Add necessary IAM permissions, update Helm chart (DNXLabs#6)

* Add IAM permissions, update Helm chart * fix IAM policy
witalisoft · Oct 29, 2021 · 29a6996 · 29a6996
1 parent c128705
commit 29a6996
Show file tree

Hide file tree

Showing 4 changed files with 141 additions and 12 deletions.
diff --git a/README.md b/README.md
@@ -10,9 +10,11 @@ The [Amazon Elastic File System](https://aws.amazon.com/efs/) Container Storage
 ## Usage
 ```
 module "efs_csi_driver" {
-  source = "git::https://github.com/DNXLabs/terraform-aws-eks-efs-csi-driver.git?ref=0.1.0"
+  source = "git::https://github.com/DNXLabs/terraform-aws-eks-efs-csi-driver.git"
 
-  enabled = true
+  cluster_name                     = module.eks_cluster.cluster_id
+  cluster_identity_oidc_issuer     = module.eks_cluster.cluster_oidc_issuer_url
+  cluster_identity_oidc_issuer_arn = module.eks_cluster.oidc_provider_arn
 }
 ```
 
@@ -72,9 +74,9 @@ Encryption in transit is enabled by default in the master branch version of the
 | helm\_chart\_name | Amazon EFS CSI Driver chart name. | `string` | `"aws-efs-csi-driver"` | no |
 | helm\_chart\_release\_name | Amazon EFS CSI Driver release name. | `string` | `"aws-efs-csi-driver"` | no |
 | helm\_chart\_repo | Amazon EFS CSI Driver repository name. | `string` | `"https://kubernetes-sigs.github.io/aws-efs-csi-driver/"` | no |
-| helm\_chart\_version | Amazon EFS CSI Driver chart version. | `string` | `"1.2.4"` | no |
+| helm\_chart\_version | Amazon EFS CSI Driver chart version. | `string` | `"2.2.0"` | no |
 | mod\_dependency | Dependence variable binds all AWS resources allocated by this module, dependent modules reference this variable. | `any` | `null` | no |
-| namespace | Kubernetes namespace to deploy EKS Spot termination handler Helm chart. | `string` | `"aws-efs-csi-driver"` | no |
+| namespace | Kubernetes namespace to deploy EKS Spot termination handler Helm chart. | `string` | `"kube-system"` | no |
 | service\_account\_name | Amazon EFS CSI Driver service account name. | `string` | `"aws-efs-csi-driver"` | no |
 | settings | Additional settings which will be passed to the Helm chart values, see https://github.com/kubernetes-sigs/aws-efs-csi-driver. | `map` | `{}` | no |
 | storage\_class\_name | Storage class name for EFS CSI driver. | `string` | `"efs-sc"` | no |
@@ -91,4 +93,4 @@ Module managed by [DNX Solutions](https://github.com/DNXLabs).
 
 ## License
 
-Apache 2 Licensed. See [LICENSE](https://github.com/DNXLabs/terraform-aws-eks-efs-csi-driver/blob/master/LICENSE) for full details.
+Apache 2 Licensed. See [LICENSE](https://github.com/DNXLabs/terraform-aws-eks-efs-csi-driver/blob/master/LICENSE) for full details.
diff --git a/_variables.tf b/_variables.tf
@@ -3,6 +3,21 @@ variable "enabled" {
   default = true
 }
 
+variable "cluster_name" {
+  type        = string
+  description = "The name of the EKS cluster"
+}
+
+variable "cluster_identity_oidc_issuer" {
+  type        = string
+  description = "The OIDC Identity issuer for the cluster."
+}
+
+variable "cluster_identity_oidc_issuer_arn" {
+  type        = string
+  description = "The OIDC Identity issuer ARN for the cluster that can be used to associate IAM roles with a service account."
+}
+
 variable "helm_chart_name" {
   type        = string
   default     = "aws-efs-csi-driver"
@@ -23,7 +38,7 @@ variable "helm_chart_repo" {
 
 variable "helm_chart_version" {
   type        = string
-  default     = "1.2.4"
+  default     = "2.2.0"
   description = "Amazon EFS CSI Driver chart version."
 }
 
