoded values which will be passed to the Helm chart, see https://github.com/kubernetes-sigs/aws-ebs-csi-driver/tree/master/charts/aws-ebs-csi-driver"
 }
 variable "service_account_create" {
@@ -77,6 +67,11 @@ variable "service_account_create" {
 description = "Whether to create Service Account"
 }
+variable "service_account_name" {
+ default = "aws-ebs-csi-driver"
+ description = "The k8s EBS CSI driver service account name"
+}
+
 variable "irsa_role_create" {
 type = bool
 default = true
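Review bot: The re-added `variable "service_account_name"` in the second hunk declares no `type`, unlike the neighbouring declarations (`type = string`, `type = bool`), so Terraform accepts any value for it and a non-string would only fail later where the value is interpolated into the service account name. Add `type = string` between the declaration and `default = "aws-ebs-csi-driver"`; the same omission existed on the variable this replaces, so it is a good moment to fix it.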
@@ -89,17 +84,6 @@ variable "irsa_policy_enabled" {
 description = "Whether to create opinionated policy to allow operations on specified zones in `policy_allowed_zone_ids`."
 }
-variable "irsa_assume_role_enabled" {
- type = bool
- default = false
- description = "Whether IRSA is allowed to assume role defined by irsa_assume_role_arn."
-}
-
-variable "irsa_assume_role_arn" {
- default = ""
- description = "Assume role arn. Assume role must be enabled."
-}
-
 variable "irsa_additional_policies" {
 type = map(string)
 default = {}
@@ -108,8 +92,8 @@ variable "irsa_additional_policies" {
 variable "irsa_role_name_prefix" {
 type = string
- default = "<$addon-name>-irsa"
- description = "The IRSA role name prefix for vector"
+ default = "ebs-csi-controller"
+ description = "The IRSA role name prefix for AWS EBS CSI controller"
 }
 variable "irsa_tags" {
@@ -118,13 +102,6 @@ variable "irsa_tags" {
 description = "IRSA resources tags"
 }
-variable "service_account_name" {
- default = "<$addon-name>"
- description = "The k8s <$addon-name> service account name"
-}
-
-# ================ argo variables (required) ================
-
 variable "argo_namespace" {
 type = string
 default = "argo"
@@ -193,8 +170,6 @@ variable "argo_helm_values" {
 description = "Value overrides to use when deploying argo application object with helm"
 }
-# ================ argo kubernetes manifest variables (required) ================
-
 variable "argo_kubernetes_manifest_computed_fields" {
 type = list(string)
 default = ["metadata.labels", "metadata.annotations"]
@@ -218,8 +193,6 @@ variable "argo_kubernetes_manifest_wait_fields" {
 description = "A map of fields and a corresponding regular expression with a pattern to wait for. The provider will wait until the field matches the regular expression. Use * for any value."
 }
-# ================ helm release variables (required) ================
-
 variable "helm_repo_key_file" {
 type = string
 default = ""
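Review bot: The description of `irsa_policy_enabled`, visible as the context line of the `@@ -89,17 +84,6 @@` hunk, still says the opinionated policy allows "operations on specified zones in `policy_allowed_zone_ids`", a leftover from the template this module was copied from; no such variable exists here and the policy in iam.tf is the EBS CSI driver's EC2 volume/snapshot/tag policy. This commit rewrites the other template descriptions but misses this one, and the README table repeats the stale text. Suggested replacement: `description = "Whether to create the opinionated IAM policy for the EBS CSI driver (EC2 volume, snapshot and tag permissions) and attach it to the IRSA role"`.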
From 8af94e93b32939d33b2d435586e7fb90f6941030 Mon Sep 17 00:00:00 2001
From: tomas-balaz
Date: Tue, 6 Sep 2022 10:25:16 +0200
Subject: [PATCH 2/2] :fix(IAM): update condition for aws_iam_policy_attachment
---
 iam.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/iam.tf b/iam.tf
index 12d84dc..7aaea41 100644
--- a/iam.tf
+++ b/iam.tf
@@ -198,7 +198,7 @@ resource "aws_iam_role" "this" {
 }
 resource "aws_iam_role_policy_attachment" "this" {
- count = local.irsa_role_create ? 1 : 0
+ count = local.irsa_role_create && var.irsa_policy_enabled ? 1 : 0
 role = aws_iam_role.this[0].name
 policy_arn = aws_iam_policy.this[0].arn
 }
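Review bot: With the new `count`, the combination `irsa_role_create = true` and `irsa_policy_enabled = false` produces a role with nothing attached unless the caller supplies `irsa_additional_policies` (that attachment is outside this hunk,  so I am inferring it from the variable's description); that is a reasonable bring-your-own-policy path, but nothing in the code says so. A one-line comment above the resource would make the intent explicit: `# Only the opinionated policy is attached here; with irsa_policy_enabled = false the role relies on irsa_additional_policies`. `aws_iam_role.this` begins before this hunk.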