fix: Fix efs csi driver mount issues (aws-ia#1191)

allamand · Jan 10, 2023 · 9a24797 · 9a24797
1 parent 4fb4bdc
commit 9a24797
Show file tree

Hide file tree

Showing 5 changed files with 121 additions and 102 deletions.
diff --git a/examples/stateful/main.tf b/examples/stateful/main.tf
@@ -208,6 +208,10 @@ resource "kubernetes_storage_class_v1" "gp3" {
     fsType    = "ext4"
     type      = "gp3"
   }
+
+  depends_on = [
+    module.eks_blueprints_kubernetes_addons
+  ]
 }
 
 resource "kubernetes_storage_class_v1" "efs" {
@@ -221,4 +225,12 @@ resource "kubernetes_storage_class_v1" "efs" {
     fileSystemId     = module.efs.id
     directoryPerms   = "700"
   }
+
+  mount_options = [
+    "iam"
+  ]
+
+  depends_on = [
+    module.eks_blueprints_kubernetes_addons
+  ]
 }
diff --git a/modules/kubernetes-addons/aws-efs-csi-driver/data.tf b/modules/kubernetes-addons/aws-efs-csi-driver/data.tf
diff --git a/modules/kubernetes-addons/aws-efs-csi-driver/locals.tf b/modules/kubernetes-addons/aws-efs-csi-driver/locals.tf
diff --git a/modules/kubernetes-addons/aws-efs-csi-driver/main.tf b/modules/kubernetes-addons/aws-efs-csi-driver/main.tf
@@ -1,15 +1,112 @@
-#-------------------------------------------------
-# EFS CSI Driver Helm Add-on
-#-------------------------------------------------
+locals {
+  name                 = try(var.helm_config.name, "aws-efs-csi-driver")
+  namespace            = try(var.helm_config.namespace, "kube-system")
+  service_account_name = "${local.name}-sa"
+}
+
 module "helm_addon" {
-  source            = "../helm-addon"
+  source = "../helm-addon"
+
   manage_via_gitops = var.manage_via_gitops
-  set_values        = local.set_values
-  helm_config       = local.helm_config
-  irsa_config       = local.irsa_config
-  addon_context     = var.addon_context
+
+  # https://github.com/kubernetes-sigs/aws-efs-csi-driver/blob/master/charts/aws-efs-csi-driver/Chart.yaml
+  helm_config = merge({
+    name        = local.name
+    chart       = local.name
+    repository  = "https://kubernetes-sigs.github.io/aws-efs-csi-driver/"
+    version     = "2.3.2"
+    namespace   = local.namespace
+    description = "The AWS EFS CSI driver Helm chart deployment configuration"
+    },
+    var.helm_config
+  )
+
+  irsa_config = {
+    kubernetes_namespace              = local.namespace
+    kubernetes_service_account        = local.service_account_name
+    create_kubernetes_namespace       = try(var.helm_config.create_namespace, false)
+    create_kubernetes_service_account = true
+    irsa_iam_policies                 = concat([aws_iam_policy.aws_efs_csi_driver.arn], var.irsa_policies)
+  }
+
+  set_values = [
+    {
+      name  = "controller.serviceAccount.name"
+      value = local.service_account_name
+    },
+    {
+      name  = "controller.serviceAccount.create"
+      value = false
+    },
+    {
+      name  = "node.serviceAccount.name"
+      value = local.service_account_name
+    },
+    {
+      name  = "node.serviceAccount.create"
+      value = false
+    }
+  ]
+
+  addon_context = var.addon_context
+}
+
+data "aws_iam_policy_document" "aws_efs_csi_driver" {
+  statement {
+    sid       = ""
+    effect    = "Allow"
+    resources = ["*"]
+
+    actions = [
+      "ec2:DescribeAvailabilityZones",
+      "elasticfilesystem:DescribeAccessPoints",
+      "elasticfilesystem:DescribeFileSystems",
+      "elasticfilesystem:DescribeMountTargets"
+    ]
+  }
+
+  statement {
+    sid       = ""
+    effect    = "Allow"
+    resources = ["*"]
+    actions   = ["elasticfilesystem:CreateAccessPoint"]
+
+    condition {
+      test     = "StringLike"
+      variable = "aws:RequestTag/efs.csi.aws.com/cluster"
+      values   = ["true"]
+    }
+  }
+
+  statement {
+    sid       = ""
+    effect    = "Allow"
+    resources = ["*"]
+    actions   = ["elasticfilesystem:DeleteAccessPoint"]
+
+    condition {
+      test     = "StringLike"
+      variable = "aws:ResourceTag/efs.csi.aws.com/cluster"
+      values   = ["true"]
+    }
+  }
+
+  statement {
+    actions = [
+      "elasticfilesystem:ClientRootAccess",
+      "elasticfilesystem:ClientWrite",
+      "elasticfilesystem:ClientMount",
+    ]
+    resources = ["*"]
+    condition {
+      test     = "Bool"
+      variable = "elasticfilesystem:AccessedViaMountTarget"
+      values   = ["true"]
+    }
+  }
 }
 
+
 resource "aws_iam_policy" "aws_efs_csi_driver" {
   name        = "${var.addon_context.eks_cluster_id}-efs-csi-policy"
   description = "IAM Policy for AWS EFS CSI Driver"

diff --git a/modules/kubernetes-addons/aws-efs-csi-driver/outputs.tf b/modules/kubernetes-addons/aws-efs-csi-driver/outputs.tf
@@ -1,6 +1,9 @@
 output "argocd_gitops_config" {
   description = "Configuration used for managing the add-on with ArgoCD"
-  value       = var.manage_via_gitops ? local.argocd_gitops_config : null
+  value = var.manage_via_gitops ? {
+    enable             = true
+    serviceAccountName = local.service_account_name
+  } : null
 }
 
 output "release_metadata" {