[nc] add efs storage class support

Signed-off-by: Nic Cheneweth <nchenewe@thoughtworks.com>
ThoughtWorks-DPS · May 22, 2024 · 76ca0df · 76ca0df
1 parent 776147a
commit 76ca0df
Show file tree

Hide file tree

Showing 3 changed files with 84 additions and 1 deletion.
diff --git a/data.tf b/data.tf
@@ -16,6 +16,11 @@ data "aws_subnets" "cluster_private_subnets" {
   }
 }
 
+data "aws_subnet" "cluster_private_subnets" {
+  for_each = toset(data.aws_subnets.cluster_private_subnets.ids)
+  id       = each.value
+}
+
 data "aws_subnets" "cluster_intra_subnets" {
   filter {
     name   = "vpc-id"

diff --git a/efs-csi-storage.tf b/efs-csi-storage.tf
@@ -0,0 +1,44 @@
+module "efs_csi_storage" {
+  source    = "cloudposse/efs/aws"
+  version   = "1.1.0"
+
+  name      = "${var.cluster_name}-efs-csi-storage"
+
+  region    = var.aws_region
+  vpc_id    = data.aws_vpc.vpc.id
+  subnets   = data.aws_subnets.cluster_private_subnets.ids
+
+  allowed_cidr_blocks = [for s in data.aws_subnet.cluster_private_subnets : s.cidr_block]
+  associated_security_group_ids = concat(
+    module.eks.cluster_security_group_id
+  )
+
+  transition_to_ia          = ["AFTER_7_DAYS"]
+  efs_backup_policy_enabled = true
+  encrypted                 = true
+
+  tags = {
+    "cluster" = var.cluster_name
+    "pipeline" = "psk-aws-control-plane-base"
+  }
+}
+
+output "eks_efs_csi_storage_dns_name" {
+  value = module.efs_csi_storage.dns_name
+}
+
+output "eks_efs_csi_storage_id" {
+  value = module.efs_csi_storage.id
+}
+
+output "eks_efs_csi_storage_mount_target_dns_names" {
+  value = module.efs_csi_storage.mount_target_dns_names
+}
+
+output "eks_efs_csi_storage_mount_target_ids" {
+  value = module.efs_csi_storage.mount_target_ids.*
+}
+
+output "eks_efs_csi_storage_security_group_id" {
+  value = module.efs_csi_storage.security_group_id
+}
diff --git a/eks-addons.tf b/eks-addons.tf
@@ -54,7 +54,26 @@ module "eks_addons" {
       })
     }
 
-  # aws-efs-csi-driver
+    aws-efs-csi-driver = {
+      amost_recent             = true
+      service_account_role_arn = module.efs_csi_irsa_role.iam_role_arn
+      configuration_values     = jsonencode({
+        controller = {
+          nodeSelector = {
+            "node.kubernetes.io/role" = "management"
+          }
+          tolerations = [
+            {
+              key      = "dedicated"
+              operator = "Equal"
+              value    = "management"
+              effect   = "NoSchedule"
+            }
+          ]
+        }
+      })
+    }
+
   # aws-mountpoint-s3-csi-driver
   # aws-guardduty-agent
   # eks-pod-identity-agent = { most_recent = true }
@@ -92,6 +111,21 @@ module "ebs_csi_irsa_role" {
   }
 }
 
+module "efs_csi_irsa_role" {
+  source  = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks"
+  version = "~> 5.39.1"
+
+  role_name             = "${var.cluster_name}-efs-csi-controller-sa"
+  attach_efs_csi_policy = true
+
+  oidc_providers = {
+    main = {
+      provider_arn               = module.eks.oidc_provider_arn
+      namespace_service_accounts = ["kube-system:efs-csi-controller-sa"]
+    }
+  }
+}
+
 # module "karpenter" {
 #   source = "terraform-aws-modules/eks/aws//modules/karpenter"
 #   version = "20.10.0"