@@ -35,8 +50,8 @@ variable "create_namespace" {
 
 variable "namespace" {
   type        = string
-  default     = "aws-efs-csi-driver"
-  description = "Kubernetes namespace to deploy EKS Spot termination handler Helm chart."
+  default     = "kube-system"
+  description = "Kubernetes namespace to deploy EFS CSI Driver Helm chart."
 }
 
 variable "service_account_name" {
@@ -65,4 +80,4 @@ variable "mod_dependency" {
 variable "settings" {
   default     = {}
   description = "Additional settings which will be passed to the Helm chart values, see https://github.com/kubernetes-sigs/aws-efs-csi-driver."
-}
+}
diff --git a/helm.tf b/helm.tf
@@ -8,12 +8,39 @@ resource "helm_release" "kubernetes_efs_csi_driver" {
   namespace  = var.namespace
 
   set {
-    name  = "serviceAccount.name"
+    name  = "controller.serviceAccount.create"
+    value = "true"
+  }
+
+  set {
+    name  = "controller.serviceAccount.name"
     value = var.service_account_name
   }
 
+  set {
+    name  = "controller.serviceAccount.annotations.eks\\.amazonaws\\.com/role-arn"
+    value = aws_iam_role.efs_csi_driver[0].arn
+  }
+
+  set {
+    name  = "node.serviceAccount.create"
+    # We're using the same service account for both the nodes and controllers,
+    # and we're already creating the service account in the controller config
+    # above.
+    value = "false"
+  }
+
+  set {
+    name  = "node.serviceAccount.name"
+    value = var.service_account_name
+  }
+
+  set {
+    name  = "node.serviceAccount.annotations.eks\\.amazonaws\\.com/role-arn"
+    value = aws_iam_role.efs_csi_driver[0].arn
+  }
+
   values = [
     yamlencode(var.settings)
   ]
-
-}
+}
diff --git a/iam.tf b/iam.tf
@@ -0,0 +1,85 @@
+data "aws_iam_policy_document" "efs_csi_driver" {
+  count = var.enabled ? 1 : 0
+
+  statement {
+    actions = [
+        "elasticfilesystem:DescribeAccessPoints",
+        "elasticfilesystem:DescribeFileSystems"
+    ]
+    resources = ["*"]
+    effect = "Allow"
+  }
+
+  statement {
+    actions = [
+      "elasticfilesystem:CreateAccessPoint"
+    ]
+    resources = ["*"]
+    effect = "Allow"
+    condition {
+      test = "StringLike"
+      variable = "aws:RequestTag/efs.csi.aws.com/cluster"
+      values = ["true"]
+    }
+  }
+
+  statement {
+    actions = [
+      "elasticfilesystem:DeleteAccessPoint"
+    ]
+    resources = ["*"]
+    effect = "Allow"
+    condition {
+      test = "StringEquals"
+      variable = "aws:ResourceTag/efs.csi.aws.com/cluster"
+      values = ["true"]
+    }
+  }
+}
+
+resource "aws_iam_policy" "efs_csi_driver" {
+  depends_on  = [var.mod_dependency]
+  count       = var.enabled ? 1 : 0
+  name        = "${var.cluster_name}-efs-csi-driver"
+  path        = "/"
+  description = "Policy for the EFS CSI driver"
+
+  policy = data.aws_iam_policy_document.efs_csi_driver[0].json
+}
+
+# Role
+data "aws_iam_policy_document" "efs_csi_driver_assume" {
+  count = var.enabled ? 1 : 0
+
+  statement {
+    actions = ["sts:AssumeRoleWithWebIdentity"]
+
+    principals {
+      type        = "Federated"
+      identifiers = [var.cluster_identity_oidc_issuer_arn]
+    }
+
+    condition {
+      test     = "StringEquals"
+      variable = "${replace(var.cluster_identity_oidc_issuer, "https://", "")}:sub"
+
+      values = [
+        "system:serviceaccount:${var.namespace}:${var.service_account_name}",
+      ]
+    }
+
+    effect = "Allow"
+  }
+}
+
+resource "aws_iam_role" "efs_csi_driver" {
+  count              = var.enabled ? 1 : 0
+  name               = "${var.cluster_name}-efs-csi-driver"
+  assume_role_policy = data.aws_iam_policy_document.efs_csi_driver_assume[0].json
+}
+
+resource "aws_iam_role_policy_attachment" "efs_csi_driver" {
+  count      = var.enabled ? 1 : 0
+  role       = aws_iam_role.efs_csi_driver[0].name
+  policy_arn = aws_iam_policy.efs_csi_driver[0].arn
+}