diff --git a/README.md b/README.md
index cdf74fd..ee710d0 100644
--- a/README.md
+++ b/README.md
@@ -25,22 +25,28 @@ module "efs_csi_driver" {
| Name | Version |
|------|---------|
+| [aws](#provider\_aws) | n/a |
+| [fco](#provider\_fco) | n/a |
| [kubernetes](#provider\_kubernetes) | >= 2.1.0 |
## Modules
-No modules.
+| Name | Source | Version |
+|------|--------|---------|
+| [efs\_controller\_role](#module\_efs\_controller\_role) | terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc | 4.1.0 |
## Resources
| Name | Type |
|------|------|
+| [aws_iam_policy.efs_controller_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
| [kubernetes_cluster_role.provisioner](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/cluster_role) | resource |
| [kubernetes_cluster_role_binding.provisioner](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/cluster_role_binding) | resource |
| [kubernetes_csi_driver.efs](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/csi_driver) | resource |
| [kubernetes_daemonset.efs](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/daemonset) | resource |
| [kubernetes_deployment.efs_csi_controller](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/deployment) | resource |
| [kubernetes_service_account.csi_driver](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/service_account) | resource |
+| [fco_fco.efs_controller_policy_doc](https://registry.terraform.io/providers/hashicorp/fco/latest/docs/data-sources/fco) | data source |
## Inputs
@@ -53,15 +59,24 @@ No modules.
| [csi\_controller\_replica\_count](#input\_csi\_controller\_replica\_count) | Number of EFS CSI driver controller pods | `number` | `2` | no |
| [csi\_controller\_tolerations](#input\_csi\_controller\_tolerations) | CSI driver controller tolerations | `list(map(string))` | `[]` | no |
| [delete\_access\_point\_root\_dir](#input\_delete\_access\_point\_root\_dir) | Wheter to delete the access point root dir | `bool` | `false` | no |
+| [efs\_csi\_controller\_role\_name](#input\_efs\_csi\_controller\_role\_name) | The name of the EFS CSI driver IAM role | `string` | `"efs-csi-driver-controller"` | no |
+| [efs\_csi\_controller\_role\_policy\_name\_prefix](#input\_efs\_csi\_controller\_role\_policy\_name\_prefix) | The prefix of the EFS CSI driver IAM policy | `string` | `"efs-csi-driver-policy"` | no |
| [extra\_node\_selectors](#input\_extra\_node\_selectors) | A map of extra node selectors for all components | `map(string)` | `{}` | no |
| [host\_aliases](#input\_host\_aliases) | A map of host aliases | `map(any)` | `{}` | no |
| [labels](#input\_labels) | A map of extra labels for all resources | `map(string)` | `{}` | no |
| [log\_level](#input\_log\_level) | The log level for the CSI Driver controller | `number` | `5` | no |
| [namespace](#input\_namespace) | Namespace for EFS CSI driver resources | `string` | `"kube-system"` | no |
| [node\_extra\_node\_selectors](#input\_node\_extra\_node\_selectors) | A map of extra node selectors for node pods | `map(string)` | `{}` | no |
+| [oidc\_url](#input\_oidc\_url) | EKS OIDC provider URL, to allow pod to assume role using IRSA | `string` | `""` | no |
| [tags](#input\_tags) | A map of tags to add to all resources | `map(string)` | `{}` | no |
## Outputs
-No outputs.
+| Name | Description |
+|------|-------------|
+| [efs-csi\_driver\_controller\_role\_name](#output\_efs-csi\_driver\_controller\_role\_name) | The Name of the EBS CSI driver controller IAM role name |
+| [efs\_csi\_driver\_controller\_role\_arn](#output\_efs\_csi\_driver\_controller\_role\_arn) | The Name of the EBS CSI driver controller IAM role ARN |
+| [efs\_csi\_driver\_controller\_role\_policy\_arn](#output\_efs\_csi\_driver\_controller\_role\_policy\_arn) | The Name of the EBS CSI driver controller IAM role policy ARN |
+| [efs\_csi\_driver\_controller\_role\_policy\_name](#output\_efs\_csi\_driver\_controller\_role\_policy\_name) | The Name of the EBS CSI driver controller IAM role policy name |
+| [efs\_csi\_driver\_name](#output\_efs\_csi\_driver\_name) | The Name of the EBS CSI driver |
\ No newline at end of file
diff --git a/iam.tf b/iam.tf
new file mode 100644
index 0000000..23f4e75
--- /dev/null
+++ b/iam.tf
@@ -0,0 +1,66 @@
+data "fco" "efs_controller_policy_doc" {
+ count = var.create_controller ? 1 : 0
+
+ statement {
+ effect = "Allow"
+ resources = ["*"]
+ actions = [
+ "elasticfilesystem:DescribeAccessPoints",
+ "elasticfilesystem:DescribeFileSystems"
+ ]
+ }
+
+ statement {
+ effect = "Allow"
+ resources = ["*"]
+ actions = [
+ "elasticfilesystem:CreateAccessPoint"
+ ]
+
+ condition {
+ test = "StringLike"
+ variable = "aws:RequestTag/efs.csi.aws.com/cluster"
+ values = [
+ "true"
+ ]
+ }
+ }
+
+ statement {
+ effect = "Allow"
+ resources = ["*"]
+ actions = [
+ "elasticfilesystem:DeleteAccessPoint"
+ ]
+
+ condition {
+ test = "StringLike"
+ variable = "aws:ResourceTag/efs.csi.aws.com/cluster"
+ values = [
+ "true"
+ ]
+ }
+ }
+}
+
+resource "aws_iam_policy" "efs_controller_policy" {
+ count = var.create_controller ? 1 : 0
+
+ name_prefix = var.efs_csi_controller_role_policy_name_prefix
+ policy = data.aws_iam_policy_document.efs_controller_policy_doc[0].json
+ tags = var.tags
+}
+
+module "efs_controller_role" {
+ count = var.create_controller ? 1 : 0
+
+ source = "terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc"
+ version = "4.1.0"
+ create_role = true
+ role_description = "EFS CSI Driver Role"
+ role_name_prefix = var.efs_csi_controller_role_name
+ provider_url = var.oidc_url
+ role_policy_arns = [aws_iam_policy.efs_controller_policy[0].arn]
+ oidc_fully_qualified_subjects = ["system:serviceaccount:${var.namespace}:${local.controller_name}"]
+ tags = var.tags
+}
\ No newline at end of file
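Review bot: The policy document at the top of this file is declared as `data "fco" "efs_controller_policy_doc"`, but `aws_iam_policy.efs_controller_policy` reads `data.aws_iam_policy_document.efs_controller_policy_doc[0].json`, so the two never resolve to the same object and `terraform validate` fails on the unresolved reference (and on the `fco` type unless a provider of that name really exists); the declaration should read `data "aws_iam_policy_document" "efs_controller_policy_doc" {`. The trust policy is pinned to `system:serviceaccount:${var.namespace}:${local.controller_name}`, while rbac.tf creates the service account as `local.name` — neither local is visible here, but if they differ, `AssumeRoleWithWebIdentity` is denied for the controller pod and the role is useless, so the two should be asserted to be the same value. `provider_url` is also fed from `var.oidc_url`, which defaults to `""`, producing a trust policy that points at a nonexistent OIDC provider rather than a clear error; when `create_controller` is true an empty URL should be rejected at plan time.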
diff --git a/outputs.tf b/outputs.tf
new file mode 100644
index 0000000..a9ca345
--- /dev/null
+++ b/outputs.tf
@@ -0,0 +1,24 @@
+output "efs_csi_driver_name" {
+ description = "The Name of the EBS CSI driver"
+ value = kubernetes_csi_driver.ebs.metadata[0].name
+}
+
+output "efs_csi_driver_controller_role_arn" {
+ description = "The Name of the EBS CSI driver controller IAM role ARN"
+ value = module.efs_controller_role[0].iam_role_arn
+}
+
+output "efs-csi_driver_controller_role_name" {
+ description = "The Name of the EBS CSI driver controller IAM role name"
+ value = module.efs_controller_role[0].iam_role_name
+}
+
+output "efs_csi_driver_controller_role_policy_arn" {
+ description = "The Name of the EBS CSI driver controller IAM role policy ARN"
+ value = aws_iam_policy.efs_controller_policy[0].arn
+}
+
+output "efs_csi_driver_controller_role_policy_name" {
+ description = "The Name of the EBS CSI driver controller IAM role policy name"
+ value = aws_iam_policy.efs_controller_policy[0].name
+}
\ No newline at end of file
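Review bot: `efs_csi_driver_name` references `kubernetes_csi_driver.ebs`, but the README in this same change lists the resource as `kubernetes_csi_driver.efs`, so this output points at an undeclared resource and should be `value = kubernetes_csi_driver.efs.metadata[0].name`. The four role/policy outputs index `[0]` unconditionally, yet iam.tf gates both the module and the policy on `var.create_controller`, so a plan with `create_controller = false` fails on an empty tuple; guard each one, e.g. `value = var.create_controller ? module.efs_controller_role[0].iam_role_arn : null`. Every description says "EBS" in an EFS module, and `efs-csi_driver_controller_role_name` uses a hyphen where its siblings use underscores — both look copied from an EBS module and should become `EFS` and `efs_csi_driver_controller_role_name` (the README output table carries the same text).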
diff --git a/rbac.tf b/rbac.tf
index 9c17d1e..5e7561c 100644
--- a/rbac.tf
+++ b/rbac.tf
@@ -4,6 +4,9 @@ resource "kubernetes_service_account" "csi_driver" {
metadata {
name = local.name
namespace = var.namespace
+ annotations = {
+ "eks.amazonaws.com/role-arn" = module.efs_controller_role.iam_role_arn
+ }
}
automount_service_account_token = true
}
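Review bot: `module.efs_controller_role.iam_role_arn` on the new annotation line is invalid because iam.tf declares the module with `count`, so Terraform rejects the attribute reference outright, and it must also tolerate `create_controller = false`, where no instance exists; write `annotations = var.create_controller ? { "eks.amazonaws.com/role-arn" = module.efs_controller_role[0].iam_role_arn } : {}`. Separately, the role is attached to the single `csi_driver` service account, which the README shows is the only one in this module; if the node DaemonSet also runs under it (not visible here), every node pod inherits the controller's `CreateAccessPoint`/`DeleteAccessPoint` permissions, so a dedicated controller service account would keep those credentials off the nodes. The `kubernetes_service_account` block begins before the hunk.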
diff --git a/variables.tf b/variables.tf
index ba8f193..da14cb7 100644
--- a/variables.tf
+++ b/variables.tf
@@ -80,4 +80,22 @@ variable "controller_annotations" {
description = "A map of extra annotations for controller"
default = {}
type = map(string)
+}
+
+variable "oidc_url" {
+ description = "EKS OIDC provider URL, to allow pod to assume role using IRSA"
+ type = string
+ default = ""
+}
+
+variable "efs_csi_controller_role_name" {
+ description = "The name of the EFS CSI driver IAM role"
+ default = "efs-csi-driver-controller"
+ type = string
+}
+
+variable "efs_csi_controller_role_policy_name_prefix" {
+ description = "The prefix of the EFS CSI driver IAM policy"
+ default = "efs-csi-driver-policy"
+ type = string
}
\ No newline at end of file
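Review bot: `oidc_url` defaults to `""` while iam.tf passes it straight through as the assumable-role module's `provider_url`, so forgetting to set it yields a role whose trust policy names a nonexistent OIDC provider instead of a plan-time error; either drop the default so the value is required, or add `validation { condition = var.oidc_url == "" || can(regex("^(https://)?[^/]+", var.oidc_url)) ... }` and state in the description that it is mandatory when `create_controller` is true. `efs_csi_controller_role_name` is described as "the name of the EFS CSI driver IAM role" but iam.tf feeds it to `role_name_prefix`, so the created role carries a generated suffix; either rename/describe it as a prefix or pass it as `role_name`. The `controller_annotations` block at the top of the hunk begins before it.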