Commit
Merge pull request #15 from DrFaust92/r/iam
IAM for controller
DrFaust92 authored May 16, 2021
2 parents ce1f40d + cd7fb9f commit 5638044
Showing 5 changed files with 128 additions and 2 deletions.
19 changes: 17 additions & 2 deletions README.md
Expand Up @@ -25,22 +25,28 @@ module "efs_csi_driver" {

| Name | Version |
|------|---------|
| <a name="provider_aws"></a> [aws](#provider\_aws) | n/a |
| <a name="provider_fco"></a> [fco](#provider\_fco) | n/a |
| <a name="provider_kubernetes"></a> [kubernetes](#provider\_kubernetes) | >= 2.1.0 |

## Modules

No modules.
| Name | Source | Version |
|------|--------|---------|
| <a name="module_efs_controller_role"></a> [efs\_controller\_role](#module\_efs\_controller\_role) | terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc | 4.1.0 |

## Resources

| Name | Type |
|------|------|
| [aws_iam_policy.efs_controller_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
| [kubernetes_cluster_role.provisioner](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/cluster_role) | resource |
| [kubernetes_cluster_role_binding.provisioner](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/cluster_role_binding) | resource |
| [kubernetes_csi_driver.efs](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/csi_driver) | resource |
| [kubernetes_daemonset.efs](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/daemonset) | resource |
| [kubernetes_deployment.efs_csi_controller](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/deployment) | resource |
| [kubernetes_service_account.csi_driver](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/service_account) | resource |
| [fco_fco.efs_controller_policy_doc](https://registry.terraform.io/providers/hashicorp/fco/latest/docs/data-sources/fco) | data source |

## Inputs

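Review bot: the provider and data-source rows in this hunk disagree with the `aws_iam_policy` resource merged in iam.tf: the table documents a provider `fco` (version `n/a`) and a data source `fco_fco.efs_controller_policy_doc`, while the policy resource reads `data.aws_iam_policy_document.efs_controller_policy_doc[0].json`. The docs hook mirrors the `data "fco"` declaration, so whichever type is intended, the declaration and the reference have to agree before `terraform validate` passes, and the README should be regenerated afterwards. With IAM resources now created by this module, the `n/a` for the aws provider version is also worth replacing with a pinned `required_providers` entry.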
Expand All @@ -53,15 +59,24 @@ No modules.
| <a name="input_csi_controller_replica_count"></a> [csi\_controller\_replica\_count](#input\_csi\_controller\_replica\_count) | Number of EFS CSI driver controller pods | `number` | `2` | no |
| <a name="input_csi_controller_tolerations"></a> [csi\_controller\_tolerations](#input\_csi\_controller\_tolerations) | CSI driver controller tolerations | `list(map(string))` | `[]` | no |
| <a name="input_delete_access_point_root_dir"></a> [delete\_access\_point\_root\_dir](#input\_delete\_access\_point\_root\_dir) | Wheter to delete the access point root dir | `bool` | `false` | no |
| <a name="input_efs_csi_controller_role_name"></a> [efs\_csi\_controller\_role\_name](#input\_efs\_csi\_controller\_role\_name) | The name of the EFS CSI driver IAM role | `string` | `"efs-csi-driver-controller"` | no |
| <a name="input_efs_csi_controller_role_policy_name_prefix"></a> [efs\_csi\_controller\_role\_policy\_name\_prefix](#input\_efs\_csi\_controller\_role\_policy\_name\_prefix) | The prefix of the EFS CSI driver IAM policy | `string` | `"efs-csi-driver-policy"` | no |
| <a name="input_extra_node_selectors"></a> [extra\_node\_selectors](#input\_extra\_node\_selectors) | A map of extra node selectors for all components | `map(string)` | `{}` | no |
| <a name="input_host_aliases"></a> [host\_aliases](#input\_host\_aliases) | A map of host aliases | `map(any)` | `{}` | no |
| <a name="input_labels"></a> [labels](#input\_labels) | A map of extra labels for all resources | `map(string)` | `{}` | no |
| <a name="input_log_level"></a> [log\_level](#input\_log\_level) | The log level for the CSI Driver controller | `number` | `5` | no |
| <a name="input_namespace"></a> [namespace](#input\_namespace) | Namespace for EFS CSI driver resources | `string` | `"kube-system"` | no |
| <a name="input_node_extra_node_selectors"></a> [node\_extra\_node\_selectors](#input\_node\_extra\_node\_selectors) | A map of extra node selectors for node pods | `map(string)` | `{}` | no |
| <a name="input_oidc_url"></a> [oidc\_url](#input\_oidc\_url) | EKS OIDC provider URL, to allow pod to assume role using IRSA | `string` | `""` | no |
| <a name="input_tags"></a> [tags](#input\_tags) | A map of tags to add to all resources | `map(string)` | `{}` | no |

## Outputs

No outputs.
| Name | Description |
|------|-------------|
| <a name="output_efs-csi_driver_controller_role_name"></a> [efs-csi\_driver\_controller\_role\_name](#output\_efs-csi\_driver\_controller\_role\_name) | The Name of the EBS CSI driver controller IAM role name |
| <a name="output_efs_csi_driver_controller_role_arn"></a> [efs\_csi\_driver\_controller\_role\_arn](#output\_efs\_csi\_driver\_controller\_role\_arn) | The Name of the EBS CSI driver controller IAM role ARN |
| <a name="output_efs_csi_driver_controller_role_policy_arn"></a> [efs\_csi\_driver\_controller\_role\_policy\_arn](#output\_efs\_csi\_driver\_controller\_role\_policy\_arn) | The Name of the EBS CSI driver controller IAM role policy ARN |
| <a name="output_efs_csi_driver_controller_role_policy_name"></a> [efs\_csi\_driver\_controller\_role\_policy\_name](#output\_efs\_csi\_driver\_controller\_role\_policy\_name) | The Name of the EBS CSI driver controller IAM role policy name |
| <a name="output_efs_csi_driver_name"></a> [efs\_csi\_driver\_name](#output\_efs\_csi\_driver\_name) | The Name of the EBS CSI driver |
<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
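Review bot: all five new output descriptions read "EBS CSI driver" although this module installs the EFS CSI driver (compare the `efs_csi_controller_role_name` input on the same hunk), and the `efs-csi_driver_controller_role_name` output uses a hyphen where every other output uses underscores, which callers must reproduce exactly. Suggest `efs_csi_driver_controller_role_name` with the description `The name of the EFS CSI driver controller IAM role` (the current text reads "IAM role name name"). Since the docs are regenerated anyway, the pre-existing "Wheter" in the `delete_access_point_root_dir` description could be fixed in the same pass.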
66 changes: 66 additions & 0 deletions iam.tf
@@ -0,0 +1,66 @@
data "fco" "efs_controller_policy_doc" {
count = var.create_controller ? 1 : 0

statement {
effect = "Allow"
resources = ["*"]
actions = [
"elasticfilesystem:DescribeAccessPoints",
"elasticfilesystem:DescribeFileSystems"
]
}

statement {
effect = "Allow"
resources = ["*"]
actions = [
"elasticfilesystem:CreateAccessPoint"
]

condition {
test = "StringLike"
variable = "aws:RequestTag/efs.csi.aws.com/cluster"
values = [
"true"
]
}
}

statement {
effect = "Allow"
resources = ["*"]
actions = [
"elasticfilesystem:DeleteAccessPoint"
]

condition {
test = "StringLike"
variable = "aws:ResourceTag/efs.csi.aws.com/cluster"
values = [
"true"
]
}
}
}

resource "aws_iam_policy" "efs_controller_policy" {
count = var.create_controller ? 1 : 0

name_prefix = var.efs_csi_controller_role_policy_name_prefix
policy = data.aws_iam_policy_document.efs_controller_policy_doc[0].json
tags = var.tags
}

module "efs_controller_role" {
count = var.create_controller ? 1 : 0

source = "terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc"
version = "4.1.0"
create_role = true
role_description = "EFS CSI Driver Role"
role_name_prefix = var.efs_csi_controller_role_name
provider_url = var.oidc_url
role_policy_arns = [aws_iam_policy.efs_controller_policy[0].arn]
oidc_fully_qualified_subjects = ["system:serviceaccount:${var.namespace}:${local.controller_name}"]
tags = var.tags
}
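Review bot: the data block is declared as `data "fco" "efs_controller_policy_doc"` but consumed as `data.aws_iam_policy_document.efs_controller_policy_doc[0].json` in `aws_iam_policy.efs_controller_policy`; one of the two is wrong as written and the module will not validate until they match. Second, and more important for IRSA to work at all: the trust policy admits only the subject `system:serviceaccount:${var.namespace}:${local.controller_name}`, while the service account annotated with this role in rbac.tf is named `local.name`. If those two locals are not the same string, `AssumeRoleWithWebIdentity` is denied for the controller pods; please confirm they are equal or derive the subject from the service account's own name attribute. Third, `role_name_prefix = var.efs_csi_controller_role_name` passes a variable documented as "the name" of the role as a prefix, so the created role gets a random suffix; either pass it as `role_name` or rename the variable to `..._name_prefix` in line with the policy variable. The policy itself is well scoped: Describe calls are read-only, and `CreateAccessPoint` / `DeleteAccessPoint` are gated on the `efs.csi.aws.com/cluster` tag via `aws:RequestTag` and `aws:ResourceTag` respectively, which keeps the controller from touching access points it did not create.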
24 changes: 24 additions & 0 deletions outputs.tf
@@ -0,0 +1,24 @@
output "efs_csi_driver_name" {
description = "The Name of the EBS CSI driver"
value = kubernetes_csi_driver.ebs.metadata[0].name
}

output "efs_csi_driver_controller_role_arn" {
description = "The Name of the EBS CSI driver controller IAM role ARN"
value = module.efs_controller_role[0].iam_role_arn
}

output "efs-csi_driver_controller_role_name" {
description = "The Name of the EBS CSI driver controller IAM role name"
value = module.efs_controller_role[0].iam_role_name
}

output "efs_csi_driver_controller_role_policy_arn" {
description = "The Name of the EBS CSI driver controller IAM role policy ARN"
value = aws_iam_policy.efs_controller_policy[0].arn
}

output "efs_csi_driver_controller_role_policy_name" {
description = "The Name of the EBS CSI driver controller IAM role policy name"
value = aws_iam_policy.efs_controller_policy[0].name
}
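Review bot: `kubernetes_csi_driver.ebs.metadata[0].name` in `efs_csi_driver_name` references a resource this module does not declare; the README's Resources table lists `kubernetes_csi_driver.efs`, so this output fails at plan time. The other four outputs index `[0]` into objects created with `count = var.create_controller ? 1 : 0`, which errors rather than yielding `null` when `create_controller = false`; wrap them, e.g. `value = try(module.efs_controller_role[0].iam_role_arn, null)`. The descriptions also say "EBS" for an EFS module.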
3 changes: 3 additions & 0 deletions rbac.tf
Expand Up @@ -4,6 +4,9 @@ resource "kubernetes_service_account" "csi_driver" {
metadata {
name = local.name
namespace = var.namespace
annotations = {
"eks.amazonaws.com/role-arn" = module.efs_controller_role.iam_role_arn
}
}
automount_service_account_token = true
}
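Review bot: `module.efs_controller_role.iam_role_arn` will not resolve, because the module is declared with `count` in iam.tf and must be indexed (`module.efs_controller_role[0].iam_role_arn`); and when `create_controller = false` there is no instance at all, so the annotation needs to be conditional (for example `try(module.efs_controller_role[0].iam_role_arn, null)` or a `merge` that omits the key). Note also that this annotation goes on the `csi_driver` service account named `local.name`, whereas the role's trust policy in iam.tf admits `system:serviceaccount:${var.namespace}:${local.controller_name}`; IRSA only takes effect if the annotated service account and the trusted subject are the same one.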
18 changes: 18 additions & 0 deletions variables.tf
Expand Up @@ -80,4 +80,22 @@ variable "controller_annotations" {
description = "A map of extra annotations for controller"
default = {}
type = map(string)
}

variable "oidc_url" {
description = "EKS OIDC provider URL, to allow pod to assume role using IRSA"
type = string
default = ""
}

variable "efs_csi_controller_role_name" {
description = "The name of the EFS CSI driver IAM role"
default = "efs-csi-driver-controller"
type = string
}

variable "efs_csi_controller_role_policy_name_prefix" {
description = "The prefix of the EFS CSI driver IAM policy"
default = "efs-csi-driver-policy"
type = string
}
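Review bot: `oidc_url` defaults to `""`, but iam.tf passes it straight into `provider_url` whenever `create_controller` is true, so a caller who omits it gets a role whose trust policy points at an empty provider instead of a clear error; drop the default so the value is required, or add a `validation` block that rejects the empty string. `efs_csi_controller_role_name` is described as "The name of the EFS CSI driver IAM role" but is consumed as `role_name_prefix`; either rename the variable and description to say prefix (matching the sibling `efs_csi_controller_role_policy_name_prefix`) or pass it as `role_name`.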
