BAH-1881 | Added policies for EFS

IPLit · Jul 2, 2022 · 37883b6 · 37883b6
1 parent 4f71f66
commit 37883b6
Show file tree

Hide file tree

Showing 6 changed files with 92 additions and 63 deletions.
diff --git a/.github/workflows/validate-deploy.yml b/.github/workflows/validate-deploy.yml
@@ -2,7 +2,7 @@ name: Validate and Deploy to AWS
 
 on:
   push:
-    branches: [ BAH-1881 ]
+    branches: [ main ]
     paths-ignore:
       - 'README.md'
 
@@ -48,13 +48,12 @@ jobs:
       - name: Terraform Validate
         run: ./terraform/tf-validate.sh
 
-  tfapply:
-    name: Terraform Apply
+  provision-resources:
+    name: Provision Resources
     needs: [ terrascan, tflint, tfsec, tfvalidate ]
     if: ${{ (needs.terrascan.result == 'success') && (needs.tflint.result == 'success') && (needs.tfvalidate.result == 'success') && (needs.tfsec.result == 'success') }}
     runs-on: ubuntu-latest
     env:
-      CLUSTER_NAME: bahmni-cluster-nonprod
       SC_NAME: bahmni-efs-sc
     steps:
       - name: Checkout repository
@@ -73,36 +72,35 @@ jobs:
           cd terraform/
           terraform init -backend-config=config.s3.tfbackend -backend-config='key=nonprod/terraform.tfstate'
           terraform apply -var-file=nonprod.tfvars -auto-approve 
+          echo "CLUSTER_NAME=$(terraform output -raw eks_cluster_name)" >> $GITHUB_ENV
       - name: Setup Amazon EFS driver and StorageClass
         run: |
           fileSystemId=$(aws ssm get-parameter --with-decryption --name "/nonprod/efs/file_system_id" --query "Parameter.Value" --output text)
           aws eks update-kubeconfig --name $CLUSTER_NAME
-          helm repo add aws-efs-csi-driver https://kubernetes-sigs.github.io/aws-efs-csi-driver/
-          helm repo update
+          kubectl kustomize \
+          "github.com/kubernetes-sigs/aws-efs-csi-driver/deploy/kubernetes/overlays/stable/?ref=release-1.3" > public-ecr-driver.yaml
           curl -o storageclass.yaml \
           https://raw.githubusercontent.com/kubernetes-sigs/aws-efs-csi-driver/master/examples/kubernetes/dynamic_provisioning/specs/storageclass.yaml
+          kubectl delete deployment efs-csi-controller -n kube-system || echo "Creating the deployment..."
+          kubectl delete daemonset efs-csi-node -n kube-system || echo "Creating the daemonset..."
           scName=$SC_NAME  yq -i e '.metadata.name |= env(scName)' storageclass.yaml
           fileSystemId=$fileSystemId  yq -i e '.parameters.fileSystemId |= env(fileSystemId)' storageclass.yaml
-          helm upgrade -i aws-efs-csi-driver aws-efs-csi-driver/aws-efs-csi-driver \
-          --namespace kube-system \
-          --set image.repository=602401143452.dkr.ecr.ap-south-1.amazonaws.com/eks/aws-efs-csi-driver \
-          --set controller.serviceAccount.create=false \
-          --set controller.serviceAccount.name=efs-csi-controller-sa
+          kubectl apply -f public-ecr-driver.yaml
           kubectl apply -f storageclass.yaml
 
 
-#  slack-workflow-status:
-#    name: Notify on Slack
-#    if: ${{ always() }}
-#    needs: [ tfapply ]
-#    runs-on: ubuntu-latest
-#    env:
-#      STATUS: ${{ (needs.tfapply.result == 'success') && 'success' || 'failure' }}
-#    steps:
-#      - name: Slack notification
-#        uses: 8398a7/action-slack@v3
-#        with:
-#          status: ${{ env.STATUS }}
-#          fields: message,author,workflow,repo
-#        env:
-#          SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
+  slack-workflow-status:
+    name: Notify on Slack
+    if: ${{ always() }}
+    needs: [ provision-resources ]
+    runs-on: ubuntu-latest
+    env:
+      STATUS: ${{ (needs.tfapply.result == 'success') && 'success' || 'failure' }}
+    steps:
+      - name: Slack notification
+        uses: 8398a7/action-slack@v3
+        with:
+          status: ${{ env.STATUS }}
+          fields: message,author,workflow,repo
+        env:
+          SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
diff --git a/aws/policies/BahmniInfraAdmin.json b/aws/policies/BahmniInfraAdmin.json
@@ -180,39 +180,19 @@
           "Resource": "*"
       },
       {
+          "Sid": "EFS",
           "Effect": "Allow",
           "Action": [
-              "elasticfilesystem:DescribeAccessPoints",
+              "elasticfilesystem:CreateFileSystem",
               "elasticfilesystem:DescribeFileSystems",
-              "elasticfilesystem:DescribeMountTargets",
-              "elasticfilesystem:DeleteMountTarget",
-              "ec2:DescribeAvailabilityZones",
               "elasticfilesystem:DeleteFileSystem",
-              "elasticfilesystem:CreateFileSystem"
+              "elasticfilesystem:DescribeLifecycleConfiguration",
+              "elasticfilesystem:CreateMountTarget",
+              "elasticfilesystem:DescribeMountTargets",
+              "elasticfilesystem:DescribeMountTargetSecurityGroups",
+              "elasticfilesystem:DeleteMountTarget"
           ],
           "Resource": "*"
-      },
-      {
-          "Effect": "Allow",
-          "Action": [
-              "elasticfilesystem:CreateAccessPoint"
-          ],
-          "Resource": "*",
-          "Condition": {
-              "StringLike": {
-                  "aws:RequestTag/efs.csi.aws.com/cluster": "true"
-              }
-          }
-      },
-      {
-          "Effect": "Allow",
-          "Action": "elasticfilesystem:DeleteAccessPoint",
-          "Resource": "*",
-          "Condition": {
-              "StringEquals": {
-                  "aws:ResourceTag/efs.csi.aws.com/cluster": "true"
-              }
-          }
       }
   ]
-}
+}
diff --git a/terraform/main.tf b/terraform/main.tf
@@ -27,9 +27,17 @@ module "vpc" {
   vpc_cidr_block      = var.vpc_cidr_block
 }
 
