Merge pull request #36 from azavea/feature/efs-csi

Install EFS CSI plugin

Author: jpolchlo

deployment/aws-terraform/1-services/efs-csi.tf

@@ -0,0 +1,34 @@
+resource "helm_release" "efs_csi_driver" {
+  count = local.use_efs
+  namespace        = "kube-system"
+
+  name       = "aws-efs-csi-driver"
+  repository = "https://kubernetes-sigs.github.io/aws-efs-csi-driver/"
+  chart      = "aws-efs-csi-driver"
+
+  set {
+    name  = "controller.serviceAccount.name"
+    value = "efs-csi-controller-sa"
+  }
+
+  set {
+    name  = "node.serviceAccount.name"
+    value = "efs-csi-node-sa"
+  }
+
+  set {
+    name  = "image.repository"
+    value = "602401143452.dkr.ecr.${var.aws_region}.amazonaws.com/eks/aws-efs-csi-driver"
+  }
+}
+
+resource  "kubernetes_storage_class_v1" "efs_sc" {
+  count = local.use_efs
+
+  metadata {
+    name = "efs-sc"
+  }
+  storage_provisioner = "efs.csi.aws.com"
+
+  depends_on = [ helm_release.efs_csi_driver[0] ]
+}

deployment/aws-terraform/1-services/irsa.tf

@@ -1,5 +1,6 @@
-# These EBS-CSI plugin configs are here because they require the Kubernetes TF
-# plugin, which needs to be configured with information from the 0-hardware stage
+# The EBS CSI plugin IRSA configs are here, and not in 0—hardware where the EBS
+# CSI plugin was installed, because they require the Kubernetes TF provider,
+# which needs to be configured with outputs from the 0-hardware stage
 module "ebs_csi_irsa" {
   source  = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks"
 
@@ -27,3 +28,71 @@ resource "kubernetes_annotations" "ebs_csi_iam_annotation" {
     "eks.amazonaws.com/role-arn": module.ebs_csi_irsa.iam_role_arn
   }
 }
+
+module "efs_csi_irsa" {
+  count = local.use_efs
+
+  source  = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks"
+
+  role_name_prefix      = "efs-csi-${local.cluster_name}"
+  attach_efs_csi_policy = true
+
+  oidc_providers = {
+    main = {
+      provider_arn               = module.eks.oidc_provider_arn
+      namespace_service_accounts = [
+        "kube-system:efs-csi-controller-sa"
+      ]
+    }
+  }
+
+  tags = local.tags
+}
+
+module "efs_csi_irsa_node" {
+  count = local.use_efs
+
+  source  = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks"
+
+  role_name_prefix      = "efs-csi-node-${local.cluster_name}"
+  attach_efs_csi_policy = true
+
+  oidc_providers = {
+    main = {
+      provider_arn               = module.eks.oidc_provider_arn
+      namespace_service_accounts = [
+        "kube-system:efs-csi-node-sa"
+      ]
+    }
+  }
+
+  tags = local.tags
+}
+
+resource "kubernetes_annotations" "efs_csi_iam_annotation" {
+  count = local.use_efs
+
+  api_version = "v1"
+  kind = "ServiceAccount"
+  metadata {
+    name = "efs-csi-controller-sa"
+    namespace = "kube-system"
+  }
+  annotations = {
+    "eks.amazonaws.com/role-arn": module.efs_csi_irsa[0].iam_role_arn
+  }
+}
+
+resource "kubernetes_annotations" "efs_csi_node_annotation" {
+  count = local.use_efs
+
+  api_version = "v1"
+  kind = "ServiceAccount"
+  metadata {
+    name = "efs-csi-node-sa"
+    namespace = "kube-system"
+  }
+  annotations = {
+    "eks.amazonaws.com/role-arn": module.efs_csi_irsa_node[0].iam_role_arn
+  }
+}

deployment/aws-terraform/1-services/locals.tf

@@ -2,6 +2,7 @@ locals {
   cluster_name = "${var.project_prefix}-${var.environment}"
   db_count = var.create_rds_instance ? 1 : 0
   cognito_pool_count = var.create_cognito_pool ? 1 : 0
+  use_efs = var.use_efs_csi ? 1 : 0
 
   tags = {
     Name    = var.project_prefix

deployment/aws-terraform/1-services/network.tf

@@ -0,0 +1,19 @@
+data "aws_vpc" "cluster_vpc" {
+  id = module.eks.vpc_id
+}
+
+resource "aws_security_group" "efs" {
+  name = "EFS inbound"
+  description = "EFS inbound traffic"
+  vpc_id = module.eks.vpc_id
+
+  ingress {
+    description = "NFS traffic"
+    from_port = 2049
+    to_port = 2049
+    protocol = "tcp"
+    cidr_blocks = [data.aws_vpc.cluster_vpc.cidr_block]
+  }
+
+  tags = local.tags
+}

deployment/aws-terraform/1-services/variables.tf

@@ -44,6 +44,12 @@ variable "google_identity_client_secret" {
   description = "Client ID for Google identity provider"
 }
 
+variable "use_efs_csi" {
+  type = bool
+  description = "Install EFS CSI driver"
+  default = false
+}
+
 variable "r53_rds_private_hosted_zone" {
   type = string
   default = null

modules/aws/infrastructure/eks.tf

@@ -1,5 +1,6 @@
 module "eks" {
-  source          = "terraform-aws-modules/eks/aws"
+  source = "terraform-aws-modules/eks/aws"
+  version = "18.31.2"
 
   cluster_name                    = local.cluster_name
   cluster_version                 = var.cluster_version