radiant-maxar · jbronn · Dec 21, 2023 · Dec 14, 2023 · Dec 14, 2023 · Dec 14, 2023
diff --git a/README.md b/README.md
@@ -17,11 +17,11 @@ This module provides an opinionated way to configure an AWS EKS cluster using:
 Here's an example using a VPC defined using the [terraform-aws-vpc](https://github.com/terraform-aws-modules/terraform-aws-vpc) module:
 
 ```
-data "aws_availability_zones" "default" {}
+data "aws_availability_zones" "current" {}
 
 locals {
   cluster_name   = "test-eks"
-  vpc_azs        = slice(data.aws_availability_zones.default.names, 0, 2)
+  vpc_azs        = slice(data.aws_availability_zones.current.names, 0, 2)
   vpc_cidr       = "10.100.0.0/16"
   vpc_subnets    = cidrsubnets(local.vpc_cidr, 6, 6, 4, 4)
 

diff --git a/cert-manager.tf b/cert-manager.tf
@@ -0,0 +1,92 @@
+## cert-manager
+locals {
+  cert_manager = length(var.cert_manager_route53_zone_id) > 0
+}
+
+module "cert_manager_irsa" {
+  count   = local.cert_manager ? 1 : 0
+  source  = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks"
+  version = "5.32.1"
+
+  role_name = "${var.cluster_name}-cert-manager-role"
+
+  oidc_providers = {
+    main = {
+      provider_arn = module.eks.oidc_provider_arn
+      namespace_service_accounts = [
+        "cert-manager:cert-manager",
+      ]
+    }
+  }
+  tags = var.tags
+}
+
+data "aws_iam_policy_document" "cert_manager" {
+  count = local.cert_manager ? 1 : 0
+  statement {
+    actions = [
+      "route53:GetChange"
+    ]
+    resources = ["arn:${local.aws_partition}:route53:::change/*"]
+  }
+
+  statement {
+    actions = [
+      "route53:ChangeResourceRecordSets",
+      "route53:ListResourceRecordSets",
+    ]
+    resources = ["arn:${local.aws_partition}:route53:::hostedzone/${var.cert_manager_route53_zone_id}"]
+  }
+}
+
+resource "aws_iam_policy" "cert_manager" {
+  count       = local.cert_manager ? 1 : 0
+  name        = "AmazonEKS_Cert_Manager_Policy-${var.cluster_name}"
+  description = "Provides permissions for cert-manager"
+  policy      = data.aws_iam_policy_document.cert_manager[0].json
+  tags        = var.tags
+}
+
+resource "aws_iam_role_policy_attachment" "cert_manager" {
+  count      = local.cert_manager ? 1 : 0
+  role       = "${var.cluster_name}-cert-manager-role"
+  policy_arn = aws_iam_policy.cert_manager[0].arn
+  depends_on = [
+    module.cert_manager_irsa[0]
+  ]
+}
+
+resource "helm_release" "cert_manager" {
+  count            = local.cert_manager ? 1 : 0
+  name             = "cert-manager"
+  namespace        = "cert-manager"
+  create_namespace = true
+  chart            = "cert-manager"
+  repository       = "https://charts.jetstack.io"
+  version          = "v${var.cert_manager_version}"
+  keyring          = "${path.module}/cert-manager-keyring.gpg"
+  verify           = var.helm_verify
+
+  # Set up values so CRDs are installed with the chart, the service account has
+  # correct annotations, and that the pod's security context has permissions
+  # to read the account token:
+  # https://cert-manager.io/docs/configuration/acme/dns01/route53/#service-annotation
+  values = [
+    yamlencode({
+      "installCRDs" = true
+      "securityContext" = {
+        "fsGroup" = 1001
+      }
+      "serviceAccount" = {
+        "annotations" = {
+          "eks.amazonaws.com/role-arn" = "arn:${local.aws_partition}:iam::${local.aws_account_id}:role/${var.cluster_name}-cert-manager-role"
+        }
+      }
+    })
+  ]
+
+  depends_on = [
+    module.cert_manager_irsa[0],
+    module.eks,
+  ]
+}
diff --git a/cni.tf b/cni.tf
@@ -0,0 +1,18 @@
+# Authorize VPC CNI via IRSA.