+module "efs" {
+  source                   = "./modules/efs"
+  depends_on               = [module.vpc]
+  environment              = var.environment
+  vpc_suffix               = var.vpc_suffix
+  private_cidr_blocks      = var.private_cidr_blocks
+}
+
 module "eks" {
   source               = "./modules/eks"
-  depends_on           = [module.vpc]
+  depends_on           = [module.vpc,module.efs]
   environment          = var.environment
   owner                = var.owner
   vpc_suffix           = var.vpc_suffix
@@ -38,6 +46,7 @@ module "eks" {
   max_num_of_nodes     = var.max_num_of_nodes
   min_num_of_nodes     = var.min_num_of_nodes
   node_instance_type   = var.node_instance_type
+  efs_file_system_arn  = module.efs.efs-file-system-arn
 }
 
 module "rds" {
@@ -49,13 +58,6 @@ module "rds" {
   mysql_version      = var.mysql_version
   rds_instance_class = var.rds_instance_class
 }
-module "efs" {
-  source                   = "./modules/efs"
-  depends_on               = [module.vpc]
-  environment              = var.environment
-  vpc_suffix               = var.vpc_suffix
-  private_cidr_blocks      = var.private_cidr_blocks
-}
 
 module "bastion" {
   source                   = "./modules/bastion_host"

diff --git a/terraform/modules/efs/outputs.tf b/terraform/modules/efs/outputs.tf
@@ -0,0 +1,3 @@
+output "efs-file-system-arn" {
+  value = aws_efs_file_system.bahmni-efs.arn
+}
diff --git a/terraform/modules/eks/iam.tf b/terraform/modules/eks/iam.tf
@@ -1,5 +1,4 @@
 ## IAM Roles and policies for Node
-
 resource "aws_iam_role" "node-role" {
   name = "BahmniEKSNodeRole-${var.environment}"
 
@@ -14,6 +13,47 @@ resource "aws_iam_role" "node-role" {
     Version = "2012-10-17"
   })
 
+  inline_policy {
+    name = "aws-efs-csi-driver-policy"
+
+    policy = jsonencode({
+      "Version": "2012-10-17",
+      "Statement": [
+        {
+          "Effect": "Allow",
+          "Action": [
+            "elasticfilesystem:DescribeAccessPoints",
+            "elasticfilesystem:DescribeFileSystems",
+            "elasticfilesystem:DescribeMountTargets",
+          ],
+          "Resource": var.efs_file_system_arn
+        },
+        {
+          "Effect": "Allow",
+          "Action": [
+            "elasticfilesystem:CreateAccessPoint"
+          ],
+          "Resource": var.efs_file_system_arn,
+          "Condition": {
+            "StringLike": {
+              "aws:RequestTag/efs.csi.aws.com/cluster": "true"
+            }
+          }
+        },
+        {
+          "Effect": "Allow",
+          "Action": "elasticfilesystem:DeleteAccessPoint",
+          "Resource": var.efs_file_system_arn,
+          "Condition": {
+            "StringEquals": {
+              "aws:ResourceTag/efs.csi.aws.com/cluster": "true"
+            }
+          }
+        }
+      ]
+    })
+  }
+
   tags = {
     Name  = "BahmniEKSNodeRole-${var.environment}"
     owner = var.owner

diff --git a/terraform/modules/eks/variables.tf b/terraform/modules/eks/variables.tf
@@ -3,6 +3,12 @@ variable "environment" {
   description = "Environment Value used to create and tag resources"
 }
 
+variable "efs_file_system_arn" {
+  type = string
+  description = "EFS File System ARN"
+  sensitive   = true
+}
+
 variable "owner" {
   type        = string
   description = "Owner name used for tagging resources"