+module "eks_vpc_cni_irsa" {
+  source  = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks"
+  version = "5.32.1"
+
+  role_name             = "${var.cluster_name}-vpc-cni-role"
+  attach_vpc_cni_policy = true
+  vpc_cni_enable_ipv4   = true
+
+  oidc_providers = {
+    main = {
+      provider_arn               = module.eks.oidc_provider_arn
+      namespace_service_accounts = ["kube-system:aws-node"]
+    }
+  }
+
+  tags = var.tags
+}
diff --git a/ebs-csi.tf b/ebs-csi.tf
@@ -0,0 +1,85 @@
+## EBS CSI Storage Driver
+
+# Allow PVCs backed by EBS
+module "eks_ebs_csi_irsa" {
+  source  = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks"
+  version = "5.32.1"
+
+  role_name             = "${var.cluster_name}-ebs-csi-role"
+  attach_ebs_csi_policy = true
+
+  oidc_providers = {
+    main = {
+      provider_arn               = module.eks.oidc_provider_arn
+      namespace_service_accounts = ["kube-system:ebs-csi-controller-sa"]
+    }
+  }
+
+  tags = var.tags
+}
+
+resource "helm_release" "aws_ebs_csi_driver" {
+  name       = "aws-ebs-csi-driver"
+  namespace  = "kube-system"
+  chart      = "aws-ebs-csi-driver"
+  repository = "https://kubernetes-sigs.github.io/aws-ebs-csi-driver"
+  version    = var.ebs_csi_driver_version
+
+  values = [
+    yamlencode({
+      "controller" = {
+        "extraVolumeTags" = var.tags
+        "serviceAccount" = {
+          "annotations" = {
+            "eks.amazonaws.com/role-arn" = "arn:${local.aws_partition}:iam::${local.aws_account_id}:role/${var.cluster_name}-ebs-csi-role"
+          }
+        }
+      }
+      "image" = {
+        "repository" = "${var.csi_ecr_repository_id}.dkr.ecr.${local.aws_region}.amazonaws.com/eks/aws-ebs-csi-driver"
+      }
+    })
+  ]
+
+  depends_on = [
+    module.eks_ebs_csi_irsa,
+    module.eks,
+  ]
+}
+
+# Make EBS CSI with gp3 default storage driver
+resource "kubernetes_storage_class" "eks_ebs_storage_class" {
+  metadata {
+    annotations = {
+      "storageclass.kubernetes.io/is-default-class" = "true"
+    }
+    labels = {}
+    name   = "ebs-sc"
+  }
+
+  mount_options       = []
+  parameters          = {}
+  storage_provisioner = "ebs.csi.aws.com"
+  volume_binding_mode = "WaitForFirstConsumer"
+
+  depends_on = [
+    helm_release.aws_ebs_csi_driver,
+  ]
+}
+
+# Don't want gp2 storageclass set as default.
+resource "kubernetes_annotations" "eks_disable_gp2" {
+  api_version = "storage.k8s.io/v1"
+  kind        = "StorageClass"
+  metadata {
+    name = "gp2"
+  }
+  annotations = {
+    "storageclass.kubernetes.io/is-default-class" = "false"
+  }
+  force = true
+
+  depends_on = [
+    kubernetes_storage_class.eks_ebs_storage_class
+  ]
+}
diff --git a/efs-csi.tf b/efs-csi.tf
@@ -0,0 +1,148 @@
+## EFS CSI Storage Driver
+resource "aws_security_group" "eks_efs_sg" {
+  name        = "${var.cluster_name}-efs-sg"
+  description = "Security group for EFS clients in EKS VPC"
+  vpc_id      = var.vpc_id
+
+  ingress {
+    description = "Ingress NFS traffic for EFS"
+    from_port   = 2049
+    to_port     = 2049
+    protocol    = "tcp"
+    cidr_blocks = [var.vpc_cidr]
+  }
+
+  tags = var.tags
+}
+
+# Allow PVCs backed by EFS
+module "eks_efs_csi_controller_irsa" {
+  source  = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks"
+  version = "5.32.1"
+
+  role_name             = "${var.cluster_name}-efs-csi-controller-role"
+  attach_efs_csi_policy = true
+
+  oidc_providers = {
+    main = {
+      provider_arn = module.eks.oidc_provider_arn
+      namespace_service_accounts = [
+        "kube-system:efs-csi-controller-sa",
+      ]
+    }
+  }
+  tags = var.tags
+}
+
+module "eks_efs_csi_node_irsa" {
+  source  = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks"
+  version = "5.32.1"
+
+  role_name = "${var.cluster_name}-efs-csi-node-role"
+  oidc_providers = {
+    main = {
+      provider_arn = module.eks.oidc_provider_arn
+      namespace_service_accounts = [
+        "kube-system:efs-csi-node-sa",
+      ]
+    }
+  }
+  tags = var.tags
+}
+
+data "aws_iam_policy_document" "eks_efs_csi_node" {
+  statement {
+    actions = [
+      "elasticfilesystem:DescribeMountTargets",
+      "ec2:DescribeAvailabilityZones",
+    ]
+    resources = ["*"] # tfsec:ignore:aws-iam-no-policy-wildcards
+  }
+}
+
+resource "aws_iam_policy" "eks_efs_csi_node" {
+  name        = "AmazonEKS_EFS_CSI_Node_Policy-${var.cluster_name}"
+  description = "Provides node permissions to use the EFS CSI driver"
+  policy      = data.aws_iam_policy_document.eks_efs_csi_node.json
+  tags        = var.tags
+}
+
+resource "aws_iam_role_policy_attachment" "eks_efs_csi_node" {
+  role       = "${var.cluster_name}-efs-csi-node-role"
+  policy_arn = aws_iam_policy.eks_efs_csi_node.arn
+  depends_on = [
+    module.eks_efs_csi_node_irsa
+  ]
+}
+
+resource "aws_efs_file_system" "eks_efs" {
+  creation_token = "${var.cluster_name}-efs"
+  encrypted      = true
+  kms_key_id     = var.kms_manage ? aws_kms_key.this[0].arn : module.eks.kms_key_arn
+  tags           = var.tags
+}
+
+resource "aws_efs_mount_target" "eks_efs_private" {
+  count           = length(var.private_subnets)
+  file_system_id  = aws_efs_file_system.eks_efs.id
+  subnet_id       = var.private_subnets[count.index]
+  security_groups = [aws_security_group.eks_efs_sg.id]
+}
+
+resource "helm_release" "aws_efs_csi_driver" {
+  name       = "aws-efs-csi-driver"
+  namespace  = "kube-system"
+  chart      = "aws-efs-csi-driver"
+  repository = "https://kubernetes-sigs.github.io/aws-efs-csi-driver"
+  version    = var.efs_csi_driver_version
+
+  values = [
+    yamlencode({
+      "controller" = {
+        "serviceAccount" = {
+          "annotations" = {
+            "eks.amazonaws.com/role-arn" = "arn:${local.aws_partition}:iam::${local.aws_account_id}:role/${var.cluster_name}-efs-csi-controller-role"
+          }
+        }
+        "tags" = var.tags
+      }
+      "image" = {
+        "repository" = "${var.csi_ecr_repository_id}.dkr.ecr.${local.aws_region}.amazonaws.com/eks/aws-efs-csi-driver"
+      }
+      "node" = {
+        "serviceAccount" = {
+          "annotations" = {
+            "eks.amazonaws.com/role-arn" = "arn:${local.aws_partition}:iam::${local.aws_account_id}:role/${var.cluster_name}-efs-csi-node-role"
+          }
+        }
+      }
+    })
+  ]
+
+  depends_on = [
+    module.eks_efs_csi_controller_irsa,
+    module.eks,
+  ]
+}
+
+resource "kubernetes_storage_class" "eks_efs_storage_class" {
+  metadata {
+    annotations = {}
+    name        = "efs-sc"
+    labels      = {}
+  }
+
+  mount_options = []
+  parameters = {
+    "provisioningMode" = "efs-ap"
+    "fileSystemId"     = aws_efs_file_system.eks_efs.id
+    "directoryPerms"   = "755"
+    "uid"              = "0"
+    "gid"              = "0"
+  }
+  storage_provisioner = "efs.csi.aws.com"
+
+  depends_on = [
+    helm_release.aws_efs_csi_driver,
+  ]
+}